Share this page!

ESET research Profile picture
Twitter logo
Jan 27 3 tweets 2 min read
#BREAKING On January 25th #ESETResearch discovered a new cyberattack in 🇺🇦 Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in Go programing language. We attribute this attack to #Sandworm. 1/3
Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer. For overwriting it uses 4096 bytes length block filled with randomly generated byte 2/3
IoCs:
📄7346E2E29FADDD63AE5C610C07ACAB46B2B1B176
ESET Detection names:
🚨 WinGo/KillFiles.C trojan 3/3

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET research

ESET research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

ESET research Profile picture
Nov 30, 2022
#ESETesearch discovered Dolphin, a sophisticated backdoor extending the arsenal of the #ScarCruft APT group. Dolphin has a wide range of spying capabilities and is deployed on selected targets only.
welivesecurity.com/2022/11/30/who… 1/6
The backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named BLUELIGHT, previously reported by Volexity and Kaspersky. 2/6
While BLUELIGHT performs basic reconnaissance, Dolphin actively searches the drives of compromised systems for files of interest and exfiltrates them to Google Drive. Its other capabilities include keylogging, taking screenshots and stealing credentials from browsers. 3/6
Read 6 tweets
ESET research Profile picture
Nov 25, 2022
#ESETResearch discovered an ongoing Android RAT campaign that uses #FIFAWorldCup in Qatar🇶🇦 as a lure and already infected over 750 devices. It spreads via Facebook page linking to a website distributing the RAT. Downloaded RAT also offers World Cup news and live broadcasts 1/4 ImageImageImage
The RAT has extensive capabilities like exfiltrating SMS, call logs, contact list, photos, clipboard, files with particular extensions, record phone calls, take pictures, etc. Exfiltrated data is encrypted and uploaded to attacker’s server. 2/4 ImageImage
IoCs:
Distribution website: kora442[.]com
C&C server: firebasecrashanalyticz[.]com
APK hash: 60B1DA6905857073C4C46E7E964699D9C7A74EC7
ESET detection: Android/Spy.Agent.BOC 3/4
Read 4 tweets
ESET research Profile picture
Nov 25, 2022
On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9
@_CERT_UA Its authors make multiple references to Monsters, Inc., the 2001 movie by Pixar. The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare kids. 2/9
@_CERT_UA The executable file is also named Sullivan.<version?>.exe and references are present in the code as well. 3/9
Read 9 tweets
ESET research Profile picture
Nov 23, 2022
#ESETresearch discovered an active #Android campaign conducted by the hack-for-hire group #Bahamut. The campaign has been active since January 2022, with malicious apps are distributed through a fake #SecureVPN website
@LukasStefanko welivesecurity.com/2022/11/23/bah… 1/6
We discovered at least 8 versions of the spyware, all trojanized versions of legitimate VPN apps SoftVPN and OpenVPN; none have been available on Google Play. The fake SoftVPN triggered our YARA rules; we also got a DM from @malwrhunterteam about the sample. TY folks!
2/6 Image
The fake website was registered on 2022-01-27 and created based on a free web template. It was most likely used by the threat actor as an inspiration, as it required only small changes and looks trustworthy.
3/6 Image
Read 6 tweets
ESET research Profile picture
Nov 22, 2022
#ESETResearch discovered that #LuckyMouse/#APT27 used a code-signing certificate belonging to VMPsoft, the developer of the VMProtect packer. The signed file is a loader for the SysUpdate backdoor (aka Soldier). We notified VMPSoft of this compromise 1/4
virustotal.com/gui/file/a8527… Image
Pivoting on the certificate, we found genuine VMPsoft binaries and a sample of SysUpdate signed and packed with VMProtect. Since LuckyMouse rarely use VMProtect, it is possible that they also stole VMProtect packer when they got the digi certificate. 2/4
virustotal.com/gui/file/cc196…
While the certificate is still valid, we have notified GlobalSign.

Thumbprint: 6EF192CBD6E540F1D740D1BD96317ACAE8C6AF9D

Subject: Permyakov Ivan Yurievich IP, Ekaterinburg, Sverdlovskaya oblast, RU

Valid from: 2022-05-17 11:18:43

Valid to: 2023-05-18 11:18:43 3/4
Read 4 tweets
ESET research Profile picture
Nov 9, 2022
#ESETResearch discovered and reported to the manufacturer 3 vulnerabilities in the #UEFI firmware of several Lenovo Notebooks. The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS. @smolar_m 1/9
Reported vulnerabilities – #CVE-2022-3430, #CVE-2022-3431, and #CVE-2022-3432 – affect various Lenovo Yoga, IdeaPad and ThinkBook devices. All affected devices with an active development support have been fixed after we reported them to the manufacturer. 2/9
While disabling UEFI Secure Boot allows direct execution of unsigned UEFI apps, restoring factory default dbx enables the use of known vulnerable bootloaders (e.g., #CVE-2022-34301 found by @eclypsium) to bypass Secure Boot, while keeping it enabled.
eclypsium.com/2022/08/11/vul… 3/9
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(