Chris
@phage.nz
High Tech, Low Life | curatedintel.org Team
Over the past month I've seen intermittent runs of a campaign that uses novel methods to deliver stealer malware. This draws similarities with what was described by Blackberry in February: blogs.blackberry.com/en/2023/02/b... Techniques include JS delivery, steganography and reflective loading.
October 20, 2023 at 2:52 AM
IcedID. Reviving old tricks. danceharddiehard[.]com > 1azure[.]com > ZIP > ISO > LNK > BAT > rundll32. C2: mistulinno[.]com (as seen in the campaign detailed by Cryptolaemus1 on X this morning) Sample: tria.ge/231019-3d1wm...
October 20, 2023 at 2:41 AM
IcedID. PDF > ZIP > JS > CMD > Curl > 7Z (PW protected) > DLL. ZIP: hXXps://newssarkari[.]in/directions (via ad68e[.]app[.]goo[.]gl) 7Z: hXXps://gardenconceptstudio[.]pl/wp-includes/js/tinymce/plugins/compat3x/css/5673.7z C2: minutozhart[.]online Sample: tria.ge/230913-2nkfy...
September 13, 2023 at 11:06 PM
Great work by Wiz, as always. Certainly leaves far more questions than answers.
Compromised Microsoft Key: More Impactful Than We Thought | Wiz Blog
Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally ass...
www.wiz.io
July 24, 2023 at 8:13 AM
Remcos RAT. URL (komamin[.]net) > ZIP > VBS > PS > ielowutil. Payload: 103.10.68[.]110/zimbra/gVCeM32.bin (opendir)
C2: septrem.duckdns[.]org:2424 Sample: https://tria.ge/230717-2c6vtafa63
July 17, 2023 at 11:37 PM
Brilliant new project from Curated Intel lads @bushidotoken.net and Freddy. "The Threat Actor Profile Guide for CTI Analysts".
The Threat Actor Profile Guide for CTI Analysts
Threat actor profiles are made for a range of reasons. An example trigger for creating a new profile can include after an incident, e.g., a...
www.curatedintel.org
July 14, 2023 at 4:55 AM
Interestingly, Microsoft released the advisory for CVE-2023-36884 without any associated patch. However, both the update guidance and this blog post include some great hardening advice which is effective well beyond just the exploitation of this vulnerability.
Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse ...
www.microsoft.com
July 12, 2023 at 6:35 AM
Remcos RAT. Discord hosted JS. WScript > PowerShell > PowerShell > InstallUtil. Script parts hosted on Pastebin and WTOOLS. Runkey persistence. PowerShell obfuscation in one script is broken. C2: salwanazeeze.ddns[.]net:9595 Sample: https://tria.ge/230710-3hnf4aeh9z
July 11, 2023 at 12:24 AM
Deepfake crypto scam with 90k+ views still up after 10 hours on a verified account with 58k followers. Common scam kit.
July 8, 2023 at 8:42 AM
Neat new project: a spreadsheet that outlines methods and data sources for analysing adversary infrastructure: https://docs.google.com/spreadsheets/d/1oBOW5qGJstWYg3qXwSK12MHav4Pz6rzP77FzSB2IEeY/edit?pli=1#gid=1591959748 The author has also produced an accompanying blog post - linked below.
Squeezing the lemons out of IoCs - a methodical analysis of network infrastructure.
One of the most common problems CTI analysts face is using the data they have collected to uncover further elements of hostile activity, the so-called "pivoting". The simp...
counterintelligence.pl
July 5, 2023 at 3:07 AM
Remcos RAT. ZIP > EXE (.BAT extension). DLL sideloaded into easinvoker.exe to set a Defender exclusion for C:\Users with PowerShell. OVPN C2. Config: https://pastebin.com/raw/NsnRP6fw Sample: https://tria.ge/230705-avk8aaaa84
July 5, 2023 at 1:34 AM
Hello Bluesky. Hope you're well today.
July 5, 2023 at 1:33 AM
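The infection-chain posts above share indicators in defanged form (`[.]`, `hXXps`) while sandbox and paste links are left intact. The following is an added example, not the author's tooling, of how to pull those indicators back out of free-text posts: it refangs only the tokens the analyst defanged, classifies each as a URL, IPv4 or domain (keeping a `host:port` C2 intact), and leaves the tria.ge sample links alone. The sample text is constructed from excerpts of the posts on this page; the regexes and the `Ioc` record are this example's own.

```python
"""Refang and extract defanged IOCs from free-text threat-intel posts.

Added example (not the page author's code). Only tokens that carry a
defanging marker are treated as indicators; everything else in the post
(sandbox links, paste URLs, file names) is assumed to be the analyst's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Defanging conventions seen in the posts above, plus a few common variants.
DEFANG_MARKERS = re.compile(r"hxxp|\[\.\]|\(\.\)|\[dot\]|\[:\]|\[@\]", re.I)

_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_HOST = r"(?:[a-z0-9-]+\.)+[a-z]{2,}"
_IP_RE = re.compile(rf"^{_IPV4}(?::\d{{1,5}})?$")
_HOST_RE = re.compile(rf"^{_HOST}(?::\d{{1,5}})?$", re.I)
# Scheme is optional so a bare "host/path" payload location still counts as a URL.
_URL_RE = re.compile(rf"^(?:https?://)?(?:{_IPV4}|{_HOST})(?::\d{{1,5}})?/\S*$", re.I)


@dataclass(frozen=True)
class Ioc:
    kind: str   # "url", "ipv4" or "domain"
    value: str  # refanged form, ready for a blocklist or a pivot query
    raw: str    # token exactly as the analyst posted it


def refang(token: str) -> str:
    """Undo hXXp, [.], (.), [dot], [:] and [@] defanging."""
    s = re.sub(r"hxxp", "http", token, flags=re.I)
    s = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", s, flags=re.I)
    return s.replace("[:]", ":").replace("[@]", "@")


def classify(value: str) -> Optional[str]:
    """Return the indicator type of a refanged token, or None if it is not one."""
    if _URL_RE.match(value):
        return "url"
    if _IP_RE.match(value):
        return "ipv4"
    if _HOST_RE.match(value):
        return "domain"
    return None


def extract_iocs(text: str) -> list:
    """Yield unique indicators from a post, preserving first-seen order."""
    found = []
    seen = set()
    for tok in text.split():
        if not DEFANG_MARKERS.search(tok):
            continue  # not defanged: sandbox link, file name, prose
        raw = tok.strip("()<>,;:\"'.")  # shed surrounding punctuation only
        value = refang(raw)
        kind = classify(value)
        if kind and (kind, value) not in seen:
            seen.add((kind, value))
            found.append(Ioc(kind, value, raw))
    return found


# Constructed sample: excerpts of posts from this page, kept verbatim so the
# defanging conventions exercised are the real ones.
SAMPLE_POSTS = """\
IcedID. danceharddiehard[.]com > 1azure[.]com > ZIP > ISO > LNK > BAT > rundll32. C2: mistulinno[.]com Sample: tria.ge/231019-3d1wm...
IcedID. ZIP: hXXps://newssarkari[.]in/directions (via ad68e[.]app[.]goo[.]gl) C2: minutozhart[.]online Sample: tria.ge/230913-2nkfy...
Remcos RAT. URL (komamin[.]net) > ZIP > VBS > PS > ielowutil. Payload: 103.10.68[.]110/zimbra/gVCeM32.bin (opendir)
C2: septrem.duckdns[.]org:2424 Sample: https://tria.ge/230717-2c6vtafa63
Remcos RAT. C2: salwanazeeze.ddns[.]net:9595 Sample: https://tria.ge/230710-3hnf4aeh9z
"""

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_POSTS):
        print(f"{ioc.kind:6} {ioc.value}")
```

Relying on the defang marker as the "this is hostile" signal is a deliberate choice: it mirrors how analysts actually write these posts, and it avoids a blocklist entry for tria.ge or pastebin.com. The cost is that an indicator the author forgot to defang is missed, so treat the output as a first pass, not a complete feed.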