📌 1/ I find this technique very interesting, it's a LNK file that executes a payload that hides in the remnant data of the same LNK file, so, if you only look at the shortcut properties you might miss something. [+] Document.pdf.lnk: bazaar.abuse.ch/sample/1eaec3a….

▪ 1) "powershell -W Hidden -e [Base64]" > http://raw.githubusercontent[.]com/MyPrincessAkira/Jarvas/main/Alej.exe.
▪ 2) PDF decoy from http://files.catbox[.]moe/p1yr9i.pdf.

Then, "Alej.exe" (bazaar.abuse.ch/sample/e974fde…) downloads the next stage from https://qu[.]ax/Gvlc.pdf (404 now).

Thanks to @malwrhunterteam for sharing the initial sample 🦾

T1204.001 User Execution: Malicious Link


2/ The Github repository gives us more clues about the possible propagation method: Youtube videos (including positive comments made by fraudulent accounts).

https://github[.]com/MyPrincessAkira/Jarvas/

- "engagement.txt":
https://www[.]youtube[.]com/watch?v=tYMUm7rabFM
https://www[.]youtube[.]com/watch?v=ccTKARJiM5c
https://www[.]youtube[.]com/watch?v=HL3Q9e5J3aU
https://www[.]youtube[.]com/watch?v=jQWB3zuhtEQ
https://www[.]youtube[.]com/watch?v=oADMNyZxrYM
https://www[.]youtube[.]com/watch?v=BtUdfVU0Tpc
https://www[.]youtube[.]com/watch?v=bGNibYNYFZ4
https://www[.]youtube[.]com/watch?v=o7lLqcEX96A
https://www[.]youtube[.]com/watch?v=zIXGazKWIT0
https://www[.]youtube[.]com/watch?v=QUvdG3g_a1s
https://www[.]youtube[.]com/watch?v=Cwzrzddv8qY
https://www[.]youtube[.]com/watch?v=c49YKB5dkEA
https://www[.]youtube[.]com/watch?v=V3zEF2v60mk
https://www[.]youtube[.]com/watch?v=8sacRZJrQgw
https://www[.]youtube[.]com/watch?v=BiRXvDc9zLE
https://www[.]youtube[.]com/watch?v=iGla02rqxJs
https://www[.]youtube[.]com/watch?v=Zb6FHscJPGM

- "videos_redirect.txt":
http://files[.]catbox[.]moe/o5w3yq[.]zip
http://files[.]catbox[.]moe/g6mac3[.]zip
http://files[.]catbox[.]moe/ab4uzt[.]zip
http://files[.]catbox[.]moe/j697j3[.]zip
http://files[.]catbox[.]moe/xhdjzs[.]zip
http://files[.]catbox[.]moe/gt2njt[.]zip

🚨 1/ Ongoing campaign primarily targeting security researchers here on Twitter.

Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔 2/ Tweets mention things like #0day, #databreach, #Kimsuky, #Lazarus and point to a file download on pan[.]baidu[.]com, just now removed.

There is also a repo on Github with connection data and credentials to supposed DBs and Web Apps that ask to use IE 🤭

Some recently registered .ZIP domains 🤭 I liked this one too:
/keygen.zip

1/ Part of the script used by #TA569 (Initial Access Broker) to inject the Keitaro TDS code into compromised sites 🚩

In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others. 2/ Two #KeitaroTDS domains in use by #TA569:
- jqueryns[.]com
- jqscr[.]com "new"

In the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but is some kind of bot/stealer/clipper, very likely related. / @ViriBack

1/ Entonces, "kung_liao" un nuevo actor de amenazas logró acceso y expuso información privada de varias empresas Chilenas 🇨🇱

1) DIGITALPROSERVER.COM | 21/01/23
2) TESORERIA.CL | 03/02/23
3) CMFCHILE.CL | 12/02/23
4) ARKAVIA.COM | 15/02/23 2/ Para DIGITALPROSERVER.COM, el atacante indica que vende acceso a más de 500 DBs y sitios que incluyen importantes medios digitales, noticieros, radios, etc.

Como muestra, el atacante publicó credenciales y una de las Webshell que tenía instalada en El Mostrador (reportado)

1/ DEV-0569, current distribution via #GoogleAds.

