Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
ESET Research Profile picture
@ESETresearch
May 20, 2022 6 tweets 6 min read Read on X
#BREAKING #Sandworm continues attacks in Ukraine 🇺🇦. #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks. This updated piece of the puzzle is malware
@_CERT_UA calls #ArguePatch. ArguePatch was used to launch #CaddyWiper. #WarInUkraine 1/6 Image
The #Industroyer2 attacks used a patched version of @HexRaysSA IDA Pro’s remote debug server (win32_remote.exe). It was modified to include code to decrypt and run #CaddyWiper from an external file. 2/6 ImageImage
This time, #Sandworm chose an official @ESET executable to hide #ArguePatch. It was stripped of its digital signature and code was overwritten in a function called during the MSVC runtime initialization. 3/6 ImageImage
The added code is very similar in both cases, but it now includes a feature to launch the next stage at a particular time. This makes #ArguePatch a timed bomb when started. 4/6 Image
This replaces the need to setup a Windows scheduled task for future detonation. This is perhaps a way to evade detections using known TTPs. 5/6
IoC:
eset_ssl_filtered_cert_importer.exe
SHA-1: 796362BD0304E305AD120576B6A8FB6721108752
ESET detection name: Win32/Agent.AEGY trojan #ESETresearch
6/6

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET Research

ESET Research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

ESET Research Profile picture
Aug 30, 2023
#ESETresearch identified two GREF campaigns targeting #Android users with @signalapp and @telegram apps trojanized into cyberespionage tools .
@LukasStefanko

1/9 welivesecurity.com/en/eset-resear…
Image
Signal Plus Messenger and FlyGram were built by merging the BadBazaar espionage code, previously used to target #Uyghurs and other #Turkic minorities, into the respective base app’s code. 2/9
The purpose of both apps is data exfiltration. Signal Plus Messenger presents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device. 3/9 Image
Read 9 tweets
ESET Research Profile picture
May 10, 2023
#ESETResearch warns about a CPIO archive named “Jump Crypto Investment ” uploaded to VirusTotal from the USA 🇺🇸. It is another malicious PDF viewer distributed by #Lazarus #APT for #macOS @pkalnai @michalmalik 1/7 Agreement.zip

Image
@pkalnai @michalmalik The archive contains a fully functional – but malicious – PDF viewer, and a crafted “locked” PDF file. When the file is opened in the viewer, the malicious code is triggered. The functionality is very similar to the malware reported by @JamfSoftware. 2/7 jamf.com/blog/bluenorof…
Image
@pkalnai @michalmalik @JamfSoftware First, the malicious PDF viewer decrypts a decoy document embedded inside the original PDF file, and displays it to the target. 3/7 Image
Read 7 tweets
ESET Research Profile picture
Apr 20, 2023
#ESETResearch confirms Lazarus is linked to the recent #3CX supply-chain attacks. Based on code similarities and network infrastructure, we connect the 3CX incident with a Linux case of DreamJob, a long-term Lazarus operation using job offer as lures. 1/6 welivesecurity.com/2023/04/20/lin…
First, let’s look at the timeline. It shows that the trojanized macOS version of the 3CX Desktop App was ready two months prior to the distribution of the Windows version. Also interesting is that the attack was in preparation as early as December 2022. 2/6 Image
It was reported that Mandiant has found Mac malware they call SIMPLESEA inside the 3CX network. While we do not have the sample, their description of this malware overlaps with second-stage Linux malware we found while investigating a recent Operation DreamJob case. 3/6 Image
Read 6 tweets
ESET Research Profile picture
Mar 14, 2023
#ESETResearch discovered an attack by APT group Tick against a data-loss prevention (DLP) company in East Asia and found a previously unreported tool used by the group. welivesecurity.com/2023/03/14/slo… @0xfmz 1/6
In 2021, in the DLP company’s network, the attackers introduced trojanized installers of the legitimate application Q-dir, part of a toolkit used by the company. When executed, the installer dropped the open-source ReVBShell backdoor and ran the original Q-dir application. 2/6 Image
Subsequently, in 2022, on customers of the DLP company’s software, the trojanized Q-dir installers were deployed using remote support tools. Our hypothesis is that this occurred while the DLP company provided technical support to their customers. 3/6
Read 6 tweets
ESET Research Profile picture
Mar 2, 2023
#ESETResearch analyzed a new #MustangPanda backdoor. Its C&C communications is done over #MQTT using the open-source QMQTT library, so we named it MQsTTang. This library depends on parts of the Qt framework, statically linked in the PE. welivesecurity.com/2023/03/02/mqs… 1/5
A sample of MQsTTang was identified by @Unit42_Intel on 2023-02-17. As stated in that thread, the backdoor uses the legitimate MQTT broker 3.228.54.173. This has the benefit of hiding their actual C&C servers from victims and analysts. 2/5
This malware family is also tracked as "Kumquat" by @threatinsight.
3/5
Read 5 tweets
ESET Research Profile picture
Mar 1, 2023
#ESETResearch analyze first in-the-wild UEFI bootkit bypassing UEFI Secure Boot even on fully updated Windows 11 systems. Its functionality indicates it is the #BlackLotus UEFI bootkit, for sale on hacking forums since at least Oct 6, 2022. @smolar_m welivesecurity.com/2023/03/01/bla… 1/11
BlackLotus brings legit but vulnerable binaries to the victim’s system (#BYOVD) to exploit #CVE-2022-21894 and bypass UEFI Secure Boot on up-to-date Windows systems. In some samples, these binaries are downloaded directly from the MS Symbol Store. cve.mitre.org/cgi-bin/cvenam… 2/11
Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible by bringing vulnerable drivers to the system, as the affected binaries have still not been added to the UEFI revocation list. msrc.microsoft.com/update-guide/e… 3/11
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(