Tommy M (TheAnalyst)
@ffforward
Followers
14,263
Following
192
Media
1,027
Statuses
4,458
Threat Researcher @proofpoint | @Cryptolaemus1
Joined May 2010
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Ohio
• 655922 Tweets
Apple
• 619554 Tweets
James Earl Jones
• 611195 Tweets
Springfield
• 428747 Tweets
Haitians
• 373966 Tweets
iPhone16
• 316450 Tweets
Wayne
• 315350 Tweets
Rest in Peace
• 185604 Tweets
Nicki
• 166823 Tweets
Tyreek
• 143047 Tweets
Cops
• 136078 Tweets
Darth Vader
• 133045 Tweets
Star Wars
• 111245 Tweets
SIEMPRE FURIA SCAGLIONE
• 93814 Tweets
Jets
• 82082 Tweets
#WWERaw
• 69327 Tweets
Fassi
• 69082 Tweets
49ers
• 63155 Tweets
Mufasa
• 62251 Tweets
Field of Dreams
• 54002 Tweets
Yunes
• 28956 Tweets
Bret
• 27525 Tweets
Sami
• 23429 Tweets
対象作品
• 22123 Tweets
Aaron Rodgers
• 21054 Tweets
#MartinFierro
• 18238 Tweets
ガチャチケット
• 15470 Tweets
#部長K
• 14867 Tweets
Goldberg
• 14646 Tweets
Deebo
• 12259 Tweets
Gunther
• 12056 Tweets
Purdy
• 11236 Tweets
#NYJvsSF
• 11204 Tweets
Pinned Tweet
So I have started a new job this week, as a Threat Researcher for
@proofpoint
. Can you imagine working with such an awesome team that finds and shares stuff like this? 🙌👏🥳
Proofpoint has identified a compromised private military email account delivering
#SunSeed
Lua malware. Threat research related to this activity is detailed in this blog.
3
70
105
33
13
250
#SUNBURST
#ProTip
You think you are safe because your security vendor says it detects the bad DLLs? First make sure you haven't followed
@solarwinds
advisory to exclude the folder where the DLLs reside 🤣😂🤯
12
185
489
Latest
#KaseyaVSA
#REvil
update from
@HuntressLabs
"[...] the threat actor used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection."
11
210
481
Emotet started spamming XLS and zipped XLS at 08:00 UTC sharp. All XLS are so far ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c
5
88
211
TFW you just want to download a cracked TeamViewer from google top result, and instead get
#RedLine
#Vidar
#Raccoon
#SmokeLoader
#socelars
#gcleaner
#SilentXMRMiner
and a bunch of other unidentified stuff...
EXE:
HTTP/S IOCs:
4
41
197
Umm it seems like
#BazaLoader
just had a major opsec fail, their new Google Docs link for "Re: your document" shows this:
cc
@malwrhunterteam
@James_inthe_box
@GossiTheDog
@VK_Intel
@JAMESWT_MHT
11
75
199
You all have read how
#BazarLoader
#BazaLoader
leads to
#ransomware
, in particular
#conti
that doesn't care that they target healthcare etc? Does
@Microsoft
have any responsibility in this when they KNOWINGLY are hosting hundreds of files leading to this, now for over three days?
Large
#BazarISO
>
#BazarLoader
>
#BazarBackdoor
inc from /muppetcast.com, started yesterday. Direct links to
@onedrive
. Iso contains dll+lnk running dll with entrypoint "EnterDll", your EDR might have problems detecting this, and less obvious for most users than maldocs... >
4
50
154
7
57
180
Large
#BazarISO
>
#BazarLoader
>
#BazarBackdoor
inc from /muppetcast.com, started yesterday. Direct links to
@onedrive
. Iso contains dll+lnk running dll with entrypoint "EnterDll", your EDR might have problems detecting this, and less obvious for most users than maldocs... >
4
50
154
I have observed a recent uptick in html attachments abusing "Right-to-Left override" Unicode in the file name, for example the recent Oauth
#phishing
consent campaign. This is a good detection opportunity that MDO seems to miss, so please check your environment. Regex "\u202E"
6
52
140
Awesome to hear that my intelligence is appreciated, and in my turn I would like to thank the whole
@Cryptolaemus1
team for being so fantastic that it gives me time to look at other odd stuff!
@JRoosen
@0xtadavie
@abuse_ch
@devnullnoop
@dms1899
@executemalware
@James_inthe_box
>
Been extremely impressed with the phishing intelligence
@ffforward
is generating. World-class by the hours stuff.
