Found this article in my threat intel feed:
https://asec.ahnlab.com/en/45312/
Looks like NetSupport RAT?
C2 domain/port: tradinghuy.duckdns[.]org:1488.
We have rules in the ETOPEN ruleset to catch NetSupport CnC Checkin, and the response from the server:
2035892 (NetSupport Remote Admin Checkin)
2035895 (NetSupport Remote Admin Response)
#threatintel #malware #netsupportrat #snort #suricata #iocsharing #ioc
Saw this today on birdsite - apparently there's a massive vidar stealer campaign with 1300+ domains registered with a good amount of typo squatting going on.
https://gist.github.com/qbourgue/a81873df59004858a107a7c10b3a3fd7/
credit to @crep1x@twitter.com
For the time being, they are all registered to a single IP address oddly enough, so instead of vomiting out a massive amount of DNS rules today, I opted to create a rule that catches the query response with the IP address in question.
Additionally, here is the triage sandbox run: https://tria.ge/230107-vnc9bahd7x/behavioral2
Finally, suricata sid 2036316 is a part of the ET OPEN ruleset, and will detect Arkei/Vidar/Mars stealer variants -- tested against the pcap generated from the triage run.
Happy Monday, MFers.
#threatintel #malware #infostealer #snort #suricata #vidar #ioc #iocsharing
#infosec #CTI #IOCSharing Hey folks, I'm on vacation until next year. I don't take a lot of time off over the course of the year, and our work culture is such that we have management that encourages us to do so, so I elected to take off Christmas break to spend it with my wife.
I won't be available to do #snort or #suricata sigs until January 3rd of next year. I would be honored if you directed your threat intelligence to @et_labs on twitter, or community.emergingthreats.net to ensure that your requests for coverage, and your inquiries are being met.
Thank you so much. I hope you have a great holiday, and let us start the new year off together strong.
#infosec #cti #iocsharing #snort #suricata
Found this in our threat feed:
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/l/linux-cryptocurrency-mining-attacks-enhanced-via-chaos-rat-/iocs-linux-cryptocurrency-mining-attacks-enhanced-via-chaos-rat.txt
Trend Micro found a campaign with chaos rat dropping XMRIG miners it looks like? The blog post is gone, but the file hashes and IOCs are still there. It looks like we have some coverage via:
2024897 ET USER_AGENTS Go HTTP Client User-Agent
2037145 ET MALWARE Win32/Khaosz.A!MTB Checkin
Of course the Go HTTP Client User-Agent rule is very generic coverage for software using the Go language HTTP library default user-agent. More often than not, that warrants looking at (hunting) but the results may not necessarily be malicious.
#Malware #ThreatIntel #iocs #iocsharing #Snort #Suricata #Cryptojacking #ChaosRAT
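Two of the posts above describe hunting pivots that are easy to apply to Suricata's own EVE output: the Vidar post's idea of matching the DNS answer carrying the one shared IP instead of writing 1300+ query rules, and the Chaos RAT post's caveat that the Go HTTP client User-Agent rule is generic and its hits need per-host triage rather than automatic blocking. The script below is an added example, not code from the posts or from Emerging Threats. It reads eve.json lines and (a) reports every A record that resolves to a pivot IP, collecting the queried names as the typosquat inventory, and (b) tallies, per client, which destinations were contacted with Go's default User-Agent. Assumptions: the pivot IP is a constructed TEST-NET placeholder because the post does not publish the real address; the sample log lines are constructed, not captured traffic; both the v1 (one resource record per event) and v2 (`answers` list) EVE dns layouts are handled, and answer events are taken to be logged in the response direction so `dest_ip` is the querying host.

```python
import json
from collections import Counter
from typing import Dict, Iterator, List

# Constructed stand-in for the single IP the Vidar domains were parked on;
# the post does not publish the real address.
PIVOT_IP = "192.0.2.10"

# Default User-Agent of Go's net/http client, the string the generic ET rule keys on.
GO_DEFAULT_UA = "Go-http-client/1.1"

# Constructed eve.json lines (not real traffic). Both EVE dns layouts are covered:
# v1 logs one resource record per "answer" event, v2 nests them under "answers".
SAMPLE_EVE_LINES: List[str] = [
    json.dumps({"timestamp": "2023-01-09T10:00:01.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.1", "dest_ip": "10.0.0.5",
                "dns": {"type": "answer", "id": 7, "rrname": "n0tepad-plus-plus.example",
                        "rrtype": "A", "rdata": "192.0.2.10", "ttl": 300}}),
    json.dumps({"timestamp": "2023-01-09T10:00:02.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.1", "dest_ip": "10.0.0.6",
                "dns": {"version": 2, "type": "answer", "id": 8, "rrname": "libre0ffice-download.example",
                        "answers": [
                            {"rrname": "libre0ffice-download.example", "rrtype": "CNAME",
                             "rdata": "cdn.libre0ffice-download.example"},
                            {"rrname": "cdn.libre0ffice-download.example", "rrtype": "A",
                             "rdata": "192.0.2.10"}]}}),
    json.dumps({"timestamp": "2023-01-09T10:00:03.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.1",
                "dns": {"type": "query", "id": 9, "rrname": "example.com", "rrtype": "A"}}),
    json.dumps({"timestamp": "2023-01-09T10:00:04.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.1", "dest_ip": "10.0.0.5",
                "dns": {"version": 2, "type": "answer", "id": 9, "rrname": "example.com",
                        "answers": [{"rrname": "example.com", "rrtype": "A", "rdata": "198.51.100.7"}]}}),
    "this line is not json and must be skipped",
    json.dumps({"timestamp": "2023-01-09T10:00:05.000000+0000", "event_type": "http",
                "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7",
                "http": {"hostname": "updates.example", "url": "/v1/check",
                         "http_user_agent": "Go-http-client/1.1"}}),
    json.dumps({"timestamp": "2023-01-09T10:00:06.000000+0000", "event_type": "http",
                "src_ip": "10.0.0.9", "dest_ip": "203.0.113.44",
                "http": {"hostname": "203.0.113.44", "url": "/", "http_user_agent": "Go-http-client/1.1"}}),
    json.dumps({"timestamp": "2023-01-09T10:00:07.000000+0000", "event_type": "http",
                "src_ip": "10.0.0.9", "dest_ip": "203.0.113.44",
                "http": {"hostname": "203.0.113.44", "url": "/", "http_user_agent": "Go-http-client/1.1"}}),
    json.dumps({"timestamp": "2023-01-09T10:00:08.000000+0000", "event_type": "http",
                "src_ip": "10.0.0.7", "dest_ip": "198.51.100.8",
                "http": {"hostname": "www.example", "url": "/", "http_user_agent": "Mozilla/5.0"}}),
]


def iter_records(lines) -> Iterator[dict]:
    """Yield parsed EVE records, silently skipping lines that are not JSON objects."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def iter_answer_rrs(dns: dict) -> Iterator[dict]:
    """Normalise a dns answer object into a flat sequence of resource records."""
    if dns.get("type") != "answer":
        return
    rrs = dns.get("answers")
    if rrs is None:  # v1 layout: the event itself is the single RR
        rrs = [dns]
    for rr in rrs:
        yield {"rrname": rr.get("rrname"), "rrtype": rr.get("rrtype"), "rdata": rr.get("rdata")}


def find_pivot_hits(lines, pivot_ip: str) -> List[Dict[str, str]]:
    """Return every A record whose rdata is pivot_ip, with the queried name and the client."""
    hits = []
    for rec in iter_records(lines):
        if rec.get("event_type") != "dns":
            continue
        dns = rec.get("dns") or {}
        for rr in iter_answer_rrs(dns):
            if rr["rrtype"] == "A" and rr["rdata"] == pivot_ip:
                hits.append({"timestamp": rec.get("timestamp"),
                             # answer events are logged in the response direction,
                             # so dest_ip is the host that issued the lookup (assumption)
                             "client": rec.get("dest_ip"),
                             "query": dns.get("rrname"),
                             "rrname": rr["rrname"]})
    return hits


def pivot_domains(lines, pivot_ip: str) -> set:
    """Distinct queried names that resolved to the pivot IP (the typosquat inventory)."""
    return {h["query"] for h in find_pivot_hits(lines, pivot_ip)}


def go_ua_hunt(lines, ua: str = GO_DEFAULT_UA) -> Dict[str, Counter]:
    """Per client, count the destinations contacted with the Go default User-Agent."""
    per_client: Dict[str, Counter] = {}
    for rec in iter_records(lines):
        if rec.get("event_type") != "http":
            continue
        http = rec.get("http") or {}
        if http.get("http_user_agent") != ua:
            continue
        dest = http.get("hostname") or rec.get("dest_ip")
        per_client.setdefault(rec.get("src_ip"), Counter())[dest] += 1
    return per_client


if __name__ == "__main__":
    for hit in find_pivot_hits(SAMPLE_EVE_LINES, PIVOT_IP):
        print("pivot hit:", hit)
    print("typosquat names:", sorted(pivot_domains(SAMPLE_EVE_LINES, PIVOT_IP)))
    for client, dests in go_ua_hunt(SAMPLE_EVE_LINES).items():
        print("Go UA from", client, "->", dict(dests))
```

The DNS side follows the CNAME chain by matching on the final A record while still reporting the name the client actually asked for, which is what you want to feed back into a domain blocklist. The User-Agent side deliberately returns a per-client breakdown rather than a verdict: a host talking to a named update service with the Go UA is a very different finding from one beaconing repeatedly to a bare IP, and that distinction is the hunting step the post says the generic rule leaves to the analyst.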
forgot to tag this: #Malware #ThreatIntel #iocs #iocsharing #Snort #Suricata #Mallox #Ransomware