Germán Fernández (@1ZRR4H)
Sep 29, 2022 · 10 tweets
1/ So, a site impersonating @Fortinet downloads a signed MSI that uses PowerShell to run #BatLoader; if the user is connected to a domain (corporate network) it deploys:

1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥
2/ For the initial deployment they use NirCmd, NSudo and GnuPG (to encrypt the payloads), among other utilities.

* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b'
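The two commands quoted in this tweet are a good place to hang detection: deleting a CLSID under HKLM\SOFTWARE\Microsoft\AMSI\Providers unregisters that AMSI scanner (the CLSID shown is Microsoft Defender's provider), and the password-based decryption step unpacks the staged payloads. The script below is an added example, not code from the thread or from the BatLoader operators. It runs the rules over constructed PowerShell script-block text (the kind logged in Windows event 4104); the sample lines, rule names and severity levels are assumptions made for the example, and the gpg and NSudo variants are included because the tweet names those tools, not because those exact command lines appear on the page.

```python
"""Flag BatLoader-style deployment commands in PowerShell script-block text.

Added example: constructed samples, not real logs; rule names are assumptions.
"""
import re
from typing import Dict, List

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed script-block samples. Entries 1 and 2 are the commands quoted in
# the thread; the reg.exe, gpg and NSudo lines are assumed variants for the example.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem -Path $env:TEMP",
    'Remove-Item -Path "HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse',
    "Remove-Encryption -FolderPath $env:APPDATA -Password '105b'",
    'reg delete "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}" /f',
    "gpg.exe --batch --yes --passphrase 105b -d payload.gpg",
    "Start-Process .\\NSudo.exe -ArgumentList '-U:T -P:E cmd.exe'",
    "Write-Host 'hello'",
]

# (rule name, severity, pattern). Patterns are case-insensitive and tolerate
# both the PowerShell drive form (HKLM:\) and the reg.exe form (HKLM\).
RULES = [
    # Removing a provider key disables that AMSI scanner for every AMSI client.
    ("amsi_provider_removal", "high",
     re.compile(r"(?:Remove-Item(?:Property)?|reg(?:\.exe)?\s+delete)\b.*"
                r"HKLM:?\\SOFTWARE\\Microsoft\\AMSI\\Providers", re.I)),
    # Remove-Encryption is not a built-in cmdlet; a password argument in script
    # text is the payload-unpacking step the thread quotes.
    ("payload_decrypt_remove_encryption", "medium",
     re.compile(r"Remove-Encryption\b.*-Password\s+\S+", re.I)),
    # GnuPG decryption driven non-interactively from a script.
    ("gpg_payload_decrypt", "medium",
     re.compile(r"\bgpg2?(?:\.exe)?\b.*(?:--decrypt|\s-d\b|--passphrase)", re.I)),
    # NSudo / NirCmd are the privilege and execution helpers named in the tweet.
    ("nsudo_execution", "medium", re.compile(r"\bNSudo\w*(?:\.exe)?\b", re.I)),
    ("nircmd_execution", "low", re.compile(r"\bnircmdc?(?:\.exe)?\b", re.I)),
]


def classify(script_block: str) -> List[str]:
    """Return the names of every rule that fires on one script block, in rule order."""
    return [name for name, _sev, rx in RULES if rx.search(script_block)]


def scan(blocks: List[str]) -> List[Dict[str, object]]:
    """Return one finding per block that triggers at least one rule.

    The finding's severity is the highest severity among the rules that fired.
    """
    findings: List[Dict[str, object]] = []
    for index, text in enumerate(blocks):
        hits = classify(text)
        if not hits:
            continue
        severity = max((sev for name, sev, _rx in RULES if name in hits),
                       key=SEVERITY_RANK.__getitem__)
        findings.append({"index": index, "rules": hits,
                         "severity": severity, "text": text})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{finding['severity']:<6}] {', '.join(finding['rules'])}: {finding['text']}")
```

The AMSI rule is the one worth paging on: there is no routine administrative reason to delete Defender's provider registration, so it is high-fidelity even on its own, while the decryption and NSudo rules are better treated as context that raises the score of the host they fire on.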
3/ The websites are boosted through SEO poisoning and impersonate brands such as @Zoom, @TeamViewer, @anydesk, @LogMeIn, @CCleaner, #FileZilla and #Winrar among others.

/teamviewclouds.com
/zoomcloudcomputing.tech
/logmein-cloud.com
/teamcloudcomputing.com
/anydeskos.com
4/ Apparently this would be a "new" #Malsmoke campaign and these are the IoCs I saw:

#Ursnif aka #Gozi

C&C:
/45.8.158.104
/188.127.224.114
/weiqeqwns.com
/wdeiqeqwns.com
/weiqeqwens.com
/weiqewqwns.com
/iujdhsndjfks.com

[+] tria.ge/220928-xh5gqag…
5/ #Vidar is a thief that allows them to collect multiple valid credentials quickly from computers.

C2 from Telegram and Mastodon:
/t.me/trampapanam > 116.202.2.236
/nerdculture.de/yoxhyp > 88.198.89.6:80

[+] tria.ge/220928-vcwxaah…
6/ Then the TA installs #Syncro RMM (I didn't know this one) for C&C and persistence on the infected computers.

The installer sends a signal to:
/rmm.syncromsp.com/device_api/auth/?shop_api_key=HABB92nNT4_O5RPUFRDWwA&installer_version=1.0.161

[+] virustotal.com/gui/file/1988e…
7/ There are currently two #BatLoader C2 domains in use: updatea1[.]com and cloudupdatesss[.]com.

These were also being reported by @nosecurething who could see the usage of #SystemBC as well and @idclickthat on

/cc: @ViriBack
8/ I couldn't get the #CobaltStrike beacon yet, but no doubt, these are some C2s to watch out for:

/pregabas.com
/msoftupdate.com
/sombrat.com
/callibry.to
/alojun.com
/sombrat.com
/fregiyu.com
/get-topservice.com
/service1ventures.com
/anbush.com
/ausija.com
/zominoz.com
9/ More information about this campaign:
- medium.com/walmartglobalt…
- mandiant.com/resources/blog…
New domains related to this campaign, now impersonating AnyDesk, SlackHQ, Evernote and Adobe Acrobat Reader 🥸

/anydesko.tech
/slackss.tech
/evernotes.tech
/adobee.tech

Yara rule for MSI files: github.com/CronUp/ReglasD…

#BatLoader C2:
/cloudupdatesss.com
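The indicators across tweets 4, 5, 7, 8 and 10 arrive in three shapes: bare IPs (some with a port), domains (some defanged with [.]), and path-level URLs on legitimate services (the Telegram and Mastodon profiles Vidar reads its C2 from, and the Syncro enrollment endpoint). The script below is an added example, not code from the thread: it refangs the mixed forms, classifies each indicator, and matches them against constructed proxy-log lines with subdomain-aware domain matching. The log format, the sample lines, the documentation-range IPs and the "review" handling for legitimate hosts (t.me, rmm.syncromsp.com) are assumptions made for the example; a hit on those hosts means a Syncro install or a Telegram fetch worth looking at, not something to block outright.

```python
"""Refang and match the thread's indicators against constructed proxy-log lines.

Added example: the log format, sample lines and REVIEW_ONLY policy are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

# Indicators copied from the thread, in the mixed forms the tweets use.
RAW_IOCS = [
    "updatea1[.]com",                        # BatLoader C2
    "cloudupdatesss[.]com",                  # BatLoader C2
    "/weiqeqwns.com",                        # Ursnif C&C
    "/45.8.158.104",                         # Ursnif C&C
    "/188.127.224.114",                      # Ursnif C&C
    "/t.me/trampapanam",                     # Vidar C2 lookup on Telegram (path-level)
    "88.198.89.6:80",                        # Vidar C2 resolved from the Mastodon profile
    "/rmm.syncromsp.com/device_api/auth/",   # Syncro enrollment endpoint (legitimate API)
]

# Legitimate services the actor rides on: a hit is a lead for review, not a
# block decision. Assumed policy for this example.
REVIEW_ONLY = {"t.me", "rmm.syncromsp.com"}

Indicator = Tuple[str, str, str]  # (kind, host, path); kind is 'ip', 'domain' or 'url'


def refang(raw: str) -> str:
    """Undo the defanging and link-stripping seen in the thread."""
    s = raw.strip().lstrip("/")
    s = s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    for scheme in ("http://", "https://"):
        if s.lower().startswith(scheme):
            s = s[len(scheme):]
    return s


def parse_indicator(raw: str) -> Indicator:
    """Classify one refanged indicator. IPv4 only; an appended :port is dropped."""
    host, _, path = refang(raw).partition("/")
    host = host.split(":")[0].lower()
    if path:
        return ("url", host, "/" + path)
    try:
        ipaddress.ip_address(host)
        return ("ip", host, "")
    except ValueError:
        return ("domain", host, "")


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match; 'notupdatea1.com' must not match 'updatea1.com'."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def match_line(line: str, iocs: List[Indicator]) -> List[Tuple[str, str]]:
    """Constructed log format: timestamp src_ip dst_host dst_ip path."""
    _ts, _src, dst_host, dst_ip, path = line.split()
    hits: List[Tuple[str, str]] = []
    for kind, host, ipath in iocs:
        if kind == "ip" and dst_ip == host:
            hits.append(("block", host))
        elif kind == "domain" and host_matches(dst_host, host):
            hits.append(("block", host))
        elif kind == "url" and host_matches(dst_host, host) and path.startswith(ipath):
            verdict = "review" if host in REVIEW_ONLY else "block"
            hits.append((verdict, host + ipath))
    return hits


def scan_logs(lines: List[str], raw_iocs: List[str] = RAW_IOCS) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> hits for every line that matched at least one indicator."""
    iocs = [parse_indicator(r) for r in raw_iocs]
    return {i: hits for i, line in enumerate(lines) if (hits := match_line(line, iocs))}


# Constructed sample lines; destination IPs use documentation ranges except the
# Ursnif C&C address taken from the thread.
SAMPLE_LOGS = [
    "2022-09-28T10:00:01Z 10.0.0.5 cdn.updatea1.com 203.0.113.10 /update.php",
    "2022-09-28T10:00:02Z 10.0.0.5 weiqeqwns.com 45.8.158.104 /images/",
    "2022-09-28T10:00:03Z 10.0.0.7 t.me 203.0.113.20 /trampapanam",
    "2022-09-28T10:00:04Z 10.0.0.7 t.me 203.0.113.20 /somechannel",
    "2022-09-28T10:00:05Z 10.0.0.9 notupdatea1.com 198.51.100.2 /",
    "2022-09-28T10:00:06Z 10.0.0.9 rmm.syncromsp.com 198.51.100.3 /device_api/auth/",
]

if __name__ == "__main__":
    for index, hits in scan_logs(SAMPLE_LOGS).items():
        print(index, SAMPLE_LOGS[index].split()[2], hits)
```

Line 1 of the sample produces two hits (domain and IP) because Ursnif's C&C is listed both ways in the thread; keeping both lets the IP rule keep working after the domain is rotated. The Syncro and Telegram hits are deliberately path-scoped so that ordinary use of those services does not fire.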
