Another #zippyreads with #defenderexplode, Defender miss. https://www.virustotal.com/gui/search/8ff4a018d35c2c0f127784601b53048c83a541e20789fc7399ea0f645a0e50fa
A bit of #threatintel - MSTIC are tracking DEV-0408 using #ZippyReads and #DefenderExplode (well, they should be, they might not realise it but they're tracking the same actors).
#threatintel #zippyreads #defenderexplode
@buffaloverflow Rich strikes again :O #DefenderExplode and #ZippyReads PoC, if anybody wants to have a play.
- Adds the read only flag on file in ZIP to bypass MOTW without November OS patches.
- Inflates file size on unzip, to evade logging in telemetry/detection.
https://gist.github.com/rxwx/8299693ac9f3f7118dc813da29e4d782
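An added defender-side example (not code from the posts or from the linked PoC): a small Python triage script that flags the two traits described above straight from a ZIP's central directory, namely entries carrying the DOS read-only attribute and entries that inflate to a large size on extraction. The size threshold, the sample entry names and the constructed archive are assumptions for illustration.

```python
import io
import zipfile

DOS_READONLY = 0x01  # FILE_ATTRIBUTE_READONLY, low byte of ZipInfo.external_attr
LARGE_ON_EXTRACT = 200 * 1024 * 1024  # assumed threshold; posts cite ~300 MB samples


def inspect_zip(data: bytes, large_bytes: int = LARGE_ON_EXTRACT) -> list:
    """Return one finding per suspicious entry without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            flags = []
            # Read-only attribute on the stored file: the ZippyReads MOTW trait.
            if info.external_attr & 0xFF & DOS_READONLY:
                flags.append("readonly-attr")
            # Small on disk, huge once inflated: the DefenderExplode trait.
            if info.file_size >= large_bytes:
                flags.append("oversized-on-extract")
            if flags:
                ratio = (info.file_size / info.compress_size
                         if info.compress_size else float("inf"))
                findings.append({"name": info.filename,
                                 "size": info.file_size,
                                 "ratio": round(ratio, 1),
                                 "flags": flags})
    return findings


def build_sample_zip(pad_bytes: int) -> bytes:
    """Constructed test archive: one benign entry, one padded read-only entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")
        info = zipfile.ZipInfo("sample.bin")  # hypothetical entry name
        info.compress_type = zipfile.ZIP_DEFLATED
        info.external_attr = DOS_READONLY
        zf.writestr(info, b"placeholder" + b"\0" * pad_bytes)  # zero padding deflates to almost nothing
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip(1024 * 1024), large_bytes=512 * 1024):
        print(f)
```

Point it at mail-gateway or EDR-quarantined archives; a hit on both flags for the same entry matches the pattern the posts describe.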
UK energy supply trojan #threatintel
#Octopus Energy themed trojan using #ZippyReads MOTW bypass and #DefenderExplode Defender AV telemetry bypass
Riffing off UK energy supply issues
IoCs
C2 docusign-octopus-energy.com
Filename OctopusEnergyS.pdf..lnk
Hash 7ff60dd9d6b5de8f5235d4d3975d8fcfbc96ceaec9aafb9ab9bd40f192490ff9
Size 300 MB
Filename %AppData%\Local\Temp\.hta
Writes self using certutil decode.
Trojan DLL, 323 MB:
\AppData\Local\Temp\x.dll
#threatintel #octopus #zippyreads #defenderexplode
As found by @buffaloverflow, #ZippyReads and #DefenderExplode have been used in the wild since early October. Might write a blog on the Defender issue later as this stuff is just sailing through MS suite still. https://infosec.exchange/@buffaloverflow/109393786384764390
#threatintel COVID restrictions email targeting Tsinghua University in China. Exploits #ZippyReads to bypass Mark of the Web.
Encoded HTA file if you're on certain IPs: https://privatebin.net/?dd5316ff29194d24#mgo7zce7BXJGReWWhFQARa2w1J7uEfFQYJU1gtuGfk5
IoCs
C2 mailtsinghua.sinacn.co
Hash f946663a780806693ea3fb034215bd6da25971eb07d28fe9c209594c90ec3225
Hash 21733711a098785e9df7f7ec0afe6b9d9a80b417b256255667dd8747702da74f
Great #malware sample caught by @k3dg3 #threatintel
Exploits #ZippyReads (read only file for bypass of Mark-of-the-Web) and #DefenderExplode, a large file zero day in Microsoft Defender AV which breaks their telemetry and detection.
Targets Italy. Calls michaelpagerecruitment-ukoffers.]com
https://www.virustotal.com/gui/file/13846a9778f224ae692edddcc90746d0e619f872733c2c880188c36797b2c4e7
#malware #threatintel #zippyreads #defenderexplode