Just Another Blue Teamer · @LeeArchinal
121 followers · 182 posts · Server ioc.exchange

Good day everyone! The ReliaQuest Threat Research team recently provided a wrap-up of the most commonly used loaders, the top 80% of which comprised just three malware families! These big three are , , and . THEN, they not only provided the data sheet to give to your management or C-suite, they broke them down even further to include technical details as well! Thank you to the Threat Research team for such a great report. I hope you enjoy it as much as I did, and Happy Hunting!

The 3 Malware Loaders Behind 80% of Incidents
reliaquest.com/blog/the-3-malw

#qbot #SocGholish #RaspberryRobin #cybersecurity #itsecurity #infosec #blueteam #threatintel #threathunting #ThreatDetection #happyhunting #readoftheday

Last updated 1 year ago

Jérôme Segura · @malwareinfosec
736 followers · 131 posts · Server infosec.exchange

One malicious injection would have been enough (this is the "sczriptzzbn" campaign).

Same domain also triggers

Fake template: accountability[.]thefenceanddeckguys[.]com

C2:
tool[.]pearldentalgroup[.]ca

#SocGholish

Last updated 2 years ago

securityaffairs · @securityaffairs
461 followers · 404 posts · Server infosec.exchange
Stef Rand · @techieStef
137 followers · 9 posts · Server infosec.exchange

Our monthly Intelligence Insight for February is out!

Last month we saw a pretty notable increase in activity, hit the top 10 for the first time in a while, and of course all the OneNote shenanigans started in January too.

redcanary.com/blog/intelligenc

#SocGholish #icedid

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
728 followers · 126 posts · Server infosec.exchange

/#FakeUpdates

Theme: telemetry[.]usacyberpages[.]net

C2: distributor[.]techsavvyauto[.]com

#SocGholish

Last updated 2 years ago

Just Another Blue Teamer · @LeeArchinal
42 followers · 35 posts · Server ioc.exchange

Today's morning read is brought to you by ReliaQuest! It covers the malware distribution framework! Enjoy and Happy Hunting!

SocGholish: A Tale of FakeUpdates
reliaquest.com/i/blog/socgholi

#SocGholish #cybersecurity #itsecurity #infosec #threatintel #threathunting #ThreatDetection #blueteam #happyhunting

Last updated 2 years ago

Opalsec :verified: · @Opalsec
103 followers · 53 posts · Server infosec.exchange

This week's wrap-up of infosec news is out, just in time for your morning commute: opalsec.substack.com/p/soc-gou

have gotten in on the action - turns out so too has every other threat actor under the sun.

Iran's /#APT34 has been caught in the act, abusing the legitimate Password Filters feature to siphon creds, and exfiltrating them via compromised mail channels.

Some interesting techniques were observed in a recent campaign, including passively enumerating users through event logs and disabling Restricted Admin mode to enable the theft of creds from memory.

A series of vulnerabilities in the Fortra GoAnywhere MFT file transfer application, QNAP NAS appliances, and VMware ESXi servers should be top of your list this morning - make sure you're not exposed!

All that and much more, to help you shake off the cobwebs this Monday morning: opalsec.substack.com/p/soc-gou

#qakbot #onenote #oilrig #SocGholish #infosec #cyberattack #cyber #news #cybernews #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #vmware #poc

Last updated 2 years ago

Kevin · @CyberThreat
48 followers · 30 posts · Server infosec.exchange

New

perspective[.]abcbarbecue[.]xyz
exclusive[.]milonopensky[.]store
extcourse[.]zurvio[.]com
internship[.]ojul[.]com
navyseal[.]digijump[.]online
group5[.]corralphacap[.]com
office[.]cdsigner[.]com
*[.]shrubs[.]emptyisland[.]pics

#SocGholish #evebox

Last updated 2 years ago
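Posts like the one above share indicators in defanged form, with `[.]` for dots and a leading `*[.]` for "any host under this domain". The following is an added example, not code from the post or from evebox/urlscan: it refangs that exact list, builds a matcher that honours the wildcard entry, and runs it over a few constructed DNS log lines (the log format and client addresses are made up for the demo).

```python
"""Refang defanged SocGholish indicators and match them against DNS logs.

Added example; the indicator list is copied from the post above, the log
lines below are constructed for the demo.
"""
import re

# Indicators exactly as posted (defanged). The last one is a wildcard.
DEFANGED_IOCS = [
    "perspective[.]abcbarbecue[.]xyz",
    "exclusive[.]milonopensky[.]store",
    "extcourse[.]zurvio[.]com",
    "internship[.]ojul[.]com",
    "navyseal[.]digijump[.]online",
    "group5[.]corralphacap[.]com",
    "office[.]cdsigner[.]com",
    "*[.]shrubs[.]emptyisland[.]pics",
]

# Constructed sample log lines (assumed format: time client query NAME TYPE).
SAMPLE_LOG = """\
2023-02-14T08:01:02Z 10.0.0.5 query office.cdsigner.com A
2023-02-14T08:01:03Z 10.0.0.5 query www.google.com A
2023-02-14T08:02:10Z 10.0.0.9 query cdn.shrubs.emptyisland.pics. A
2023-02-14T08:02:11Z 10.0.0.9 query emptyisland.pics A
2023-02-14T08:03:00Z 10.0.0.7 query office.cdsigner.com.example.test A
"""

QUERY_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+\S+$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real, lowercased hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def build_matcher(defanged):
    """Return a function mapping a hostname to the matching indicator or None.

    Exact entries must match the whole hostname; a '*.' entry matches the
    apex and any host under it (assumption: that is what the wildcard means).
    """
    exact = set()
    wildcards = []
    for ioc in defanged:
        host = refang(ioc)
        if host.startswith("*."):
            wildcards.append(host[2:])  # "shrubs.emptyisland.pics"
        else:
            exact.add(host)

    def matches(hostname: str):
        h = hostname.lower().rstrip(".")  # tolerate trailing dot from DNS logs
        if h in exact:
            return h
        for apex in wildcards:
            if h == apex or h.endswith("." + apex):
                return "*." + apex
        return None

    return matches


def scan_log(text: str, matcher=None):
    """Return (time, client, queried_name, indicator) for every matching query."""
    matcher = matcher or build_matcher(DEFANGED_IOCS)
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query line we understand
        ts, client, name = m.groups()
        ioc = matcher(name)
        if ioc:
            hits.append((ts, client, name, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s -> %s (matches %s)" % hit)
```

Note that a label glued onto the end of a known host (`office.cdsigner.com.example.test`) and the bare registrable domain of a wildcard entry (`emptyisland.pics`) are deliberately not matched; both would be common false positives for a naive substring check.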

imlordoftherings · @Imlordofthering
271 followers · 550 posts · Server infosec.exchange

A colleague of mine discovered a pattern in the downloaded stage 3 SocGholish payload. We've seen a few examples of this file in the most recent campaign where they use special characters in their file name such as:

Chromе.Uрdatе.zip

We've noticed a pattern though - in all of our SIEM queries the TargetFilePath always had the characters 'dat' as a filename.

As such we wrote a simple Sigma rule that can identify that file name. This of course is only useful for this current campaign and the TA can easily adjust file names - but it may be helpful for threat hunting!

TargetFileName|contains:
- "dat\\ufffd\\ufffd.zip"

github.com/joshnck/Sigma_Rules

#SocGholish #thrunting #threathunting #ioc

Last updated 2 years ago
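The lure name quoted above looks like `Chrome.Update.zip` but two of its letters are Cyrillic look-alikes, which is why the SIEM stored them as U+FFFD and the Sigma rule can key on `dat��.zip`. The following is an added example, not code from the post or from the linked Sigma repository: it reproduces that `contains` check and adds a script-mixing and homoglyph-skeleton test that works on the raw Unicode name rather than on how a particular SIEM rendered it. The confusables table is a small hand-picked subset (an assumption, not a full Unicode confusables mapping) and the Sysmon-style event lines are constructed for the demo.

```python
"""Flag SocGholish-style lure archive names that hide Cyrillic homoglyphs.

Added example. Reproduces the post's Sigma substring check and adds a
script-based check; the confusables table is a deliberately small subset.
"""
import re
import unicodedata

# Cyrillic letters that render like Latin ones (subset; assumption for this demo).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u043a": "k", "\u0456": "i", "\u0455": "s",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0425": "X", "\u0423": "Y", "\u041a": "K",
}

# What the post's Sigma rule looks for: the SIEM stored the non-ASCII letters
# of "Update" as U+FFFD, so only "dat<FFFD><FFFD>.zip" survived.
SIGMA_SUBSTRING = "dat\ufffd\ufffd.zip"

# Browser-update lure naming, applied to the de-homoglyphed name.
LURE_RE = re.compile(r"(chrome|firefox|edge|opera|browser).*(update|upgrade|patch)", re.I)

# Constructed Sysmon-like FileCreate events (EventID 11). The first file name is
# the one quoted in the post: "Chrome.Update.zip" with Cyrillic е (U+0435) and р (U+0440).
SAMPLE_EVENTS = [
    "EventID=11 TargetFilename=C:\\Users\\alice\\Downloads\\Chrom\u0435.U\u0440dat\u0435.zip",
    "EventID=11 TargetFilename=C:\\Users\\bob\\Downloads\\dat\ufffd\ufffd.zip",
    "EventID=11 TargetFilename=C:\\Users\\carol\\Downloads\\Q4-report.xlsx",
    "EventID=11 TargetFilename=C:\\Users\\dave\\Downloads\\Chrome.Update.zip",
    "EventID=11 TargetFilename=C:\\Users\\erin\\Downloads\\r\u00e9sum\u00e9.zip",
]

TARGET_RE = re.compile(r"TargetFilename=(.*)$")


def scripts_in(name: str) -> set:
    """Unicode scripts used by the letters in name, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            try:
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:  # unnamed code point
                scripts.add("UNKNOWN")
    return scripts


def skeleton(name: str) -> str:
    """Replace known Cyrillic look-alikes with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def classify(name: str) -> list:
    """Return the list of reasons name is suspicious (empty if none)."""
    reasons = []
    if SIGMA_SUBSTRING in name:
        reasons.append("sigma: contains 'dat<U+FFFD><U+FFFD>.zip'")
    scripts = scripts_in(name)
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + "+".join(sorted(scripts)))
    skel = skeleton(name)
    if skel != name:
        reasons.append("homoglyph of " + skel)
    if LURE_RE.search(skel):
        reasons.append("browser-update lure name")
    return reasons


def scan_events(lines) -> dict:
    """Map each flagged base file name to its reasons."""
    flagged = {}
    for line in lines:
        m = TARGET_RE.search(line)
        if not m:
            continue
        base = m.group(1).rsplit("\\", 1)[-1]  # strip the Windows directory part
        reasons = classify(base)
        if reasons:
            flagged[base] = reasons
    return flagged


if __name__ == "__main__":
    for base, reasons in scan_events(SAMPLE_EVENTS).items():
        print(repr(base), "->", "; ".join(reasons))
```

The script-mixing check is the durable part: it fires on any Latin name with Cyrillic (or other script) letters spliced in, regardless of which words the actor picks next, while the Sigma substring only survives as long as the SIEM keeps turning those exact bytes into U+FFFD. A name such as `résumé.zip` stays clean because accented Latin letters are still Latin.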

Kevin · @CyberThreat
33 followers · 19 posts · Server infosec.exchange

New

*[.]fate[.]truelance[.]com

#SocGholish #urlscanio

Last updated 2 years ago

identifying basic activity as malicious! Kudos cc @GossiTheDog

#chatgpt #SocGholish

Last updated 2 years ago

Part 1: SocGholish, a very real threat from a very fake update

"SocGholish is a malware variant which continues to thrive in the current information security landscape. By utilizing an extensive variety of stages, eligibility checks, and obfuscation routines, it remains one of the most elusive malware families to date.

SocGholish was observed in the wild as early as 2018. The absence of details surrounding target selection, evasion logic, and specific procedures employed by TA569 and their use of SocGholish in the intermediary phases of infection contributes to this shroud of mystery."

proofpoint.com/us/blog/threat-

#SocGholish #proofpoint #threatintel

Last updated 2 years ago

Kevin · @CyberThreat
28 followers · 14 posts · Server infosec.exchange

perspective[.]cdsignner[.]com
wiki[.]clotheslane[.]com

#SocGholish #urlscanio

Last updated 2 years ago

imlordoftherings · @Imlordofthering
241 followers · 388 posts · Server infosec.exchange

Oh and this is a sample of that @rmceoin helped me work through - but I'm doing it on my own this time to really cement in the learnings.

#SocGholish

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
413 followers · 42 posts · Server infosec.exchange

Lots of changes with recently.

There are some new URI patterns (no more report?r=).

Updated regexes for Fiddler's extension can be found here: github.com/malwareinfosec/EKFi

#SocGholish #ekfiddle

Last updated 2 years ago

#SocGholish #infosec

Last updated 2 years ago