Reverse Engineer & Malware Analyst. Now decoding AI-era threats. #malware #infosec #threatintel #AI

Joined October 2016
SDK retweeted
Someone showed me this on Telegram. It is very silly. It is clearly masquerading as "Free GPT and Claude". Anyone with half a brain knows this is malicious, but people will still fall for it. People asked what it is. I have some free time. I poked it with a stick.

People discussing it said it is XMRig. That is not entirely accurate. This is not XMRig. This is flagged as XMRig by Triage and VirusTotal because it does indeed drop XMRig, but it is much more than that. This is a (maybe new) information stealer packaged with XMRig as a double whammy.

This malware is interesting because of a few things:

1. It is position independent; they care enough to be evasive and strip out a majority of dependencies. This is usually indicative of more serious malware.
2. The .zip it delivers from the "Free GPT and Claude" is intentionally bloated (payload inflation). It is 97MB, which may evade a majority of anti-malware products (initially) due to its large size. It packages itself with FFmpeg and various other audio codecs.
3. It accesses Microsoft Outlook e-mails, accesses Chrome stuff using the COM IElevationService, and looks for any SFTP credentials.

It (currently) does not have any matching YARA rules from AV vendors. The closest approximation is LummaStealer. My knowledge base on the information stealer scene is out of date (it changes a lot). However, on first glance this appears to be a new information stealer. Again, this should be taken with a grain of salt.

It's also worth noting the domain it exfiltrates to does not appear in any malware reports. The domain is unique, and the payload does not match any existing YARA rules (its behavioral characteristics do, but not a specific malware family), so this is actually a pretty interesting sample. A lookup, though, shows this is an emerging malware campaign. It first appeared around the end of May. This is (probably) a known threat actor who has switched it up a bit (or it's MaaS, whatever though).

The malware appears online masquerading as various products:
- ecore-sourceproject
- LogiDA
- GPT_Claude_Free
- CortexSystems.v3.4.2.Stable
- TikTokBot-v2.2
- CortexLauncher

Funny enough, this malware would have been much, much, much, MUCH more evasive if they didn't package it with XMRig. VirusTotal and Triage immediately flagged it because, after it establishes persistence and steals any credentials on the machine, it pulls XMRig to turn into a cryptocurrency miner. If they did not pull the XMRig binary, this stealer would be much quieter. I have no idea why they decided to burn their OPSEC with XMRig.

C2: dfwioeiofwr-dot-info

Payload (and associated families from the C2):
027d576c6b5512d661081aaeeeb8e611f95a469ccf5ba35e0a390e8814334d05
5dcc599cf48227e65ea49d2708d08704fd1cb7e3b89736718d0d8e557857c49c
5e8b40b0b7512e1a1355374fb0cf34bfdf1260ebdb80a353c8f9da2490beeed3
6a0c332296b017220fc2b522da653fce36a8a3c5c79de0200d61c5fc31eb89ce
a2f8ebf65d54a4d9c8b720d01da77ad796683f1a5b8bd3d08738d7df4365f8a
9d4aaa9842c947756b7c128c432292732098fb71d247ef0bce60368563572da3
c4caca93e2291c018e701c217b7d232c534e4dd142042a59aa4d32754ef3022a
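The posts on this page share indicators in several defanging styles ("-dot-", "[.]", "hxxps://") and one of the SHA-256 hashes above is one hex digit short of a full digest. The following is an added example, not code from any of the analysts quoted here, of how a practitioner normalizes such pasted indicators before feeding them to a blocklist or a lookup: it refangs the text, classifies what it finds, and quarantines hex runs of non-standard length as malformed rather than silently using them. The sample text is constructed for this example (documentation-range address, dummy hashes, example.com-style hosts) and does not repeat any indicator from the posts; treating "-dot-" as always meaning a defanged dot is an assumption.

```python
"""Normalize indicators pasted from analyst posts (defanged URLs, domains,
IPs and hashes) into a form a blocklist or lookup can consume."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample for this example (documentation-range address, dummy
# hashes, example.com-style hosts; not indicators from any post on this page),
# mixing the defanging styles analysts use on social media.
SAMPLE_TEXT = """
C2: badstuff-dot-example-dot-net
payload host: cdn.evil-example[.]com
dropper: hxxps://evil-example[.]com/js/gate.php
EK at 198.51.100[.]23
sha256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
sha256 as pasted, one hex digit short: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde
md5 d41d8cd98f00b204e9800998ecf8427e
"""

# Defanging conventions seen in the wild. The scheme fix must run before URL
# detection, which is why refang() is applied to the whole text first.
DEFANG_RULES = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    # Assumption: "-dot-" only ever appears as defanging, never in a real label.
    (re.compile(r"-dot-", re.IGNORECASE), "."),
    (re.compile(r"\[:\]"), ":"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{24,}\b")
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE
)
# Digest lengths in hex characters; anything else is flagged, not guessed at.
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(indicator: str) -> str:
    """Undo common defanging so the value can be fed to tooling."""
    out = indicator
    for pattern, replacement in DEFANG_RULES:
        out = pattern.sub(replacement, out)
    return out


def defang(indicator: str) -> str:
    """Re-defang a live indicator for safe sharing (http -> hxxp, '.' -> '[.]')."""
    out = re.sub(r"^http", "hxxp", indicator, flags=re.IGNORECASE)
    return out.replace(".", "[.]")


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Refang the text, then pull out URLs, IPv4 addresses, hashes and bare
    domains. Hex runs whose length matches no known digest (a hash cut off
    when pasted) go under 'malformed_hash' so the analyst sees them."""
    found: Dict[str, set] = defaultdict(set)
    clean = refang(text)

    for url in URL_RE.findall(clean):
        found["url"].add(url.rstrip(".,;"))
    # Blank out URLs so their hosts are not counted a second time as domains.
    clean = URL_RE.sub(" ", clean)

    for ip in IPV4_RE.findall(clean):
        found["ipv4"].add(ip)

    for hexrun in HEX_RE.findall(clean):
        digest = hexrun.lower()
        found[HASH_KINDS.get(len(digest), "malformed_hash")].add(digest)

    for domain in DOMAIN_RE.findall(clean):
        found["domain"].add(domain.lower())

    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        for value in values:
            print(f"{kind:15} {value}")
```

Hashes of non-standard length are kept but labelled, so a truncated digest never ends up in a detection rule as if it were complete; re-defang with `defang()` before pasting results back into a public post.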
SDK retweeted
One more #Bisonal #APT malware from recent attacks against Russia and South Korea. XOR encrypted payload. RC4 encrypted strings and C2 communication remains the same. 221b9de416d42a979288cfa196912af4 15af764731c257caf1ee26d1cfc049a9 etude.servemp3[.]com app.any.run/tasks/861c9b52-c…
SDK retweeted
13 Jan 2020
#sload #malware #malspam #spam #italy 🇮🇹 vbs > ps > bitsadm bitsadmin downloads from hxxps://clubdeajedrezmatamoros.com/doprena/TQ29261131062.gif @JAMESWT_MHT @malwrhunterteam @matte_lodi @luc4m @VK_Intel @merlos1977 #ThreatIntel #ThreatMonitoring #infosec #PowerShell #IOC
SDK retweeted
#AZORult Tracker is now publicly available! azorult-tracker.net It's centralizing AZORult C2 panels and monitoring them for threat hunting and statistics purpose 🦅 Happy hunting!
SDK retweeted
13 Aug 2019
x18 .exe #opendir with a variety of file sizes, just waiting to be ID'd. Lots of #agenttesla so far: http://dk-rc[.]com/js/ Nice find, @zbetcheckin - @abuse_ch
SDK retweeted
Quick update! New #BlueKeep appeared! Patch the new wormable vulnerabilities in Remote Desktop Services (CVE-2019-1181/1182): msrc-blog.microsoft.com/2019… Update: portal.msrc.microsoft.com/en… portal.msrc.microsoft.com/en…
SDK retweeted
25 Jul 2019
SDK retweeted
#APT #OceanLotus #APT32 ITW: 8cfac8fdc7ec06c9a1f5d1af739e0328 FileName: Documents to be signed on One Belt One Road Forum.doc C2: ps.andreagahuvrauvin[.]com
SDK retweeted
2019-04-01: #Signed #TVSPY #Malware RAR SFX h/t @malwrhunterteam | Sectigo Decoded XOR blob -> 0x77 form_date -> product = TV RMS lang_id = 1049 (Russian lang) user_name,comp_name,email,id(RtlRandom(&Seed)) 🔦Walkthrough Notebook #MISP JSON/CSV IOCs github.com/k-vitali/Malware-…
SDK retweeted
30 Mar 2019
#Ransomware #Gandcrab 5.2 distributed in disguise of fake #DHL delivery note. Please #dontclick | VirusTotal: virustotal.com/gui/file/ebcd… | Sandbox: app.any.run/tasks/1fe0a5e1-b…
SDK retweeted
29 Mar 2019
#Banker #Bancos /www.urbasi.cl/wp-includes/js/tinymce/skins/lightgray/fonts/food.png -> /www.urbasi.cl/wp-includes/js/tinymce/skins/wordpress/images/now.php @James_inthe_box @malwrhunterteam @VirITeXplorer
SDK retweeted
29 Mar 2019
#opendir #Lime #RAT (#NjRAT) #LokiBot #Pony /justpony.xyz/bin/ -> /warezpony.ga/Lk/fre.php -> /myloki.icu/Pony/gate.php @James_inthe_box @malwrhunterteam @VirITeXplorer
Abuse of hidden “well-known” directory in HTTPS sites. zscaler.com/blogs/research/a…
SDK retweeted
7 Mar 2019
It looks like there is a new EK in town (CVE-2018-15982 inside). See 85.17.197[.]101. I first thought about GrandSoft but that's not it. Reminds me of SPL EK (an evolution?). Going for "Spelevo" as the name. cc thx @jspchc @EKwatcher @ring_lcy ( virustotal.com/#/file/daf734… )
SDK retweeted
7 Mar 2019
#sophisticated #malicious #PowerShell script with #encrypted payload is targeting Japan
1. The decrypted payload is valid if (Get-Culture).Name starts with j (Japan)
2. 8 layers of #obfuscation
3. If OSVersion.Major is 6, then it downloads a png file containing code (#steganography)
SDK retweeted
13 Feb 2019
#smokeloader, c2: http://mailcdn-office365[.]io/ in turn drops a #coinminer cc @benkow_ @Xylit0l @Anti_Expl0it @h3x2b @cocaman @fumik0_ @0Btemos_BHS