Cyble: Sneaky XWorm Uses MultiStaged Attack https://cybleinc.wpcomstaging.com/2023/07/28/sneaky-xworm-uses-multistaged-attack/ #Multi-stagedattack #BATloader #Malware #malware #LOLBin #WebDAV #XWorm

Cyble: Sneaky XWorm Uses MultiStaged Attack https://blog.cyble.com/2023/07/28/sneaky-xworm-uses-multistaged-attack/ #Multi-stagedattack #BATloader #Malware #malware #LOLBin #WebDAV #XWorm

Cyble: Sneaky XWorm Uses MultiStaged Attack https://blog.cyble.com/2023/07/28/sneaky-xworm-uses-multistaged-attack/ #Multi-stagedattack #BATloader #Malware #malware #LOLBin #WebDAV #XWorm

The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html #CyberSecurity #GoogleAds #BATLOADER #malware #VidarStealer #Ursnif

Happy Monday folks, I hope you had a restful weekend and managed to take a breather from all things cyber! Time to get back into it though, so let me give you hand - catch up on the week’s infosec news with the latest issue of our newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf

#Emotet are back and are using…OneNote lures? ISO disk images? Malvertising? Nah – they’re sticking with tier tried and true TTPs – their Red Dawn maldoc template from last year; macro-enabled documents as lures, and null-byte padding to evade automated scanners.

We’ve highlighted a report on the Xenomorph #Android Banking Trojan, which added support for targeting accounts of over 400 banks; automated bypassing of MFA-protected app logins, and a Session Token stealer module. With capabilities like these becoming the norm, is it time to take a closer look at the threat Mobile Malware could pose to enterprise networks?

North Korean hackers have demonstrated yet again that they’re tracking and integrating the latest techniques, and investing in malware development. A recent campaign saw eight new pieces of malware distributed throughout the kill chain, leveraging #Microsoft #InTune to deliver payloads and an in-memory dropper to abuse the #BYOVD technique and evade EDR solutions.

A joint investigation by #Mandiant and #SonicWall has unearthed a two-year campaign by Chinese actors, enabled through exploitation of unpatched SMA100 appliances and delivery of tailored payloads. A critical vulnerability reported by #Fortinet this week helps reinforce the point that perimeter devices need to be patched with urgency, as it’s a well-documented target for Chinese-affiliated actors.

#HiatusRAT is a novel malware targeting #DrayTek routers, sniffing network traffic and proxying C2 traffic to forward-deployed implants. TTPs employed in recent #BatLoader and #Qakbot campaigns are also worth taking note of, as is #GoBruteforcer, a new malware family targeting specific web server applications to brute force logins and deploy an IRC bot for C2.

Those in Vulnerability Management should take particular note of the #Veeam vulnerability, which appears trivial to exploit and actually delivers plaintext credentials to the attacker. CISA have also taken note of nearly 40k exploit attempts of a 2 year old code-exec-as-root vulnerability in the #VMWare Cloud Foundation product in the last two months, so make sure you’re patched against it.

#Redteam members have some excellent reading to look forward to, looking at HTTP request smuggling to harvest AD credentials and persisting with a MitM Exchange server, as well as a detailed post that examines #CobaltStrike’s reflective loading capability;

The #blueteam has some great tradecraft tips from @inversecos on #Azure DFIR, as well as tools to help scan websites for malicious objects, and to combat the new #Stealc #infostealer and well-established Raccoon Stealer.

Catch all this and much more in this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #newsletter #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #mdm #dprk #FortiOS #FortiProxy

BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads
https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html #Cybercrime #Malware #Batloader

The Hacker News: BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads

https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html

#cybersecurity #malware #Batloader #VidarStealers #ursnif

OneNote Attachment Used to Deliver New Variant of #BATLoader

Source: https://blog.cyble.com/2023/02/02/new-batloader-disseminates-rats-and-stealers/

Targeted Industries: Manufacturing, Retail Trade; Potential to target all industries

Cyble recently observed a #cybercriminal using a OneNote attachment (.one) in spam emails to deliver a .bat file that exhibits the same behavior as a new variant of #BATLoader. Deepwatch has observed cybercriminals using OneNote attachments to deliver #Qakbot #malwarere ATI's Cyber Threat Intel team cannot find any reference to BatLoader being sold or offered through publicly available sources, which may suggest that a single cybercriminal or group operates BATLoader; this may indicate that the cybercriminal behind the phishing campaign is the same cybercriminal behind BATLoader. Cybercriminals using OneNote attachments could be an emerging trend. However, as of yet, it appears to be an isolated usage and not a widespread threat and may indicate that cybercriminals are testing out this distribution method.

#CTI #threatintelligence #ThreatIntel

New blog post! In this one I look at a #BATLoader MSI sample referenced by @malwrhunterteam which resulted in #Ursnif and #Redline execution. Some fun twists and turns in this. https://forensicitguy.github.io/batloader-ursnif-redline-oh-my/

#malware

Found this new #BatLoader C&C Server - statisticpixels[.]com . Doesn't appear to be in use yet...

Day 7️⃣​​ of #100DaysOfYara: Detecting #Batloader JavaScript malware

🔗​ https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/007/007.md

Todays rule was created using samples (from november) mentioned in Trend's new blog post:
📖​ "https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html

I used the yara count module to help out with the detection!

#threatintel #batloader

installationsoftware1.]com/0ssdt1/index/login

#BatLoader new c2 installationupgrade6[.]com

@Viss True that :)

I actually forgot to tag this one as #BatLoader. Have fixed now.

C2 grammarlycheck2[.]com #BatLoader

More undetected #batloader
🎣 zoomfree[.]org

⬇️ File Download: ZoomInstallerFull_IIS_1.msi (hosted on 4sync)

🌐​ C2s:
archiverportal[.]space
onepdfreader[.]com

🔗 ​https://www.virustotal.com/gui/file/4fb32b409b425fc8607e197927d88ced39f197638198b837eef465329869e623
🔗 ​https://urlscan.io/result/6fb2da6c-3416-4b65-b896-22bd8a87955a/
#malware #threatintel #CTI

CC @1ZRR4H

Delivery of #BATLOADER #malware via #GoogleAds by #DEV0569 in malvertising campaign. This threat actor has used BATLOADER -> #CobaltStrike Beacon -> Royal #ransomware.

Ref: https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/

Footnote: adblocking solutions (e.g. #ublockorigin, #adblock, #pihole @Raspberry_Pi) can prevent similar attacks

Undetected #batloader campaign themed around winrar ⚠️​

🎣​ extractor-rar[.]website/downlaod-1.html

⬇️ File Download: WinRar_ISS_6.1.11.msi

🌐​ C2: archiverportal[.]space

🔗 https://www.virustotal.com/gui/file/49a7402dc4249f583c54f1a79a742608cedd5a86cc23e7387b98b6d080a7428d/details
🔗 https://www.virustotal.com/gui/domain/archiverportal.space/relations

#ThreatIntel #Malware #Ransomware #IOCs #IOC

It's not the first time #GOOGLEADS are used to distribute malware or some such malign code. The malware downloader, a strain referred to as #BATLOADER, is a dropper that functions as a conduit to distribute next-stage payloads. It…https://lnkd.in/eZd29MNg https://lnkd.in/egKgUtMT

#MSTIC updates out today regarding DEV-0569 / Royal #ransomware
+ DEV-0569 likely to continue malvertising and phishing for Initial Access
+ #Batloader posed as installers for TeamViewer, Zoom, and AnyDesk
+ Malvertising campaign observed leveraging Google Ads to deliver Batloader selectively
#threatintel #infosec

https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/