Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account.
In this edition, we cover:
- Mustang Panda PlugX Variant
- Cybercrime Forums
Roundup Highlight: Mustang Panda PlugX Variant Samples and Decryption Script
Our highlight in this Roundup is the Malware: PlugX (Mustang Panda Variant). ThreatConnect Research analyzed samples of a modified version of the remote access trojan (RAT) known as PlugX. According to Avira, the two significant enhancements in this version are:
- the ability to traverse via USB drives along with exfiltrating data to the drive on air gapped networks
- an additional network C2 communication protocol
Each sample was decrypted and analyzed, and the relevant findings for each are shared as an Incident associated to the Threat. The analysis includes information about each sample’s specific configuration, including hardcoded C2 Indicators, which are associated to each Incident. All related Indicators can be viewed in the Browse screen.
Additionally, we have shared the Ghidra script that was used to analyze the malware and extract the configurations here: Mustang Panda PlugX Config Extractor.
Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- Daily Emotet IoCs and Notes for 07/21/20 (Source: https://paste.cryptolaemus.com/emotet/2020/07/21/emotet-malware-IoCs_07-21-20.html)
- Daily Emotet IoCs and Notes for 07/20/20 (Source: https://paste.cryptolaemus.com/emotet/2020/07/20/emotet-malware-IoCs_07-20-20.html)
- Emotet C2 and RSA Key Update – 07/20/2020 13:30 (Source: https://paste.cryptolaemus.com/emotet/2020/07/20/emotet-c2-rsa-update-07-20-20-1.html)
- Threat Roundup for July 10 to July 17 (Source: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html)
- Scanning Activity for ZeroShell Unauthenticated Access, (Sun, Jul 19th) (Source: https://isc.sans.edu/diary/rss/26368)
- Exposing the Modern Cybercrime Ecosystem – A Compilation of Currently Active Cyberfrime-Friendly … (Source: https://ddanchev.blogspot.com/2020/07/exposing-modern-cybercrime-ecosystem_29.html)
To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.