Can't wait
2024-11-04 Securonix: CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging

Attackers distribute a custom QEMU-emulated Linux environment via a malicious .lnk file within a phishing email. When executed, this file installs and initiates a QEMU instance to run a Tiny Core Linux backdoor, enabling covert persistence on the victim's machine. The .lnk file activates PowerShell to extract and run QEMU, renamed as fontdiag.exe, from a large, concealed zip archive. This QEMU instance connects to a C2 server, maintaining a hidden presence through an emulated environment undetectable by most antivirus tools.

The emulated environment includes "PivotBox" settings with command aliases for direct interaction with the host, and command logs reveal steps like SSH setup, payload execution, and persistence configurations. Attackers use legitimate software (QEMU) renamed and executed from uncommon directories, alongside SSH keys and script modifications, ensuring reliable access and minimal detection. crondx, a Chisel-based backdoor, establishes a secure C2 channel via websockets, enabling encrypted data exfiltration and further payload deployment.

Download. Email me if you need the password scheme.
File Information
├── 002f9cd9ffa4b81301d003acd9fb3fbba1262e593b4f2e56a085b62a50e76510 start.bat
├── 0618bb997462f350bc4402c1a5656b38bedc278455823ac249fd5119868d3df4 OneAmerica Survey.lnk
├── 3e6a47da0a226a4c98fb53a06ec1894b4bfd15e73d0cea856b7d2a001cada7e9 crondx
├── 82a9747485fdd60360d28cd73671f171a8312b7d68b26fe1e2d472eb97c4fe59 mydata.tar
├── 9a33ea831edf83cb8775311963f52299f1488a89651bd3471cc8f1c70f08a36c crondx
├── bc7a34379602f9f061bdb94ec65e8e46da0257d511022a17d2555adbd4b1dd38 FontDiag.zip
├── ce26aac9ba7be60bfb998ba6add6b34da5a68506e9fea9844dc44bafe3cab676 OneAmerica Survey.zip
└── f4229128ef642d299f7ab5fbcb6de75a17d12f30f22a3985044c8b1b44f1768f mydata.tar

Malware Repo Links

Over the 15 years the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.
2024-10-30 EclecticIQ: Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER’s recent campaign used Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. Key technical observations include:

- Malvertising and SEO Poisoning: Victims searching tax-related content are redirected to download malicious JavaScript files like Document-16-32-50.js. These scripts retrieve an MSI installer, which deploys Brute Ratel C4 (BRc4) by disguising the payload as legitimate software (vierm_soft_x64.dll under rundll32 execution). This method exemplifies advanced evasion tactics to bypass detection.
- Command and Control (C2) Infrastructure: BRc4 communicates with multiple C2 domains, such as bazarunet[.]com and tiguanin[.]com, allowing remote access and command execution on compromised systems. Persistent infrastructure overlaps include SSL certificates with issuer fields "AU," "Some-State," and "Internet Widgits Pty Ltd," frequently linked to LUNAR SPIDER’s IcedID operations. Additionally, ASN 395092 (SHOCK-1) consistently hosts both IcedID and Latrodectus campaigns, indicating a shared resource pool across malware families.

The BRc4 payload modifies the Windows registry, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for persistence across reboots.

Intelligence indicates LUNAR SPIDER shares infrastructure and malware services with other groups like ALPHV/BlackCat and WIZARD SPIDER. For instance, domains such as peronikilinfer[.]com and jkbarmossen[.]com were both hosted on IP 173[.]255[.]204[.]62, serving as C2s for IcedID and Latrodectus, respectively. This infrastructure overlap, along with passive DNS correlations, suggests tight operational ties and indicates LUNAR SPIDER’s role as a critical access broker for ransomware operators.
The Document-16-32-50.js script was obfuscated to evade detection. Analysts de-obfuscated the script, revealing its function to download and execute the MSI payload from 45[.]14[.]244[.]124/dsa.msi. The script checks for Windows installer processes (WindowsInstaller.Installer) and contains specific drive checks (i < drives.length) for execution control flow.

Download. Email me if you need the password scheme.

File Information
├── Brute Ratel C4
├── Latrodectus JS
└── msi
2024-10-23 TALOS Threat Spotlight: WarmCookie/BadSpace

Summary: WarmCookie, also known as BadSpace, is a sophisticated malware family that emerged in April 2024, primarily distributed through malspam and malvertising. This malware provides long-term access to compromised environments and facilitates the deployment of additional payloads, such as CSharp-Streamer-RAT and Cobalt Strike. Its infection chains and functionality highlight notable development links to Resident backdoor, indicating possible shared authorship by TA866.

