home.social

#arj — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #arj, aggregated by home.social.

  1. Today in our section on "unconventional #Malware delivery": #ARJ archives! 📦
    ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader

    You can recognize ARJ archives by their Magic: 60 EA
    Extraction can be handled with 7zip for example.
    For more information on the file format check out Ange Albertini's excellent graphic representation: twitter.com/angealbertini/stat

    As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
    To fool the victims into opening the next file they used the common #doubleExtension trick, e.g. .pdf.exe

    IoC for those playing along at home:

    PO_Payment for invoice[...].eml.arj
    d0c8824d1e19ca1af0b88a477fa4cad6

    SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
    88bdf4f8fe035276da984c370e4cda2c

    #infosec #cybersecurity #blueteam
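An added example (mine, not code from the post above): a small Python detection helper that identifies ARJ archives by the 60 EA magic the post mentions, flags the .pdf.exe-style double-extension trick, and walks an ARJ -> RAR -> EXE chain the way the post describes it. The sample filenames and byte strings are constructed, and the RAR and MZ magics are well-known constants rather than values from the post.

```python
from typing import Dict, List, Tuple

# Magic bytes: ARJ's 60 EA from the post; RAR and MZ (EXE) are well-known constants.
MAGICS: Dict[str, bytes] = {"arj": b"\x60\xea", "rar": b"Rar!\x1a\x07", "exe": b"MZ"}
# Document-like extensions used as bait, and extensions that execute or unpack.
DOC_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "eml", "txt", "jpg", "png"}
RISKY = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "arj", "rar", "zip"}

def identify(data: bytes) -> str:
    """Return the container type by magic bytes, or 'unknown'."""
    for kind, magic in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def split_extensions(filename: str) -> List[str]:
    """Lower-cased extensions of the base name: 'X.PDF.exe' -> ['pdf', 'exe']."""
    return [p.lower() for p in filename.rsplit("/", 1)[-1].split(".")[1:]]

def is_double_extension_trick(filename: str) -> bool:
    """True when a document-like extension directly precedes a risky final one."""
    exts = split_extensions(filename)
    return len(exts) >= 2 and exts[-1] in RISKY and exts[-2] in DOC_LIKE

def assess_chain(stages: List[Tuple[str, bytes]]) -> List[str]:
    """Walk an unpacking chain (outermost first) and collect alert-worthy findings."""
    findings: List[str] = []
    types = [identify(data) for _, data in stages]
    for (name, _), kind in zip(stages, types):
        exts = split_extensions(name)
        if is_double_extension_trick(name):
            findings.append(f"double extension: {name}")
        # e.g. something named .pdf whose content actually starts with MZ
        if kind != "unknown" and exts and exts[-1] != kind:
            findings.append(f"content is {kind} but name says .{exts[-1]}: {name}")
    if types and types[-1] == "exe" and "arj" in types:
        findings.append("executable delivered through an ARJ chain: " + " -> ".join(types))
    return findings

# Constructed stand-in for the ARJ -> RAR -> EXE chain; only the headers are realistic.
SAMPLE_CHAIN: List[Tuple[str, bytes]] = [
    ("Invoice_scan.eml.arj", b"\x60\xea\x2a\x00" + b"\x00" * 40),
    ("payload.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 40),
    ("SHIPPING_EXPORT.PDF.exe", b"MZ\x90\x00" + b"\x00" * 60),
]
```

Running `assess_chain(SAMPLE_CHAIN)` yields two double-extension findings and one chain finding; a mail gateway or sandbox post-processor can apply the same checks to each extracted stage.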