1.- #Gozi aka #Ursnif (bot) ↓
2.- #RedLine (stealer) ↓
And if the conditions are right, possibly:
3.- #CobaltStrike (C2) ↓
4.- #Royal Ransomware 💥

(No more BatLoader in the infection chain) 2/ For deployment, they use Add-MpPreference to configure exclusions in Windows Defender (extensions, paths and processes), #NSudo to launch binaries with full privileges and #GnuPG to encrypt the payloads.

Initial MSI file has 0 hits in VT.

1/ So, site impersonating @Fortinet downloads signed MSI that uses Powershell to run #BatLoader, if the user is connected to a domain (corporate network) it deploys:

1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥 2/ For initial deployment they use NirCmd, NSudo and GnuPG (to encrypt payloads) among other utilities.

* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b'

LockBit 3.0 post Leak 📈🤦‍♂️

2022/07 - 31 hits
2022/08 - 21 hits
2022/09 - 165 hits
REF: valhalla.nextron-systems.com/info/rule/MAL_…

H/T @cyb3rops "Bl00dy Ransomware Gang" is one of the groups that already started using the builder (they use Telegram to continue their extortion scheme).

https://twitter.com/malwrhunterteam/status/1574260677597925376

19/SEPT: El grupo hacktivista #Guacamaya filtró 366 GB de correos internos del Estado Mayor Conjunto de las Fuerza Armadas de Chile (EMCO) 🇨🇱

La operación #FuerzasRepresivas corresponde a una serie de ataques a fuerzas policiales y militares en LATAM.

1/ El grupo estuvo explotando la vulnerabilidad #ProxyShell para acceder a los servidores Microsoft Exchange de las organizaciones.

Algunas IPs en las imágenes corresponden a servidores vulnerables alertados desde al menos el 09/Agosto/2021. REF: cronup.com/proxyshell-el-…

2/

1/ Interesting toolkit currently used by #Ransomware affiliates 💣

- 1.bat > Disabler (UAC/NLA/IFEOs)
- 1.msi > Anydesk wrapped using exemsi[.]com (persistence/C2)
- aswArPot.sys > Avast Anti-Rootkit driver used to disable AV/EDR (BYOVD)
- terminat.exe > #BURNTCIGAR (?) 2/ The artifacts were available until today on a server with #opendir (80.209.241.3:8888) that was active for at least 15 days.

You may want to block/monitor this hash: 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1 (aswArPot.sys)

[+] bazaar.abuse.ch/browse/tag/80-…

🚨 Cuidado con las descargas desde #Anonfiles (utilizado por muchos actores maliciosos), puede que en vez del archivo que querías, termines instalando, no solo 1, sino que 7 clases distintas de #Malware 👀

Revisemos por ejemplo: /anonfiles.com/7c62z4s9ob/Youtube_Viewer_rar

1/X Al hacer click en "download" se descarga automaticamente un archivo que tiene de nombre "YouTube+Viewer.rar[.]zip" pero la descarga se realiza desde /yfilesstorage.com/Youtube+Viewer.rar.zip?c=AISJk2FCGQUA4ksCAENMFwAMAMyKTf0A (.ZIP protegido con contraseña) 🤔

2/X

Un nuevo actor de amenazas puso en venta, múltiples DBs de Eleven Paths y Telefónica Chile 🇨🇱 (SOC)

El origen del Leak pareciera ser un sistema de tickets tipo BCM Remedy y podría afectar a otras 18 organizaciones ⚠️

[1/2] El atacante adjunta correo de este 17 de Abril y se registró hoy solo para subir esto, es probable que haya tenido/tenga acceso a la plataforma.

Todo indica que seguiremos viendo este tipo de Leaks en Chile si siguen compartiendo las URLs de estos foros 🤦‍♂️

A revisar!!

[2/2]

Nueva víctima de #Egregor
CENCOSUD 🇨🇱🇦🇷

Posible vector de acceso:
- RDP Expuesto a Internet
- También se habla de un INSIDER (?) 😬

OJO, en Chile otra empresa del RETAIL se encuentra infectada com #Emotet.

[#Ransomware] ALERTADOS el 15 oct. 2020 👇

https://twitter.com/1ZRR4H/status/1316845448720777219

Más info:
- laopiniononline.cl/cencosud-regis…
- blog.segu-info.com.ar/2020/11/nuevo-…

⚠️ Atacantes generan dominios fraudulentos para software de uso masivo como #Zoom, la recomendación:

NUNCA instales software o aplicaciones desde sitios NO oficiales como los que te muestro en las imágenes ☝️

Listado de dominios maliciosos: pastebin.com/iWfCNxkf

[1/3] 🔽 [2/3] #Phishing