Discover and read the best of Twitter Threads about #Babuk


#Proxyshell in #tortillas recipe #ransomware
We have seen a new actor named tortillas abusing proxyshell to run ransomware.
The ransomware may be born from the leaked #Babuk code.
The attack originated from the IP: 185.219.52.]229
@58_158_177_102 @sugimu_sec
Chain: proxyshell -> webshell (a lot) -> certutil -> download and execute the payload.
The encrypted files have the .babyk extension and end with the "choung dong looks like hot dog!!" string that is typical of #Babuk, but the ransom notes are different.
So we guess they used Babuk code.
Ioc:
3556821DD4184777D340ACE0D17D3A53
DA6C6C0A07723DE52912AFA07B8D06C8
5000E5FDDAA93D43C8FE8CE833BFEA43

http://185.219.52.]229/tortillas/tore.exe
http://185.219.52.]229:8083/NRy1EZKJRn4GH.hta
Sample downloaded from pastebin.]pl\view\raw\a57be2ca
and injected into AddInProcess32.exe

Former #Babuk and Payload.bin leak site has changed again. Now it's a place where "successful people can stay protected from the RaaS services' scam." The admin claims that following the ransomware ban on other forums, he wants to create a new community.
Also, the admin says he - probably - has some connection with the recent leak of Babuk's builder but now he is not affiliated with the gang: "I recommend to blacklist this product to all security firms and data security [specialists]."
Interestingly, the name of the new forum is RAMP which is probably a reference to the now-defunct Russian Anonymous Marketplace (a drug market closed in 2017).

The group running the #ransomware #babuk has just announced that it is ending its activities and preparing to release its code as #opensource... 🧐
The #Babuk operators had only just given their first and last interview ⤵️
Well, it's not funny: I barely had time to finish and publish my article before, poof, the page in question disappeared from the #Babuk site... lemagit.fr/actualites/252…
