#Proxyshell in #tortillas recipe #ransomware
We have seen a new actor named tortillas abusing proxyshell to run ransomware.
The ransomware maybe born from the leaked #Babuk code.
The attack is originated by the IP: 185.219.52.]229
@58_158_177_102 @sugimu_sec
We have seen a new actor named tortillas abusing proxyshell to run ransomware.
The ransomware maybe born from the leaked #Babuk code.
The attack is originated by the IP: 185.219.52.]229
@58_158_177_102 @sugimu_sec
Chain: proxyshell -> webshell (a lot) -> certutil -> download and execute the payload.
The encrypted files has .babyk extension and end with "choung dong looks like hot dog!!" string that is typical from #Babuk, but the ransom note are different.
So we guess they used Babuk code.
The encrypted files has .babyk extension and end with "choung dong looks like hot dog!!" string that is typical from #Babuk, but the ransom note are different.
So we guess they used Babuk code.
Ioc:
3556821DD4184777D340ACE0D17D3A53
DA6C6C0A07723DE52912AFA07B8D06C8
5000E5FDDAA93D43C8FE8CE833BFEA43
http://185.219.52.]229/tortillas/tore.exe
http://185.219.52.]229:8083/NRy1EZKJRn4GH.hta
sample dwnld from pastebin.]pl\view\raw\a57be2ca
and inject to AddInProcess32.exe
3556821DD4184777D340ACE0D17D3A53
DA6C6C0A07723DE52912AFA07B8D06C8
5000E5FDDAA93D43C8FE8CE833BFEA43
http://185.219.52.]229/tortillas/tore.exe
http://185.219.52.]229:8083/NRy1EZKJRn4GH.hta
sample dwnld from pastebin.]pl\view\raw\a57be2ca
and inject to AddInProcess32.exe
The sample seems has been uploaded to VirusTotal the first time on 12 october 2021 from Russia and re-submitted on 14 october from Malasya.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