3
5
91
7
15
134
Guess who hasn't acted on abuse reports at all today?
@Microsoft
@onedrive
. Guess who is using
@onedrive
today?
#Hancitor
. Guess what happens if you run a
#Hancitor
maldoc? You Get
#Cuba
#Ransomare
Yay!
Yep, today TR has discovered that
@onedrive
is a perfect bulletproof host, and have 300+ files there, just as
#BazarLoader
. The fun thing is that TR stuff (
#QakBot
etc) is known to also lead to
#Conti
. So
@microsoft
has roughly doubled your chances to get
#ransomware
in a week!
4
35
99
1
39
123
So who agrees that I should sue
@MsftSecIntel
@MSThreatProtect
for attempted murder by heart attack? Woke up to this today:
15
22
120
Can confirm that we have seen the recent
#Qbot
#Quakbot
#Qakbot
activity. PDFs/URLs has been used since at least November 28, but can't confirm what payload it was earlier than December 11.
URL example:
MSI/DLL:
MalwareBazaar - Tag teorema505
Hunt for malware samples tagged with tag 'teorema505'
bazaar.abuse.ch
2
49
122
TFW the
#BazaLoader
#BazarLoader
crew accidentally adds the access logs for one of their distros as comments (yes, that is actually a thing) in a zip they spam... 🤷♂️
6
48
107
Oh no, to be able to view this shipping document in OneNote I must update my flash player ☹️
3
12
109
Right about when I started at PFPT my awesome coworkers released an awesome blog about
#TA416
. Now two months later TALOS releases a blog almost 1:1 with our blog without citing previous research, and
@TheHackersNews
picks it up as "Experts Uncover New Espionage Attacks". 🤷♂️
7
30
106
I can confirm that we see live malspam with inc with xlsm directly dropping
#Emotet
without
#TrickBot
intermediary. Stolen email threads as usual, this thing is propagating fast.
Update on
#Emotet
. We are noticing now that bots are starting to spam on what we are calling the Epoch 4 botnet. There is only attachment based malspam seen so far with .docm or .xlsm(really XLSM with a lame AF Template "Excell") or password protected ZIPs(operation ZipLock). 1/x
11
173
302
2
52
99
How about the North Korean
#APT
#Lazarus
using
@Microsoft
@onedrive
to distribute malicious zip with lnk? MSHTA > wscript > new LNK in startup > Reboot > MSHTA > wscript.
C2 /share.stablemarket.org
URL:
ZIP:
3
52
98
Interesting
#TrickBot
gtag rob139. Obfuscated HTML attachment with encrypted zip with obfuscated js in blob (HTML smuggling). HTML redirects to /abc.com if it doesn't like the browser. JS > PS > EXE. EXE requires vcredist to run.
4
37
98
Yep, today TR has discovered that
@onedrive
is a perfect bulletproof host, and have 300+ files there, just as
#BazarLoader
. The fun thing is that TR stuff (
#QakBot
etc) is known to also lead to
#Conti
. So
@microsoft
has roughly doubled your chances to get
#ransomware
in a week!
4
35
99
FWIW this has nothing to do with any qbot actors. Attribution would be easy if several different unrelated actors didn't use the same tooling.
Mine and
@selenalarson
's writeup on this Knight Lite Ransomware campaign (that came in via HTML attachments):
Despite a recent takedown from the FBI, our research indicates that the actor behind
#Qakbot
is still active with its spamming operations, and is still delivering the
#RansomKnight
#malware
0
45
87
0
21
87
We saw new
#Qbot
#Qakbot
"tchk07" from PDF > URLs today. MSI > AdobeAC.dll w/ export EditOwnerInfo.
This is still very low volume and targeted.
Huge shout out to our fantastic
@Myrtus0x0
for the RE and config extraction. IOCs in original thread.
Samples:
Proofpoint has observed new
#Qbot
MSIs being distributed signed "Clover Field ApS".
MSI: e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115
DLL: 12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
2
19
50
2
35
91
Can we please ignore log4shell for a moment and go back to patching exchange for
#ProxyShell
, to avoid what's happened to this 🇮🇹 Italian gov agency that just had their om-prem exchange popped to send TR
#Qakbot
malspam in reply chains?
DM me a gov,it address for details.