WarmCookie’s infection chain initiates through email lures—typically invoice-related and job agency themes—that direct victims to malicious JavaScript-hosting servers. The obfuscated JavaScript downloader, often delivered as a compressed ZIP, triggers a PowerShell command that uses Bitsadmin to download and execute the WarmCookie DLL, embedding itself in the system with persistence.

- Persistence: WarmCookie leverages Task Scheduler to achieve persistence, creating scheduled tasks under %ALLUSERSPROFILE% or %ALLDATA%, and re-executing itself after a 60-second delay. The latest version modifies the typical command-line syntax from /p to /u for execution parameters.
- Command-and-Control (C2) Adaptation: TA866 previously used unique, detectable C2 user-agent strings (e.g., Mozilla/4.0 (compatible; MSIE 6.0…)), which have since been updated to blend with standard strings like Mozilla/5.0… Firefox/115.0.
- Self-Updating Mechanism: An initial implementation of a self-update command allows WarmCookie to receive updates dynamically from its C2 server, although this feature appears incomplete.

C2 Command Updates

The latest WarmCookie samples feature new C2 commands:

- Command 0x8: Receives a DLL from C2, assigns it a temporary filename, and executes it.
- Command 0xA: Similar to Command 0x8 but adds hardcoded parameters, allowing self-updating.
- Command 0xB: Moves the malware to a new temporary filename and deletes the scheduled task to disable persistence and terminate the malware process.

Code and Function Similarities to Resident Backdoor

A code-level comparison between Resident backdoor and WarmCookie shows:

- RC4 Decryption Consistency: Both use identical RC4 implementations and mutex management, often employing GUID-like strings for mutexes.
- Startup Logic: Both use similar logic for identifying execution as a DLL or EXE and establishing persistence through scheduled tasks. They both use rundll32.exe for DLL-based execution and task scheduling.
- Coding Conventions: Functions, parameter passing, and persistence mechanisms align closely, suggesting shared development practices or authorship.

Download. Email me if you need the password scheme.

File Information
2024-10-25 Cyble: HeptaX: Unauthorized RDP Connections for Cyberespionage Operations

Summary: The attack starts with a malicious LNK file delivered within a ZIP file, likely distributed through phishing emails, and seems to target the healthcare industry. Upon execution, the LNK file initiates a PowerShell command that downloads multiple scripts and batch files from a remote server to establish persistence and control over the victim’s system.

- The LNK file, once opened, triggers PowerShell commands that download additional payloads from hxxp://157.173.104[.]153. These scripts enable the attacker to create a new user account with administrative privileges and alter RDP settings, reducing authentication requirements for easier unauthorized access.
- A persistent shortcut (LNK) file is created in the Windows Startup folder to maintain access.
- The primary PowerShell script communicates with the C2 server, constructing URLs with a unique identifier (UID) for the compromised machine to fetch commands or additional payloads.
- If UAC is detected as weak or disabled, the attack proceeds with further stages that lower the system's security configurations.
- A secondary payload, "ChromePass," is introduced, targeting Chromium-based browsers to harvest stored credentials, escalating the risk of compromised accounts.
- Scripts configure the system to facilitate remote desktop access, enabling actions such as data exfiltration, monitoring, and installation of further malware.
- Subsequent batch files (e.g., k1.bat, scheduler-once.bat) execute commands that hide traces, remove logs, and schedule tasks disguised as system operations to maintain persistence and evade detection.
- The final stages involve the execution of a PowerShell script that performs reconnaissance, collects extensive system data, and sends it encoded to the C2 server.

Download. Email me if you need the password scheme.
File Information
├── 18e75bababa1176ca1b25f727c0362e4bb31ffc19c17e2cabb6519e6ef9d2fe5 Google Chrome.lnk
├── 1d82927ab19db7e9f418fe6b83cf61187d19830b9a7f58072eedfd9bdf628dab bb.ps1
├── 4b127e7b83148bfbe56bd83e4b95b2a4fdb69e1c9fa4e0c021a3bfb7b02d8a16 ChromePass.exe
├── 5ff89db10969cba73d1f539b12dad42c60314e580ce43d7b57b46a1f915a6a2b 202409 Resident Care Quality Improvement Strategies for Nursing Homes Enhancing Patient Satisfaction and Health Outcomes.pdf.lnk
├── 6605178dbc4d84e789e435915e86a01c5735f34b7d18d626b2d8810456c4bc72.zip
├── 999f521ac605427945035a6d0cd0a0847f4a79413a4a7b738309795fd21d3432 k1.bat
└── a8d577bf773f753dfb6b95a3ef307f8b4d9ae17bf86b95dcbb6b2fb638a629b9 b.ps1
2024-10-03 ThreatMon: Amnesia Stealer

Amnesia Stealer, a customizable open-source malware, was identified by ThreatMon on September 17, 2024.

