XLoader: macOS malware disguises itself as an OfficeNote application
#ITSicherheit #Malware #DineshDevadoss #Formbook #Keylogger #macOS #macOSMalware #OfficeNote #PhilStokes #SentinelOne #XLoader https://tarnkappe.info/artikel/it-sicherheit/xloader-macos-malware-tarnt-sich-als-officenote-anwendung-279902.html
URLhaus has been operational for over 5 years, notifying hosting providers and network operators about malware hosted in their networks. It's a shame that some hosting providers ignore abuse reports, spreading malware for over four years.
Here's our current list:
AS38841 kbro, spreading #hajime:
https://urlhaus.abuse.ch/url/86646/
AS23520 Columbus Networks, spreading #hajime:
https://urlhaus.abuse.ch/url/91891/
AS29873 Newfold Digital, spreading #FormBook:
https://urlhaus.abuse.ch/url/117832/
AS58955 Bangmod, spreading #Emotet:
https://urlhaus.abuse.ch/url/200073/
Today in our section on "unconventional #Malware delivery": #ARJ archives!
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader
You can recognize ARJ archives by their magic bytes: 60 EA.
Extraction can be handled with 7-Zip, for example.
For more information on the file format check out Ange Albertini's excellent graphic representation: https://twitter.com/angealbertini/status/1619006171360395264
As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
To fool the victims into opening the next file they used the common #doubleExtension trick, e.g. .pdf.exe
IoCs for those playing along at home:
162.0.223[.]13
kbfvzoboss[.]bid
alphastand[.]trade
alphastand[.]win
alphastand[.]top
-> /alien/fre.php
PO_Payment for invoice[...].eml.arj
d0c8824d1e19ca1af0b88a477fa4cad6
SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
88bdf4f8fe035276da984c370e4cda2c
#malware #arj #agenttesla #formbook #GuLoader #lokibot #doubleextension #infosec #cybersecurity #blueteam
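The two spotting techniques from this post (the 60 EA magic and the decoy.real double extension) as an added Python example; this is not the poster's code. The byte strings are constructed header stubs carrying only the magic bytes, not real archives, and the extension lists are my own choices, so tune them to your environment.

```python
import os

# Leading-byte signatures as published in the respective format specifications.
# The ARJ magic (60 EA) is the one quoted in the post above.
MAGICS = [
    ("ARJ",    b"\x60\xea"),
    ("RAR5",   b"Rar!\x1a\x07\x01\x00"),
    ("RAR4",   b"Rar!\x1a\x07\x00"),
    ("ZIP",    b"PK\x03\x04"),
    ("7Z",     b"7z\xbc\xaf\x27\x1c"),
    ("PE/EXE", b"MZ"),   # checked last: only two bytes, so it is the weakest match
]

def sniff(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the file extension."""
    for name, magic in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"

# Extension pairs for the decoy.real trick (my own lists, not from the post):
# the decoy is what the victim is meant to see, the real one is what runs or unpacks.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".eml", ".msg", ".txt", ".jpg", ".png"}
PAYLOAD_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
                ".arj", ".rar", ".ace", ".zip", ".7z", ".iso"}

def double_extension(filename: str):
    """Return (decoy, real) for names like INVOICE.PDF.exe, otherwise None."""
    stem, real = os.path.splitext(filename.lower())
    _, decoy = os.path.splitext(stem)
    if decoy in DECOY_EXTS and real in PAYLOAD_EXTS:
        return decoy, real
    return None

# What each payload extension should contain if the name is honest.
EXPECTED_TYPE = {".arj": {"ARJ"}, ".rar": {"RAR4", "RAR5"}, ".zip": {"ZIP"},
                 ".7z": {"7Z"}, ".exe": {"PE/EXE"}, ".scr": {"PE/EXE"}}

def analyze_stage(filename: str, data: bytes) -> dict:
    """Combine both checks for one file of a delivery chain."""
    kind = sniff(data)
    ext = os.path.splitext(filename.lower())[1]
    expected = EXPECTED_TYPE.get(ext)
    return {
        "name": filename,
        "type": kind,
        "double_extension": double_extension(filename),
        # True when the extension claims one container but the bytes say another
        "type_mismatch": expected is not None and kind not in expected,
    }

def analyze_chain(stages):
    """Run analyze_stage over an ordered list of (filename, bytes) pairs."""
    return [analyze_stage(name, data) for name, data in stages]

# Constructed header stubs standing in for the ARJ -> RAR -> EXE chain described
# in the post. They carry only the magic bytes and are not valid archives.
SAMPLE_CHAIN = [
    ("Payment_Advice_2023.eml.arj", b"\x60\xea\x2c\x00" + b"\x00" * 44),
    ("SHIPPING_DOCS.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 16),
    ("SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe", b"MZ\x90\x00" + b"\x00" * 60),
]

if __name__ == "__main__":
    for stage in analyze_chain(SAMPLE_CHAIN):
        flags = []
        if stage["double_extension"]:
            flags.append("double extension %s%s" % stage["double_extension"])
        if stage["type_mismatch"]:
            flags.append("extension does not match content")
        print(f'{stage["name"]}: {stage["type"]}', "; ".join(flags))
```

Sniffing by magic rather than by extension is the point: the gateway should decide what to do with a file based on what it is, not what it is called, and the double-extension check catches the lure even when the content check passes.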
#formbook
-> RE_ AL HARAM MAKKAH PROJECT.msg
-> RFQ-4536789234.doc
-> sheiform2.1.exe
17f6df036368cca2f2edf4b44295bb02
Virtualized malware hides in Google ads for Blender
#Malware #AntivirenSoftware #Blender #Formbook #GoogleAds #GoogleWerbeanzeigen #Infostealer #KoiVM #MalVirt #MalwareAnalyse #MalwareLoader #virtualisierteMalware https://tarnkappe.info/artikel/malware/virtualisierte-malware-versteckt-sich-in-google-werbung-fuer-blender-264651.html
Quick Tip: Threat actors like to use archiving tools for #malware delivery to avoid #detection and reduce file size. Today we spotted a .ace archive containing the #Formbook #infostealer. This technique is not new and is also occasionally used for #AgentTesla, #RedLine etc.
ACE is a proprietary, legacy compression format. Unpacking these archives is dependent on the ACE version, e.g. "unace" v1.2 cannot handle ACE 2.0. We recommend https://github.com/droe/acefile by @droe if you ever come across such a file (see screenshots below).
FormBook #IoC
Files:
Archive e91b62f7952825d6a87775166301d018
Executable d539fcc11b4f5b96a1d89928f1ef87e7
C2:
allthekey[.]com
mgconsultantlogistics[.]com
bonaccorso[.]online
vowlashes[.]co[.]uk
#malware #detection #formbook #infostealer #agenttesla #redline #ioc
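An added Python example (not the poster's code, not part of acefile) that reads the fixed part of an ACE main header so you can see which format version an archive demands before picking an unpacker. The field order follows the public header layout as I read it from acefile's implementation; the position of the two version bytes, and the reading of 10/20 as ACE 1.0/2.0, are assumptions to verify against acefile if you rely on them. The sample headers are constructed stubs with a zero CRC and no file data.

```python
import struct

ACE_SIGNATURE = b"**ACE**"

# Fixed part of the ACE main header (offsets in bytes; assumption: order of the
# two version bytes as implemented by acefile, needed-version first):
#   0  HEAD_CRC     uint16  CRC of the header from HEAD_TYPE onwards (not checked here)
#   2  HEAD_SIZE    uint16  size of the header from HEAD_TYPE onwards
#   4  HEAD_TYPE    uint8   0 = main header
#   5  HEAD_FLAGS   uint16
#   7  ACESIGN      7 bytes "**ACE**"
#  14  VER_EXTRACT  uint8   version needed to extract (assumed 10 = 1.0, 20 = 2.0)
#  15  VER_CREATE   uint8   version that created the archive
#  16  HOST         uint8   creating platform code
#  17  VOLUME       uint8   volume number
#  18  DATETIME     uint32  MS-DOS date/time
#  22  RESERVED     8 bytes
MAIN_HEADER_LEN = 30

def parse_ace_main_header(data: bytes) -> dict:
    """Parse the fixed fields of an ACE main header; raise ValueError if it is not ACE."""
    if len(data) < MAIN_HEADER_LEN or data[7:14] != ACE_SIGNATURE:
        raise ValueError("not an ACE archive (signature **ACE** missing at offset 7)")
    head_crc, head_size, head_type, head_flags = struct.unpack_from("<HHBH", data, 0)
    if head_type != 0:
        raise ValueError(f"first header has type {head_type}, expected main header (0)")
    ver_extract, ver_create, host, volume, dos_time = struct.unpack_from("<BBBBI", data, 14)
    return {
        "header_size": head_size,
        "flags": head_flags,
        "version_needed": ver_extract,
        "version_created": ver_create,
        "host": host,
        "volume": volume,
        "dos_time": dos_time,
        # unace 1.2 speaks the 1.x format only; a needed-version of 20 marks the
        # ACE 2.0 format the post says it cannot handle (my interpretation of the field)
        "needs_ace2": ver_extract >= 20,
    }

def ace_version_string(v: int) -> str:
    """Render the one-byte version field as major.minor (assumed major*10+minor)."""
    major, minor = divmod(v, 10)
    return f"{major}.{minor}"

def make_stub(ver_extract: int, ver_create: int) -> bytes:
    """Build a minimal constructed main header for testing; CRC left zero, no data."""
    body = (
        bytes([0])                                # HEAD_TYPE = main header
        + struct.pack("<H", 0)                    # HEAD_FLAGS
        + ACE_SIGNATURE
        + bytes([ver_extract, ver_create, 2, 0])  # versions, host code, volume 0
        + struct.pack("<I", 0)                    # DATETIME
        + b"\x00" * 8                             # RESERVED
    )
    return struct.pack("<HH", 0, len(body)) + body

# Constructed samples, not real malware archives.
ACE10_STUB = make_stub(10, 10)
ACE20_STUB = make_stub(20, 20)

def recommend_unpacker(data: bytes) -> str:
    """Map the needed version to the tooling the post recommends."""
    hdr = parse_ace_main_header(data)
    needed = ace_version_string(hdr["version_needed"])
    if hdr["needs_ace2"]:
        return f"ACE {needed} needed: use acefile, unace 1.2 will fail"
    return f"ACE {needed} needed: unace 1.2 or acefile"

if __name__ == "__main__":
    for label, blob in (("1.0 stub", ACE10_STUB), ("2.0 stub", ACE20_STUB)):
        print(label, parse_ace_main_header(blob))
        print("  ->", recommend_unpacker(blob))
```

Note that the ACE signature sits at offset 7, not offset 0, so a sniffer that only compares the first bytes of a file will miss it; check `data[7:14]` as above.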
Day 3 of #100DaysOfYara: Detecting OneNote files
https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/003/003.md
In December, Trustwave reported on OneNote being used to drop #FormBook
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/
Today's rule is designed to just detect OneNote files. In the future I'll expand on this to start detecting suspicious OneNote files.
Trying to learn the https://binref.github.io/#refinery.hexload tool. :) This tool is awesome.
A good starting example is decoding the simple string obfuscation of #formbook #int3 #malwareanalysis #reverseengineering
Threat Roundup for July 17 to July 24 - Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 17 ... more: http://feedproxy.google.com/~r/feedburner/Talos/~3/kLTTDsrY6cA/threat-roundup-0717-0724.html #vulnerabilities #threatroundup #ciscotalos #cryptbot #formbook #hawkeye #malware #ramnit #tofsee #socks #talos
RATicate Group Hits Industrial Firms With Revolving Payloads - A new threat group uses NSIS as an installer to target industrial companies with revolving payload... more: https://threatpost.com/raticate-group-industrial-firms-revolving-payloads/155775/ #malwarecampaign #nsisinstaller #agenttesla #formbook #nsisfile #raticate #malware #betabot #lokibot #netwire #payload #sophos #hacks #nsis
Threat Roundup for January 3 to January 10 - Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 3 a... more: http://feedproxy.google.com/~r/feedburner/Talos/~3/3Oy-ebGe3yQ/threat-roundup-0103-0110.html #vulnerabilities #threatroundup #ciscotalos #teslacrypt #zeroaccess #formbook #trickbot #malware #tofsee #upatre #ursnif #talos #razy