Discover and read the best of Twitter Threads about #UNC2596

1/ Interesting toolkit currently used by #Ransomware affiliates 💣

- 1.bat > Disabler (UAC/NLA/IFEOs)
- 1.msi > Anydesk wrapped using exemsi[.]com (persistence/C2)
- aswArPot.sys > Avast Anti-Rootkit driver used to disable AV/EDR (BYOVD)
- terminat.exe > #BURNTCIGAR (?)
2/ The artifacts were available until today on a server with #opendir (80.209.241.3:8888) that was active for at least 15 days.

You may want to block/monitor this hash: 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1 (aswArPot.sys)

[+] bazaar.abuse.ch/browse/tag/80-…
3/ More references regarding these TTPs:

[+] @TrendMicro (2022-05-02): trendmicro.com/en_us/research…
[+] @Aon_plc (2022-02-26): aon.com/cyber-solution…
[+] @Mandiant (2022-02-23): mandiant.com/resources/unc2…

#AvosLocker/#CUBA/#UNC2596/#Ransomware
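A host-triage script for the toolkit the thread describes, added here as an example; it is not the thread author's code. It checks the registry state a UAC/NLA/IFEO "disabler" would leave behind, looks for any .sys file matching the SHA-256 from tweet 2/, and searches Sysmon driver-load events for the same hash. Assumptions: PowerShell 5.1 or later run as an administrator, and, for the last check, Sysmon installed with Event ID 6 (DriverLoad) enabled and SHA256 included in its hash algorithms. The registry paths are the standard Windows locations for these settings; the default search roots for the on-disk check are a guess at where a dropped driver might sit.

```powershell
# Added triage example for the UNC2596 toolkit thread; not the author's code.
# Assumes: admin PowerShell 5.1+, and Sysmon logging Event ID 6 with SHA256 hashes.
# The only indicator used is the SHA-256 of aswArPot.sys given in the thread.

$IocSha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'   # aswArPot.sys

function Get-DisablerState {
    # Registry values a UAC/NLA disabler flips. EnableLUA = 0 turns UAC off;
    # UserAuthentication = 0 lets RDP sessions start without Network Level Authentication.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $uac = (Get-ItemProperty -Path $sys -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    $nla = (Get-ItemProperty -Path $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        EnableLUA          = $uac          # expected 1
        UserAuthentication = $nla          # expected 1
        UacDisabled        = ($uac -eq 0)
        NlaDisabled        = ($nla -eq 0)
    }
}

function Get-IfeoDebuggers {
    # An IFEO subkey with a Debugger value redirects every launch of that image.
    # Pointing the value at a path that does not exist is a cheap way to stop a
    # security product's processes from ever starting, so list every one present
    # and whether its target actually exists.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # First token of the Debugger string is the executable; honour a quoted path.
            $target = if ($dbg.StartsWith('"')) { $dbg.Split('"')[1] } else { ($dbg -split ' ')[0] }
            [pscustomobject]@{
                Image        = $_.PSChildName
                Debugger     = $dbg
                TargetExists = (Test-Path -LiteralPath $target)
            }
        }
    }
}

function Get-SuspectDriverServices {
    # BYOVD needs a kernel service to load the driver. Match on the file name here;
    # the hash checks below decide whether it is the indicator from the thread.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'aswArPot\.sys' } |
        Select-Object Name, State, StartMode, PathName
}

function Find-IocDriverOnDisk {
    # Hash every .sys under the roots and report paths whose SHA-256 equals the IOC.
    # A dropped driver need not live in System32\drivers, hence the extra roots (assumed).
    param([string[]]$Roots = @("$env:SystemRoot\System32\drivers", $env:ProgramData, "$env:SystemDrive\Users"))
    Get-ChildItem -Path $Roots -Filter *.sys -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and ($hash -ieq $IocSha256)) { $_.FullName }
    }
}

function Find-IocDriverLoad {
    # Sysmon Event ID 6 records each kernel driver load with its hashes, so a match here
    # means the driver was loaded, not merely dropped. Matching on the hash rather than
    # the file name also catches a renamed copy. -match is case-insensitive in PowerShell.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "SHA256=$IocSha256" } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ImageLoaded = ($data | Where-Object Name -eq 'ImageLoaded').'#text'
                Signature   = ($data | Where-Object Name -eq 'Signature').'#text'
            }
        }
}

'--- UAC / NLA state ---';                 Get-DisablerState        | Format-List
'--- IFEO Debugger values ---';            Get-IfeoDebuggers        | Format-Table -AutoSize
'--- Driver services named aswArPot.sys ---'; Get-SuspectDriverServices | Format-Table -AutoSize
'--- IOC hash on disk ---';                Find-IocDriverOnDisk
'--- IOC hash in Sysmon driver loads ---'; Find-IocDriverLoad       | Format-Table -AutoSize
```

Two caveats when reading the output. The driver is a legitimately signed Avast component, so a hash match on a host that runs Avast is expected; the finding is a match on a host where Avast was never installed, or a driver load recorded around the time of the intrusion by a service that did not exist before. And the IFEO listing is a starting point, not a verdict: a handful of Debugger values can be legitimate, but one whose target does not exist, or that names a security product's binary, is the pattern a disabler leaves.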