Our comprehensive, active tracking of Dudear operations, attributed to the threat actor CHIMBORAZO (aka TA505), shows that these campaigns relentlessly use multiple layers of detection evasion techniques to try to slip through defenses.
These techniques include the routine use of varying social engineering lures (recent ones include Expense report, fake Citrix ShareFile email, and fake Dropbox notification) and download websites that block traffic from automated analysis, in addition to the CAPTCHA challenge.
The email campaigns also switch between using HTML attachments that lead to a series of redirector websites before eventually leading to the download website, and using malicious URLs that download the malicious HTML, or both.
The downloaded Excel file contains a malicious macro that, as usual, drops the GraceWire payload embedded in the document. As another evasion tactic, the embedded file is a PNG file that contains two DLL files: the 32-bit and 64-bit versions of the GraceWire loader.
Even with these evasion tactics, however, Dudear campaigns are detected by Microsoft Threat Protection, driven by its visibility into emails, files, and network activities, and experts who connect the dots to deliver comprehensive protection.
Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with a PDF attachment.
To read the PDF file attached to the email, the target is lured to click a URL with instructions to register their device. The registration link has instructions to open PowerShell as an administrator and paste code provided by Emerald Sleet.
In the last quarter of 2024, Microsoft Threat Intelligence observed developments in the ransomware ecosystem that researchers and defenders should watch for in 2025. 🧵
Exploitation of vulnerabilities remains a key method for initial access. In October, the threat actor Lace Tempest, known for exploiting 0-days in file-transfer software, was observed exploiting vulnerabilities in Cleo products (CVE-2024-50623, CVE-2024-55956).
This exploitation activity increased in December and, as in past campaigns, Lace Tempest performed double extortion via the Clop leak site. Among ransomware leak sites, however, RansomHub saw the most activity.
Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. msft.it/6011W3CGX
Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection.
The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server.
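An added triage check for the kind of lure described above, written from the defender's side (example code, not Microsoft's; the allowlist, the constructed sample file and the set of redirection settings it inspects are assumptions, not details from the report):

```python
"""Triage checker for Remote Desktop (.rdp) configuration files.

Parses the .rdp format (one "name:type:value" setting per line, often
UTF-16 with a BOM) and flags what a defender would review before a user
opens a file that arrived by email: a 'full address' outside an allowlist
of known RDP hosts, and redirection of local resources to that host.
"""
from __future__ import annotations

# Settings that hand local resources to the remote host when enabled.
# Assumption: this list is chosen for illustration and is not exhaustive.
REDIRECT_KEYS = {
    "redirectdrives", "redirectclipboard", "redirectprinters",
    "redirectsmartcards", "redirectcomports", "drivestoredirect",
}

def parse_rdp(data: bytes) -> dict[str, tuple[str, str]]:
    """Return {name: (type, value)}; handles UTF-16 (BOM) or UTF-8 input."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", "replace")
    settings: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # value may itself contain ':'
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = (parts[1].strip(), parts[2].strip())
    return settings

def host_of(full_address: str) -> str:
    """Strip an optional ':port' suffix from a 'full address' value."""
    host, sep, port = full_address.rpartition(":")
    return host if sep and port.isdigit() else full_address

def triage(data: bytes, allowed_hosts: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    s = parse_rdp(data)
    findings: list[str] = []
    addr = s.get("full address", ("s", ""))[1]
    if not addr:
        findings.append("no 'full address' setting")
    elif host_of(addr).lower() not in allowed_hosts:
        findings.append(f"connects to non-allowlisted host {host_of(addr)}")
    enabled = sorted(k for k in REDIRECT_KEYS if k in s and s[k][1] not in ("", "0"))
    if enabled:
        findings.append("redirects local resources: " + ", ".join(enabled))
    if "signature" in s:   # a signed file is still only as trustworthy as its host
        findings.append("file is signed; signature alone does not make the host trustworthy")
    return findings

# Constructed sample lure file (hostname and signature are placeholders).
SAMPLE_RDP = (
    "full address:s:rdp.example.test:3389\r\n"
    "redirectdrives:i:1\r\n"
    "redirectclipboard:i:1\r\n"
    "signature:s:PLACEHOLDER_SIGNATURE\r\n"
).encode("utf-16")   # Python prepends a BOM, as real .rdp files usually have
```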
Microsoft observed the financially motivated threat actor tracked as Vanilla Tempest using INC ransomware for the first time to target the healthcare sector in the United States.
Vanilla Tempest receives hand-offs from Gootloader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool.
The threat actor then performs lateral movement through Remote Desktop Protocol (RDP) and uses the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.
In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns.
Octo Tempest, known for its sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMware ESXi servers, and deployment of BlackCat ransomware, accounts for a significant share of our investigations and incident response engagements.
RansomHub is a ransomware-as-a-service (RaaS) payload used by an increasing number of threat actors, including ones that have historically used other (sometimes defunct) ransomware payloads such as BlackCat, making it one of the most widespread ransomware families today.
Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector.
FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers. It was first observed being used against targets in early November 2023.
The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve its tradecraft.