5
36
89
So
@solarwinds
have finally decided that it's a good idea to list the hashes for the malicious DLLs (hidden in their FAQ). The problem is that they only list 7, while
@MsftSecIntel
now is up to 17. If compromised, you should only investigate if you have the expertise🤡
#SunBurst
7
35
87
#Phishing
#BEC
#Whaling
via malicous Oath app "Upgrade" signed "Cardthartic LLC". Looks like it has been going on for a month. Related domain /viox.dev
Make sure you don't allow users to consent apps in
@azure
@Office365
!
6
43
84
So again
@Microsoft
@onedrive
hasn't acted on abuse reports since Thursday. Now
#Hancitor
is using it for doc delivery and
#BazaLoader
#BazarLoader
is using it for zip > iso > lnk/DLL. 374 files not acted on, every single one will lead to
#ransomware
several times over!
4
39
85
I can confirm the
#TA505
#MirrorBlast
KiXtart > REBOL >
#ReflectiveGnome
>
#FlawedGrace
/
#GraceWire
chain.
Latter drops from > BIN
C2 /cdn-wfs-nspod.com on 46.161.40.87 since June 🔥
H/T
@ET_Labs
for awesome sigs!
4
31
85
Don't you just love it when you multi-vendor cloud
#phishing
operation just works?
🇺🇸Sent from compromised
@Office365
accounts
🇺🇸Redirects via
@Google
🇺🇸Domains by
@Namecheap
🇺🇸Hosting by
@awscloud
52.214.58.200 &
@digitalocean
142.93.233.42 64.225.82.48 143.244.209.177
4
27
81
#TA544
back using
#Remcos
after using
#SystemBC
briefly last week. Unique page,link URLs redir to .url file with file://.zip/.vhd SMB target abusing CVE-2023-36025 so it will mount the VHD by just opening the .URL. Exe using
#DOILoader
#IDATLoader
w. local payload. cc
@wdormann
3
25
82
Speaking of which, today we see
#IcedID
via the same
#OneNote
template that
#qbot
actors
#TA570
&
#TA577
has been using the last few days. New obfuscation in the HTA though.
Proofpoint's Tommy Madjar,
@cocaman
,
@joewise34
,
@selenalarson
& Chris Talib warn about the increasing use of Microsoft OneNote documents to deliver malware via email as multiple threat actors (such as TA577 & TA570) start to use this delivery method.
2
16
26
4
32
79
Me,
@selenalarson
and
@k3dg3
and the rest of the
@threatinsight
team released a short writeup of the
#TA577
NTLM hash theft campaign from last week.
2
33
80
#Conti
has just claimed
@VolvoGroup
-owned
@MackDefense
, who deliver military trucks worldwide, as a
#ransomware
victim 💥
3
32
76
This actor has just switched to a new OAuth consent
#Phishing
app. This one is also called "Upgrade" with the same icon, but has a new verified publisher "Counseling Services Yuma PC". Related domain /queues.me
Microsoft is tracking a recent consent phishing campaign, reported by
@ffforward
, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior.
9
188
295
2
34
75
Heads up, very low detected new
#BazaLoader
doc inc as zip attachment. Word > splwow64.exe > CMD > PS > Rundll32
doc:
dll:
Payload URL:
Nice
@hatching_io
run:
2
42
75
Today I got both
#SquirrelWaffle
and
#Qakbot
from the same TR distro (payload URL).
Downloads at as usual.
#qbot
config:
#SquirrelWaffle
config:
👏
@hatching_io
2
27
74
#qbot
#qakbot
#quakbot
is back after the traditional summer break. Right now it seems to be dropped by
#Smokeloader
(according to "DAS-Security Orcas" sandbox, I have no clue who they are) probably from fake installers. Botnet snow01.
2
33
72
Heads up,
#TrickBot
rob129 inc via Link > zip > .lnk > curl > exe as png. H/T
@Scoobs_McGee
Zip⏬
Zip
Png⏬
Exe
Config
cc
@VK_Intel
2
22
73
Now this is pretty cool. The
#BazarCall
campaign switched back to a XLS fully undetected on VT for almost four weeks(!!!) and just switched the file on the drop URL.
XLS:
EXE:
cc
@James_inthe_box
@JAMESWT_MHT
@VK_Intel
4
22
72
I'm working on my
@KaseyaCorp
decoder ring. So far we know that:
Sophisticated attack = Simple attack
and
Very minimal impact = Huge impact
But now we also know that:
Good progress = No progress
And this is just for their SaaS that they say wasn't impacted. So wasn't = was?
