#batloader — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #batloader, aggregated by home.social.
-
Malicious advertisement spoofing Zoom's website ⚠️
Redirects the user to a fake site:
zoomus.onelink[.]me ->
zoonn.virtual-meetings.cn[.]com
Downloads .msix payload and launches it with ms-appinstaller:
ms-appinstaller:?source=https[:]//scheta[.]site/apps.store/ZoomInstaller.msix
Drops digitally signed malware "install.exe" (GlobalSign Code Signing)
Delivers #Batloader payload
#IOCs
🔗 https://www.virustotal.com/gui/file/462df2e4a633e57de0d5148060543576d7c1165bf90e6aec4183f430d8925a1c/
🔗 https://www.virustotal.com/gui/file/48aa2393ef590bab4ff2fd1e7d95af36e5b6911348d7674347626c9aaafa255e
-
How malware was distributed through a fake KeePass password manager: AsyncRAT, BATLoader
Greetings, and once again I will start with a question, and a rather difficult one. Do you use password managers, and do you consider them completely safe? Most likely, readers' opinions will split at this point. Some will say they use a notebook and a pen, while others will answer with a firm "yes". Why this question? First, I will note that absolutely nothing in our world can be completely safe, whether it is software, some online resource, or even your phone with a thousand protective apps. Second, password managers have lately been letting their customers down very, very often. One such incident is the subject of today's post. Quite recently, specialists from Malwarebytes discovered a whole scheme of fake resources through which infected versions of the KeePass application were distributed. It is not at all surprising that this campaign was promoted through Google Ads (yes, the same annoying advertising that appears when you visit various sites) and SEO poisoning. At first glance there is nothing surprising here, since this is far from the first time malware has been distributed this way. Google, naturally, is fighting this and fixing the weaknesses, but so far to no avail. The same cannot be said of the human factor, incidentally: over the past few years most users have figured out that search engines do not always return safe results, which has noticeably reduced the effectiveness of this attack method. But in the case of KeePass something different happened. The attackers resorted to Punycode to make the malicious domain practically identical to the original. In this case the hackers used the Punycode domain "xn--eepass-vbb.info", which is rendered in the address bar as "ķeepass.info".
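The Punycode trick described in the post can be checked mechanically: decode the `xn--` label back to Unicode, then strip diacritics to see whether it collapses onto a protected brand name. The following is an added example, not code from the post or from Malwarebytes. Only the domain `xn--eepass-vbb.info` comes from the post; the protected-domain list, the `classify` and `scan_dns_log` helpers and the DNS log lines are constructed for illustration.

```python
# Added example: detect IDNA/Punycode homographs of protected brand domains.
# Only xn--eepass-vbb.info is taken from the post above; everything else
# (protected list, log format, helper names) is constructed for this example.
import re
import unicodedata

# Brand domains to protect against lookalikes (constructed list; the post
# itself only names keepass.info).
PROTECTED_DOMAINS = {"keepass.info", "zoom.us", "webex.com"}


def to_unicode(hostname: str) -> str:
    """Decode Punycode (xn--) labels to Unicode; a hostname that is already
    Unicode is returned unchanged, plain ASCII labels pass straight through."""
    try:
        ascii_bytes = hostname.encode("ascii")
    except UnicodeEncodeError:
        return hostname          # already in Unicode form
    return ascii_bytes.decode("idna")


def skeleton(hostname: str) -> str:
    """Collapse a hostname to a confusable skeleton: NFKD-decompose, then drop
    combining marks, so 'ķ' (k + combining cedilla) becomes a plain 'k'."""
    decomposed = unicodedata.normalize("NFKD", hostname)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def classify(hostname: str) -> dict:
    """Return the decoded form, its skeleton and a verdict:
    'legitimate'  - exact match of a protected domain
    'homograph'   - skeleton matches a protected domain but the name differs
    'undecodable' - an xn-- label that fails IDNA decoding (worth a look anyway)
    'unrelated'   - no relation to the protected set"""
    hostname = hostname.lower().rstrip(".")
    try:
        unicode_form = to_unicode(hostname)
    except UnicodeError:
        return {"input": hostname, "unicode": None, "skeleton": None,
                "verdict": "undecodable"}
    sk = skeleton(unicode_form)
    if hostname in PROTECTED_DOMAINS:
        verdict = "legitimate"
    elif sk in PROTECTED_DOMAINS:
        verdict = "homograph"
    else:
        verdict = "unrelated"
    return {"input": hostname, "unicode": unicode_form, "skeleton": sk,
            "verdict": verdict}


# Constructed DNS resolver log lines (not from the post) in a key=value shape.
SAMPLE_DNS_LOG = """\
2023-10-20T09:12:01Z client=10.0.0.21 query=keepass.info type=A
2023-10-20T09:12:07Z client=10.0.0.21 query=xn--eepass-vbb.info type=A
2023-10-20T09:13:44Z client=10.0.0.34 query=example.com type=AAAA
"""

QUERY_RE = re.compile(r"query=(\S+)")


def scan_dns_log(text: str) -> list:
    """Classify every queried name; return (query, verdict) for suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1))["verdict"]
        if verdict in ("homograph", "undecodable"):
            hits.append((m.group(1), verdict))
    return hits


if __name__ == "__main__":
    for query, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{verdict}: {query} -> {classify(query)['unicode']}")
```

The skeleton step is deliberately coarse: it catches diacritic-based lookalikes such as the one in the post, but not every Unicode confusable (Cyrillic letters that merely resemble Latin ones do not decompose to them), so in practice it is one signal among several rather than a complete check.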
-
🤖 DanaBot Strikes: Threat actors are misusing Google Ads 🩸
🦠🔍 Webex Google Ads Malware Alert
Threat actors are misusing Google Ads to create fake Webex ads that lead users to malware-infested sites. Malwarebytes discovered this scheme, with the perpetrators likely based in Mexico. These deceptive ads, appearing genuine with the official Webex logo and URL, exploit a Google Ad platform loophole to redirect users.
Clicking the ad takes users to a site that screens out researchers. Targeted users are then led to a malware site. If they download from this site, they get the BatLoader malware, which subsequently installs the DanaBot trojan. DanaBot can steal passwords and provide attackers direct system access.
For safety, avoid promoted Google Search results and always download from trusted sources.
📌 Indicators of Compromise
Cloaking infrastructure
monoo3at[.]com
206.71.149[.]46
Decoy site
webexadvertisingoffer[.]com
31.31.196[.]208
BatLoader
fugas[.]site/debug/Installer90.2.msi
2727a418f31e8c0841f8c3e79455067798a1c11c2b83b5c74d2de4fb3476b654
BatLoader C2
updatecorporatenetworks[.]ru
91.199.147[.]226
DanaBot
7a1245584c0a12186aa7228c75a319ca7f57e7b0db55c1bd9b8d7f9b397bfac8
#Cybersecurity #MalwareAnalysis #DanaBot #BatLoader #Infosec #ThreatIntel #Webex
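Both the Zoom post above and this Webex post publish their indicators in defanged form and, in the Zoom case, show the `ms-appinstaller:?source=` handler URI used to pull the `.msix` package. The following is an added example, not code from either post or from Malwarebytes: it refangs the listed hosts into a lookup set, extracts the `source` parameter from an `ms-appinstaller:` URI, and checks constructed proxy log lines against both. The indicator strings are the ones in the two posts; the allowlist, the log format, the helper names and the sample log lines are constructed for this example.

```python
# Added example: refang the posts' IOCs into a blocklist and check proxy log
# lines for hits, including ms-appinstaller launches from unexpected hosts.
# The DEFANGED_IOCS values are copied from the two posts; everything else here
# (allowlist, log shape, helper names, sample lines) is constructed.
import re
from urllib.parse import parse_qs, urlsplit

DEFANGED_IOCS = [
    "zoomus.onelink[.]me",
    "zoonn.virtual-meetings.cn[.]com",
    "https[:]//scheta[.]site/apps.store/ZoomInstaller.msix",
    "monoo3at[.]com",
    "206.71.149[.]46",
    "webexadvertisingoffer[.]com",
    "31.31.196[.]208",
    "fugas[.]site/debug/Installer90.2.msi",
    "updatecorporatenetworks[.]ru",
    "91.199.147[.]226",
]

# Hosts the organisation legitimately installs MSIX packages from (constructed).
ALLOWED_APPINSTALLER_HOSTS = {"apps.example-corp.internal"}


def refang(ioc: str) -> str:
    """Undo common defanging: [.] or (.) -> '.', [:] -> ':', hxxp -> http."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def host_of(indicator: str) -> str:
    """Lower-cased host part of a URL, or of a bare host/IP with optional path."""
    if "://" not in indicator:
        indicator = "//" + indicator      # let urlsplit see the host as netloc
    return urlsplit(indicator).hostname or ""


BLOCKLIST = {host_of(refang(i)) for i in DEFANGED_IOCS}

APPINSTALLER_RE = re.compile(r"^ms-appinstaller:\?(?P<query>.*)$", re.I)


def appinstaller_source(url: str):
    """Return the 'source' parameter of an ms-appinstaller: URI, else None."""
    m = APPINSTALLER_RE.match(url.strip())
    if not m:
        return None
    return parse_qs(m.group("query")).get("source", [None])[0]


def check_url(url: str):
    """Return a reason string if the URL should be flagged, otherwise None."""
    source = appinstaller_source(url)
    if source is not None:
        host = host_of(source)
        if host in BLOCKLIST:
            return f"ms-appinstaller launch from blocklisted host {host}"
        if host not in ALLOWED_APPINSTALLER_HOSTS:
            return f"ms-appinstaller launch from non-allowlisted host {host}"
        return None
    host = host_of(url)
    return f"blocklisted host {host}" if host in BLOCKLIST else None


# Constructed proxy log: timestamp, client, method, URL, status. Hosts are the
# ones named in the posts; the paths and clients are made up for this example.
SAMPLE_PROXY_LOG = """\
2023-10-19T14:02:11Z 10.0.0.21 GET https://zoomus.onelink.me/c/abc 302
2023-10-19T14:02:12Z 10.0.0.21 GET https://zoonn.virtual-meetings.cn.com/download 200
2023-10-19T14:02:15Z 10.0.0.21 GET ms-appinstaller:?source=https://scheta.site/apps.store/ZoomInstaller.msix -
2023-10-19T14:05:00Z 10.0.0.34 GET https://www.example.com/ 200
2023-10-19T14:06:30Z 10.0.0.40 GET http://91.199.147.226/ 200
"""


def scan_proxy_log(text: str) -> list:
    """Return (url, reason) for every log line whose URL check_url flags."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        reason = check_url(parts[3])
        if reason:
            hits.append((parts[3], reason))
    return hits


if __name__ == "__main__":
    for url, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{reason}: {url}")
```

Matching on hosts rather than full URLs is intentional: the paths in the posts are specific to one campaign, while the hosts cover any file served from the same infrastructure. Treating every `ms-appinstaller:` launch outside an allowlist as reportable, not just those on the blocklist, is what lets the check catch the next campaign that swaps the hosting domain.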
-
A malvertising campaign targeting corporate users looking to download Webex has been running for almost a week.
This blog shares the details: https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader
-
The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html #CyberSecurity #GoogleAds #BATLOADER #malware #VidarStealer #Ursnif
-
Happy Monday folks, I hope you had a restful weekend and managed to take a breather from all things cyber! Time to get back into it though, so let me give you a hand - catch up on the week’s infosec news with the latest issue of our newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf
#Emotet are back and are using…OneNote lures? ISO disk images? Malvertising? Nah – they’re sticking with their tried and true TTPs – their Red Dawn maldoc template from last year; macro-enabled documents as lures, and null-byte padding to evade automated scanners.
We’ve highlighted a report on the Xenomorph #Android Banking Trojan, which added support for targeting accounts of over 400 banks; automated bypassing of MFA-protected app logins, and a Session Token stealer module. With capabilities like these becoming the norm, is it time to take a closer look at the threat Mobile Malware could pose to enterprise networks?
North Korean hackers have demonstrated yet again that they’re tracking and integrating the latest techniques, and investing in malware development. A recent campaign saw eight new pieces of malware distributed throughout the kill chain, leveraging #Microsoft #InTune to deliver payloads and an in-memory dropper to abuse the #BYOVD technique and evade EDR solutions.
A joint investigation by #Mandiant and #SonicWall has unearthed a two-year campaign by Chinese actors, enabled through exploitation of unpatched SMA100 appliances and delivery of tailored payloads. A critical vulnerability reported by #Fortinet this week helps reinforce the point that perimeter devices need to be patched with urgency, as it’s a well-documented target for Chinese-affiliated actors.
#HiatusRAT is a novel malware targeting #DrayTek routers, sniffing network traffic and proxying C2 traffic to forward-deployed implants. TTPs employed in recent #BatLoader and #Qakbot campaigns are also worth taking note of, as is #GoBruteforcer, a new malware family targeting specific web server applications to brute force logins and deploy an IRC bot for C2.
Those in Vulnerability Management should take particular note of the #Veeam vulnerability, which appears trivial to exploit and actually delivers plaintext credentials to the attacker. CISA have also taken note of nearly 40k exploit attempts of a 2-year-old code-exec-as-root vulnerability in the #VMWare Cloud Foundation product in the last two months, so make sure you’re patched against it.
#Redteam members have some excellent reading to look forward to, looking at HTTP request smuggling to harvest AD credentials and persisting with a MitM Exchange server, as well as a detailed post that examines #CobaltStrike’s reflective loading capability;
The #blueteam has some great tradecraft tips from @inversecos on #Azure DFIR, as well as tools to help scan websites for malicious objects, and to combat the new #Stealc #infostealer and well-established Raccoon Stealer.
Catch all this and much more in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #newsletter #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #mdm #dprk #FortiOS #FortiProxy
-
BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads
https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html #Cybercrime #Malware #Batloader -
New blog post! In this one I look at a #BATLoader MSI sample referenced by @malwrhunterteam which resulted in #Ursnif and #Redline execution. Some fun twists and turns in this. https://forensicitguy.github.io/batloader-ursnif-redline-oh-my/
-
Day 7️⃣ of #100DaysOfYara: Detecting #Batloader JavaScript malware
🔗 https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/007/007.md
Today's rule was created using samples (from November) mentioned in Trend's new blog post:
📖 https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
I used the yara count module to help out with the detection!
-
installationsoftware1.]com/0ssdt1/index/login
-
More undetected #batloader
🎣 zoomfree[.]org
⬇️ File Download: ZoomInstallerFull_IIS_1.msi (hosted on 4sync)
🌐 C2s:
archiverportal[.]space
onepdfreader[.]com
🔗 https://www.virustotal.com/gui/file/4fb32b409b425fc8607e197927d88ced39f197638198b837eef465329869e623
🔗 https://urlscan.io/result/6fb2da6c-3416-4b65-b896-22bd8a87955a/
#malware #threatintel #CTICC @1ZRR4H
-
Delivery of #BATLOADER #malware via #GoogleAds by #DEV0569 in malvertising campaign. This threat actor has used BATLOADER -> #CobaltStrike Beacon -> Royal #ransomware.
Footnote: adblocking solutions (e.g. #ublockorigin, #adblock, #pihole @Raspberry_Pi) can prevent similar attacks
-