- Functions as Malware-as-a-Service (MaaS), making it easily accessible for cybercriminals.
- Uses Discord and Telegram for Command & Control (C2) operations.
- Capable of stealing sensitive data like browser passwords, Discord tokens, cryptocurrency wallets, and Wi-Fi credentials.
- Features keylogging, clipboard hijacking, and can bypass Windows Defender.
- Can inject additional malware like trojans, cryptocurrency miners, and droppers.
- Available in three versions: Free, VIP, and an Android variant (in development).
- Android version can steal call logs, SMS, and WhatsApp session files.

Key findings by ThreatMon.

Download. Email me if you need the password scheme.

File Information
├── 5b7e0be073dd22bd568bb9833f914c3e130863bd06d70b7623392a37d0ba4978 s.exe
├── 66985fe45320243565f3940f464bdab74179ac48afb9b6511e628ea826e60c33 Build.exe
├── bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278 updater.exe
├── c59a6d4e3082d0768b614b9d7e1b7a9915ee4615cea1d1bd8b45cb249a5f886c crss.exe
├── d07c47f759245d34a5b94786637c3d2424c7e3f3dea3d738d95bf4721dbf3b16 svchost.exe
├── dff14514b26b6278a7ffd56775c3193425e8c4ff7b544e3c3a8e2956ff9b74b8 Help.Exe
├── e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf conhost.exe
└── e50c227b0f6283a82b7fef58d4ff3de1c25fa31922375e9d1518bf61bbc5d04a Build.exe
2024-09-26 Elastic: Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse

Elastic Security Labs uncovered a sophisticated Linux malware campaign targeting servers through an Apache2 web server exploit in March 2024. The attackers used a mix of tools, including custom malware, KAIJI (a DDoS botnet), and RUDEDEVIL (a cryptocurrency miner). They utilized C2 channels disguised as kernel processes, Telegram bots for communication, and cron jobs for persistence. The campaign also involved leveraging gambling APIs, potentially for money laundering activities.

The attackers exploited an Apache2 server, gaining arbitrary code execution. They deployed KAIJI malware and downloaded a script (00.sh) to erase traces and kill other mining processes. The attackers used a file server to distribute malware for different architectures. RUDEDEVIL and KAIJI malware variants were identified, each serving different purposes, like mining cryptocurrency or conducting DDoS attacks.

- RUDEDEVIL: A cryptocurrency miner with various functions such as socket creation, privilege handling, decryption, and process monitoring. The malware also includes an XOR-based encryption routine for concealing its activities.
- KAIJI: A DDoS botnet capable of evading detection, setting up persistence, and altering SELinux policies. Its deployment involved moving system binaries, using bind mount techniques, and creating multiple backdoors for control.

The attackers utilized GSOCKET for encrypted communication, disguised as kernel processes. They also employed cron jobs, PHP payloads, and Systemd services to establish and maintain persistence on compromised hosts. Telegram bots and gambling APIs were used to relay information back to the C2 server.

