All y'all know phishing season is year round, and financial/business themed phishes are always popular. Tax season makes them even more popular (if that's possible) and more likely to be effective.

Here at RC we've seen #GuLoader dropping #Remcos using tax-themed phishing emails, so we put out a mid-month insight on it & included some spiffy guidance on how to protect against malicious script execution for any threat, not just GuLoader

https://redcanary.com/blog/tax-season-phishing/

Proofpoint had a nice birdsite thread on this last week as well, here's a link to their observations

https://twitter.com/threatinsight/status/1629150189310058497?s=20

Activity from threat actors exploiting tax-related services is keeping at a steady stream. Last week, #Sophos observed a #guloader infection hitting a public accounting firm.

⬇️Sample (encrypted): hxxps://www.dropbox[.]com/s/dl/jtz566dm5lu2c3j/SARAHKNAPP_USRETURN[.]zip
➡️Shortcut (.lnk) file is executed from%APPDATA%\local\temp\ following extraction

➡️wscript executes a dropped VBS script, and invokes a WebRequest to hxxp://0xC2[.]11808979/fresh/fordl.vbs & hxxp://0xC2[.]11808979/fresh/info.pdf. These hex encoded URIs resolve to hxxp://194.180.48[.]211/fresh/fordl.vbs and hxxp://194.180.48[.]211/fresh/info.pdf respectively.

forl.vbs performs the following:

• Registry modification ➡ HKEY_CURRENT_USER\Unikumernes\Naturs\Spndkraft57
• Injected into ieinstal.exe
• Connects to URI ➡️ hxxp://194.180.48[.]211/fresh/bENSeAN192.psd to gather next stage payload, decode, & inject into legitimate process ieinstal.exe
• Injected payload is #Remcos malware

#threatintel

Activity from threat actors exploiting tax-related services is keeping at a steady stream. Last week, #Sophos observed a #guloader infection hitting a public accounting firm.

⬇️Sample (encrypted): hxxps://www.dropbox[.]com/s/dl/jtz566dm5lu2c3j/SARAHKNAPP_USRETURN[.]zip
➡️Shortcut (.lnk) file is executed from%APPDATA%\local\temp\ following extraction

➡️wscript executes a dropped VBS script, and invokes a WebRequest to hxxp://0xC2[.]11808979/fresh/fordl.vbs & hxxp://0xC2[.]11808979/fresh/info.pdf. These hex encoded URIs resolve to hxxp://194.180.48[.]211/fresh/fordl.vbs and hxxp://194.180.48[.]211/fresh/info.pdf respectively.

forl.vbs performs the following:

• Registry modification ➡ HKEY_CURRENT_USER\Unikumernes\Naturs\Spndkraft57Injected into ieinstal.exe
• Connects to URI ➡️ hxxp://194.180.48[.]211/fresh/bENSeAN192.psd to gather next stage payload, decode, & inject into legitimate process ieinstal.exe
• Injected payload is #Remcos malware#threatintel

Activity from threat actors exploiting tax-related services is keeping at a steady stream. Last week, #Sophos observed a #guloader infection hitting a public accounting firm.

⬇️Sample (encrypted): hxxps://www.dropbox[.]com/s/dl/jtz566dm5lu2c3j/SARAHKNAPP_USRETURN[.]zip
➡️Shortcut (.lnk) file is executed from%APPDATA%\local\temp\ following extraction

➡️wscript executes a dropped VBS script, and invokes a WebRequest to hxxp://0xC2[.]11808979/fresh/fordl.vbs & hxxp://0xC2[.]11808979/fresh/info.pdf. These hex encoded URIs resolve to hxxp://194.180.48[.]211/fresh/fordl.vbs and hxxp://194.180.48[.]211/fresh/info.pdf respectively.

forl.vbs performs the following:

• Registry modification ➡️HKEY_CURRENT_USER\Unikumernes\Naturs\Spndkraft57
• Injected into ieinstal.exe
  • Connects to URI ➡️ hxxp://194.180.48[.]211/fresh/bENSeAN192.psd to gather next stage payload, decode, & inject into legitimate process ieinstal.exe
• Injected payload is #Remcos malware

#threatintel

Today in our section on "uncoventional #Malware delivery": #ARJ archives! 📦
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader

You can recognize ARJ archives by their Magic: 60 EA
Extraction can be handled with 7zip for example.
For more information on the file format check out Ange Albertini's excellent graphic representation: https://twitter.com/angealbertini/status/1619006171360395264

As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
To fool the victims into opening the next file they used the common #doubleExtension tick, e.g. .pdf.exe

IoC for those playing along at home:
162.0.223[.]13
kbfvzoboss[.]bid
alphastand[.]trade
alphastand[.]win
alphastand[.]top
➡️/alien/fre.php

PO_Payment for invoice[...].eml.arj
d0c8824d1e19ca1af0b88a477fa4cad6

SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
88bdf4f8fe035276da984c370e4cda2c

#infosec #cybersecurity #blueteam

2023-01-05 (Thursday) - malspam pushing #AgentTesla

email --> attached .iso image --> extracted .exe --> guloader-style traffic --> Agent Tesla email data exfitration

Email available at: https://app.any.run/tasks/e906d78f-156e-498d-9a3b-79956d87e4d6

ISO available at: https://app.any.run/tasks/f66ff4ba-a97c-4ab4-bc11-b7030d85c4e1

Analysis of EXE available at: https://tria.ge/230105-28w1gsdf29

This is a #guloader-style EXE that loads an XOR-encoded binary from hxxp://savory.com[.]bd/sav/Ztvfo.png every time the infected host is logged in or rebooted.

Analysis of decoded DLL from savory.com[.]bd available at: https://tria.ge/230105-3xms4shc6s

GuLoader Malware Utilizing New Techniques to Evade Security Software
https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html #Cybercrime #Malware #GuLoader

#GuLoader implements new evasion techniques. Checks to see if it’s running in a VM. Article from @securityaffairs https://securityaffairs.com/140028/cyber-crime/guloader-evasion-techniques.html

#GuLoader implements new evasion techniques
https://securityaffairs.co/wordpress/140028/cyber-crime/guloader-evasion-techniques.html
#securityaffairs #hacking #malware

GuLoader implements new evasion techniques https://securityaffairs.co/wordpress/140028/cyber-crime/guloader-evasion-techniques.html #informationsecuritynews #ITInformationSecurity #PierluigiPaganini #SecurityAffairs #BreakingNews #hackingnews #CyberCrime #Cybercrime #GuLoader #Hacking #malware #Mobile

#GuLoader implements new evasion techniques
https://securityaffairs.co/wordpress/140028/cyber-crime/guloader-evasion-techniques.html
#securityaffairs #hacking #malware

📬Phishing-Mails: Vermeintlicher „Jens Spahn“ verschickt Schadsoftware📬 https://tarnkappe.info/phishing-mails-vermeintlicher-jens-spahn-verschickt-schadsoftware/ #Trojan.GuLoader #Phishing-Mails #GüntherEnnen #JensSpahn #GuLoader #Hacking #CERT

Malspam hitting mailboxes in Germany , distributing #GuLoader -> #AZORult

GuLoader payload:

https://bazaar.abuse.ch/sample/98c39c41a62349078a4b09ae665ed9945dd207b7c02b38fa58a639089721bc5e/ …

AZORult payload URL:

https://urlhaus.abuse.ch/url/366085/ 

AZORult C2:

http://infosales.duckdns\.org/index.phppic.twitter.com/AC8wbTgMNV