Good day everyone! The ReliaQuest Threat Research team recently provided a wrap-up of the most commonly used loaders, the top 80% of which consisted of only three different malware families! These big three are #QBot, #SocGholish, and #RaspberryRobin. THEN, they not only provided the data sheet to give to your management or C-suite, they broke them down even further to include technical details as well! Thank you to the Threat Research team for such a great report, I hope you enjoy it as much as I did, and Happy Hunting!
The 3 Malware Loaders Behind 80% of Incidents
https://www.reliaquest.com/blog/the-3-malware-loaders-behind-80-of-incidents/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
One malicious injection would have been enough (this is the "sczriptzzbn" campaign).
Same domain also triggers #SocGholish
Fake template: accountability[.]thefenceanddeckguys[.]com
C2: tool[.]pearldentalgroup[.]ca
Threat actors target law firms with #GootLoader and #SocGholish #malware
https://securityaffairs.com/142888/cyber-crime/law-firms-gootloader-socgholish-malware.html
#securityaffairs #hacking
Our monthly Intelligence Insight for February is out!
Last month we saw a pretty notable increase in #SocGholish activity, #IcedID hit the top 10 for the first time in a while, and of course all the OneNote shenanigans started in January too.
https://redcanary.com/blog/intelligence-insights-february-2023/
Today's morning read is brought to you by ReliaQuest! It covers the #SocGholish malware distribution framework! Enjoy and Happy Hunting!
SocGholish: A Tale of FakeUpdates
https://www.reliaquest.com/i/blog/socgholish-fakeupdates/
#cybersecurity #itsecurity #infosec #threatintel #threathunting #threatdetection #blueteam #HappyHunting
This week's wrap-up of infosec news is out, just in time for your morning commute: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4af
#Qakbot have gotten in on the #OneNote action - turns out so too has every other threat actor under the sun.
Iran's #OilRig/#APT34 has been caught in the act, abusing the legitimate Password Filters feature to siphon creds, and exfiltrating them via compromised mail channels.
Some interesting techniques were observed in a recent #SocGholish campaign, including passively enumerating users through event logs and disabling Restricted Admin mode to enable the theft of creds from memory.
A series of vulnerabilities in the Fortra GoAnywhere MFT file transfer application, QNAP NAS appliances, and VMware ESXi servers should be top of your list this morning - make sure you're not exposed!
All that and much more, to help you shake off the cobwebs this Monday morning: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4af
#infosec #CyberAttack #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #vmware #poc
New #SocGholish
A colleague of mine discovered a pattern in the downloaded stage 3 SocGholish payload. We've seen a few examples of this file in the most recent campaign where they use special characters in their file name such as:
Chromе.Uрdatе.zip
We've noticed a pattern though - in all of our SIEM queries the TargetFilePath always had the characters 'dat' as a filename.
As such we wrote a simple Sigma rule that can identify that file name. This of course is only useful for this current campaign and the TA can easily adjust file names - but it may be helpful for threat hunting!
TargetFileName|contains:
- "dat\\ufffd\\ufffd.zip"
https://github.com/joshnck/Sigma_Rules/blob/main/apt_socgholish_fakeupdate.yml
#SocGholish #thrunting #threathunting #ioc
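The filename trick in the post above is Cyrillic look-alike letters inside an otherwise Latin archive name, which is why the SIEM rendered parts of it as replacement characters. As an added example (not from the post or the linked Sigma rule), the check below flags any file-creation record whose filename mixes Unicode scripts, independent of how the SIEM encodes the odd characters, and shows the Latin name each one imitates. The log lines and the confusables table are constructed for this example.

```python
import re
import unicodedata

# Archive names modelled on the post, written with explicit escapes so the
# Cyrillic letters (U+0435 ie, U+0440 er, U+0430 a) are visible in source.
FAKE_CHROME = "Chrom\u0435.U\u0440dat\u0435.zip"   # imitates Chrome.Update.zip
FAKE_AUTO = "Auto.U\u0440d\u0430t\u0435.zip"        # imitates Auto.Update.zip

# Constructed Sysmon-style FileCreate (Event ID 11) records, not real telemetry.
SAMPLE_LOGS = [
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\jdoe\\Downloads\\" + FAKE_CHROME,
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\jdoe\\Downloads\\" + FAKE_AUTO,
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\jdoe\\Downloads\\Chrome.Update.zip",
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\jdoe\\Downloads\\report.pdf",
]

TARGET_RE = re.compile(r"TargetFilename=(?P<path>\S+)")  # assumes no spaces in the path

# Small, hand-built subset of Cyrillic-to-Latin look-alikes (Unicode's confusables.txt is the full list).
CONFUSABLES = {"\u0435": "e", "\u0440": "p", "\u0430": "a", "\u043e": "o",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}

def scripts_in(name: str) -> set:
    """Set of scripts (LATIN, CYRILLIC, ...) used by the letters of name."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            # unicodedata.name gives e.g. 'CYRILLIC SMALL LETTER IE'; the first word is the script.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def is_mixed_script(name: str) -> bool:
    """A single filename spelled with more than one alphabet is a homoglyph indicator."""
    return len(scripts_in(name)) > 1

def latin_skeleton(name: str) -> str:
    """Map known look-alikes to Latin so the analyst sees which legitimate name is imitated."""
    return "".join(CONFUSABLES.get(c, c) for c in name)

def flag_homoglyph_filenames(lines):
    """Return (filename, sorted scripts, latin skeleton) for each mixed-script target filename."""
    hits = []
    for line in lines:
        m = TARGET_RE.search(line)
        if m:
            filename = m.group("path").rsplit("\\", 1)[-1]
            if is_mixed_script(filename):
                hits.append((filename, sorted(scripts_in(filename)), latin_skeleton(filename)))
    return hits

if __name__ == "__main__":
    for filename, scripts, skeleton in flag_homoglyph_filenames(SAMPLE_LOGS):
        print(f"{filename!r} mixes {scripts}; looks like {skeleton}")
```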
#ChatGPT identifying basic #Socgholish activity as malicious! Kudos cc @GossiTheDog
Part 1: SocGholish, a very real threat from a very fake update
"SocGholish is a malware variant which continues to thrive in the current information security landscape. By utilizing an extensive variety of stages, eligibility checks, and obfuscation routines, it remains one of the most elusive malware families to date.
SocGholish was observed in the wild as early as 2018. The absence of details surrounding target selection, evasion logic, and specific procedures employed by TA569 and their use of SocGholish in the intermediary phases of infection contributes to this shroud of mystery."
#SocGholish #proofpoint #threatintel
Oh and this is a sample of #SocGholish that @rmceoin helped me work through - but I'm doing it on my own this time to really cement in the learnings.
Lots of changes with #SocGholish recently.
There are some new URI patterns (no more report?r=).
Updated regexes for Fiddler's #EKFiddle extension can be found here: https://github.com/malwareinfosec/EKFiddle
infected site > myfood.silverspringfoodproject[.]org > Auto.Uрdаtе.zip
https://bazaar.abuse.ch/sample/6327980bf380ad765b53f7b3411471c9069e0ad2a7ec3f247b8a8bd3fc8b6fde/