📌 1/ I find this technique very interesting: it's an LNK file that executes a payload hidden in the remnant data of the same LNK file, so if you only look at the shortcut properties you might miss something. [+] Document.pdf.lnk: bazaar.abuse.ch/sample/1eaec3a….
▪ 1) "powershell -W Hidden -e [Base64]" > http://raw.githubusercontent[.]com/MyPrincessAkira/Jarvas/main/Alej.exe.
▪ 2) PDF decoy from http://files.catbox[.]moe/p1yr9i.pdf.
Thanks to @malwrhunterteam for sharing the initial sample 🦾
T1204.001 User Execution: Malicious Link
2/ The Github repository gives us more clues about the possible propagation method: Youtube videos (including positive comments made by fraudulent accounts).
3/ Some samples of the videos (apparently all associated with games) and their comments.
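As an added example (not code from the thread or from the sample), a Python walk over the MS-SHLLINK structures that returns the shortcut's string fields together with any bytes left after the ExtraData terminal block, which is where data appended to an LNK file ends up; the sample file bytes are constructed here and the argument string is a placeholder.

```python
import struct

# CLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("01140200" "0000" "0000" "c000000000000046")
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

def parse_lnk(blob):
    """Walk the MS-SHLLINK structures and return (string_data, trailing_bytes).
    Anything after the ExtraData terminal block is not part of the shortcut
    and is never shown in the Properties dialog."""
    if len(blob) < 0x4C or struct.unpack_from("<I", blob, 0)[0] != 0x4C or blob[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    pos = 0x4C
    if flags & 0x01:                                   # HasLinkTargetIDList: 2-byte size + IDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & 0x02:                                   # HasLinkInfo: size is its first 4-byte field
        pos += struct.unpack_from("<I", blob, pos)[0]
    is_unicode = bool(flags & 0x80)
    strings = {}
    for bit, name in STRING_FIELDS:                    # StringData: 2-byte char count, then chars
        if flags & bit:
            count = struct.unpack_from("<H", blob, pos)[0]
            pos += 2
            raw = blob[pos:pos + count * (2 if is_unicode else 1)]
            strings[name] = raw.decode("utf-16-le" if is_unicode else "cp1252")
            pos += len(raw)
    while pos + 4 <= len(blob):                        # ExtraData blocks, each prefixed by its size
        size = struct.unpack_from("<I", blob, pos)[0]
        if size < 4:                                   # TerminalBlock: a size < 4 ends the structure
            pos += 4
            break
        pos += size
    return strings, blob[pos:]

def build_sample():
    """Constructed sample: header with HasArguments|IsUnicode, one argument string,
    the terminal block, then bytes appended after the end of the shortcut."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0xA0, 0,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    args = "-W Hidden -e QUJD"                         # placeholder, not the real sample's arguments
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    hidden = b"MZ" + b"\x90" * 8                       # constructed stand-in for appended data
    return header + string_data + b"\x00\x00\x00\x00" + hidden, hidden

if __name__ == "__main__":
    blob, _ = build_sample()
    strings, trailing = parse_lnk(blob)
    print("arguments:", strings.get("arguments"))
    print("bytes after terminal block:", len(trailing))
```

A non-empty trailing slice on a shortcut found in the wild is worth triaging, since a legitimate LNK ends at its terminal block.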
🚨 1/ Ongoing campaign primarily targeting security researchers here on Twitter.
Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔
2/ Tweets mention things like #0day, #databreach, #Kimsuky, #Lazarus and point to a file download on pan[.]baidu[.]com, just now removed.
There is also a repo on Github with connection data and credentials to supposed DBs and Web Apps that ask to use IE 🤭
3/ I tried 211.143.190.233:2222, at first glance harmless, but in the code we see that it points to a rather suspicious .JS.
When we deobfuscate and clean it, a hidden URL appears that could load the next stage; however, I could not get it (maybe geofenced or some other trick).
1/ Part of the script used by #TA569 (Initial Access Broker) to inject the Keitaro TDS code into compromised sites 🚩
In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others.
2/ Two #KeitaroTDS domains in use by #TA569:
- jqueryns[.]com
- jqscr[.]com "new"
On the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but it is some kind of bot/stealer/clipper, very likely related. / @ViriBack
3/ To get an idea of the scope, if we search on publicwww for the domain "jqueryns[.]com" we get 2196 infected sites, for the domain "jqscr[.]com" we get another 196 compromised sites so far.
2/ For DIGITALPROSERVER.COM, the attacker states that they sell access to more than 500 DBs and sites, including major digital media outlets, news outlets, radio stations, etc.
As a sample, the attacker published credentials and one of the webshells they had installed on El Mostrador (reported).
3/ For TESORERIA.CL, the attacker apparently exploited an SQL injection vulnerability and also gained access to the intranet through the VPN.
One piece of evidence shows the attacker modifying the personal information of a person with the surname "Piñera Echenique".
2/ For deployment, they use Add-MpPreference to configure exclusions in Windows Defender (extensions, paths and processes), #NSudo to launch binaries with full privileges and #GnuPG to encrypt the payloads.
Initial MSI file has 0 hits in VT.
3/ All payloads are hosted on @Bitbucket, in a repository that was created in August 2022.
In just 3 days, #Gozi and #RedLine have been downloaded 2477 and 2503 times respectively.
ZLocal.gpg has been downloaded more than 48193 times since December 24, 2022 (potential victims).