home.social

#amadey — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #amadey, aggregated by home.social.

  1. Unknown malware using WebSockets for botnet command&control, spreading through #ClickFix ⤵️

    🖱️ClickFix -> 📃VBS -> ⚙️MSI

    Payload delivery host:
    🌐 urlhaus.abuse.ch/host/103.27.1

    Malware sample 🤖:
    bazaar.abuse.ch/sample/4d8e5e8

    Botnet C2 domains:
    📡 w2li .xyz
    📡 w2socks .xyz

    The same malware is also being spread by #Amadey pay-per-install (PPI):
    ➡️ urlhaus.abuse.ch/url/3733103/

  2. We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥

    The malware gets dropped by #Amadey and:

    🪝 collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name
    💻 attempts to escalate privileges by running as admin or as a scheduled task

  3. Potential new stealer dropped by #Amadey, caught by @bitsight 🤖🔍Who can name it? ⤵️

    👉 hunting.abuse.ch/hunt/6919ec1c

    Botnet C2 domains:
    📡defender-temeerty .sbs
    📡telemetry-defender .lol

    Botnet C2 server:
    🛑185.100.157.69:443 (Partner Hosting 🇬🇧)

    Malware sample:
    📄 bazaar.abuse.ch/sample/903cdf6

    Dropped by Amadey via:
    🌐 urlhaus.abuse.ch/host/arabiana

  4. We encountered a new loader advertised as "Morpheus" in underground forums 🕵️, recently dropped by #Amadey ⬇️🪲. Morpheus' C2 protocol is based on HTTP and working with tasks, where each task consists of an ID and a command 📣

    Botnet C2: sophos-upd-srv .info 🇳🇱

    The #malware accepts two command line parameters:
    ➡️ log: Path where debug logs are stored
    ➡️ update-url: URL used by the self-update process

    #Morpheus has the following capabilities 💡:
    1️⃣ Persistence through the Windows registry. It copies itself to the AppData Roaming directory under "SysSvc64.exe" and creates a new registry Run key that points to its location.
    2️⃣ A host-based ID generated by collecting the current time, hostname and the MAC address of the compromised host.
    3️⃣ Collects system information of the compromised host and sends them to a botnet C2, both, in the form of "HeartBeat" but also as Task command
    4️⃣ A self update mechanism, where it will download a new version of itself, write it to disk with a ".tmp" suffix and immediately execute it. The current running instance will then exit.
    5️⃣ Execution of various actions based on the commands received from the #botnet C2

    The commands received from the botnet C2 come as a JSON object with two properties: "id" and "command". The following command-values are supported:
    ℹ️ sysinfo: Collects the following information from the compromised host:
    - Installed AV
    - CPU (number of cores, architecture)
    - Available Hard Disk (name, free space, total space)
    - Domain (is domain joined, domain name)
    - Available Memory (free, total)
    - Network ( addresses, MAC, name)
    - Processes (name, PID)
    - Installed Apps
    💥 selfdestruct: Deletes the Registry Run key and the executable from the disk running the command "/C ping 127.0.0.1 -n 3 > nul & del /f /q {sample_path}"

  5. Good day everyone!

    Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.

    Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.

    As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!

    MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
    lnkd.in/gUisprru

    Intel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  6. Good day everyone!

    Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.

    Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.

    As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!

    MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
    lnkd.in/gUisprru

    Intel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  7. Good day everyone!

    Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.

    Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.

    As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!

    MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
    lnkd.in/gUisprru

    Intel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  8. Good day everyone!

    Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.

    Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.

    As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!

    MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
    lnkd.in/gUisprru

    Intel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  9. Good day everyone!

    Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.

    Behaviors that are observed in this attack include a BUNCH of powershell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also us some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.

    As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!

    MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
    lnkd.in/gUisprru

    Intel 471 Cyborg Security, Now Part of Intel 471#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  10. Another day, another #Amadey 📅👀 This time dropping #SystemBC ⤵️

    Amadey botnet C2:
    📡cobolrationumelawrtewarms .com
    📡107.189.27.66 (AS14956 ROUTERHOSTING 🇳🇱)

    Dropping SystemBC from the following URL:
    🌐urlhaus.abuse.ch/url/3470633/

    SystemBC payload:
    📄bazaar.abuse.ch/sample/c13d59d

    SystemBC botnet C2:
    📡towerbingobongoboom .com
    📡213.209.150.137:4086 (AS42821 RAPIDNET 🇩🇪)

  11. We have observed #Amadey (botnet ID: 092155) dropping #BumbleBee on an infected device, leveraging a new DGA seed 🔥 It leverages nTLD click and does not only use a new seed (e5774fe6340da26c) but also changed the domain length from 10 to 11 👀

    Amadey C2 (AS57678 Cat Technologies 🇭🇰):
    👉threatfox.abuse.ch/ioc/1437914

    Active BumbleBee C2s 🛰️:
    109.205.195.228 RockHoster 🇩🇪
    194.127.179.88 Clouvider 🇳🇱
    84.200.17.29 First Colo 🇩🇪
    192.121.22.92 EDIS 🇩🇪
    103.214.68.110 ExtraVM 🇳🇱

