threat-intelligence-report


Trends

  • The top attacker country was China with 195228 unique attackers (33.00%).
  • The top Trojan C&C server detected was Lokibot with 33 instances detected.


Top Attackers By Country

CountryOccurencesPercentage
China19522833.00%
Australia11741020.00%
Canada7624813.00%
South Africa514838.00%
United Kingdom280684.00%
Chile279164.00%
Bangladesh166842.00%
Russia100591.00%
United States99701.00%
France90331.00%
Vietnam29930%
Italy24910%
India24230%
Indonesia23180%
Thailand15850%
Hong Kong12250%
Seychelles9210%
Hungary7900%
Latvia7620%


Threat Geo-location


Top Attacking Hosts

HostOccurrences
112.85.42.18732773
181.43.56.6627667
202.164.212.24216684
49.88.112.11616193
49.88.112.7610832
112.85.42.18810150
218.92.0.1908553
45.141.84.255557
149.202.87.54648
49.88.112.1124303
222.186.180.1302370
222.186.30.762316

 


Top Network Attackers

ASNCountryName
4837ChinaCHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
6471ChileENTEL CHILE S.A., CL
38026BangladeshMNBL-TRANSIT-AS-AP MetroNet Bangladesh Limited, Fiber Optic Based Metropolitan Data, BD
4134ChinaCHINANET-BACKBONE No.31,Jin-rong Street, CN
206728RussiaMEDIALAND-AS, RU
16276FranceOVH, FR
23650ChinaCHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN


Remote Access Trojan C&C Servers Found

NameNumber DiscoveredLocation
AgentTesla195.163.248.15
Anubis13185.31.163.148 , 198.54.117.244 , 1.pestola.online , 69.com , 72.18.132.133 , borjomi-ge.club , doktorlar.com , elka929.club , pinpong.top , rxetcryvtubyinurxetcryvtubyinumcryvetucaybnu.com , vitel.top , www.newtest456678.top , yourdarkside.club
AZORult420.36.46.115 , 217.160.59.64 , 45.143.138.38 , 95.163.214.100
Betabot1170.106.50.37
BorrStealer8141.8.192.46 , 176.57.69.214 , 185.178.208.176 , 209.182.217.85 , 212.86.115.244 , 45.132.105.97 , 45.14.14.38 , gwujbwnug381u2hgb22hg172.fun
Heodo29101.141.5.17 , 110.232.188.29 , 129.205.201.163 , 149.210.171.237 , 152.169.31.120 , 173.24.68.195 , 174.53.195.88 , 182.71.222.187 , 187.162.248.237 , 189.235.233.119 , 213.107.110.252 , 213.60.19.245 , 24.167.122.146 , 37.211.90.253 , 42.115.22.145 , 45.118.133.154 , 47.155.214.239 , 50.251.171.165 , 5.32.84.54 , 64.207.176.4 , 70.187.114.147 , 71.126.247.90 , 71.197.197.100 , 71.222.233.135 , 76.86.17.1 , 78.188.33.71 , 85.100.115.92 , 91.74.88.6 , 98.15.121.180
KPOT8104.24.125.192 , 111.90.142.112 , 161.117.184.53 , 176.57.217.21 , 190.97.166.142 , 192.64.119.14 , 8.208.26.77 , 89.105.202.59
Lokibot33103.21.59.27 , 103.74.123.3 , 104.223.170.113 , 104.24.100.123 , 104.27.156.253 , 104.31.70.73 , 104.31.78.250 , 104.31.89.164 , 107.175.150.73 , 111.90.156.119 , 162.241.6.97 , 170.106.50.37 , 173.247.252.61 , 176.107.160.198 , 176.126.201.11 , 176.32.33.34 , 192.185.119.161 , 192.185.88.246 , 192.185.92.174 , 192.185.92.183 , 193.142.59.96 , 198.23.200.241 , 207.174.213.181 , 45.143.138.38 , 45.252.248.29 , 46.165.223.4 , 66.85.173.45 , 68.183.42.186 , 89.208.196.16 , 89.208.84.96 , 89.37.226.146 , 95.163.212.79 , noniwire7.website
Pony1107.175.150.73
Raccoon534.65.176.45 , 34.77.125.60 , 35.204.238.220 , 35.228.28.245 , 35.246.8.131
SmokeLoader145.141.86.24
Tables145.141.86.52
TrickBot26107.172.165.149 , 146.185.253.181 , 185.11.146.86 , 185.186.77.222 , 185.65.202.240 , 185.99.2.52 , 188.227.84.209 , 193.26.217.243 , 194.5.250.52 , 195.123.219.69 , 195.123.220.154 , 23.95.231.164 , 45.148.120.13 , 45.148.120.31 , 46.229.213.27 , 51.254.164.240 , 51.89.73.154 , 5.2.77.18 , 5.2.78.70 , 5.2.78.77 , 5.34.177.40 , 64.44.133.39 , 66.85.173.20 , 81.177.180.254 , 85.204.116.84 , 88.99.112.87
Unknown3217.29.57.164 , 45.80.68.4 , 5.8.88.189
Vidar1185.99.133.188


