Germán Fernández Profile picture
Nov 16, 2021 9 tweets 10 min read Read on X
🚨 Cuidado con las descargas desde #Anonfiles (utilizado por muchos actores maliciosos), puede que en vez del archivo que querías, termines instalando, no solo 1, sino que 7 clases distintas de #Malware 👀

Revisemos por ejemplo: /anonfiles.com/7c62z4s9ob/Youtube_Viewer_rar

1/X Image
Al hacer click en "download" se descarga automaticamente un archivo que tiene de nombre "YouTube+Viewer.rar[.]zip" pero la descarga se realiza desde /yfilesstorage.com/Youtube+Viewer.rar.zip?c=AISJk2FCGQUA4ksCAENMFwAMAMyKTf0A (.ZIP protegido con contraseña) 🤔

2/X ImageImageImage
Lamentablemente esto pasa desapercibido para usuarios menos prudentes.

Sin embargo, gracias a @hatching_io, podemos averiguar que lo que instalan realmente es #Arkei, #Metasploit, #Racoon, #Redline, #Smokeloader, #Socelars y #Vidar 😵

tria.ge/211116-mn4ghad…

3/X Image
Esto se debe a que el sitio de #Anonfiles tiene inyectado un script de publicidad que es utilizado para distribuír Malware (carga aleatoria).

El script en /djv99sxoqpv11.cloudfront.net también ha estado activo en sitios como /1337x.to y /bayfiles.com (urlscan.io/domain/djv99sx…). ImageImage
IOC's:

#Socelars C2: /www.gianninidesign.com
#Redline (udptest) C2: 193.56.146.64:65441
#Redline (15.11_BUILD_1) C2: 45.9.20.104:6334

#Smokeloader:
/membro.at/upload/
/jeevanpunetha.com/upload/
/misipu.cn/upload/
/zavodooo.ru/upload/
/targiko.ru/upload/
/vues3d.com/upload/

5/X
IOC's (continuación):

#Vidar carga su C2 desde @koyuspace
159.69.92.223

6/X Image
Y finalmente, estos son 1105 dominios asociados a esta campaña de #Malvertising y publicidad maliciosa con descarga activa de Malware.

IOC's -> pastebin.com/DCJBk2f4

Referencias: virustotal.com/gui/ip-address…

7/X Image
Espera hay más...

La campaña está relacionada a estas "supuestas" agencias de publicidad y monetización de tráfico 🤔

/heartbid.net
/data-cash.network
/bidmag.net
/affilight.network
/sapphirum.network
/chikikliki.com
/mobile10.network

(las dejare aquí para despues)

8/X ImageImageImageImage
📌 @AnonFiles -> #Malvertising (AD Network) -> 7 #Malware families

Add /1.zip to download:

/yfilesstorage.com
/getfileasap.com
/getthisfileasap.com
/topfilesstorage.com
/yourfilesstorage.com
/readytoloadforyou.com
/secondfilesstorage.com

[+] pastebin.com/DCJBk2f4 ImageImageImageImage

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Germán Fernández

Germán Fernández Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @1ZRR4H

May 25, 2023
🚨 1/ Ongoing campaign primarily targeting security researchers here on Twitter.

Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔 ImageImageImageImage
2/ Tweets mention things like #0day, #databreach, #Kimsuky, #Lazarus and point to a file download on pan[.]baidu[.]com, just now removed.

There is also a repo on Github with connection data and credentials to supposed DBs and Web Apps that ask to use IE 🤭 ImageImageImageImage
3/ I tried 211.143.190.233:2222, at first glance harmless, but in the code we see that it points to a rather suspicious .JS.

When we deofuscate and clean, a hidden URL appears that could load the next stage, however I could not get it (maybe geofenced or some other trick). ImageImageImageImage
Read 7 tweets
May 14, 2023
Some recently registered .ZIP domains 🤭 Image
I liked this one too:
/keygen.zip Image
Okeyyyyyyyyy! 😏
/microsoft-office.zip Image
Read 7 tweets
Mar 20, 2023
1/ Part of the script used by #TA569 (Initial Access Broker) to inject the Keitaro TDS code into compromised sites 🚩

In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others. ImageImageImage
2/ Two #KeitaroTDS domains in use by #TA569:
- jqueryns[.]com
- jqscr[.]com "new"

In the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but is some kind of bot/stealer/clipper, very likely related. / @ViriBack ImageImageImageImage
3/ To get an idea of the scope, if we search on publicwww for the domain "jqueryns[.]com" we get 2196 infected sites, for the domain "jqscr[.]com" we get another 196 compromised sites so far.

- publicwww.com/websites/%22jq…
- publicwww.com/websites/%22jq…

More results in Google too 🤦‍♂️ ImageImageImageImage
Read 5 tweets
Feb 27, 2023
1/ Entonces, "kung_liao" un nuevo actor de amenazas logró acceso y expuso información privada de varias empresas Chilenas 🇨🇱

1) DIGITALPROSERVER.COM | 21/01/23
2) TESORERIA.CL | 03/02/23
3) CMFCHILE.CL | 12/02/23
4) ARKAVIA.COM | 15/02/23
2/ Para DIGITALPROSERVER.COM, el atacante indica que vende acceso a más de 500 DBs y sitios que incluyen importantes medios digitales, noticieros, radios, etc.

Como muestra, el atacante publicó credenciales y una de las Webshell que tenía instalada en El Mostrador (reportado)
3/ Para TESORERIA.CL, el atacante al parecer explotó una vulnerabilidad de Inyección SQL y además obtuvo acceso a la Intranet a través de la VPN.

Una de las evidencias muestra al atacante modificando información personal de una persona de apellido "Piñera Echenique".
Read 6 tweets
Jan 21, 2023
1/ DEV-0569, current distribution via #GoogleAds.

1.- #Gozi aka #Ursnif (bot) ↓
2.- #RedLine (stealer) ↓
And if the conditions are right, possibly:
3.- #CobaltStrike (C2) ↓
4.- #Royal Ransomware 💥

(No more BatLoader in the infection chain)
2/ For deployment, they use Add-MpPreference to configure exclusions in Windows Defender (extensions, paths and processes), #NSudo to launch binaries with full privileges and #GnuPG to encrypt the payloads.

Initial MSI file has 0 hits in VT.
3/ All payloads are hosted on @Bitbucket, in a repository that was created in August 2022.

In just 3 days, #Gozi and #RedLine have been downloaded 2477 and 2503 times respectively.

ZLocal.gpg has been downloaded more than 48193 times since December 24, 2022 (potential victims).
Read 10 tweets
Sep 29, 2022
1/ So, site impersonating @Fortinet downloads signed MSI that uses Powershell to run #BatLoader, if the user is connected to a domain (corporate network) it deploys:

1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥 ImageImageImageImage
2/ For initial deployment they use NirCmd, NSudo and GnuPG (to encrypt payloads) among other utilities.

* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b' ImageImageImageImage
3/ The websites are boosted through SEO poisoning and impersonate brands such as @Zoom, @TeamViewer, @anydesk, @LogMeIn, @CCleaner, #FileZilla and #Winrar among others.

/teamviewclouds.com
/zoomcloudcomputing.tech
/logmein-cloud.com
/teamcloudcomputing.com
/anydeskos.com ImageImageImageImage
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(