🙃
3
20
70
Heads up,
#MirrorBlast
coming in hot with
@Google
feedproxy links > /dzikic-my-sharepoint.com
C2 185.202.93.201
URL:
XLS:
2
27
68
Swedish fintech
@Klarna
bank (valued at $31 billion, currently planning for an IPO on London Stock Exchange) had a major break down today, where users would end up in other peoples accounts when signing in to the app. Full purchase history, payments plans, everything.
3
38
68
This have been talked about thousand of times before. But I still think that if Microsoft finds that Microsoft hosts malicious files, Microsoft should notify Microsoft so Microsoft can remove the files.
But no, still alive and well a week later.
4
17
66
1/? Very interesting campaign targeting 🇮🇹. Russian girl looking for an Italian man to marry. Includes a txt in an encrypted zip w. URL s/centrale.casa/immagine.pic. URL is geofenced and downloads an obfuscated .js PS loader.
2
27
61
Dear Threat Actor,
If you are going to send us encrypted zips with exes in them, could you at least supply the password?
Have a great day!
Best regards,
Victim
11
7
69
Alright, maybe not totally objective here, but this blog on
#Bumblebee
by my awesome coworkers
@k3dg3
and
@Myrtus0x0
are really great!
Starting in March 2022, Proofpoint observed campaigns delivering a new downloader called
#Bumblebee
.
Threat actors using Bumblebee are associated with
#malware
payloads that have been linked to follow-on
#ransomware
campaigns.
🐝...🐝... Learn more:
0
52
98
1
17
67
Some
#TA576
stuff I worked with last week.
Benign Message > Reply > Actor Reply wi. web,app URL > Redir> ZIP > LNK > SyncAppvPublishingServer.vbs LOLBAS > PowerShell > MSHTA from URL > Encrypted PowerShell > Obfusc. PowerShell > Download and Run EXE > Heaven's Gate > Parallax RAT
As Americans gear up for
#taxseason
, cybercriminals are preparing malicious tax-themed lures.
Proofpoint researchers recently identified the return of TA576, a cybercriminal actor that uses tax-themed lures to target accounting and finance organizations.
2
9
17
2
16
64
"Hmm, all the cool kids are working on Log4j exploits, what am I supposed to do with this
#BazaLoader
#BazarLoader
exe? Wait, I remember this trick from the 90s!"
C2s: 185.183.98.39 194.15.112.35 /storage/actual/request
Docx:
Pif:
8
19
64
So anyone seen this xls
#loader
before? Never seen anything like it.
cc
@James_inthe_box
@JAMESWT_MHT
@VK_Intel
@JRoosen
3
24
62
And then
#TrickBot
was like "lol, who cares about
#emotet
anyway?" and then everything was back to normal.
gtag rob42
xls:
dll:
Config
cc
@James_inthe_box
@JAMESWT_MHT
@VK_Intel
2
25
63
Update regarding Coop and Visma Esscom. As usual each computer needs to be addressed on-site after a ransomware incident, no matter if they decrypt or restore in any other way. As many of you know, Sweden is quite large.
3
18
63
Anyone got something on this 🇧🇷
#trojan
?
✅ZIP > MSI from many fresh
@github
accounts
✅Drops over-sized (800MB) trickortreat.exe
✅Persistence via "Startup\setudo_product.lnk"
✅C2 traffic via DoH > TXT records on *.lamboarrived.com *.lamboarrivesssd.com
@Namecheap
More IOCs>
8
17
60
.
@MsftSecIntel
has published an article on the recent
#zloader
campaigns sent from /aol.com. They claim they have seen maldoc >
#CobaltStrike
>
#ZeroLogon
>
#Ryuk
fully deployed in 45 mins. Haven't seen this reported elsewhere.
cc
@JAMESWT_MHT
@James_inthe_box
@VK_Intel
6
22
60
TR being predictable and targeting 🇫🇷 with
#SquirrelWaffle
today. Some changes:
doc > xls with new template
$WebClient.DownloadFile > urlmon
rundll32 > regsvr32
@ET_Labs
has some new rules 💪
URLs:
XLS/DLL:
2
34
58
Large
#TrickBot
gtag leg1 campaign on
@onedrive
. ISO with lnk+tmp (dll), similar to what has been seen from
#BazaLoader
previously, but new stuff in the lnk.
Links: (incorrect tag)
iso+lnk:
3
22
59
#BazaLoader
#BazarLoader
back again today with their Universal apps
#signed
"Systems Accounting Limited". Look for mail with URLs ending with /report.html on
@Google
or
@Azure
infra.