Download. Email me if you need the password scheme.
File Information
├── 09f935acbac36d224acfb809ad82c475d53d74ab505f057f5ac40611d7c3dbe7 l64_v0 RUDEDEVIL:LUFICER x64 version 0
├── 0fede7231267afc03b096ee6c1d3ded479b10ab235e260120bc9f68dd1fc54dd apache2_upx_packed
├── 160f232566968ade54ee875def81fc4ca69e5507faae0fceb5bef6139346496a l64_v2 RUDEDEVIL:LUFICER x64 version 2
├── 20899c5e2ecd94b9e0a8d1af0114332c408fb65a6eb3837d4afee000b2a0941b l86_v0 RUDEDEVIL:LUFICER x86 version 0
├── 47ceca049bfcb894c9a229e7234e8146d8aeda6edd1629bc4822ab826b5b9a40 l86_v2 RUDEDEVIL:LUFICER x86 version 2
├── 54a5c82e4c68c399f56f0af6bde9fb797122239f0ebb8bcdb302e7c4fb02e1de mvhhvcp3.exe DONUT LOADER
├── 728dce11ffd7eb35f80553d0b2bc82191fe9ff8f0d0750fcca04d0e77d5be28c SystemdXC XMRIG
├── 72ac2877c9e4cd7d70673c0643eb16805977a9b8d55b6b2e5a6491db565cee1f SystemdXC XMRIG
├── 89b60cedc3a4efb02ceaf629d6675ec9541addae4689489f3ab8ec7741ec8055 l64_v3 RUDEDEVIL:LUFICER x64 version 3
├── 9e32be17b25d3a6c00ebbfd03114a0947361b4eaf4b0e9d6349cbb95350bf976 download.sh KAIJI Stager
├── 9ee695e55907a99f097c4c0ad4eb24ae5cf3f8215e9904d787817f1becb9449e download.sh KAIJI Stager
├── d0ef2f020082556884361914114429ed82611ef8de09d878431745ccd07c06d8 linux_amd64 KAIJI x64
├── d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60 hjvhg.exe Miner
├── e89f4073490e48aa03ec0256d0bfa6cf9c9ac6feb271a23cb6bc571170d1bcb5 l86_v3 RUDEDEVIL:LUFICER x86 version 3
└── ea0068702ea65725700b1dad73affe68cf29705c826d12a497dccf92d3cded46 l64_v1 RUDEDEVIL:LUFICER x64 version 1
Image courtesy of Palo Alto

2024-09-23 Palo Alto Unit42: Inside SnipBot: The Latest RomCom Malware Variant

This latest version integrates novel obfuscation techniques and exhibits distinct post-infection activities not seen in previous variants (RomCom 3.0 and PEAPOD/RomCom 4.0).

Key Points:

- Capabilities: SnipBot allows attackers to execute commands and download additional modules onto the victim's system. It deploys an initial signed executable downloader, followed by unsigned EXEs or DLLs.
- Infection Vector: Delivered via email containing links that redirect to the SnipBot downloader. The downloader uses anti-sandbox tricks, including checking the file’s original name and verifying at least 100 entries in the RecentDocs registry key. It also employs window message-based control flow obfuscation.
- Post-Infection Activity: Downloads additional DLL payloads, injecting them into explorer.exe using COM hijacking. Specifically, it registers the malicious DLL (keyprov.dll) as a thumbnail cache library in the registry (HKCU\SOFTWARE\Classes\CLSID). The primary payload, single.dll, listens on port 1342 for commands such as deleting registry keys, executing stored DLL payloads, and initiating further updates. Creates and manages registry keys (HKCU\SOFTWARE\AppDataSoft\Software) to store encrypted payloads and keep track of updates.
- Command & Control: Contacts its C2 domains (e.g., xeontime[.]com) to download payloads. Encrypts strings, including the C2 domain and API function names, to evade detection.

Download. Email me if you need the password scheme.
File Information
├── 0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501 atch scan052224 CV.exe
├── 2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4.exe
├── 5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129 Attachment CV June2024.exe
├── 57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312 Attachment Medical report.exe
├── 5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118 CV for a job.exe
├── 5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8 Atch Data Breach Evidence.pdf Open with Adobe Acrobat.exe
├── a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436 atch List of Available Documents.exe
├── b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045 webtime-e.exe
├── cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317.exe
└── f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671 резюме.pdf
2024-09-19 Mandiant: UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks

UNC1860 is an Iranian state-sponsored threat actor, likely affiliated with the Ministry of Intelligence and Security (MOIS), known for its persistent and stealthy operations. It employs a variety of specialized tools, passive backdoors, and custom utilities to target high-priority networks, such as government and telecommunications entities in the Middle East.

