Most recents (3)

The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infrastructure.
This allows us to connect certain #Trickbot activcity with the #Conti group:

1/x

The IP's in the image are the following:
117.252.69[.]134
117.252.68[.]15
116.206.153[.]212
103.78.13[.]150
103.47.170[.]131
103.47.170[.]130
118.91.190[.]42
117.197.41[.]36
117.222.63[.]77
117.252.69[.]210

2/x

Using @MaltegoHQ together with OTX/Alienvault and
@virustotal integration, we are able to connect several of these IP's to #Trickbot activity:

3/x

Read 8 tweets

Berto Jongman

@BertoJongman100

https://twitter.com/beveiliging/status/1307945669269704704

Read 55 tweets

Giuseppe `N3mes1s`

@gN3mes1s

Today our behavioural anomaly hit an interesting sample.

1⃣ Macro Document
2⃣ Spawning Notead with a funny command line
3⃣ Spawning a WMIC instance
4⃣ WMIC running rundll32 with a malicious dll

But what got my attention was something else:
The bahaviour of wmic.

thread 👇🧵

I always looks for interesting behaviour, what you can notice is how is possible that WMIC is creating a process? 2 possibilites, or with the Macro injecting code, or #Squiblytwo

You can notice there is no Injection involved, nor the cmdline for Squiblytwo! 👇🧵

So i started digging the Macro and the behaviour was very funny.

1⃣ Macro spawns notepad and using Message Passing, it let create the document xsl needed later on
2⃣ Macro spawns wmic and using PostMessageA pass a new cmdline that will be the #Squiblytwo attack

👇🧵

Read 6 tweets

Discover and read the best of Twitter Threads about #dridex

Most recents (3)

Related hashtags

Discover and read the best of Twitter Threads about #dridex

Most recents (3)

Related hashtags

Did Thread Reader help you today?