Discover and read the best of Twitter Threads about #Dridex

Most recents (3)

The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infrastructure.
This allows us to connect certain #Trickbot activcity with the #Conti group:

1/x Image
The IP's in the image are the following:
117.252.69[.]134
117.252.68[.]15
116.206.153[.]212
103.78.13[.]150
103.47.170[.]131
103.47.170[.]130
118.91.190[.]42
117.197.41[.]36
117.222.63[.]77
117.252.69[.]210

2/x
Using @MaltegoHQ together with OTX/Alienvault and
@virustotal integration, we are able to connect several of these IP's to #Trickbot activity:

3/x Image
Read 8 tweets
Today our behavioural anomaly hit an interesting sample.

1⃣ Macro Document
2⃣ Spawning Notead with a funny command line
3⃣ Spawning a WMIC instance
4⃣ WMIC running rundll32 with a malicious dll

But what got my attention was something else:
The bahaviour of wmic.

thread 👇🧵
I always looks for interesting behaviour, what you can notice is how is possible that WMIC is creating a process? 2 possibilites, or with the Macro injecting code, or #Squiblytwo

You can notice there is no Injection involved, nor the cmdline for Squiblytwo! 👇🧵
So i started digging the Macro and the behaviour was very funny.

1⃣ Macro spawns notepad and using Message Passing, it let create the document xsl needed later on
2⃣ Macro spawns wmic and using PostMessageA pass a new cmdline that will be the #Squiblytwo attack

👇🧵
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!