Discover and read the best of Twitter Threads about #tortillas
Most recents (1)
#Proxyshell in #tortillas recipe #ransomware
We have seen a new actor named tortillas abusing proxyshell to run ransomware.
The ransomware maybe born from the leaked #Babuk code.
The attack is originated by the IP: 185.219.52.]229
@58_158_177_102 @sugimu_sec
We have seen a new actor named tortillas abusing proxyshell to run ransomware.
The ransomware maybe born from the leaked #Babuk code.
The attack is originated by the IP: 185.219.52.]229
@58_158_177_102 @sugimu_sec
Chain: proxyshell -> webshell (a lot) -> certutil -> download and execute the payload.
The encrypted files has .babyk extension and end with "choung dong looks like hot dog!!" string that is typical from #Babuk, but the ransom note are different.
So we guess they used Babuk code.
The encrypted files has .babyk extension and end with "choung dong looks like hot dog!!" string that is typical from #Babuk, but the ransom note are different.
So we guess they used Babuk code.
Ioc:
3556821DD4184777D340ACE0D17D3A53
DA6C6C0A07723DE52912AFA07B8D06C8
5000E5FDDAA93D43C8FE8CE833BFEA43
http://185.219.52.]229/tortillas/tore.exe
http://185.219.52.]229:8083/NRy1EZKJRn4GH.hta
sample dwnld from pastebin.]pl\view\raw\a57be2ca
and inject to AddInProcess32.exe
3556821DD4184777D340ACE0D17D3A53
DA6C6C0A07723DE52912AFA07B8D06C8
5000E5FDDAA93D43C8FE8CE833BFEA43
http://185.219.52.]229/tortillas/tore.exe
http://185.219.52.]229:8083/NRy1EZKJRn4GH.hta
sample dwnld from pastebin.]pl\view\raw\a57be2ca
and inject to AddInProcess32.exe
