Share this page!

Deutsche Telekom CERT Profile picture
Twitter logo
Nov 18 6 tweets 3 min read
#Qakbot once again had some surprises 🎁 for us this week. See below for a brief overview of what we found. 🧵 1/6
First and foremost, #Qakbot seems to have departed from their usual use of LNK files to trigger execution. Instead they now present .vbs or .js files at the root folder of the disk image 💿. 🧵 2/6 Image
This alone would not be significant, since we have observed 🔍 .js and .vbs files in Qakbots infection chain before. Now however these files also contain a signature that apparently bypasses Windows MotW / SmartScreen warnings. 🧵 3/6 Image
It most likely comes as a response to Microsoft's recent patch that propagates MotW to mounted ISO/IMG virtual disks 🧵 4/6
The malformed Authenticode signatures that #Qakbot is now using have first been seen as part of the #Magniber ransomware. Here is a good writeup that explains how these signatures seem to confuse SmartScreen: blog.0patch.com/2022/10/free-m… 🧵 5/6
Hopefully, Microsoft will fix this issue soon. Until then, security teams should pay special attention ⚠️ to .js and .vbs files run via wscript.exe from a virtual disk drive! 🧵 6/6

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Deutsche Telekom CERT

Deutsche Telekom CERT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @DTCERT

Deutsche Telekom CERT Profile picture
Sep 2
Raspberry Robin is a malware that has been around for some time now and spreads via infected USB drives.
Here is what we have seen over the last 10 months. 🧵 1/12 #RaspberryRobin #malware

via @lazy_daemon
@sekoia_io and @redcanary have already published excellent technical analyses of this malware, so we won't go into more detail about it.

7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/…

redcanary.com/blog/raspberry…

🧵 2/12
Since December, 2021, we've seen several cases mostly in Hungary🇭🇺 and Germany🇩🇪 but also a few in Russia🇷🇺 and India🇮🇳.
The user always clicked the malicious link, so no automatic infection when the USB drive was plugged in. 🧵 3/12
Read 12 tweets
Deutsche Telekom CERT Profile picture
Aug 25
🚨CAUTION🚨 : Attackers send invoice themed emails impersonating german companies to deliver #NetSupport #RAT. 🐀 via @lazy_daemon 🧵1/5
Attached to the email is a HTML file which tries to download and execute malicious Javascript code. 🧵2/5
The malicious Javascript code is heavily obfuscated and executes Powershell Code to download and execute an additional Payload. 🧵3/5
Read 6 tweets
Deutsche Telekom CERT Profile picture
May 6
Here are some lessons learned from our past engagements; see it as an easy checklist on what not to do. #LessonsLearned
1) MFA (Multi-Factor-Authentication) being not fully implemented or non-existent at all
While some attackers steal MFA tokens, it is rare! 📱 #MFA
2) Bad user privilege management
Does HR really need a domain admin? 👑 #UserPrivilegeManagement
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(