Trends

  • The top attacker country was China with 941,679 unique attackers (37.00% of the total).
  • The top Trojan C&C family detected was TrickBot, with 18 servers identified.


Top Attackers By Country

Country | Occurrences | Percentage
China | 941,679 | 37.00%
Australia | 476,439 | 19.00%
South Africa | 151,548 | 6.00%
Russia | 138,560 | 5.00%
United States | 135,021 | 5.00%
India | 88,266 | 3.00%
Chile | 87,342 | 3.00%
United Kingdom | 76,755 | 3.00%
South Korea | 60,910 | 2.00%
Germany | 57,410 | 2.00%
Thailand | 36,265 | 1.00%
France | 28,993 | 1.00%
Vietnam | 22,892 | <1%
Brazil | 18,867 | <1%
Italy | 14,919 | <1%
Taiwan | 6,748 | <1%
Romania | 6,384 | <1%
Estonia | 4,285 | <1%
Dominican Republic | 2,909 | <1%


Threat Geo-location

(World map of attack sources; legend scale runs from 2,909 to 941,679 attacks per country.)


Top Attacking Hosts

Host | Occurrences
112.85.42.187 | 35,686
89.248.168.221 | 24,353
94.102.53.112 | 21,105
181.43.214.78 | 20,855
94.102.49.159 | 19,988
195.54.166.29 | 16,528
112.85.42.88 | 13,132
49.88.112.114 | 11,827
49.50.69.85 | 11,359
80.82.65.60 | 10,854
112.85.42.188 | 9,569
185.40.4.116 | 8,034
139.99.187.23 | 7,711
92.63.196.3 | 7,139
121.36.44.62 | 6,564
121.218.128.50 | 6,044


Top Network Attackers

ASN | Country | Name
49505 | Russia | SELECTEL, RU
50113 | Russia | SUPERSERVERSDATACENTER, RU
35582 | Russia | CHISTYAKOV, RU


Remote Access Trojan C&C Servers Found

Name | Number Discovered | Location
Amadey | 1 | 217.8.117.89
BetaBot | 1 | 193.38.54.155
BlackBot | 1 | 193.38.54.155
Flexnet | 4 | 45.141.84.31, 45.141.84.32, 45.141.86.209, 45.141.86.79
Guadox | 1 | 193.38.54.155
H1N1 | 1 | 193.38.54.155
Heodo | 4 | 186.188.222.3, 195.76.232.114, 196.179.249.218, 85.94.170.73
KatyushaPro | 1 | 45.141.86.143
Keitaro | 3 | 46.249.62.206, 46.249.62.253, 91.219.239.183
KPOT | 11 | 101.99.75.21, 104.27.156.242, 162.0.230.107, 172.105.3.120, 192.64.115.242, 213.226.100.185, 5.101.50.191, 5.53.125.153, 8.208.77.208, 8.208.89.38, gatehub.services
Lokibot | 13 | 103.21.59.27, 104.237.252.50, 104.24.109.135, 104.27.144.219, 104.27.154.111, 104.28.12.250, 157.52.211.247, 162.215.255.4, 185.55.225.217, 190.61.250.140, 45.143.138.142, 92.42.34.215, rnarport.com
Oski | 1 | 195.133.147.113
PredatorTheThief | 11 | 141.8.193.236, 177.55.116.76, 185.178.208.137, 185.50.25.17, 5.23.50.132, 5.23.50.190, 81.177.141.121, 81.177.141.22, 8.209.73.155, 92.53.96.169, nelujan.beget.tech
Taurus | 6 | 104.18.44.216, 104.27.152.168, 104.28.17.29, 185.141.62.31, 185.219.83.222, bit-browser.gq
TeamViewerBot | 1 | 193.38.54.155
TrickBot | 18 | 144.91.64.194, 144.91.76.208, 158.69.133.68, 185.105.1.225, 185.164.32.164, 185.164.32.167, 185.205.209.101, 193.38.54.106, 194.5.250.211, 194.5.250.214, 45.148.120.176, 5.101.50.173, 51.89.177.14, 5.9.178.74, 62.108.35.45, 79.137.100.4, 85.204.116.18, 85.204.116.182
ZyklonHTTP | 1 | 193.38.54.155
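The C&C table above is only useful once it is turned into a lookup that can be run against network logs, and the raw list hides two things a defender wants to see: the same address 193.38.54.155 is listed under six different families, and several families sit in the same /24. The following is an added example written for this report, not tooling from the report's author. It transcribes the indicators from the table into a dictionary, flags indicators and /24 networks shared across families, and matches the indicators against a few constructed firewall, DNS and proxy log lines (the log lines and host names in them are made up for the example).

```python
import ipaddress
import re
from collections import defaultdict

# C&C indicators transcribed from the "Remote Access Trojan C&C Servers Found"
# table above (family -> comma-separated IPs and domains).
CNC_TABLE = {
    "Amadey": "217.8.117.89",
    "BetaBot": "193.38.54.155",
    "BlackBot": "193.38.54.155",
    "Flexnet": "45.141.84.31, 45.141.84.32, 45.141.86.209, 45.141.86.79",
    "Guadox": "193.38.54.155",
    "H1N1": "193.38.54.155",
    "Heodo": "186.188.222.3, 195.76.232.114, 196.179.249.218, 85.94.170.73",
    "KatyushaPro": "45.141.86.143",
    "Keitaro": "46.249.62.206, 46.249.62.253, 91.219.239.183",
    "KPOT": "101.99.75.21, 104.27.156.242, 162.0.230.107, 172.105.3.120, 192.64.115.242, "
            "213.226.100.185, 5.101.50.191, 5.53.125.153, 8.208.77.208, 8.208.89.38, gatehub.services",
    "Lokibot": "103.21.59.27, 104.237.252.50, 104.24.109.135, 104.27.144.219, 104.27.154.111, "
               "104.28.12.250, 157.52.211.247, 162.215.255.4, 185.55.225.217, 190.61.250.140, "
               "45.143.138.142, 92.42.34.215, rnarport.com",
    "Oski": "195.133.147.113",
    "PredatorTheThief": "141.8.193.236, 177.55.116.76, 185.178.208.137, 185.50.25.17, 5.23.50.132, "
                        "5.23.50.190, 81.177.141.121, 81.177.141.22, 8.209.73.155, 92.53.96.169, nelujan.beget.tech",
    "Taurus": "104.18.44.216, 104.27.152.168, 104.28.17.29, 185.141.62.31, 185.219.83.222, bit-browser.gq",
    "TeamViewerBot": "193.38.54.155",
    "TrickBot": "144.91.64.194, 144.91.76.208, 158.69.133.68, 185.105.1.225, 185.164.32.164, "
                "185.164.32.167, 185.205.209.101, 193.38.54.106, 194.5.250.211, 194.5.250.214, "
                "45.148.120.176, 5.101.50.173, 51.89.177.14, 5.9.178.74, 62.108.35.45, 79.137.100.4, "
                "85.204.116.18, 85.204.116.182",
    "ZyklonHTTP": "193.38.54.155",
}

# Constructed log lines for the example (not real telemetry); hosts and internal IPs are invented.
SAMPLE_LOGS = [
    "2020-05-11T09:14:02Z fw01 action=deny src=10.20.5.17 dst=193.38.54.155 dport=443 proto=tcp",
    "2020-05-11T09:14:05Z dns01 client=10.20.5.17 qname=rnarport.com qtype=A",
    "2020-05-11T09:15:40Z fw01 action=allow src=10.20.5.18 dst=8.8.8.8 dport=53 proto=udp",
    "2020-05-11T09:16:11Z proxy01 client=10.20.5.19 host=bit-browser.gq url=/gate.php status=200",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def build_index(table):
    """Map each indicator to the families using it, and each IPv4 /24 to the families in it."""
    by_ioc = defaultdict(set)
    by_net = defaultdict(set)
    for family, raw in table.items():
        for ioc in (x.strip().lower() for x in raw.split(",")):
            by_ioc[ioc].add(family)
            try:
                net = ipaddress.ip_network(f"{ioc}/24", strict=False)
            except ValueError:
                continue  # domain names have no /24
            by_net[str(net)].add(family)
    return by_ioc, by_net


def shared_indicators(by_ioc):
    """Indicators listed under more than one family (shared or resold infrastructure)."""
    return {ioc: fams for ioc, fams in by_ioc.items() if len(fams) > 1}


def shared_networks(by_net):
    """/24 networks hosting C&C servers of more than one family."""
    return {net: fams for net, fams in by_net.items() if len(fams) > 1}


def match_logs(lines, by_ioc):
    """Return (line_index, indicator, sorted families) for every log line touching an indicator."""
    hits = []
    for idx, line in enumerate(lines):
        lowered = line.lower()
        candidates = set(IPV4_RE.findall(lowered)) | set(DOMAIN_RE.findall(lowered))
        for ioc in sorted(candidates):
            if ioc in by_ioc:
                hits.append((idx, ioc, sorted(by_ioc[ioc])))
    return hits


if __name__ == "__main__":
    ioc_index, net_index = build_index(CNC_TABLE)
    print(f"{len(ioc_index)} unique indicators")
    print("shared indicators:", shared_indicators(ioc_index))
    print("shared /24s:", shared_networks(net_index))
    for idx, ioc, fams in match_logs(SAMPLE_LOGS, ioc_index):
        print(f"line {idx}: {ioc} -> {', '.join(fams)}")
```

Matching on the bare /24 is deliberately noisy and is reported separately from exact hits: it is a hunting lead (the Flexnet and KatyushaPro servers share 45.141.86.0/24, KPOT and TrickBot share 5.101.50.0/24), not a blocking rule, since several of the listed addresses sit in shared hosting and CDN ranges where a /24 block would cause collateral damage.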


Common Malware

MD5 | VirusTotal | File Name | Claimed Product | Detection Name
c6dc7326766f3769575caa3ccab71f63 | https://www.virustotal.com/gui/file/fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4/details | wupxarch.exe | N/A | Win.Dropper.Ranumbot::in03.talos
47b97de62ae8b2b927542aa5d7f3c858 | https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details | qmreportupload.exe | qmreportupload | Win.Trojan.Generic::in10.talos
8c80dd97c37525927c1e549cb59bcbf3 | https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details | Eternalblue-2.2.0.exe | N/A | W32.85B936960F.5A5226262.auto.Talos
e2ea315d9a83e7577053f52c974f6a5a | https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details | Tempmf582901854.exe | N/A | W32.AgentWDCR:Gen.21gn.1201
799b30f47060ca05d80ece53866e01cc | https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details | mf2016341595.exe | N/A | W32.Generic:Gen.22fz.1201


Top Phishing Campaigns

Phishing Target | Count


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor | Description | CVSS v3 Base Score | Date Created | Date Updated

CVE-2020-11651

Saltstack Remote Code Execution Vulnerability

Multi-Vendor

An issue was discovered in SaltStack Salt where the salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/30/2020 | Date Updated: 05/08/2020

CVE-2020-0932

Microsoft SharePoint Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/15/2020 | Date Updated: 04/17/2020

CVE-2020-2883

Oracle WebLogic Server T3 Protocol Deserialization of Untrusted Data Remote Code Execution Vulnerability

Oracle

The Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks can result in takeover of Oracle WebLogic Server.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/15/2020 | Date Updated: 04/16/2020

CVE-2020-9294

FortiMail Authentication Bypass Vulnerability

Fortiguard

An improper authentication vulnerability in FortiMail may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/27/2020 | Date Updated: 05/04/2020

CVE-2020-0558

Intel Wi-Fi Products Denial of Service Vulnerability

Intel

Improper buffer restrictions in the kernel mode driver for Intel PROSet/Wireless WiFi products on Windows 10 may allow an unprivileged user to potentially enable denial of service via adjacent access.
CVSS v3 Base Score: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Date Created: 04/15/2020 | Date Updated: 04/23/2020

CVE-2020-0796

Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 03/12/2020 | Date Updated: 03/31/2020

CVE-2020-0674

Microsoft Scripting Engine Memory Corruption Vulnerability

Microsoft

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date Created: 02/11/2020 | Date Updated: 05/08/2020
Tuesday, May 12, 2020 By john