Post

How to get URL link on X (Twitter) App

On the Twitter thread, click on or icon on the bottom
Click again on or Share Via icon
Click on Copy Link to Tweet
Paste it above and click "Unroll Thread"!
More info at Twitter Help

Germán Fernández

@1ZRR4H

Sep 29, 2022 • 10 tweets • 13 min read • Read on X

Scrolly

@Fortinet

1/ So, site impersonating @Fortinet downloads signed MSI that uses Powershell to run #BatLoader, if the user is connected to a domain (corporate network) it deploys:

1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥

2/ For initial deployment they use NirCmd, NSudo and GnuPG (to encrypt payloads) among other utilities.

* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b'

@Zoom

3/ The websites are boosted through SEO poisoning and impersonate brands such as @Zoom, @TeamViewer, @anydesk, @LogMeIn, @CCleaner, #FileZilla and #Winrar among others.

/teamviewclouds.com
/zoomcloudcomputing.tech
/logmein-cloud.com
/teamcloudcomputing.com
/anydeskos.com

4/ Apparently this would be a "new" #Malsmoke campaign and these are the IoCs I saw:

#Ursnif aka #Gozi

C&C:
/45.8.158.104
/188.127.224.114
/weiqeqwns.com
/wdeiqeqwns.com
/weiqeqwens.com
/weiqewqwns.com
/iujdhsndjfks.com

[+] tria.ge/220928-xh5gqag…

5/ #Vidar is a thief that allows them to collect multiple valid credentials quickly from computers.

C2 from Telegram and Mastodon:
/t.me/trampapanam > 116.202.2.236
/nerdculture.de/yoxhyp > 88.198.89.6:80

[+] tria.ge/220928-vcwxaah…

6/ Then the TA install #Syncro RMM (I didn't know this one) for C&C and persistence on the infected computers.

The installer sends a signal to:
/rmm.syncromsp.com/device_api/auth/?shop_api_key=HABB92nNT4_O5RPUFRDWwA&installer_version=1.0.161

[+] virustotal.com/gui/file/1988e…

@nosecurething

7/ There are currently two #BatLoader C2 domains in use: updatea1[.]com and cloudupdatesss[.]com.

These were also being reported by @nosecurething who could see the usage of #SystemBC as well

https://twitter.com/nosecurething/status/1572037530803113984

and @idclickthat on

https://twitter.com/idclickthat/status/1569679750138052608

/cc: @ViriBack

8/ I couldn't get the #CobaltStrike beacon yet, but no doubt, these are some C2s to watch out for:

/pregabas.com
/msoftupdate.com
/sombrat.com
/callibry.to
/alojun.com
/sombrat.com
/fregiyu.com
/get-topservice.com
/service1ventures.com
/anbush.com
/ausija.com
/zominoz.com

9/ More information about this campaign:
- medium.com/walmartglobalt…
- mandiant.com/resources/blog…

https://twitter.com/VK_Intel/status/1580300511081029632

New domains related to this campaign, now impersonating AnyDesk, SlackHQ, Evernote and Adobe Acrobat Reader 🥸

/anydesko.tech
/slackss.tech
/evernotes.tech
/adobee.tech

Yara rule for MSI files: github.com/CronUp/ReglasD…

#BatLoader C2:
/cloudupdatesss.com

https://twitter.com/VK_Intel/status/1580300511081029632

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @1ZRR4H

Germán Fernández

@1ZRR4H

Feb 2, 2024

📌 1/ I find this technique very interesting, it's a LNK file that executes a payload that hides in the remnant data of the same LNK file, so, if you only look at the shortcut properties you might miss something. [+] Document.pdf.lnk: bazaar.abuse.ch/sample/1eaec3a….

▪ 1) "powershell -W Hidden -e [Base64]" > http://raw.githubusercontent[.]com/MyPrincessAkira/Jarvas/main/Alej.exe.
▪ 2) PDF decoy from http://files.catbox[.]moe/p1yr9i.pdf.

Then, "Alej.exe" (bazaar.abuse.ch/sample/e974fde…) downloads the next stage from https://qu[.]ax/Gvlc.pdf (404 now).

Thanks to @malwrhunterteam for sharing the initial sample 🦾

T1204.001 User Execution: Malicious Link

2/ The Github repository gives us more clues about the possible propagation method: Youtube videos (including positive comments made by fraudulent accounts).

https://github[.]com/MyPrincessAkira/Jarvas/

- "engagement.txt":
https://www[.]youtube[.]com/watch?v=tYMUm7rabFM
https://www[.]youtube[.]com/watch?v=ccTKARJiM5c
https://www[.]youtube[.]com/watch?v=HL3Q9e5J3aU
https://www[.]youtube[.]com/watch?v=jQWB3zuhtEQ
https://www[.]youtube[.]com/watch?v=oADMNyZxrYM
https://www[.]youtube[.]com/watch?v=BtUdfVU0Tpc
https://www[.]youtube[.]com/watch?v=bGNibYNYFZ4
https://www[.]youtube[.]com/watch?v=o7lLqcEX96A
https://www[.]youtube[.]com/watch?v=zIXGazKWIT0
https://www[.]youtube[.]com/watch?v=QUvdG3g_a1s
https://www[.]youtube[.]com/watch?v=Cwzrzddv8qY
https://www[.]youtube[.]com/watch?v=c49YKB5dkEA
https://www[.]youtube[.]com/watch?v=V3zEF2v60mk
https://www[.]youtube[.]com/watch?v=8sacRZJrQgw
https://www[.]youtube[.]com/watch?v=BiRXvDc9zLE
https://www[.]youtube[.]com/watch?v=iGla02rqxJs
https://www[.]youtube[.]com/watch?v=Zb6FHscJPGM

