Chris
@phage.nz
High Tech, Low Life | curatedintel.org Team
Over the past month I've seen intermittent runs of a campaign that uses novel methods to deliver stealer malware. This draws similarities with what was described by Blackberry in February: blogs.blackberry.com/en/2023/02/b... Techniques include JS delivery, steganography and reflective loading.
October 20, 2023 at 2:52 AM
IcedID. Reviving old tricks. danceharddiehard[.]com > 1azure[.]com > ZIP > ISO > LNK > BAT > rundll32. C2: mistulinno[.]com (as seen in the campaign detailed by Cryptolaemus1 on X this morning) Sample: tria.ge/231019-3d1wm...
October 20, 2023 at 2:41 AM
IcedID. PDF > ZIP > JS > CMD > Curl > 7Z (PW protected) > DLL. ZIP: hXXps://newssarkari[.]in/directions (via ad68e[.]app[.]goo[.]gl) 7Z: hXXps://gardenconceptstudio[.]pl/wp-includes/js/tinymce/plugins/compat3x/css/5673.7z C2: minutozhart[.]online Sample: tria.ge/230913-2nkfy...
September 13, 2023 at 11:06 PM
Remcos RAT. URL (komamin[.]net) > ZIP > VBS > PS > ielowutil. Payload: 103.10.68[.]110/zimbra/gVCeM32.bin (opendir) C2: septrem.duckdns[.]org:2424 Sample: https://tria.ge/230717-2c6vtafa63
July 17, 2023 at 11:37 PM
Remcos RAT. Discord hosted JS. WScript > PowerShell > PowerShell > InstallUtil. Script parts hosted on Pastebin and WTOOLS. Runkey persistence. PowerShell obfuscation in one script is broken. C2: salwanazeeze.ddns[.]net:9595 Sample: https://tria.ge/230710-3hnf4aeh9z
July 11, 2023 at 12:24 AM
Deepfake crypto scam with 90k+ views still up after 10 hours on a verified account with 58k followers. Common scam kit.
July 8, 2023 at 8:42 AM
Remcos RAT. ZIP > EXE (.BAT extension). DLL sideloaded into easinvoker.exe to set a Defender exclusion for C:\Users with PowerShell. OVPN C2. Config: https://pastebin.com/raw/NsnRP6fw Sample: https://tria.ge/230705-avk8aaaa84
July 5, 2023 at 1:34 AM
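Two of the Remcos posts above describe behaviours that leave a clear trace in PowerShell logging: a Defender exclusion being set on C:\Users, and Run-key persistence. The following is an added example, not code from the author or from any of the samples linked in the posts. It scans PowerShell script-block text (the content recorded as event 4104 in the Microsoft-Windows-PowerShell/Operational log when script block logging is enabled) for both behaviours. The sample lines are constructed for this example; the cmdlet names and registry path are real.

```python
"""Triage PowerShell script-block text for two behaviours seen in the posts above:
Defender exclusions being added and Run-key persistence.
The sample lines below are constructed for this example, not taken from the samples."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str    # "defender_exclusion" or "run_key_persistence"
    detail: str  # the excluded path/process/extension, or the offending line


# Add-MpPreference / Set-MpPreference with a full -ExclusionPath/-ExclusionProcess/
# -ExclusionExtension parameter. PowerShell is case-insensitive, so the regex is too.
# Only the first value after the parameter is captured; comma-separated lists would
# need to be split by the caller.
_EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\n]*?-Exclusion(?:Path|Process|Extension)\s+"
    r"(?P<value>\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)

# Writes to the per-user or machine Run key, either through the registry provider
# (Set-ItemProperty / New-ItemProperty) or by shelling out to reg.exe add.
_RUNKEY_RE = re.compile(
    r"(?:Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add)\b[^\n]*?"
    r"(?:HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)[:\\]+"
    r"Software\\Microsoft\\Windows\\CurrentVersion\\Run\b",
    re.IGNORECASE,
)

# Constructed script-block text. Line 2 mirrors the Defender exclusion described in
# the easinvoker.exe sideloading post; line 3 mirrors the Run-key persistence
# described in the Discord/Pastebin post. Lines 1 and 4 are benign.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-MpPreference | Select-Object ExclusionPath",
    'Add-MpPreference -ExclusionPath "C:\\Users"',
    "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name Updater -Value 'C:\\Users\\Public\\u.vbs'",
    "Write-Host 'hello'",
]


def scan_script_blocks(lines: List[str]) -> List[Finding]:
    """Return one Finding per matched behaviour, in line order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = _EXCLUSION_RE.search(line)
        if m:
            findings.append(Finding(n, "defender_exclusion", m.group("value").strip("\"'")))
        if _RUNKEY_RE.search(line):
            findings.append(Finding(n, "run_key_persistence", line.strip()))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings by kind, e.g. {"defender_exclusion": 1, "run_key_persistence": 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

An exclusion on a whole profile tree such as C:\Users is worth alerting on regardless of who ran it; legitimate exclusions are normally narrow and set by management tooling rather than by an interactive or script-launched PowerShell process.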