Germán Fernández (@1ZRR4H)
Sep 29, 2022, 10 tweets
1/ So, a site impersonating @Fortinet downloads a signed MSI that uses PowerShell to run #BatLoader; if the user is connected to a domain (corporate network) it deploys:

1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥
2/ For initial deployment they use NirCmd, NSudo and GnuPG (to encrypt payloads) among other utilities.

* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b'
3/ The websites are boosted through SEO poisoning and impersonate brands such as @Zoom, @TeamViewer, @anydesk, @LogMeIn, @CCleaner, #FileZilla and #Winrar among others.

/teamviewclouds.com
/zoomcloudcomputing.tech
/logmein-cloud.com
/teamcloudcomputing.com
/anydeskos.com
4/ Apparently this would be a "new" #Malsmoke campaign and these are the IoCs I saw:

#Ursnif aka #Gozi

C&C:
/45.8.158.104
/188.127.224.114
/weiqeqwns.com
/wdeiqeqwns.com
/weiqeqwens.com
/weiqewqwns.com
/iujdhsndjfks.com

[+] tria.ge/220928-xh5gqag…
5/ #Vidar is a thief that allows them to collect multiple valid credentials quickly from computers.

C2 from Telegram and Mastodon:
/t.me/trampapanam > 116.202.2.236
/nerdculture.de/yoxhyp > 88.198.89.6:80

[+] tria.ge/220928-vcwxaah…
6/ Then the TA installs #Syncro RMM (I didn't know this one) for C&C and persistence on the infected computers.

The installer sends a signal to:
/rmm.syncromsp.com/device_api/auth/?shop_api_key=HABB92nNT4_O5RPUFRDWwA&installer_version=1.0.161

[+] virustotal.com/gui/file/1988e…
7/ There are currently two #BatLoader C2 domains in use: updatea1[.]com and cloudupdatesss[.]com.

These were also being reported by @nosecurething who could see the usage of #SystemBC as well and @idclickthat on

/cc: @ViriBack
8/ I couldn't get the #CobaltStrike beacon yet, but no doubt, these are some C2s to watch out for:

/pregabas.com
/msoftupdate.com
/sombrat.com
/callibry.to
/alojun.com
/fregiyu.com
/get-topservice.com
/service1ventures.com
/anbush.com
/ausija.com
/zominoz.com
9/ More information about this campaign:
- medium.com/walmartglobalt…
- mandiant.com/resources/blog…
New domains related to this campaign, now impersonating AnyDesk, SlackHQ, Evernote and Adobe Acrobat Reader 🥸

/anydesko.tech
/slackss.tech
/evernotes.tech
/adobee.tech

Yara rule for MSI files: github.com/CronUp/ReglasD…

#BatLoader C2:
/cloudupdatesss.com
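The SEO-poisoning sites in tweets 3 and 10 share one trait a defender can check for in DNS logs or new-registration feeds: the registrable label carries a brand name, a long brand prefix, or is one edit away from one. The Python below is an added example (not the thread author's code) of that heuristic. The BRANDS list and the ALLOWLIST of legitimate domains are assumptions made for the demo; the domains it is run against are the ones this thread lists.

```python
"""Flag brand-lookalike domains such as the SEO-poisoning sites in this thread.

Added example, not the thread author's code. BRANDS and ALLOWLIST are
assumptions chosen for the demo; the domains passed in come from the thread.
"""

# Brands the thread reports as impersonated, in label form.
BRANDS = ["zoom", "teamviewer", "anydesk", "logmein", "ccleaner",
          "filezilla", "winrar", "fortinet", "slack", "evernote", "adobe"]

# Legitimate registrable domains for those brands (assumed allow-list).
ALLOWLIST = {"zoom.us", "teamviewer.com", "anydesk.com", "logmein.com",
             "ccleaner.com", "filezilla-project.org", "win-rar.com",
             "fortinet.com", "slack.com", "evernote.com", "adobe.com"}

MIN_FRAGMENT = 6  # a brand prefix shorter than this is too common to flag


def registrable(domain: str) -> str:
    """Normalise a host (drop a leading '/', re-fang '[.]') and keep its last two labels."""
    host = domain.strip().lower().lstrip("/").replace("[.]", ".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain: str):
    """Return why a domain looks like brand impersonation, or None if it does not."""
    reg = registrable(domain)
    if reg in ALLOWLIST:
        return None
    label = reg.split(".")[0].replace("-", "")  # 'logmein-cloud' -> 'logmeincloud'
    for brand in BRANDS:
        if brand in label:
            return f"contains brand '{brand}'"
        if len(brand) > MIN_FRAGMENT:
            frag = brand[:max(MIN_FRAGMENT, len(brand) - 3)]  # 'teamviewer' -> 'teamvie'
            if frag in label:
                return f"contains brand prefix '{frag}'"
        if levenshtein(label, brand) <= 1:
            return f"within edit distance 1 of '{brand}'"
    return None


def scan(domains):
    """Map each flagged domain to its reason; domains that pass are left out."""
    return {d: r for d in domains if (r := lookalike_reason(d)) is not None}


THREAD_DOMAINS = [  # as listed in tweets 3 and 10 of this thread
    "/teamviewclouds.com", "/zoomcloudcomputing.tech", "/logmein-cloud.com",
    "/teamcloudcomputing.com", "/anydeskos.com",
    "/anydesko.tech", "/slackss.tech", "/evernotes.tech", "/adobee.tech",
]

if __name__ == "__main__":
    for domain, reason in scan(THREAD_DOMAINS).items():
        print(f"{domain:28} {reason}")
```

Eight of the nine thread domains are flagged; teamcloudcomputing.com is not, because it shares only "team" with TeamViewer. That miss is the point of the allow-list plus block-list pairing: a keyword heuristic catches the obvious lookalikes cheaply, and domains reported by threat intel still need to be blocked by exact match.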

More from @1ZRR4H

Feb 2, 2024
📌 1/ I find this technique very interesting, it's a LNK file that executes a payload that hides in the remnant data of the same LNK file, so, if you only look at the shortcut properties you might miss something. [+] Document.pdf.lnk: bazaar.abuse.ch/sample/1eaec3a….

▪ 1) "powershell -W Hidden -e [Base64]" > http://raw.githubusercontent[.]com/MyPrincessAkira/Jarvas/main/Alej.exe.
▪ 2) PDF decoy from http://files.catbox[.]moe/p1yr9i.pdf.

Then, "Alej.exe" (bazaar.abuse.ch/sample/e974fde…) downloads the next stage from https://qu[.]ax/Gvlc.pdf (404 now).

Thanks to @malwrhunterteam for sharing the initial sample 🦾

T1204.001 User Execution: Malicious Link
2/ The GitHub repository gives us more clues about the possible propagation method: YouTube videos (including positive comments made by fraudulent accounts).

https://github[.]com/MyPrincessAkira/Jarvas/

- "engagement.txt":
https://www[.]youtube[.]com/watch?v=tYMUm7rabFM
https://www[.]youtube[.]com/watch?v=ccTKARJiM5c
https://www[.]youtube[.]com/watch?v=HL3Q9e5J3aU
https://www[.]youtube[.]com/watch?v=jQWB3zuhtEQ
https://www[.]youtube[.]com/watch?v=oADMNyZxrYM
https://www[.]youtube[.]com/watch?v=BtUdfVU0Tpc
https://www[.]youtube[.]com/watch?v=bGNibYNYFZ4
https://www[.]youtube[.]com/watch?v=o7lLqcEX96A
https://www[.]youtube[.]com/watch?v=zIXGazKWIT0
https://www[.]youtube[.]com/watch?v=QUvdG3g_a1s
https://www[.]youtube[.]com/watch?v=Cwzrzddv8qY
https://www[.]youtube[.]com/watch?v=c49YKB5dkEA
https://www[.]youtube[.]com/watch?v=V3zEF2v60mk
https://www[.]youtube[.]com/watch?v=8sacRZJrQgw
https://www[.]youtube[.]com/watch?v=BiRXvDc9zLE
https://www[.]youtube[.]com/watch?v=iGla02rqxJs
https://www[.]youtube[.]com/watch?v=Zb6FHscJPGM

- "videos_redirect.txt":
http://files[.]catbox[.]moe/o5w3yq[.]zip
http://files[.]catbox[.]moe/g6mac3[.]zip
http://files[.]catbox[.]moe/ab4uzt[.]zip
http://files[.]catbox[.]moe/j697j3[.]zip
http://files[.]catbox[.]moe/xhdjzs[.]zip
http://files[.]catbox[.]moe/gt2njt[.]zip
@JAMESWT_MHT @0xToxin @pr0xylife @AnFam17 @executemalware @g0njxa @StopMalvertisin @reecdeep @Cryptolaemus1 @Kostastsale 3/ Some samples of the videos (apparently all associated with games) and their comments.
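The trick in tweet 1 of this thread, a payload stored after the end of the shortcut's own structures, is invisible to anything that only reads shortcut properties. A defender's triage check is to walk the documented structures and measure what follows them. The Python below is an added example (not the thread author's code and not an analysis of the linked sample): it parses the ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData and ExtraData sizes as laid out in MS-SHLLINK and returns whatever trails the terminal block. The shortcut bytes are constructed in-line by build_shortcut, with made-up name and argument strings, so the script runs offline; on a real file you would pass the contents of open(path, "rb").read().

```python
"""Measure the bytes that sit past the documented structures of a Windows .LNK.

Added example, not the thread author's code and not an analysis of the sample
linked above. The shortcut bytes are constructed in build_shortcut() so the
script runs offline. Structure sizes follow MS-SHLLINK: ShellLinkHeader,
LinkTargetIDList, LinkInfo, StringData, ExtraData.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide what follows the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_FLAGS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                HAS_ARGUMENTS, HAS_ICON_LOCATION)  # StringData order in the file


def parsed_end(data: bytes) -> int:
    """Offset one past the ExtraData TerminalBlock, i.e. where the documented file ends."""
    if len(data) < HEADER_SIZE or data[4:20] != LINK_CLSID \
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1         # CountCharacters is characters, not bytes
    for bit in STRING_FLAGS:
        if flags & bit:
            off += 2 + struct.unpack_from("<H", data, off)[0] * width
    while True:                                    # ExtraData blocks; BlockSize counts itself
        size = struct.unpack_from("<I", data, off)[0]
        off += 4
        if size < 4:                               # TerminalBlock ends the file
            break
        off += size - 4
    return off


def trailing_data(data: bytes) -> bytes:
    """Bytes after the last documented structure; a properties view never shows them."""
    return data[parsed_end(data):]


def build_shortcut(name: str, arguments: str, extra: bytes = b"") -> bytes:
    """Construct a minimal Unicode shortcut with Name and Arguments strings (demo input only)."""
    flags = HAS_NAME | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    terminal = struct.pack("<I", 0)
    return header + string_data(name) + string_data(arguments) + terminal + extra


if __name__ == "__main__":
    lnk = build_shortcut("Document.pdf", "-W Hidden -e <base64>",
                         extra=b"constructed-remnant-bytes")
    rest = trailing_data(lnk)
    print(f"structures end at {parsed_end(lnk)} of {len(lnk)} bytes; "
          f"{len(rest)} trailing bytes")
```

Any non-zero trailing length on a shortcut that arrived by mail or download is worth a closer look; legitimate shortcuts end at the terminal block.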
May 25, 2023
🚨 1/ Ongoing campaign primarily targeting security researchers here on Twitter.

Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔
2/ Tweets mention things like #0day, #databreach, #Kimsuky, #Lazarus and point to a file download on pan[.]baidu[.]com, just now removed.

There is also a repo on Github with connection data and credentials to supposed DBs and Web Apps that ask to use IE 🤭
3/ I tried 211.143.190.233:2222, at first glance harmless, but in the code we see that it points to a rather suspicious .JS.

When we deobfuscate and clean it, a hidden URL appears that could load the next stage; however, I could not get it (maybe geofenced or some other trick).
May 14, 2023
Some recently registered .ZIP domains 🤭
I liked this one too:
/keygen.zip
Okeyyyyyyyyy! 😏
/microsoft-office.zip
Mar 20, 2023
1/ Part of the script used by #TA569 (Initial Access Broker) to inject the Keitaro TDS code into compromised sites 🚩

In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others.
2/ Two #KeitaroTDS domains in use by #TA569:
- jqueryns[.]com
- jqscr[.]com "new"

In the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but is some kind of bot/stealer/clipper, very likely related. / @ViriBack
3/ To get an idea of the scope, if we search on publicwww for the domain "jqueryns[.]com" we get 2196 infected sites, for the domain "jqscr[.]com" we get another 196 compromised sites so far.

- publicwww.com/websites/%22jq…
- publicwww.com/websites/%22jq…

More results in Google too 🤦‍♂️
Feb 27, 2023
1/ So, "kung_liao", a new threat actor, gained access to and exposed private information from several Chilean companies 🇨🇱

1) DIGITALPROSERVER.COM | 21/01/23
2) TESORERIA.CL | 03/02/23
3) CMFCHILE.CL | 12/02/23
4) ARKAVIA.COM | 15/02/23
2/ For DIGITALPROSERVER.COM, the attacker states that they sell access to more than 500 DBs and sites, including major digital media outlets, news services, radio stations, etc.

As a sample, the attacker published credentials and one of the webshells they had installed on El Mostrador (reported).
3/ For TESORERIA.CL, the attacker apparently exploited a SQL injection vulnerability and also gained access to the intranet through the VPN.

One piece of evidence shows the attacker modifying the personal information of a person with the surname "Piñera Echenique".
Jan 21, 2023
1/ DEV-0569, current distribution via #GoogleAds.

1.- #Gozi aka #Ursnif (bot) ↓
2.- #RedLine (stealer) ↓
And if the conditions are right, possibly:
3.- #CobaltStrike (C2) ↓
4.- #Royal Ransomware 💥

(No more BatLoader in the infection chain)
2/ For deployment, they use Add-MpPreference to configure exclusions in Windows Defender (extensions, paths and processes), #NSudo to launch binaries with full privileges and #GnuPG to encrypt the payloads.

Initial MSI file has 0 hits in VT.
3/ All payloads are hosted on @Bitbucket, in a repository that was created in August 2022.

In just 3 days, #Gozi and #RedLine have been downloaded 2477 and 2503 times respectively.

ZLocal.gpg has been downloaded more than 48193 times since December 24, 2022 (potential victims).
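This thread and the Sep 29, 2022 thread at the top of the page describe the same deployment tooling from the defender's side: an AMSI provider registry key deleted with Remove-Item, Windows Defender exclusions added with Add-MpPreference, NSudo used to launch binaries with elevated privileges, and GnuPG used to decrypt the staged payloads. Each of those leaves a line in PowerShell script block logging (event 4104, ScriptBlockText). The Python below is an added example (not the author's code): a handful of rules run over constructed script-block lines. The sample lines are made up for the demo and reuse only values the threads already show (the AMSI provider CLSID, the '105b' passphrase, ZLocal.gpg, the Remove-Encryption helper name); the NSudo switches are ordinary NSudo syntax, not taken from the threads.

```python
"""Triage PowerShell script-block log text for the deployment tradecraft the threads
describe: AMSI provider removal, Defender exclusions, NSudo launches, GnuPG decrypts.

Added example, not the thread author's code. SAMPLE_SCRIPT_BLOCKS are constructed
for the demo and are not real log records.
"""
import re

# (rule id, description, pattern). Case-insensitive because PowerShell is.
RULES = [
    ("amsi_provider_removed",
     "AMSI provider key deleted under HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers (T1562.001)",
     re.compile(r"Remove-Item\b.*\\AMSI\\Providers\\", re.I)),
    ("defender_exclusion_added",
     "Windows Defender exclusion added with Add-MpPreference (T1562.001)",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", re.I)),
    ("nsudo_launch",
     "NSudo invoked to run a program with elevated privileges",
     re.compile(r"\bNSudo(?:\.exe)?\b", re.I)),
    ("gpg_decrypt",
     "GnuPG decrypt with an inline passphrase, unpacking a staged payload (T1140)",
     re.compile(r"\bgpg(?:\.exe)?\b.*--(?:decrypt|passphrase)", re.I)),
    ("remove_encryption_helper",
     "Remove-Encryption -FolderPath helper seen in the BatLoader MSI script",
     re.compile(r"Remove-Encryption\b.*-FolderPath", re.I)),
]

# Constructed ScriptBlockText samples; the last line is benign administrative use.
SAMPLE_SCRIPT_BLOCKS = [
    r'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse',
    r"Add-MpPreference -ExclusionExtension '.exe' -ExclusionPath $env:APPDATA -ExclusionProcess 'gpg.exe'",
    r'& "$env:APPDATA\NSudo.exe" -U:S -P:E "$env:APPDATA\ZLocal.exe"',
    r'gpg.exe --batch --passphrase 105b --output "$env:APPDATA\ZLocal.exe" --decrypt "$env:APPDATA\ZLocal.gpg"',
    r"Remove-Encryption -FolderPath $env:APPDATA -Password '105b'",
    r"Get-ChildItem -Path $env:APPDATA -Recurse | Measure-Object",
]


def triage(lines):
    """Map line index -> list of matching rule ids; lines with no match are omitted."""
    hits = {}
    for i, line in enumerate(lines):
        matched = [rule_id for rule_id, _, pattern in RULES if pattern.search(line)]
        if matched:
            hits[i] = matched
    return hits


def explain(hits):
    """Render triage output as one human-readable line per flagged script block."""
    descriptions = {rule_id: desc for rule_id, desc, _ in RULES}
    return [f"line {i}: " + "; ".join(descriptions[r] for r in rules)
            for i, rules in sorted(hits.items())]


if __name__ == "__main__":
    for entry in explain(triage(SAMPLE_SCRIPT_BLOCKS)):
        print(entry)
```

The AMSI and Defender rules are the ones worth paging on: both are defence-evasion actions that ordinary administration almost never performs from a script block, and each occurred before the payloads ran in the chains described here, so they give an earlier detection point than the Gozi or RedLine binaries themselves.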
