Tweets are mine. Intel junkie

Joined May 2019
DerekT2 retweeted
6 Jan 2021
Morphisec has been tracking #FIN7’s activity for the past several years and last month, our team was able to extract #data from one of the latest FIN7 attack approaches. Check out our analysis of the evolution of the FIN7 JSSLoader here: bit.ly/3pZ5xqP
DerekT2 retweeted
Noticed spikes of dropped batch helper files with low AV detection rates.
YARA Rule: github.com/Neo23x0/signature… - use with LOKI/THOR to uncover past successful infections
Rule Info: valhalla.nextron-systems.com…
Malware: virustotal.com/gui/file/dd67…
Dropped BAT: virustotal.com/gui/file/3a9d…
DerekT2 retweeted
31 Oct 2020
First of all, thanks to @_FirehaK for the #Egregor samples, which confirm that the group has finished developing their ransomware, arriving at a common template where only the keys and the encrypted payload to run inside the DLL change.
DerekT2 retweeted
#more_eggs A new sample of #Terraloader has been spotted and continues to be FUD to the AV engines. It keeps the same structure as the July sample, with new exception loops and modified rounds in the algorithm.
DerekT2 retweeted
The second part of our Article Series: "OpBlueRaven: Unveiling Fin7/Carbanak" has just been published! In the second article, we are dealing with BadUSB attacks carried out by these threat actors! threatintel.blog/OPBlueRaven…
DerekT2 retweeted
2020-07-24: 🔥👁‍🗨#more_eggs JS loader | #TerraLoader #Signed .ocx Cert -> 🇨🇿 [AntiFIX s.r.o.] #Sectigo base91 en|de|code | crc32 sum AV process check BV = "6.6a" 🛑C2: maps.doaglas .com/update/check MD5:C8AEF418DF5CE78AA55FDA9B4DA2B6A8 h/t @malwrhunterteam
17 Jul 2020
Still amazes me that the #badbullz #more_eggs dropper gets 0 on VT 🤷 md5: a340facf78875e447dd06ba225a07502. Couldn't find the ocx/dll associated with this one.
DerekT2 retweeted
Replying to @IntezerLabs
Correct. But it's not #TerraTV, this is a new #TerraLoader version directly injecting #Meterpreter instead (c2 xo[.]mikeplein[.]com). There is something likely in common with TerraTV though... the #GoldenChickens customer using it - #FIN6 (more on this to come, stay tuned)
DerekT2 retweeted
15 Apr 2020
Interesting use of Outlook calendar format (ICS) in a phishing attack. Hash of the file: 0986e7cbdef080dada8dee9c55542c37 🌐pwncode.io/2020/04/outlook-c… 🅾️ 0 detections on VT. ICS -> Sharepoint -> Google Storage -> Wells Fargo Phishing. @malwrhunterteam @ItsReallyNick @JayTHL
DerekT2 retweeted
2020-04-14:🆕🔥Possible #FIN7 'VBS' PowerShell Active Directory (LDAP) Hunter via 'Payment overdue' Spam 'JS' Loader 'group=vbs' ( start_delay()) 🛡️ C2:domenuscdm. com C2:environmentalist .com h/t @Simpo13|cc @malz_intel Pushed the decoded portions↘️ github.com/k-vitali/Malware-…
DerekT2 retweeted
12 Apr 2020
Easter Egg time! Comparative analysis on the JS loader #Terraloader. Thanks to @malz_intel github.com/StrangerealIntel/…
9 Apr 2020
#Badbullz JS dropper: virustotal.com/gui/file/dd61…
JS -> OCX -> JS -> OCX ⁉️
Final payload looks like an infostealer: virustotal.com/gui/file/2e64…
Network: digebuy[.]com - GET! / doaglas[.]com - POST / office.fielnnam[.]com / 91.92.109[.]59 - POST
DerekT2 retweeted
For your Excel 4.0 Macro pleasure @DissectMalware. These files are "encrypted" 🔓 with the VelvetSweatshop password. Luckily @decalage2's oletools knows how to decrypt, but your #Yara rules might not! 🔗virustotal.com/gui/file/9e13… 📋gist.github.com/JohnLaTwC/55… 🧠nakedsecurity.sophos.com/201…
DerekT2 retweeted
28 Mar 2020
Friday night #FIN7 -- below domains are also serving the #Malware: colorpickerdesk.\com digitalsoundmaker99.\com expressdesign9.\com fgfotr.\com nattplot.\com nlotsoft.\com poolwort.\com softowii.\com tssoftos.\com untypicaldesign9.\com uoplotr.\com (1/3) #threatintel
DerekT2 retweeted
27 Mar 2020
Have you received an unsolicited USB like this in the mail? It may be an attempt to compromise your computer. If you receive a USB, please contact your local #FBI office.
DerekT2 retweeted
#FIN7 mailing USBs is finally out in the public this week 😅 These make for interesting IRs 📦🤏🏽🔍 It’s super cool that they validate various red team assessment techniques (like phone-based social engineering); but don’t be surprised. Remember they run offsec front companies.
Replying to @snlyngaas
FIN7 may be using a “middleman or unwitting mule in the U.S.,” though concrete evidence remains elusive -- @BarryV cyberscoop.com/fin7-usps-fir…
DerekT2 retweeted
This week @wesleyneelen received a malicious xls on an email address leaked by @litebiteu. Later that week I also received it. The interesting part is that Gmail spam filters did not catch it. Had a tough time analyzing it, so I decided to make a small thread.