Continuing #100DaysOfYara with Day 2️⃣7️⃣: More practice with the VT module, detecting JavaScript malware
🔗 https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/027/027.md
Recently Proofpoint shared research about a new threat group they track as #TA886 that makes use of JavaScript malware:
📖https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me
Today's YARA rule uses the VirusTotal module to detect JavaScript files that download a .msi sample in the same way TA886's malware does. This rule dug up a lot of low-detected samples from this recent campaign!
#IOCs from retrohunting can be found here:
🔗 https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/027/retrohuntin_results.csv
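As an added illustration of the approach described above (a VT-module rule for JavaScript files whose sandbox run fetches or drops an .msi), here is a rule written for this page, not the rule from the linked repository. The field names (`vt.metadata.file_type`, `vt.FileType.JAVASCRIPT`, `vt.behaviour.files_dropped`, `vt.behaviour.http_conversations`, `vt.metadata.analysis_stats.malicious`) are my reading of the VirusTotal YARA module for Livehunt/Retrohunt and should be checked against the current VT module documentation before use; the detection threshold is an assumed hunting tuning, not a value from the post.

```yara
import "vt"

// Illustrative rule added for this page; not the author's rule.
// Field names assume the VirusTotal YARA module (Livehunt/Retrohunt).
rule js_downloader_fetches_msi_example
{
    meta:
        description = "JavaScript sample whose sandbox run requests or drops an .msi package"
        reference   = "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
        note        = "example for hunting; tune the detection threshold to your needs"

    condition:
        // Only consider files VirusTotal identified as JavaScript
        vt.metadata.file_type == vt.FileType.JAVASCRIPT and

        // Hunting filter (assumed value): focus on low-detected samples
        vt.metadata.analysis_stats.malicious <= 5 and

        (
            // Sandbox behaviour: an .msi was written to disk during the run ...
            for any dropped in vt.behaviour.files_dropped : (
                dropped.path matches /\.msi$/i
            )
            or
            // ... or an .msi was requested over HTTP
            for any conv in vt.behaviour.http_conversations : (
                conv.url matches /\.msi(\?.*)?$/i
            )
        )
}
```

The rule keys on sandbox behaviour rather than on strings in the script body, so obfuscation of the JavaScript itself does not defeat it; the trade-off is that it only fires for samples VirusTotal has actually detonated, so pair it with content-based rules when hunting files without behaviour reports.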
New #TA886 group targets companies with custom #Screenshotter #malware
https://securityaffairs.com/142077/cyber-crime/ta886-group-screenshotter-malware.html
#securityaffairs #hacking