Threat Intelligence Report

Trends

  • The top attacker country was China with 318624 unique attackers (62%).
  • The most-detected Trojan C&C family was Heodo, with 65 instances detected.

Top Attackers By Country

Country Occurrences Percentage
China 318624 62.00%
Australia 58107 11.00%
South Africa 26186 5.00%
Singapore 25722 5.00%
United States 20904 4.00%
France 8311 1.00%
United Kingdom 7580 1.00%
Chile 7053 1.00%
Canada 5540 1.00%
South Korea 4662 0%
India 3898 0%
Netherlands 3133 0%
Indonesia 2221 0%
Ukraine 2021 0%
Vietnam 1736 0%
Hong Kong 1545 0%
Turkey 830 0%
Pakistan 712 0%
Czech Republic 630 0%
Malaysia 567 0%
[Chart: Top Attackers by Country, shares of the table below: United States 39.3%, China 32.8%, Vietnam 11.5%, Brazil 8.2%, Republic of Korea 8.2%]
Country Percentage of Attacks
United States 24
China 20
Vietnam 7
Brazil 5
Republic of Korea 5

Threat Geo-location

[Map: Threat Geo-location; scale from 567 to 318,624 attackers per country]


Top Attacking Hosts

Host Occurrences
49.88.112.116 23690
223.25.69.98 21684
202.161.116.141 21461
112.85.42.187 20266
222.186.52.78 16650
14.200.151.138 13873
112.85.42.186 11175
218.92.0.192 10249
218.92.0.191 10137




Top Network Attackers

ASN Country Name
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
56300 Singapore MYREPUBLIC-SG MyRepublic Ltd., SG
7545 Australia TPG-INTERNET-AP TPG Telecom Limited, AU
4837 China CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
23650 China CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN


Top Event NIDS and Exploits


Top Alarms

Comparison from last week


Remote Access Trojan C&C Servers Found

Name Number Discovered Location
Amadey 1 217.8.117.61
AZORult 3 185.219.81.127 , 209.127.19.34 , 45.141.152.18
Heodo 65 101.187.134.207 , 103.122.75.218 , 108.179.206.219 , 108.191.2.72 , 110.142.161.90 , 116.48.142.21 , 123.142.37.165 , 130.45.45.31 , 1.32.54.12 , 139.130.241.252 , 165.228.24.197 , 172.105.213.30 , 173.13.135.102 , 176.106.183.253 , 177.103.201.23 , 185.160.212.3 , 186.68.48.204 , 188.14.39.65 , 188.152.7.140 , 188.216.24.204 , 188.230.134.205 , 189.134.4.209 , 189.225.211.171 , 190.5.162.204 , 191.103.76.34 , 193.33.38.208 , 200.119.11.118 , 204.63.252.182 , 210.111.160.220 , 210.224.65.117 , 212.186.191.177 , 212.64.171.206 , 213.179.105.214 , 24.28.178.71 , 37.132.193.19 , 45.129.121.222 , 47.146.42.234 , 58.171.42.66 , 63.246.252.234 , 68.129.203.162 , 69.30.205.162 , 70.175.171.251 , 72.29.55.174 , 72.69.99.47 , 73.167.135.180 , 77.241.53.234 , 77.245.12.212 , 79.31.85.103 , 80.29.54.20 , 81.82.247.216 , 82.79.244.92 , 82.8.232.51 , 83.110.107.243 , 83.156.88.159 , 83.165.163.225 , 83.99.211.160 , 86.98.156.239 , 91.187.80.246 , 91.231.166.126 , 91.242.138.5 , 91.73.197.90 , 93.147.141.5 , 95.179.195.74 , 96.126.121.64 , 98.15.140.226
HVNC 1 13.232.142.19
Lokibot 3 107.175.150.73 , 209.127.19.34 , 31.184.253.234
PredatorTheThief 2 185.132.53.138 , 8.208.20.215
TrickBot 26 107.172.208.51 , 107.172.208.52 , 107.172.251.159 , 107.172.29.105 , 107.172.29.108 , 107.172.29.110 , 144.217.50.246 , 146.185.219.94 , 172.82.152.115 , 172.82.152.130 , 185.174.172.203 , 185.43.5.84 , 185.62.189.132 , 193.37.213.110 , 194.5.250.125 , 194.5.250.35 , 194.5.250.50 , 194.99.22.48 , 195.123.221.5 , 45.80.148.168 , 5.2.72.84 , 5.34.177.50 , 64.44.133.151 , 66.55.71.152 , 85.143.220.41 , 92.38.171.54
[Chart: Trojan C&C Servers Detected by family, from the table above: Heodo 64.4%, TrickBot 25.7%, the remaining families 4% or less each]

Common Malware

Each entry lists MD5, VirusTotal link, file name, claimed product and detection name.

MD5: c5608e40f6f47ad84e2985804957c342
VirusTotal: https://www.virustotal.com/gui/file/f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc/details
FileName: FlashHelperServices.exe
Claimed Product: FlashHelper Service
Detection Name: PUA:2144FlashPlayer-tpd

MD5: ef048c07855b3ef98bd991c413bc73b1
VirusTotal: https://www.virustotal.com/gui/file/a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1/details
FileName: xme64-501.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Razy::tpd

MD5: df432f05996cdd0973b3ceb48992c5ce
VirusTotal: https://www.virustotal.com/gui/file/49b9736191fdb2eb62b48e8a093418a2947e8d288f39b98d65a903c2ae6eb8f5/details
FileName: xme32-501-gcc.exe
Claimed Product: N/A
Detection Name: W32.49B9736191-100.SBX.TG

MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
FileName: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

MD5: f7145b132e23e3a55d2269a008395034
VirusTotal: https://www.virustotal.com/gui/file/8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6/details
FileName: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry lists CVE, title, vendor, description, CVSS v2 base score, date created and date updated.

CVE-2019-5434

Revive Adserver Remote Code Execution Vulnerability

revive-sas

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such a vulnerability could be used to perform various types of attacks, e.g. to exploit serialize-related PHP vulnerabilities or PHP object injection.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Date Created: 05/06/2019
Date Updated: 10/09/2019

CVE-2019-11932

Android-Gif-Drawable WhatsApp Double Free Vulnerability

WhatsApp

A double free vulnerability exists in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif, as used in WhatsApp for Android. The vulnerability allows remote attackers to execute arbitrary code or cause a denial of service.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Date Created: 10/03/2019
Date Updated: 12/05/2019

CVE-2019-10092

Apache Httpd mod_proxy Error Page Cross-Site Scripting Vulnerability

Multi-Vendor

A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Date Created: 09/26/2019
Date Updated: 09/30/2019

CVE-2019-11539

Pulse Secure VPN Arbitrary Command Execution Vulnerability

Pulse Secure

The Pulse Secure VPN admin web interface allows an authenticated attacker to inject and execute commands. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, hijack an arbitrary session and gain unauthorized access, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtain sensitive information, inject and execute arbitrary commands, and execute arbitrary code in the context of the application.

CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Date Created: 04/25/2019
Date Updated: 08/09/2019

CVE-2019-3568

WhatsApp VOIP Stack Buffer Overflow Vulnerability

WhatsApp

A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploits result in a denial-of-service condition.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Date Created: 05/14/2019
Date Updated: 08/13/2019
Details

Date Published: December 11, 2019