[CDP-development] CISA - Pysa Golang RAT Indicators - TLP: AMBER

MASSE, THERESA theresa.masse at cisa.dhs.gov
Fri Jan 21 14:08:41 PST 2022


FYSA

CISA is sharing the attached (TLP:AMBER) Indicator Bulletin (IB) containing indicators of compromise (IOCs) sourced from a trusted third party and open-source research. The IB-22-10006 “Pysa Golang RAT Intrusion Observed on Network” contains IOCs related to activity observed in the Healthcare and Public Health (HPH) sector.

This information is provided "as is" for informational purposes only. The US-CERT (DHS) does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

The display of the DHS official seal or other DHS visual identities, including the US-CERT or ICS-CERT name or logo shall not be interpreted to provide any person or organization the authorization to use the official seal, insignia or other visual identities of the Department of Homeland Security, including US-CERT and ICS-CERT. The DHS seal, insignia, or other visual identities shall not be used in any manner to imply endorsement of any commercial product or activity by DHS, US-CERT, ICS-CERT or the United States Government. Use of the DHS seal without proper authorization violates federal law (e.g., 18 U.S.C. §§ 506, 701, 1017), and is against DHS policies governing usage of its seal.

The Department of Homeland Security does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by DHS.

We kindly request any incidents related to this product be reported to CISA at https://us-cert.cisa.gov/report, Central at cisa.dhs.gov, or 888-282-0870.


Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: TLP_AMBER_IB-22-10006_Pysa_Golang_RAT_Intrusion_Observed_on_Network.txt
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20220121/45edc38a/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TLP_AMBER_IB-22-10006.csv
Type: application/octet-stream
Size: 3484 bytes
Desc: TLP_AMBER_IB-22-10006.csv
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20220121/45edc38a/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TLP_AMBER_IB-22-10006.stix.xml
Type: application/xml
Size: 44368 bytes
Desc: TLP_AMBER_IB-22-10006.stix.xml
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20220121/45edc38a/attachment-0001.wsdl>

