Profile picture
, 8 tweets, 7 min read
My Authors
Read all threads
1/6
 Based on the evidence published, some bullets in Everis case:

#Ryuk not was involved, the ransome note is different.

#Ryuk/#Bitpaymer take long time to been deployed.

#Ryuk has been saw in combination of #Emotet->#Trickbot.
2/6
 0day Bonjour Updater
Oct 10, Morphisec published “the abuse of an Apple zero-day vulnerability in the Apple Software Update utility that comes packaged with iTunes for Windows” , related with #Bitpaymer adversaries.
3/6
 BlueKeep
Over the weekend @GossiTheDog, report that his honeypot saw activity related with Bluekeep, working with @MalwareTechBlog they found that the final payload is a #MoneroMiner. Some IOC's shared today are related with this activity.
@GossiTheDog @MalwareTechBlog 4/6
Teams
Other theory is related with Microsoft Teams desktop app that allows downloading and executing arbitrary files on the system through:
[Update|squirrel].exe --[update|download|updateRollback] "url to payload"
@GossiTheDog @MalwareTechBlog 5/6
BitPaymer/IEncrypt
Some times this ransomware is distributed via RDP compromised, fake updates or emails. After it use Empire to move laterally, gain account w/privileges [mimikatz] and PsExec or GPO to deploy it.
@GossiTheDog @MalwareTechBlog 6/6
Targeted attack
the extension .3v3r1s is a proof of this? Maybe no, normally BitPaymer/IEncrypt use the name "PCname_of_company" as extension. In this case they used 1337 for the ext.

Ex:
Krauss-Maffei company, “.kraussmfz”
CMS Nextech company ".cmsnwned"
@GossiTheDog @MalwareTechBlog Sources:

pastebin.com/xYpWXDc7
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with \_(ʘ_ʘ)_/

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#Ryuk #Bitpaymer #Emotet #Trickbot #MoneroMiner

Related threads

Profile picture
ChrispLOL2
@ChrispLOL
@Clivedurdle @Jen_robrien @MrPeteAbel @CleanAirGM @LevyCleanAir @ClientEarth @foemcr @JZCOS @MumsForLungs @uom_meri @headstretcher @ArupGroup He doesn't like the answers we have is it. He wants #different answers than the true ones (which he finds inconvenient and difficult).

Excess cars (even excess cleaner cars) have a huge net cost in human and money terms to @greatermcr .. Paradoxically that #includes the God GVA.
@Clivedurdle @Jen_robrien @MrPeteAbel @CleanAirGM @LevyCleanAir @ClientEarth @foemcr @JZCOS @MumsForLungs @uom_meri @headstretcher @ArupGroup @greatermcr Further research and analysis is needed. Many things we know about cars and motor vehicles and their use in GM that #do #not suggest discouraging their use into city and town centres would not be harmful as believed and stated.

Running anywhere in GM is maybe a different Q tho.
@Clivedurdle @Jen_robrien @MrPeteAbel @CleanAirGM @LevyCleanAir @ClientEarth @foemcr @JZCOS @MumsForLungs @uom_meri @headstretcher @ArupGroup @greatermcr @bricycle @CatrionaSwanson @arupforesight @ancoats2020 @evefrancisholt @KevinClimate 1. We know that in 2011 the car and van ownership/access inside the M60 was about 60% of households. To turn that on its head 40% had no access at all. In some wards there are towards 60% of households with no access at all. @thomasforth has mapped this.
Read 9 tweets
Profile picture
Cas
@CowgirlCas22
And here are the redacted ones! Happy Hunting. #QAnon #DarkToLight
3 of 3
Hmmm Twatter fuckery? Unredacted disappeared let's try again
Read 379 tweets
Profile picture
Richard James
@RichJamesBits
I have reached a whole new level of #PISSEDOFF.

I didnt think such a #dark and #scary state, or level, could be reached. It may top 12-14-17's causation. It's. That. Bad. So, I've prepared a statement...

docs.google.com/document/d/1_J…

#PascoSheriff #HaveYouAllNoShame @CigarCityBeer
Dear @FBI,
I must implore you ask your colleauges in @FBITampa to help research this new level of #PISSEDOFFNESS. As locals, they may offer a special indepth knowledge of this new level I have reached. This is not fair & law enforcement must #investigate. No one deserves this.
This is my #apogee of #Pissedoffness.
If #motherfuckers & #tears werent a noticable level.
If #HUSH or #INTIMIDATION tactics being deployed didnt strike a chord.
If #EVIDENCE, PROOF, or 30k Bonds didnt #WOW YOU.
If posting mom with no shred of investigatable value wasnt enough...
Read 463 tweets
Profile picture
Sibel Edmonds
@sibeledmonds
#Khashoggi Case Thread: I am going to ‘pin’ this post to use it as an ‘Info Thread’ on the #Khashoggi Case. I am in #Turkey. I’ve been following the case closely and with access to sources & experts here. This is a very ‘sensitive’ criminal case due to ‘Diplomatic Booby Traps’!!!
The Evidence Obtained Outside Cameras will not show any evidence of ‘tempering’ but other than license plates of dozens of diplomatic cars (Many with tinted windows-large trunks) with related time stamp, drivers Info, model/year: Nothing.
#Turkish Intel-Investigative Bodies also have the list of all Diplomatic & Private Saudi & “other significant’ Planes in #Turkey for the period of ‘interest.’ Many of the Target airports have their own security cameras & related evidence.
Read 335 tweets
Profile picture
Eketi Edima Ette
@eketiette
Are you one of those people who's looked back on 2017 and convinced yourself that you haven't achieved anything? Worried about catching up with your mates who seem to have done much better?

Let me tell you a story about #time.

A thread 👇
A long #time ago, back when I was about twelve or thirteen years old, my parents travelled to Uyo.

Before leaving, my mother asked me to prepare Edikang ikong soup so she and my father would eat when they returned.
When I was finished with the soup, it was supposed to look something like this:

*photo credit: waiter foodies.
Read 32 tweets

Trending hashtags

#TheyCantStopUs #Patriots #indie #This #THANKYOU #History #Pasco #LIVEPD #WOOF #WILD #reylofic #Director #think #Governor #DigitalSoldiers #FBI #Fact #stealing #stalking #Repost #OsamaBinLaden #Cyclingnews #SaudiArabia #Palestine #Few
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!