I'm just here for the malware and the memes

Joined June 2016
463 Photos and videos
Pinned Tweet
For those with access to a SIEM with email headers, things to watch with email campaigns like emotet:
Patterns in:
Message-ID
X-Mailer
URLs in message body
Filenames
Sender host IP/Domain
Obvious sender spoof attempts
1
7
25
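One way to pivot on those header fields with stdlib Python, as an added example that is not the tweet author's code. The sample messages, domains, IPs and filename are constructed placeholders, and the spoof check is the cheap Return-Path/Reply-To vs From comparison only.

```python
import re
from email import message_from_string, policy
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(addr):  # domain of 'Name <user@host>' / '<id@host>', lower-cased
    m = re.search(r"@([\w.-]+)>?\s*$", addr or "")
    return m.group(1).lower() if m else ""

def extract_features(raw):  # pivot fields from one raw RFC 5322 message
    msg = message_from_string(raw, policy=policy.default)
    ips = [m.group(1) for r in msg.get_all("Received", []) for m in IP_RE.finditer(r)]
    body = msg.get_body(preferencelist=("plain", "html"))
    from_dom = domain_of(msg["From"])
    # Cheap spoof check: Return-Path or Reply-To domain disagrees with From.
    other = {domain_of(msg[h]) for h in ("Return-Path", "Reply-To") if msg[h]}
    return {"message_id_domain": domain_of(msg["Message-ID"]),
            "x_mailer": str(msg.get("X-Mailer", "")),
            "urls": URL_RE.findall(body.get_content()) if body else [],
            "filenames": [p.get_filename() for p in msg.iter_attachments() if p.get_filename()],
            "sender_ip": ips[0] if ips else "",
            "from_domain": from_dom,
            "spoof_suspect": any(d != from_dom for d in other)}

def cluster(raw_messages):  # group by (X-Mailer, Message-ID domain): one sending kit
    groups = {}
    for f in map(extract_features, raw_messages):
        groups.setdefault((f["x_mailer"], f["message_id_domain"]), []).append(f)
    return groups

# Constructed samples; every domain, IP and filename below is a placeholder.
SAMPLE_A = """\
Received: from mx.kit.invalid (mx.kit.invalid [198.51.100.7]) by mail.corp.invalid
Return-Path: <bounce@kit.invalid>
From: "Finance" <finance@vendor.invalid>
Message-ID: <a1b2@kit.invalid>
X-Mailer: BulkMailer 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

See http://dl.kit.invalid/doc.php
--B
Content-Disposition: attachment; filename="Invoice_123.doc"

data
--B--
"""
# Same kit, rotated sender address and Message-ID: should land in the same cluster.
SAMPLE_B = SAMPLE_A.replace("finance@vendor.invalid", "hr@another.invalid").replace("<a1b2@", "<c3d4@")
```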
Suspicious Link retweeted
Replying to @redcanary
@redcanary I am seeing similar activity to your redcanary.com/blog/intellige… from last May. Changed from support.onli-ne[.]com to support.dwnload[.]online Then: ps.c-0[.]uk/in.mp3 This is taking screenshots of the user's device and sending to dll[.]lat. I am seeing 502 right now.
1
1
3
261
Suspicious Link retweeted
23 Oct 2023
[REPOST, TYPO IN IOC] #MineBridge #IOC 88.119.169.193 (SSH) 194.15.112.147 (SSH) hxxps://virtualsecretaryservices[.]com/online/tunupd.php (SSH config) 2baserec[.]xyz 2baserec2[.]guru If anyone knows anything about that campaign and/or stealer component, feel free to share :)
2
1
679
Suspicious Link retweeted
Another active campaign by Vietnamese 🇻🇳 threat actors targeting content creators and advertisers among others. ⛓️ @Facebook Ad > @Google Sites > @Dropbox download > protected .zip > .msi > .bat > load Chrome extension with ai[.]google > steal data from Facebook Business accounts 💵 Exfiltration to: managedkv[.]com FB profile: /web.facebook.com/Marketing.GoogleAI Google Site: /sites.google.com/view/g-aimarketing/ad Apparently someone monitors connections as they take down profiles and websites when they detect something suspicious 😏 H/T @milannshrestga [ ] Setup.msi: bazaar.abuse.ch/sample/8c072… [ ] background.js: bazaar.abuse.ch/sample/19e8f… [ ] setup.bat: bazaar.abuse.ch/sample/05c3f… REF: malwarebytes.com/blog/threat…
10
40
106
21,197
Suspicious Link retweeted
Replying to @_JohnHammond
I'm absolutely advocating for the name "reMOVEit" based on remediation advice from @killamjr
1
6
883
Suspicious Link retweeted
we have started!! First up is @charlesherring.
3
10
474
Just got through presenting on #thrunting @HackSpaceCon such a great conference github.com/killamjr/Presenta…

9
523
Suspicious Link retweeted
#TA505 really does not care too much. Their domain hxxps://binance-cloud[.]com is delivering payloads for months now and it's still up. hxxps://binance-cloud[.]com/pload/ => HVNC variant hxxps://binance-cloud[.]com/ldr/ => Their Loader 🧵1/4
2
11
34
8,866
Suspicious Link retweeted
Replying to @killamjr
@killamjr from @redcanary is gonna talk about the basics of "thrunting" otherwise known as threat hunting, or the process of searching for "unknown evil" that your existing alerts may be missing at #hackspacecon Get your tix now! eventbrite.com/e/hack-space-… hackspacecon.com
1
2
3
231
Suspicious Link retweeted
We saw the same TTP behavior yesterday with an American victim but payloads were hosted elsewhere: hxxps://www.basejumper[.io/info.txt hxxps://www.basejumper[.io/b.png C2: nasori.ddnsfree[.com:6666 #3LOSH tria.ge/221016-pnbgtshef9/be…
2
8
Suspicious Link retweeted
24 Feb 2023
Replying to @UK_Daniel_Card
Always click @killamjr SuspiciousLink
2
2
202
Suspicious Link retweeted
3 Sep 2022
Well, I didn't expect to be greeted like this by a C2, this gets fun. Hashes - SHA-1: 54d9da90371592843a59917a17be59cd9b961ae1 - SHA-256: 8fce1d24cf952528169f473b9462724482511615ed31165710e5e3a74cefdd02 C2 URIs - /registrauser.php - /license.txt
1
1
6
Suspicious Link retweeted
Malware @SlackHQ 🤖 /slack-download.net file here: /bitbucket.org/slack-files/windows/downloads/SIackSetupWin.iso tria.ge/221120-sldqysdd5s virustotal.com/gui/file/2cb5…
5
25
58
Suspicious Link retweeted
8 Nov 2022
this is how ransomware works
15
138
615
Suspicious Link retweeted
Noticed an interesting registry export with powershell loader working completely on data stored in the registry Reg export hastebin.com/jadunepoke.prop… Sample virustotal.com/gui/file/6702…
3
34
93
Suspicious Link retweeted
If you're seeing unusual systeminfo and ipconfig commands in your environment, you might wanna take a closer look... #Emotet
3
24
114
Suspicious Link retweeted
30 Oct 2022
interesting maldoc using reactos cmd.dll from rundll32 to download nslookup.exe highly likely to sideload malicious dnsapi.dll (unfort not available) a6142f3b7ef5349f1894a4cd7613fae26f4d0f99a39de48d54b9d9aa8b5e3473
1
27
92
Suspicious Link retweeted
Beware of wazusoft[.]com , this crack site gives you malware regardless of your OS If visited from Windows -> Redirects to cutt(.)ly -> pass 1234 -> zip -> inflated exe -> Slivetalks telegram -> #Vidar If visited from Mac -> Downloads .dmg > macho > #Bundlore malicious script
2
44
124
Suspicious Link retweeted
20 Oct 2022
#Qakbot - BB04 - url > .zip > .iso > .lnk > .cmd > .dll cmd /c Contract.lnk cmd.exe /c liveried\musquash.cmd reg sv r regsvr32.exe liveried\grazed.ssd bazaar.abuse.ch/sample/19ff7… bazaar.abuse.ch/sample/9ffd7… IOC's github.com/pr0xylife/Qakbot/…
1
14
43
Suspicious Link retweeted
For me and many other analysts it's always: "Blah blah, critical vulnerability, blah blah install patch now, blah blah some kid published a PoC [great] blah blah … where's the god damn information on how to detect a compromise? Where are the indicators?" helpnetsecurity.com/2022/10/…
15
57
295