🚨 On February 26th and 27th Telekom Security and Bayern-CERT observed threat actor #TA577 phishing campaigns. This time the actor is not spreading malware, but apparently uses NTLMv2 handshakes to steal user credentials/hashes. 🧵1/7 Victims received a zipped HTML document that would relay them to the attacker SMB server via the contained "file://..." link. ⚠️ Please note that if such a file is opened in Edge or Chrome, the browser connects to the attacker server without prompting for confirmation! 🧵2/7

⚠️ This week, threat actor #TA577 introduced a rather interesting new approach to distribute their #Pikabot malware. Victim users received an #Excel spreadsheet prompting them to click on the contained button to view "files from the cloud". 🧵1/4 Further inspection of the file reveals that the document contains a hyperlink 🔗 to a remote SMB share, which hosts a Javascript file that triggers the Pikabot infection chain. 🧵2/4

#Qakbot threat actors are on fire 🔥 recently. We observed a high volume of attacks both internally and through external sources. Here is a brief summary of their current attack chain. 🧵1/6 Qakbot's main initial access vector is still through malspam campaigns ✉️. They use email thread hijacking for their spam messages to increase the likelihood that the victim user will interact on the message. 🧵2/6

⚠️ WARNING: There is currently a high volume of so-called #Malvertising attacks. Threat actors are placing ads in search engines like Google to to distribute their malware payloads. 🧵1/7 Their fraudulent web pages mimic the look of legitimate download pages for common software products. For example, here is a search advertisement and the corresponding fake website pretending to offer the software GIMP. 🧵2/7

#Qakbot once again had some surprises 🎁 for us this week. See below for a brief overview of what we found. 🧵 1/6 First and foremost, #Qakbot seems to have departed from their usual use of LNK files to trigger execution. Instead they now present .vbs or .js files at the root folder of the disk image 💿. 🧵 2/6

Raspberry Robin is a malware that has been around for some time now and spreads via infected USB drives.
Here is what we have seen over the last 10 months. 🧵 1/12 #RaspberryRobin #malware

via @lazy_daemon @sekoia_io and @redcanary have already published excellent technical analyses of this malware, so we won't go into more detail about it.

7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/…

redcanary.com/blog/raspberry…

🧵 2/12

🚨CAUTION🚨 : Attackers send invoice themed emails impersonating german companies to deliver #NetSupport #RAT. 🐀 via @lazy_daemon 🧵1/5 Attached to the email is a HTML file which tries to download and execute malicious Javascript code. 🧵2/5

Here are some lessons learned from our past engagements; see it as an easy checklist on what not to do. #LessonsLearned ✅ 1) MFA (Multi-Factor-Authentication) being not fully implemented or non-existent at all
While some attackers steal MFA tokens, it is rare! 📱 #MFA