- Passive Implants: UNC1860 relies on custom-made passive backdoors like TOFULOAD and WINTAPIX, which leverage undocumented Input/Output Control (IOCTL) commands for communication, bypassing standard detection mechanisms used by EDR systems. These implants operate without initiating outbound traffic, making them difficult to detect through traditional network monitoring tools.
- Windows Kernel Driver: UNC1860 repurposed a legitimate Iranian antivirus kernel mode driver, Sheed AV, for stealthy persistence. This driver is used in TEMPLEDROP, a passive backdoor that protects its own files and other malware it deploys, preventing modification and enhancing its evasion capabilities.
- Obfuscation and Encryption: The group implements custom XOR encryption and Base64 encoding/decoding libraries to avoid detection. For example, XORO, a rolling encryption module (MD5: 57cd8e220465aa8030755d4009d0117c), is used in several utilities such as TANKSHELL and TEMPLEPLAY. These encryption methods, although simple, are tailored to evade standard detection signatures.
- TEMPLEPLAY and VIROGREEN Controllers: These GUI-operated malware controllers allow UNC1860 or third-party actors to manage compromised systems easily. They provide features such as: command execution via the Command Prompt Tab; file transfer through Upload and Download Tabs; using infected systems as middleboxes through the Http Proxy Tab, facilitating RDP connections even in restricted environments.
Web Shells and Droppers: Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved. These shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services. Multi-stage Implants: UNC1860 maintains a suite of "main-stage" implants with advanced capabilities, reserved for high-value targets. These implants, such as TOFULOAD and TEMPLEDROP, demonstrate the group's deep understanding of Windows kernel components and its ability to bypass security measures like kernel protections. Reverse Engineering and Evasion: UNC1860 exhibits strong reverse engineering skills, especially evident in their repurposing of legitimate software like Windows file system filter drivers. This allows the group to manipulate system components for stealthy operations, using advanced evasion techniques like terminating Windows Event Log service threads and restarting them as needed. Download Download. Email me if you need the password scheme. 
File Information
├── ALL_LISTED
│   └──
│       ├── 0969f7f5556e3babd7050308a29fa2987dce01b3c94959724c9cd49bce052d80
│       ├── 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb
│       ├── 1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e
│       ├── 159eecbba87a7397a5b84a21c289ae66ec776a3fd3b41bf11549fb621afebc0a
│       ├── 1786916c1e3b16ce654497861fe43bb595ea0f0fa0fad4cd62f3edc82f9a27d4
│       ├── 1c57b1ed990a8946e86d69da2a047fa15525d883b86e93cb6444a4065dbad362
│       ├── 2097320e71990865f04b9484858d279875cf5c66a5f6d12c819a34e2385da838
│       ├── 23a9abed7c4a76a5cacf1e984ecf3cce91c3c1bbf4424c4b2ee141b4154c3703
│       ├── 2538767f13218503bccf31fccb74e7531994b69a36a3780b53ba5020d938af20
│       ├── 269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd
│       ├── 3269de107e436a75a8308377709dc49b4893cfd137a3fc5b92d0f0590af4cb12
│       ├── 359d826ff025c5e4971d90be0d7dfebe10fc125f6dcaa2f0e9869e9f6bec4432
│       ├── 36b61f94bdfc86e736a4ee30718e0b1ee1c07279db079d48d3fe78b1578dbf03
│       ├── 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7
│       ├── 58cb1ef132fbdd1855f75c2886666275d1bb75a9fb3fed88d05feee4230afd32
│       ├── 59463257c3f2425109fd097f814b6468663df947de8178c8cd7b7c5e94d3375c
│       ├── 596b2a90c1590eaf704295a2d95aae5d2fec136e9613e059fd37de4b02fd03bb
│       ├── 5cb88ec4eca35c41dbf32218c0f031e75e4c24a17cabe9eea2aa06efa5982967
│       ├── 67560e05383e38b2fcc30df84f0792ad095d5594838087076b214d849cde9542
│       ├── 6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605
│       ├── 6f938caeefa0aea3b8301e07bf918a49408cd319187d05ac519b20a00f460469
│       ├── 71106875c37bf5b92ef25c7bc1d607ae349aa85bbb2e92a39165a8a8f8f6eb0e
│       ├── 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c
│       ├── 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4
│       ├── 7a1fee8d879bc16e63d05c79c5419bd19ee308c54831d7ee196cfa8281498a06
│       ├── 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
