Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Deutsche Telekom CERT Profile picture
@DTCERT
Feb 16 4 tweets 2 min read Read on X
⚠️ This week, threat actor #TA577 introduced a rather interesting new approach to distribute their #Pikabot malware. Victim users received an #Excel spreadsheet prompting them to click on the contained button to view "files from the cloud". 🧵1/4 Image
Further inspection of the file reveals that the document contains a hyperlink 🔗 to a remote SMB share, which hosts a Javascript file that triggers the Pikabot infection chain. 🧵2/4 Image
When the button is clicked 🖱️, Excel will run wscript.exe and pass the SMB address as a commandline parameter. Subsequently, the infection script downloads and executes the #Pikabot DLL from another remote server. 🧵3/4 Image
In the sample we analyzed, the Javascript was hosted on 85[.]195[.]115[.]20 and the Pikabot DLL was downloaded from https[:]//globalpanelinc[.]com/wnx/fGb 🧵4/4

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Deutsche Telekom CERT

Deutsche Telekom CERT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @DTCERT

Deutsche Telekom CERT Profile picture
Mar 24, 2023
#Qakbot threat actors are on fire 🔥 recently. We observed a high volume of attacks both internally and through external sources. Here is a brief summary of their current attack chain. 🧵1/6
Qakbot's main initial access vector is still through malspam campaigns ✉️. They use email thread hijacking for their spam messages to increase the likelihood that the victim user will interact on the message. 🧵2/6 Image
After a short excursion to OneNote files, both main active #Qakbot botnets have currently returned to using HTML smuggling to deliver the initial attack payload. This technique has already been seen in many campaigns last year. 🧵3/6
Read 6 tweets
Deutsche Telekom CERT Profile picture
Jan 20, 2023
⚠️ WARNING: There is currently a high volume of so-called #Malvertising attacks. Threat actors are placing ads in search engines like Google to to distribute their malware payloads. 🧵1/7
Their fraudulent web pages mimic the look of legitimate download pages for common software products. For example, here is a search advertisement and the corresponding fake website pretending to offer the software GIMP. 🧵2/7
However, instead of the benign software package, information stealers and other malware 🔥 are contained in the downloaded files. Once a victim user downloads and opens such a file, sensitive information such as browser profiles, email messages and more is stolen. 🧵3/7
Read 7 tweets
Deutsche Telekom CERT Profile picture
Nov 18, 2022
#Qakbot once again had some surprises 🎁 for us this week. See below for a brief overview of what we found. 🧵 1/6
First and foremost, #Qakbot seems to have departed from their usual use of LNK files to trigger execution. Instead they now present .vbs or .js files at the root folder of the disk image 💿. 🧵 2/6 Image
This alone would not be significant, since we have observed 🔍 .js and .vbs files in Qakbots infection chain before. Now however these files also contain a signature that apparently bypasses Windows MotW / SmartScreen warnings. 🧵 3/6 Image
Read 6 tweets
Deutsche Telekom CERT Profile picture
Sep 2, 2022
Raspberry Robin is a malware that has been around for some time now and spreads via infected USB drives.
Here is what we have seen over the last 10 months. 🧵 1/12 #RaspberryRobin #malware

via @lazy_daemon
@sekoia_io and @redcanary have already published excellent technical analyses of this malware, so we won't go into more detail about it.

7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/…

redcanary.com/blog/raspberry…

🧵 2/12
Since December, 2021, we've seen several cases mostly in Hungary🇭🇺 and Germany🇩🇪 but also a few in Russia🇷🇺 and India🇮🇳.
The user always clicked the malicious link, so no automatic infection when the USB drive was plugged in. 🧵 3/12
Read 12 tweets
Deutsche Telekom CERT Profile picture
Aug 25, 2022
🚨CAUTION🚨 : Attackers send invoice themed emails impersonating german companies to deliver #NetSupport #RAT. 🐀 via @lazy_daemon 🧵1/5
Attached to the email is a HTML file which tries to download and execute malicious Javascript code. 🧵2/5
The malicious Javascript code is heavily obfuscated and executes Powershell Code to download and execute an additional Payload. 🧵3/5
Read 6 tweets
Deutsche Telekom CERT Profile picture
May 6, 2022
Here are some lessons learned from our past engagements; see it as an easy checklist on what not to do. #LessonsLearned
1) MFA (Multi-Factor-Authentication) being not fully implemented or non-existent at all
While some attackers steal MFA tokens, it is rare! 📱 #MFA
2) Bad user privilege management
Does HR really need a domain admin? 👑 #UserPrivilegeManagement
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(