HotRat, a dangerous variant of the #AsyncRAT #malware, is spreading through pirated versions of popular software and games.
https://thehackernews.com/2023/07/hotrat-new-variant-of-asyncrat-malware.html
#InfoSec #informationsecurity #CyberSecurity #Malware #AsyncRAT
TOP10 last week's threats by uploads 📊
⬆️ #Redline 517 (478)
⬆️ #Amadey 287 (182)
⬇️ #Remcos 175 (212)
⬇️ #Emotet 150 (302)
⬆️ #Qbot 141 (111)
⬆️ #Asyncrat 133 (102)
⬆️ #Smoke 132 (67)
⬇️ #Snake 119 (143)
⬇️ #Njrat 96 (101)
⬆️ #Rhadamanthys 87 (26)
https://any.run/malware-trends/?utm_source=twitter&utm_medium=post&utm_campaign=statistics&utm_content=200323 #InfoSec #CyberSecurity #Ransomware
#XWorm are being spread with various programs!
Check out this paste to block these IOCs!
https://pastebin.com/8Duwfbm5
#malware #RAT #ransomware #darkweb #cybersecurity #security #infosec #threatintel #threatintelligence #socintel #OSINT #hack #cyberattack #asyncrat #xenarmor #TOR
This week's newsletter is hot off the press; get it here: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-b16
The #ESXiArgs escapades have gone from bad to okay and back to bad again, after attackers revised their encryption routine to bypass CISA's recovery script, and launched a 2nd wave of attacks that resulted in the reinfection of hundreds of hosts. Worse yet, we don't know how they're doing it, as the OpenSLP service (believed to be their method of ingress) has been disabled in a number of reported infections.
PowerShell isn't dead - The DFIR Report published their analysis of an apparent attack by Iran's Oilrig/APT34, whose initial infection relied exclusively on PowerShell and remained undetected for a significant period of time.
Proofpoint have unveiled #TA866, a savvy threat group that leverages the 404 Traffic Distribution System and the little-known AutoHotKey scripting language to cherry-pick their targets.
#RedTeam members might find the BokuLoader Reflective Loader for #CobaltStrike useful in their next engagements, as well as #LocalPotato - the latest PrivEsc technique to join the Potato family.
#BlueTeam - check out a list of resources that popped up last week to help analyse #ASyncRAT malware and infections, as well as some helpful how-tos on hunting IIS backdoors and DLL abuse techniques.
Happy reading, and happy Monday!
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-b16
#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #vmware #ESXi
This week's edition of SOC Goulash, our Weekend Wrap-Up of infosec news, is live and hot off the press!
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-be1
Building on last week's flagging of the increase in abuse of #Malvertising, researchers have observed it being abused to deliver #ASyncRAT and #xworm payloads, as well as to harvest master passwords for Password Manager solutions like #Bitwarden and #1Password.
#Hive ransomware have had their infrastructure seized in a multi-national law enforcement operation. The authorities lurked in their infrastructure for six months, gathering communications & information on their members and stealing 1,300 decryption keys that enabled them to avert ~$130 million in potential ransom payments.
North Korea's crypto-hunting actors have been agile in adopting emerging tradecraft and developing novel payloads. With $1 billion worth of funds brought into the hermit kingdom in 2022, orgs in the #cryptocurrency and #DeFi space will need to be on guard coming into 2023.
#PlugX malware continues to be developed, with new variants spotted in the wild capable of spreading via USB, upgrading old installations, and pilfering documents from hosed computers.
#vulnerabilities in the Realtek SDK have been exploited nearly 130 million times between August and December last year alone by botnets seeking to grow their numbers.
Security researchers Horizon3 intend to release a PoC #exploit for CVSS 9.8 RCE vulnerabilities in VMware's vRealize Log Insight product this week - make sure you're patched!
For our paid subscribers, we've got some additional articles on:
1. The adoption of OneNote for payload delivery, and tips for analysis;
2. An overview of CVE-2022-34689, a critical Windows vulnerability that could be abused to intercept & decrypt encrypted communications or spoof code-signing of malicious executables;
3. A vulnerability/not-vulnerability in #KeePass, with no patch and an unknown scope of impact, allowing attackers to dump plaintext credentials from the Password Manager.
As always, there's a tonne of additional goodies to be found in the newsletter that I couldn't cover here, so check it out here: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-be1
#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #malvertising #passwordmanager #vmware #poc
I've been seeing a bat-crypter being used by #asyncrat #redline #dcrat and other malware as a loader, so this analysis and my simple Python script to extract the enc payload from that .bat file might help. 😊 1/4 #int3 #malwareanalysis
https://github.com/tccontre/KnowledgeBase/tree/main/malware_re_tools/asyncrat-bat-crypter-extractor
2/4 The .bat crypter creates a series of env variables containing strings that will be concatenated to generate the PowerShell that will decode, decrypt and load the actual payload. We can dump the pwh in-process or just exploit the technique with a simple 'echo' 😊
3/4 Upon running the modified .bat, it will dump the pwh that will decode, decrypt (AES) and decompress the actual payload. You can either modify the actual PowerShell or use CyberChef to decrypt the actual payload.
4/4 Doing it one by one might be exhausting, so I created a simple Python script (shared above) to automatically decrypt and extract the payload from this bat-crypter loader (specifically designed for this bat-crypter format). It also generates a dbg log.
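An added example, not tccontre's script: it does the reassembly step from the thread statically in Python, parsing the `set` lines, expanding the %VAR% references to rebuild the PowerShell command without ever running the .bat, then pulling the base64 blob out of the result and gunzipping it. The sample .bat, its blob and every name in the block (DEMO_BAT, expand_bat, extract_payloads, analyse) are constructed here; the real crypter's AES layer between the base64 and gzip steps is not modelled.

```python
import base64, binascii, gzip, re, zlib

# Constructed sample in the style the thread describes: the PowerShell command is
# split across env variables and reassembled by %VAR% expansion. The "payload" is
# a harmless gzip+base64 blob built right here, not a real crypter sample.
DEMO_PAYLOAD = b"demo payload bytes, not a real binary"
DEMO_BLOB = base64.b64encode(gzip.compress(DEMO_PAYLOAD)).decode()
DEMO_BAT = (
    "@echo off\r\n"
    "set p=pow\r\n"
    'set "s=ershell -nop -w hidden -c "\r\n'
    f"set b=$d=[Convert]::FromBase64String('{DEMO_BLOB}');\r\n"
    "set x=%p%%s%\r\n"
    '%x%"%b%"\r\n'
)

SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"\r\n]*)"?\s*$', re.IGNORECASE)
VAR_RE = re.compile(r"%([^%\s]+)%")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def expand_bat(text):
    """Rebuild every line that references %VAR%s by expanding them statically
    (the thread's 'echo' trick, offline). Unknown variables stay as %name%."""
    env = {}
    def expand(s):
        return VAR_RE.sub(lambda v: env.get(v.group(1).lower(), v.group(0)), s)
    commands = []
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:  # cmd.exe expands references at assignment time, so do the same
            env[m.group(1).lower()] = expand(m.group(2))
        elif VAR_RE.search(line):
            commands.append(expand(line))
    return commands

def extract_payloads(command):
    """Find base64 runs in a reassembled command, decode and gunzip them. The real
    crypter's AES step (key taken from the script) sits between these two."""
    found = []
    for blob in B64_RE.findall(command):
        try:
            found.append(gzip.decompress(base64.b64decode(blob, validate=True)))
        except (binascii.Error, OSError, EOFError, zlib.error):
            continue  # not valid base64, or not gzip: skip it
    return found

def analyse(bat_text):
    commands = expand_bat(bat_text)
    return commands, [p for c in commands for p in extract_payloads(c)]
```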
Josh Stroschein (Twitter @jstrosch) just released a new video about the detailed analysis of a malicious #OneNote file leading to #AsyncRAT. Thank you for referencing our #Yara hunting rule from last week 👍
Check out the video here: https://www.youtube.com/watch?v=kK6Tsmr_wCY
Day 4️⃣ of #100DaysOfYara: Suspicious OneNote scripting!
During the evaluation of today's rule I found some interesting results including: #ASyncRAT & #Remcos #InfoStealer
A few #IOCs can be found here:
🔗https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/004/004.md
Keep an eye on those .one files coming in... some contain nasty things (like an .hta file)
https://app.any.run/tasks/8bd63423-0ecb-4836-8e46-6ef6028d5f3c
#AsyncRAT c2: mulla2022[.]hopto[.]org
I've been messing around with dnlib lately for config extractors for .NET malware so I can avoid using byte sequences, offsets, YARA, etc. By using dnlib, I can have it directly find the class/method containing the config and extract the strings.
I can now add #AsyncRAT to my list of completions.
Also, after working on another RAT, I have more knowledge in dnlib to improve on this script and make it more reliable but I'm gonna save that for another day.
https://github.com/Krkn-Sec/AsyncRAT-Config-Extractor/blob/main/asyncrat-extract.py
📬 Prynt Stealer malware steals hackers' loot
#Hacking #Malware #Softwareentwicklung #AsyncRAT #Backdoor #DarkEye #MalwareasaService #StormKitty #TelegramToken #WorldWind https://tarnkappe.info/artikel/malware/prynt-stealer-malware-stiehlt-hackern-ihre-beute-255168.html
New blog analysing an #AsyncRAT sample & taking down the TAs infra
https://blog.bushidotoken.net/2021/07/attack-campaign-analysis-and.html
“Targeting the #aérospatial and #voyage sectors”, #Microsoft warns about #Snip3, a crypter-as-a-service distributed in #spearhishing campaigns!