📬 XLoader: macOS-Malware tarnt sich als OfficeNote-Anwendung
#ITSicherheit #Malware #DineshDevadoss #Formbook #Keylogger #macOS #macOSMalware #OfficeNote #PhilStokes #SentinelOne #XLoader https://tarnkappe.info/artikel/it-sicherheit/xloader-macos-malware-tarnt-sich-als-officenote-anwendung-279902.html

URLhaus is operational for over 5 years, notifying hosting providers + network operators about malware hosted in their network 🪲 It's a shame that some hosting providers ignore abuse reports, spreading malware for over four years 🤯

Here's our current 💩-list 👇

AS38841 kbro 🇹🇼, spreading #hajime:
🌐 https://urlhaus.abuse.ch/url/86646/

AS23520 Columbus Networks 🇧🇸, spreading #hajime:
🌐 https://urlhaus.abuse.ch/url/91891/

AS29873 Newfold Digital 🇺🇸, spreading #FormBook:
🌐 https://urlhaus.abuse.ch/url/117832/

AS58955 Bangmod 🇹🇭, spreading #Emotet:
🌐 https://urlhaus.abuse.ch/url/200073/

Today in our section on "uncoventional #Malware delivery": #ARJ archives! 📦
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader

You can recognize ARJ archives by their Magic: 60 EA
Extraction can be handled with 7zip for example.
For more information on the file format check out Ange Albertini's excellent graphic representation: https://twitter.com/angealbertini/status/1619006171360395264

As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
To fool the victims into opening the next file they used the common #doubleExtension tick, e.g. .pdf.exe

IoC for those playing along at home:
162.0.223[.]13
kbfvzoboss[.]bid
alphastand[.]trade
alphastand[.]win
alphastand[.]top
➡️/alien/fre.php

PO_Payment for invoice[...].eml.arj
d0c8824d1e19ca1af0b88a477fa4cad6

SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
88bdf4f8fe035276da984c370e4cda2c

#infosec #cybersecurity #blueteam

#formbook
-> RE_ AL HARAM MAKKAH PROJECT.msg
-> RFQ-4536789234.doc
-> sheiform2.1.exe
17f6df036368cca2f2edf4b44295bb02

📬 Virtualisierte Malware versteckt sich in Google-Werbung für Blender
#Malware #AntivirenSoftware #Blender #Formbook #GoogleAds #GoogleWerbeanzeigen #Infostealer #KoiVM #MalVirt #MalwareAnalyse #MalwareLoader #virtualisierteMalware https://tarnkappe.info/artikel/malware/virtualisierte-malware-versteckt-sich-in-google-werbung-fuer-blender-264651.html

Quick Tip 🛠️: Threat Actors like to use archiving tools for #malware delivery to avoid #detection and reduce file size. Today we spotted a .ace Archive containing #Formbook #infostealer. This technique is not new and also occasionally used for #AgentTesla, #RedLine etc.

ACE is a proprietary, legacy compression format. Unpacking these archives is dependend on the ACE version, e.g. "unace" v1.2 cannot handle ACE 2.0. We recommend https://github.com/droe/acefile by @droe if you ever come across such a file (screenshots see below).

FormBook #IoC

Files:
Archive e91b62f7952825d6a87775166301d018
Executable d539fcc11b4f5b96a1d89928f1ef87e7

C2:
allthekey[.]com
mgconsultantlogistics[.]com
bonaccorso[.]online
vowlashes[.]co[.]uk

Day 3️⃣​of #100DaysOfYara: Detecting OneNote files

🔗​https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/003/003.md

In December TrustWave reported on OneNote being used to drop #FormBook
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/

Todays rule is designed to just detect OneNote files. In the future I'll expand on this to start detecting suspicious OneNote files

trying to learn https://binref.github.io/#refinery.hexload tool. :) this tool is awesome

good starting example is decoding simple string obfuscation of #formbook #int3 #malwareanalysis #reverseengineering

trying to learn https://binref.github.io/#refinery.hexload tool. :) this tool is awesome

good starting example is decoding simple string obfuscation of #formbook #int3 #malwareanalysis #reverseengineering

Threat Roundup for July 17 to July 24 - Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 17 ... more: http://feedproxy.google.com/~r/feedburner/Talos/~3/kLTTDsrY6cA/threat-roundup-0717-0724.html #vulnerabilities #threatroundup #ciscotalos #cryptbot #formbook #hawkeye #malware #ramnit #tofsee #socks #talos

RATicate Group Hits Industrial Firms With Revolving Payloads - A new threat group uses NSIS as an installer to target industrial companies with revolving payload... more: https://threatpost.com/raticate-group-industrial-firms-revolving-payloads/155775/ #malwarecampaign #nsisinstaller #agenttesla #formbook #nsisfile #raticate #malware #betabot #lokibot #netwire #payload #sophos #hacks #nsis

Threat Roundup for January 3 to January 10 - Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 3 a... more: http://feedproxy.google.com/~r/feedburner/Talos/~3/3Oy-ebGe3yQ/threat-roundup-0103-0110.html #vulnerabilities #threatroundup #ciscotalos #teslacrypt #zeroaccess #formbook #trickbot #malware #tofsee #upatre #ursnif #talos #razy