Installer:
DLL:
1
24
58
Here we go,
#TA505
with
#MirrorBlast
DL URL:
XLS:
Payload: 185.225.19.246
C2: 185.176.220.198
Guess there will be a new
#MirrorBlast
wave soon. Found the following potential domain:
- cdn03664-dl-fileshare[.]com
The pattern reminds me of
#TA505
. "cdn", "dl" and "fileshare" were quite common keywords. Also, the use of a minus to compound the words is very familiar.
3
16
50
4
25
59
A story in four parts:
Ah, so it looks like CVE-2024-21412 is to address a bypass for CVE-2023-36025, which was the fact that remote targets inside of a ZIP didn't get SmartScreen love. The fix for CVE-2023-36025 didn't consider the case where a .URL file points to a .URL file.
4
15
55
1
17
58
TR having a particularly bad day with XLS delivering
#SquirrelWaffle
>
#CobaltStrike
to
@joe4security
and
#QakBot
to
@hatching_io
😂
Both DLLs up at
Extra low detections on XLS and both DLLs today though, so watch out for
#ransomware
...
Geofenced German malspam
#squirrelwaffle
(DATOP loader) downloading and running the dll via regsvr, injecting into explorer and adding itself to MS exclude path.
Finally leading to CobaltStrike C2 /tuxsecuritybiness.com
Latin malzip URL has 1/89 VT
2
25
42
3
27
58
Heads up,
#IcedID
campaign yesterday where the actor is using
#PrometheusTDS
URLs directly in the email. If approved by pTDS (anti-bot, IP filtering) the target will be redirected to a page using
@reCAPTCHA
that will redirect to a second pTDS URL that will smuggle a JavaScript.
1
19
55
New blog out with
@selenalarson
and the rest of the
@threatinsight
team. Deep dive, but yet just a surface touch of the recent campaigns where the victim needs to run a PowerShell script to initiate the compromise.
#TA571
#ClearFake
#Lumma
#DarkGate
1
22
58
#TeslaCrypt
ext 0l0lqq
#Ransomware
via pwd protected xls 🔥
XLS:
⏬
@googlecloud
EXE1
EXE2
Config:
@hatching_io
nails it again:
cc
@JAMESWT_MHT
@James_inthe_box
5
16
55
🔥
#UNC2529
tries to deliver
#DoubleBack
, but I don't think they will get many clicks with this mail template 🧐😂
XLS&DLL:
DLL D/L:
Very nice run and ID by
@hatching_io
:
0
18
55
#Emotet
spinning up again via stolen mail threats and attached encrypted zips. Only english seen so far.
cc
@James_inthe_box
@JAMESWT_MHT
@JRoosen
@cocaman
5
25
54
(Thread 1/many) Looking at probably the most advanced
#phishing
setup I have seen. Sending in limited rate from compromised
@Office365
accounts. Uses both redirect and phish on *.app-[nnn].cloud registered with
@Namecheap
and
@namesilo
. Undetected by
@Office365
@MSThreatProtect
3
22
55
New week, new
#BazarLoader
from
#TA551
/
#Shathak
. Usual passworded zip with doc. DLL from /brookscargos.com
DOC:
DLL:
Perfect
@hatching_io
run:
"Thanks in advance ?" and "f*ck u" 🤣
1
17
53
1
13
55
TR back to dropping
#QakBot
from their
#EtterSilent
sheets again. Some changes in this version so config extractors needs to be fixed,
@hatching_io
was very fast to fix it as usual 💪
XLSB:
DLL:
Config:
5
22
53
@RonnyTNL
@GossiTheDog
@JAMESWT_MHT
@1ZRR4H
@malwrhunterteam
@verovaleros
@fr0s7_
@guelfoweb
@lazyactivist192
@Arkbird_SOLG
@sugimu_sec
@struppigel
@pr0xylife
Yep, this top google ad in certain regions seems like a good candidate 🤣
5
10
54
TR targeting 🇮🇹 with
#SquirrelWaffle
today. Very picky on who they deliver the DLL to.
#SquirrelWaffle
is know to drop
#CobaltStrike
, so watch out for
#ransomware
.
2
18
54
I'm so proud of my coworkers and friends in both
@proofpoint
@threatinsight
and
@Cryptolaemus1
and the rest of the community to make this happen. By working together, we cannot only protect our customers, but people and organizations everywhere!
