Discover and read the best of Twitter Threads about #RCintel

Most recent (3)

Over the past few hours, we’ve observed malicious phishing emails associated with the delivery affiliate TR in multiple customer environments. The infection scheme was consistent, executing in the following pattern: OneDrive phishing page -> ZIP download -> malicious XLSB -> Qbot
The ZIP file and XLSB had formats similar to `123 (1).zip/123.xlsb`. The Excel macros downloaded a Qbot binary with an OCX file extension to the TR-specific folder “C:\Watdan” and executed it with the command `regsvr32 C:\Watdan\tle1.ocx`
We observed reconnaissance commands and lateral movement next, and the adversary dropped Cobalt Strike and Bloodhound, common post-exploitation tools, into victims’ environments. This progression of activity is a common ransomware precursor.
We sat down with @likethecoins, director of intelligence at Red Canary, to chat about the Microsoft Exchange activity happening and share what we’re seeing. Check out what she had to say in the thread. #RCintel
Q1: What do we know about the adversaries exploiting the recent Exchange vulnerabilities? #RCintel
There’s a lot of confusion rn. Based on our visibility and that of researchers from Microsoft, FireEye, & others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities. -Katie Nickels #RCintel (1/2)
We’ve detected suspicious activity in multiple environments today, and, while we haven’t yet observed a payload, we’re concerned the activity may be the result of Exchange Server compromise. 1/7 #RCintel
What we’re observing is consistent with DLTminer precursor activity uncovered by @vmw_carbonblack in 2019, specifically its use of scheduled tasks to execute PowerShell and make external network connections. carbonblack.com/blog/cb-tau-te… 2/7
Prior to the Scheduled Task and PowerShell activity, we’re seeing the adversary leverage the IIS Worker process (w3wp.exe) to spawn the Command Processor in a manner that’s consistent with web shell activity. 3/7