- "videos_redirect.txt":
http://files[.]catbox[.]moe/o5w3yq[.]zip
http://files[.]catbox[.]moe/g6mac3[.]zip
http://files[.]catbox[.]moe/ab4uzt[.]zip
http://files[.]catbox[.]moe/j697j3[.]zip
http://files[.]catbox[.]moe/xhdjzs[.]zip
http://files[.]catbox[.]moe/gt2njt[.]zip

@JAMESWT_MHT @0xToxin @pr0xylife @AnFam17 @executemalware @g0njxa @StopMalvertisin @reecdeep @Cryptolaemus1 @Kostastsale 3/ Some samples of the videos (apparently all associated with games) and their comments.

Read 5 tweets

Germán Fernández

@1ZRR4H

May 25, 2023

🚨 1/ Ongoing campaign primarily targeting security researchers here on Twitter.

Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔

2/ Tweets mention things like #0day, #databreach, #Kimsuky, #Lazarus and point to a file download on pan[.]baidu[.]com, just now removed.

There is also a repo on Github with connection data and credentials to supposed DBs and Web Apps that ask to use IE 🤭

3/ I tried 211.143.190.233:2222, at first glance harmless, but in the code we see that it points to a rather suspicious .JS.

When we deofuscate and clean, a hidden URL appears that could load the next stage, however I could not get it (maybe geofenced or some other trick).

Read 7 tweets

Germán Fernández

@1ZRR4H

May 14, 2023

Some recently registered .ZIP domains 🤭

I liked this one too:
/keygen.zip

Okeyyyyyyyyy! 😏
/microsoft-office.zip

Read 7 tweets

Germán Fernández

@1ZRR4H

Mar 20, 2023

1/ Part of the script used by #TA569 (Initial Access Broker) to inject the Keitaro TDS code into compromised sites 🚩

In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others.

@ViriBack

2/ Two #KeitaroTDS domains in use by #TA569:
- jqueryns[.]com
- jqscr[.]com "new"

In the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but is some kind of bot/stealer/clipper, very likely related. / @ViriBack

3/ To get an idea of the scope, if we search on publicwww for the domain "jqueryns[.]com" we get 2196 infected sites, for the domain "jqscr[.]com" we get another 196 compromised sites so far.

- publicwww.com/websites/%22jq…
- publicwww.com/websites/%22jq…

More results in Google too 🤦‍♂️

Read 5 tweets

Germán Fernández

@1ZRR4H

Feb 27, 2023

1/ Entonces, "kung_liao" un nuevo actor de amenazas logró acceso y expuso información privada de varias empresas Chilenas 🇨🇱

1) DIGITALPROSERVER.COM | 21/01/23
2) TESORERIA.CL | 03/02/23
3) CMFCHILE.CL | 12/02/23
4) ARKAVIA.COM | 15/02/23

2/ Para DIGITALPROSERVER.COM, el atacante indica que vende acceso a más de 500 DBs y sitios que incluyen importantes medios digitales, noticieros, radios, etc.

Como muestra, el atacante publicó credenciales y una de las Webshell que tenía instalada en El Mostrador (reportado)

3/ Para TESORERIA.CL, el atacante al parecer explotó una vulnerabilidad de Inyección SQL y además obtuvo acceso a la Intranet a través de la VPN.

Una de las evidencias muestra al atacante modificando información personal de una persona de apellido "Piñera Echenique".

Read 6 tweets

Germán Fernández

@1ZRR4H

Jan 21, 2023

1/ DEV-0569, current distribution via #GoogleAds.

1.- #Gozi aka #Ursnif (bot) ↓
2.- #RedLine (stealer) ↓
And if the conditions are right, possibly:
3.- #CobaltStrike (C2) ↓
4.- #Royal Ransomware 💥

(No more BatLoader in the infection chain)

2/ For deployment, they use Add-MpPreference to configure exclusions in Windows Defender (extensions, paths and processes), #NSudo to launch binaries with full privileges and #GnuPG to encrypt the payloads.

Initial MSI file has 0 hits in VT.

@Bitbucket

3/ All payloads are hosted on @Bitbucket, in a repository that was created in August 2022.

In just 3 days, #Gozi and #RedLine have been downloaded 2477 and 2503 times respectively.

ZLocal.gpg has been downloaded more than 48193 times since December 24, 2022 (potential victims).

Read 10 tweets

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Share this page!

Enter URL or ID to Unroll

Germán Fernández

Try unrolling a thread yourself!

More from @1ZRR4H

Germán Fernández

Germán Fernández

Germán Fernández

Germán Fernández

Germán Fernández

Germán Fernández

Did Thread Reader help you today?

Don't want to be a Premium member but still want to support us?

Send Email!