0
13
54
1/4🔥
#BazarLoader
>
#BazarBackdoor
#KEGTAP
via social engineering. Email from /mail.com and /gmx.com senders contains fake PDF flower invoice that mentions (not links) /roseworld.us. The website is completely fake too, and asks you do download an xlsm to change your order.
1
29
53
Friday
#zloader
from /aol.com switched to xlsm, made wonders to AV detections.
s/b-dvs.com/server.php
s/b-design.studio/errors.php
s/taigen-landscape.com/wp-crunch.php
s/taigen-landspace.com/logs.php
cc
@James_inthe_box
@JAMESWT_MHT
@VK_Intel
@JRoosen
1
15
53
File with similar basic behavior uploaded from UA as "Crypted.exe" on the 14th:
Needs to be run from %temp% as Stage1.exe, however I'm only getting a loop of Stage1 > Stage2 > Stage1 etc and no traffic, so no confirmation it's the real thing.
Microsoft identified a unique destructive malware operated by an actor tracked as DEV-0586 targeting Ukrainian organizations. Observed activity, TTPs, and IOCs shared in this new MSTIC blog. We'll update the blog as our investigation unfolds.
62
1K
2K
2
18
54
The
#Bumblebee
MSI that is dropped is this:
It contains this PS1 that contains the Base64-encoded and compressed payload:
#TA581
returned to the email threat landscape after an almost month-long absence to distribute Cisco Meraki security alert themed emails delivering
#Bumblebee
malware.
4
22
45
1
21
53
Very interesting
#IcedID
distro. A fake
@WordPress
plugin "wp-roilbask" that is spoofing the "WP Rollback" plugin. They even took the time to edit the readme (where they call it roilback instead). So far I have found 18 compromised sites with this!
As mentioned previously, I received a few emails with links that download .xll files. I was unable to launch the payload in my lab so I couldn't get many IOCs. Identified earlier by
@ffforward
as likely
#icedid
#bokbot
Here what I saw:
1
8
23
4
25
53
#Conti
choose to publish victims today after a period of low activity. Sure, the gangs starts to come back from Old New Year holidays, but it is really just a way to show that they don't care about yesterdays
#REvil
#ransomware
raids?
1
19
52
#QakBot
obama137 has been hitting hard today. Just like last two weeks they are running link-based zip > xlsb instead of attachments. URL is domain.tld/doc/*.zip where * is wildcard including dirs.
zip+dll URLs:
xlsb+dll:
3
18
52
Early
#BazarStrike
delivering
#CobaltStrike
beacon today.
*.getresponsepages.com > Google drive again. Low detections as usual.
#Signed
"Orca System"
EXE
Config flawless by
@hatching_io
as usual:
cc
@JAMESWT_MHT
@James_inthe_box
1
30
53
The current
#emotet
spam level very high, and the percentage of encrypted zips is very high too. All orgs need to detect and/or block these. For
@Office365
you either need Safe Attachments (MDO/E5 needed) enabled or handle encrypted attachments in mail flow manually.
1
17
50
I get it, new year and you expect new threats. So how about a new
#zloader
from .docm attachment with macro on close?
DOCM:
DLL:
Full config:
cc
@James_inthe_box
@JAMESWT_MHT
@VK_Intel
3
17
51
2
18
53
❤️To all my fellow researchers out there❤️
Roses are red
Violets are blue
Threat actors feel fear
Because of you
0
5
51
Speaking of which, here is an
#Ousaban
🇧🇷 banker w.
@policiafederal
lure that uses
@Azure
both as a redirect and landing, and the landing page has the zipped malware stored as a blob in the html itself.
2nd stage:
There has been a spike in email campaigns using HTML smuggling to deploy banking Trojans, RATs, and ransomware. Attackers use this technique to build malware on a device via the browser instead of passing payloads directly through the network. Details:
10
287
552
4
20
48
#Bazarloader
#Bazaloader
#Baza
#KEGTAP
inc Google Docs > Drive. Subject "Re: [company] termination list"
EXE
#Signed
"OOO Inversum"
IOC /cleancarwashlla.org /thecarwash-zone.com /envirodedge.com
h/t
@Scoobs_McGee
cc
@James_inthe_box
@JAMESWT_MHT
@VK_Intel
4
17
49
Heads up,
#emotet
is back from old new year holiday and has started spamming. Seeing encrypted zips targeting 🇪🇸and 🇮🇹 so far.
cc
@JAMESWT_MHT
@James_inthe_box
@JRoosen
@Cryptolaemus1
3
20
48