    DGA domains:
    🌐threatfox.abuse.ch/browse/tag/

    BumbleBee malware sample:
    📄bazaar.abuse.ch/sample/f39ac7d

  12. This June saw the return of #Vidar, in at #9 with a +2,358% increase in samples shared on abuse.ch's URLhaus. But it's no match for fellow stealers, #StealC and #Amadey, with 2,6,28 and 1,771 samples shared respectively (!) 😲

    👉 Read the Malware Digest stats here: spamhaus.org/malware-digest/#u

    #Malware #URLHaus #ThreatIntelligence

  13. @RecklessPush38671 The initial “bearDemm” loader was downloaded by this sample, which is classified by TrendMicro as #Amadey:

    • 83c6f7d8026e3b966329e8c39a2c9e73
    • hxxp://193.233.132[.]167/lend/laryyyyy.exe

    These additional sandbox executions confirms this behavior:
    hybrid-analysis.com/sample/d96
    tria.ge/240301-ksr8xseh59/stat

    The C2 traffic from the downloaded sample looks nothing like Amadey though.

  14. Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey

    Bitsight has uncovered a proxy botnet delivered by PrivateLoader and Amadey, two loaders frequently employed by threat actors to distribute malware and build their botnets.

    Pulse ID: 65496ba01d87131cbc5a6484
    Pulse Link: otx.alienvault.com/pulse/65496
    Pulse Author: AlienVault
    Created: 2023-11-06 22:41:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #OTX #OpenThreatExchange #InfoSec #bot #CyberSecurity #malware #Socks5Systemz #proxy #Amadey #botnet #AlienVault

  15. "🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"

    The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.

    We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.

    BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗

    Source: BitSight Blog

    Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍

  16. "🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"

    The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.

    We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.

    BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗

    Source: BitSight Blog

    Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍

  17. "🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"

    The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.

    We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.

    BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗

    Source: BitSight Blog

    Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍

  18. "🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"

    The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.

    We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.

    BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗

    Source: BitSight Blog

    Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍

  19. "🚨 Rise of #SOCKS5Systemz: A New Proxy Menace 🌐"

    The BitSight investigation found that PrivateLoader and the Amadey botnet are now working together, making it easier to distribute malware. This partnership is a big threat because it simplifies how malware is spread.

    We also looked into SOCKS5Systemz, a proxy service, and discovered a concerning trend in proxy services. PrivateLoader and Amadey, which used to be separate threats, are now connected, showing a change in how cybercriminals cooperate.

    BitSight's latest findings reveal a new proxy service called Socks5Systemz. It's being distributed through PrivateLoader and Amadey, which are common tools for cybercriminals to spread malware. This service sells access to about 10,000 infected systems globally, with no victims in Russia, suggesting the operators may be located there. They offer different subscription levels, paid in cryptocurrency, letting clients hide their internet activity, which poses risks to network security. The botnet spans several European countries and provides standard and VIP subscriptions, meeting various user demands for anonymity.🤝💻🔗

    Source: BitSight Blog

    Tags: #CyberSecurity #ProxyServices #PrivateLoader #Amadey #CyberThreats #CyberCollaboration #InfoSec #ThreatIntelligence #Malware 🛡️🔍

  20. #WormsWeeklyIoC have been released. This week features #RecordBreaker/#racconv2, #Amadey #Botnet, and a rework of my #Rhadamanthys #Stealer #IoC gathering.

    Find all indicators here:
    github.com/Gi7w0rm/MalwareConf

    The proudest release this week is 85 new #Rhadamanthys #Stealer #C2s not prior known to #Threatfox.

    I invite you all to vet those to make sure my new method of gathering works correctly :)
    Together with this week's #Raccoon #IoC, they are all in #OTX as well.

    otx.alienvault.com/user/@Gi7w0

    Interesting side note: One of the #IoC for #Rhadamanthys #Stealer is IP: 104.156.149[.]126.

    This IP has been attributed as an Indicator of #Sandworm / GRU Unit 74455 by Google:
    blog.google/threat-analysis-gr

    Stay safe out there <3

  21. #WormsWeeklyIoC have been released. This week features #RecordBreaker/#racconv2, #Amadey #Botnet, and a rework of my #Rhadamanthys #Stealer #IoC gathering.

    Find all indicators here:
    github.com/Gi7w0rm/MalwareConf

    The proudest release this week is 85 new #Rhadamanthys #Stealer #C2s not prior known to #Threatfox.

    I invite you all to vet those to make sure my new method of gathering works correctly :)
    Together with this week's #Raccoon #IoC, they are all in #OTX as well.

    otx.alienvault.com/user/@Gi7w0

    Interesting side note: One of the #IoC for #Rhadamanthys #Stealer is IP: 104.156.149[.]126.

    This IP has been attributed as an Indicator of #Sandworm / GRU Unit 74455 by Google:
    blog.google/threat-analysis-gr

    Stay safe out there <3

  22. In November, 2022 the most observed payload distributed through malware sites was #Amadey followed by #AgentTesla 🔥

    Having a look at unique malware sites reported to URLhaus, we see #Emotet being at the very top of our ranking ⏫

    Read more in our monthly malware digest:
    👉 t.co/4Yg710BJa2