Discover and read the best of Twitter Threads about #Metasploit
Most recents (3)
1/ New #MuddyWater 🇮🇷Infra detected; moves to #Metasploit and #HPAnywhere/#Teradici tool added?
@GroupIB_TI released a great report detailing MuddyWater’s use of SimpleHelp Remote Support Software. They tracked the #APT's infrastructure using Etags.
Let's take a look! 🧐 👇👇
@GroupIB_TI released a great report detailing MuddyWater’s use of SimpleHelp Remote Support Software. They tracked the #APT's infrastructure using Etags.
Let's take a look! 🧐 👇👇
2/ First Etag(153): 🔟results.
First IP of interest: 👉164.132.237[.]67
If we now pivot on the SSH hash, we match on another IP:
👉3.6.222[.]144.
Looking at this IP, the SSL certificate presented mentions O=Teradici Corporation...
First IP of interest: 👉164.132.237[.]67
If we now pivot on the SSH hash, we match on another IP:
👉3.6.222[.]144.
Looking at this IP, the SSL certificate presented mentions O=Teradici Corporation...
3/ Teradici (now HP Anywhere) allows for remote access to machines from any PCoIP client. 💻⬅️🌐⬅️💻
Indicating that MuddyWater may also be using HP’s Anywhere/Teradici as well as SimpleHelp?🧐
Indicating that MuddyWater may also be using HP’s Anywhere/Teradici as well as SimpleHelp?🧐
If you utilise API hashing in your #malware or offensive security tooling. Try rotating your API hashes. This can have a significant impact on #detection rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs #Virustotal.
Since API hashing can be confusing, most attackers won't rotate their hashes with each iteration of malware. Those same hashes can be a reliable detection mechanism if you can recognize them in code.
Luckily finding these hashes isn't too difficult, just look for random hex values prior to a "call rbp".
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
🚨 Cuidado con las descargas desde #Anonfiles (utilizado por muchos actores maliciosos), puede que en vez del archivo que querías, termines instalando, no solo 1, sino que 7 clases distintas de #Malware 👀
Revisemos por ejemplo: /anonfiles.com/7c62z4s9ob/Youtube_Viewer_rar
1/X
Revisemos por ejemplo: /anonfiles.com/7c62z4s9ob/Youtube_Viewer_rar
1/X
Al hacer click en "download" se descarga automaticamente un archivo que tiene de nombre "YouTube+Viewer.rar[.]zip" pero la descarga se realiza desde /yfilesstorage.com/Youtube+Viewer.rar.zip?c=AISJk2FCGQUA4ksCAENMFwAMAMyKTf0A (.ZIP protegido con contraseña) 🤔
2/X
2/X
Lamentablemente esto pasa desapercibido para usuarios menos prudentes.
Sin embargo, gracias a @hatching_io, podemos averiguar que lo que instalan realmente es #Arkei, #Metasploit, #Racoon, #Redline, #Smokeloader, #Socelars y #Vidar 😵
tria.ge/211116-mn4ghad…
3/X
Sin embargo, gracias a @hatching_io, podemos averiguar que lo que instalan realmente es #Arkei, #Metasploit, #Racoon, #Redline, #Smokeloader, #Socelars y #Vidar 😵
tria.ge/211116-mn4ghad…
3/X
