Profile picture
Vess @VessOnSecurity
, 3 tweets, 1 min read Read on Twitter
My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner...

First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.)
The script is quite sophisticated, unlike the usual Mirai crap. It eventually downloads the executable for the appropriate CPU architecture, like

http://104.237.218.85/0/DIGIT1/DIGIT2

where DIGIT1 and DIGIT2 are two decimal digits.
I downloaded one of the executables - zero detections in VirusTotal both for it and for the script.

virustotal.com/#/file/cf3bfd3…

virustotal.com/#/file/9ef5864…
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Vess
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @VessOnSecurity see all

Profile picture
OK, folks, the month of October is over here, so it is time for my honeypot report. Let's start with our Telnet & SSH honeypot.
First, the big picture. As always, the USA is at the top of the list of countries where the attacks are coming from. Three TIMES more attacks from there than from the next contender, Germany. The latter is somewhat unusual, Germany is rarely near the top.
Next, a graph of the number of attacks per hour. The honeypot is being attacked nearly once every second on average!
Read 14 tweets
Profile picture
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini No, the code isn't there, although there is something strange...

You are looking at the raw file with a hex editor and are seeing stuff that's in unallocated clusters that aren't part of the OLE2 stream structures at all. You need a more intelligent tool.

Take a look:
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini First, we have the OLE2 structure of the file. This is what you have to look at. The VBA structures are there. The module streams are:

Module1
UserForm1
ThisDocument
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini Now, let's inspect each one of them as a stream, not as raw sectors from the file. Again, you need a tool that understands this. The compressed source is at the end of the stream, with the p-code immediately preceding it.

Module1:
Read 10 tweets
Profile picture
So, some time ago, the site of a customer of ours gets breached, because they used a version of Joomla that's older than my shoes.

Suddenly, all their visitors are forced to mine crypto currencies in their browsers, which tends to be a tad annoying for them.
But no problem, hey? Can happen to anyone. That's why you call a security team - to fix up your shit that's messed up.

Sysadmin doesn't give us full access to their system because "security". We're given access only to the webroot folder.
We clean up the crypto mining scripts but find something else.

Somebody has installed a web shell. Whoever could enter through that web shell has wider access to the system than is given to us for investigating it.
Read 15 tweets

Related threads

Profile picture
New malware pulls its instructions from code hidden in memes posted to Twitter
Cc @OpWolverines #steganography
techcrunch.com/2018/12/17/mal…
Security researchers said they’ve found a new kind of malware that takes its instructions from CODE HIDDEN IN MEMES posted to Twitter.
The malware authors posted two tweets featuring malicious memes on October 25 and 26 via a Twitter account created in 2017.
Read 16 tweets
Profile picture
[Monero Price Thread]

1/ Perhaps $XMR / USD ; #Monero bounces off of the lower support depicted here.
2/ Moving Fib Indicator (custom) showing the same thing $XMR #Monero
3/ ZN Double Guppy showing impending reversal as well very soon. #Monero $XMR
Read 5 tweets
Profile picture
1/ Monero Price Analysis Article

Flat top triangle is pretty apparent here based on the price action. I attached an example of this chart formation as well.

This is generally considered to be a bullish pattern although the price could break out the downside (what I predict)
2/ There are two major characteristics that validate a trader’s hypothesis that this pattern is under way and those are:

A) The top of the triangle being tested multiple times
and

B) There being a series of ‘higher lows’ that occur in conjunction.
3/ The first two pictures below show the 'proof' that $XMR is in a flat top triangle pattern. Simultaneously, it appears to be in an ascending channel as well.

There was a confirmed breakout in the 3rd pic, then it returned back to the channel.

In danger of breaking below now
Read 7 tweets
Profile picture
#New Traders, Understand #Mathematics Of #Profit In Market Before You Put Hard #Earned Money On Risk.

Expectancy = Success Rate x Reward Risk Ratio

Lets Talk About Expectancy Of Short Term Directional Trading System.

Read On (1/n)
Success Rate = No Of Profitable Tades/ No Of Loss Making Trades

Reward Risk Ratio = Average Profit Per Trade / Average Loss Per Trade

If Success Rate is 0.5 and Reward Risk 2, Then

Expectancy = 2 x 0.5 =1

For Making Profit, Expectancy Should Be Positive Number (2/n)
To Calculate Expectancy, You Need Defined System With Rules To Get Success Rate and Reward Risk. If You Have No System To Take Decisions, You Are Hanging In Thin Air and Will Never No Whether You Will Keep Making Or Loosing Money In Future (3/n)
Read 12 tweets
Profile picture
#NEW on ARC2020: #CAP & #MFF | Eco-Spin without Public Goods Substance.
Its been 2 weeks since the MFF proposals, here's our round up of some of the perspectives so far.
All perspective-givers tagged in picture.
arc2020.eu/cap-mff-eco-sp…
What's needed?
@davidbaldock & Allan Buckwell of @IEEP_eu:
1: Sufficient funding for environmental measures in Pillar 1
2: Specifics for New Delivery Model
3: Flexibility for Pillar 1 to 2 transfers
4. Fund ANCs under Pillar 1
arc2020.eu/cap-mff-eco-sp…
#MFF #FutureofCAP #CAP
And who said: "unconditional direct income support to farmers is manifestly absurd in today’s world when it maintains uncompetitive farming practices that have negative implications for the climate, the environment or people’s health"?
Why @AnnikaAhtonen of @epc_eu
Read 8 tweets
Profile picture
#New PA cong. map increases D chance of winning the House majority by 4%. They only need a 6.8% generic ballot margin now (down from 7.7) to be favored.

Diff. will be closer to 10% in Nov when uncertainty from polls is ⬇️. Redraw is a very big deal.

One major reason the new PA map is such a big gain for Democrats is that it solidifies, not just tips, PA districts in Philly burbs. Also creates one additional vulnerable R district. (Easily seen in this map made by @JMilesColeman)
My forecasting model will have new PA map in the near future. This is not just a simple switch; it’s a coding redesign, restructuring of input, & drawing new geographic files. Takes a while (for me, a student).

In the meantime, just add 3-4% to the model: bit.ly/2018_house
Read 4 tweets

Trending hashtags

#ImogenCunninghamF64 #Monero #unga #NotAGame #YJweek18 #chequers #SundayFunday #Brexit #AmericaSoldOut #CAP #Maddow #New #TopNaijaCorporatedealsof2018 #tripoli #SaturdayMorning #Zcash #StopBrexitSaveBritain #Phish #day1 #Treason #Sedition #CastleLock #HoneyPot #bbcqt #Winning

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!