Common Malware

MD5VirusTotalFileNameClaimed ProductDetection Name
47b97de62ae8b2b927542aa5d7f3c858https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/detailsqmreportupload.exeqmreportuploadWin.Trojan.Generic::in10.talos
7c38a43d2ed9af80932749f6e80fea6fhttps://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/detailsxme64-520.exeN/APUA.Win.File.Coinminer::1201
88cbadec77cf90357f46a3629b6737e6https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/detailsFlashHelperServices.exeFlashHelperServicesPUA.Win.File.2144flashplayer::tpd
8c80dd97c37525927c1e549cb59bcbf3https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detailseternalblue-2.2.0.exeN/AW32.85B936960F.5A5226262.auto.Talos
e2ea315d9a83e7577053f52c974f6a5ahttps://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detailsc3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
N/A


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, VendorDescriptionCVSS v2 Base ScoreDate CreatedDate Updated

CVE-2019-18426

whatsapp Cross-Site Scripting Vulnerability

whatsapp

A vulnerability in WhatsApp Desktop versions when paired with WhatsApp for iPhone versions allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.5.8(AV:N/AC:M/Au:N/C:P/I:P/A:N)01/21/202001/29/2020

CVE-2019-16027

Cisco IOS XR Software Intermediate System-to-Intermediate System Denial of Service Vulnerability

Cisco

A vulnerability in the implementation of the Intermediate System-to-Intermediate System (IS-IS) routing protocol functionality in Cisco IOS XR Software could allow an authenticated, remote attacker to cause a denial of service condition in the IS-IS process. The vulnerability is due to improper handling of a SNMP request for specific Object Identifiers OIDs by the IS-IS process. An attacker could exploit this vulnerability by sending a crafted SNMP request to the affected device.4.0(AV:N/AC:L/Au:S/C:N/I:N/A:P)01/26/202001/31/2020

CVE-2019-16516

ConnectWise Control User Enumeration Information Disclosure Vulnerability

ConnectWise

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect). ConnectWise Control is vulnerable to a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username.5.0(AV:N/AC:L/Au:N/C:P/I:N/A:N)01/23/202001/28/2020

CVE-2020-8417

WordPress Code Snippets Plugin Remote Code Execution Vulnerability

WordPress

WordPress plugin code snippets is vulnerable to cross site request forgery. Plugin's import function does not provide protection against CSRF. This vulnerability leads to Remote Code Execution. An attacker could possibly exploit this vulnerability and gain access to sensitive information.7.5(AV:N/AC:M/Au:S/C:C/I:P/A:P)01/28/202002/06/2020

CVE-2012-6114

pyrad Password Hash Information Disclosure Vulnerability and Packet Spoofing Vulnerability

pyrad

pyrad is prone to an information disclosure vulnerability and a packet spoofing vulnerability. An attacker can exploit these issue to obtain sensitive information through man in the middle attacks and spoof packet IDs that may lead to further attacks.4.3(AV:N/AC:M/Au:N/C:P/I:N/A:N)01/28/202002/07/2020
Details
Date Published
February 11, 2020