│       ├── 8e4f7a19b09e118ebda79726bf17e9d37ff4b66f4143762dd97ca80340388963
│       ├── 8fdd00243ba68cadd175af0cbaf860218e08f42e715a998d6183d7c7462a3b5b
│       ├── 90b3f7fefe8e11b8eacaba09a3c14ed6aa66a4c8d798440d912d0a663917a265
│       ├── 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb
│       ├── 9483f5eb9133c353cef636ef9fcc29e2c7bf658881574211ee142c93c523efaf
│       ├── a052413e65e025cbefdddff6eeae91161de17ffec16d3a741dd9b7c33d392435
│       ├── a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b
│       ├── a375f98aa21377ed0c59b4c7121ac93763157e39d8235fb5ce77f88dee0e2ee4
│       ├── a650a90c1b505989b7e81bfb310d7e2013a380ab26f99622de158c58b1d0fbbf
│       ├── ac7b01e01de0dc289cd649aa5072243f2036bd8d2d0152b6d9874c2ccaaf1e5d
│       ├── b65bcba449d74e4395421aeb4012c9e509acb5e8153ff3dc9f01fd97a5cc2711
│       ├── b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2e4062cd1a01ad6b3e47651
│       ├── ba3efa7d61e79cf62eeb0c65e803a6353f3012a89e0d910c2292801da43c8a93
│       ├── c0dc609e6fc8801bb902d14910c3ffd69d6bd5a26389836446dc4c23565ddcc7
│       ├── c3fa9432243e1a2ab1991ab4c07a19392038e6a8e817e5fea0232c4caabbb950
│       ├── c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0
│       ├── ce59bbe3ef7e16423718de50639d2278eab9c1f08f998677ba6fbd36695f316a
│       ├── da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999
│       ├── daa362f070ba121b9a2fa3567abc345edcde33c54cabefa71dd2faad78c10c33
│       ├── e17510e9fad082426920e6e6d94df7c1314ecc3ab041aa8e19d18140f5a0cc21
│       ├── e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d
│       ├── e26fbbeea2e152b3769126714c52112d04c4f2310461fb842bf2532e7903ce51
│       ├── e416fc85dbeefdff0f172b406c2f1fcdb90a895fa99c4eb66bcbe5c159f07b82
│       ├── e579a55f5415f891095a7488e2dd250da7f2ccadc27c3d1280f13fea4263a97b
│       ├── e984b40c4c6909813ed9f0ea5de8f4f7cac40f0e8b9fb5041f4a568e307e5712
│       ├── eafb31f3ab90246d099e58f5fb950f58effa583f1e3caabc451dfabaf0d200e1
│       ├── ed3745f82c7873adca16833b718e20090ac6a8c74e7004b854af29ef1551de75
│       ├── f42ebd85c4d0ab6573a856049ac9c892c037a0ec8f39e54153dd439616883390
│       ├── f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596
│       ├── f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
│       ├── fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042
│       ├── fe14edf4db2a9838f15aaf24a5837ffc5c901313d6fd2fe60d15401154e44406
│       ├── ff51aa6cad655ddd99a525b78419cd746453fb2adcb689ba34ca3ab6e78b1347
│       └── ffb6acd2715dd988fe3c3fdbd7d45159f8e5b529eea506a856109a8696e93a80
├── OATBOAT
│   ├── 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb_ file.None.0xfffffa80237c4010.img_OATBOAT with TOFULOAD shellcode
│   ├── 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7_systemre.exe_OATBOAT with TOFULOAD shellcode
│   ├── 6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605_CyveraConsole.exe_OATBOAT that contains encrypted shellcode of TOFULOAD
│   ├── 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c_ cct.exe_OATBOAT with TOFULOAD shellcode
│   ├── 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb_ wlbsctrl.dll_OATBOAT loading shellcode
│   ├── a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b_CyveraConsole.exe_OATBOAT that contains encrypted shellcode of TOFULOAD
│   ├── c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0_OATBOAT that contains an encrypted TOFULOAD_dll_
│   └── e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d_CyveraConsole.exe_OATBOAT that contains encrypted TOFUPIPE shellcode
├── SHEED AV
│   └── b25455b3f51c0ca0bf5014d043e05fe8ab7621a465677a17390fbc47e4ffbc2f_get-graphics-offsets32.exe_
├── TEMPLEDOOR
│   ├── 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4_System.dll_
│   ├── 86279d261e8bbb74f739de8f9755551dbcb32fafa41401a484ed2ea59742604e_System.dll_
│   └── b25455b3f51c0ca0bf5014d043e05fe8ab7621a465677a17390fbc47e4ffbc2f_Templedoor certificate
└── XORO
    └── 269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd_EncryptionModule

Yara rule hits on the samples listed above (rule, then sample):
M_UNC1860_TEMPLEDOOR_BytePatterns_1  TEMPLEDOOR 86279d261e8bbb74f739de8f9755551dbcb32fafa41401a484ed2ea59742604e_System.dll_
M_UNC1860_TEMPLEDOOR_BytePatterns_1  TEMPLEDOOR 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4_System.dll_
SASHEYAWAY_Strings_1  a650a90c1b505989b7e81bfb310d7e2013a380ab26f99622de158c58b1d0fbbf
M_UNC1860_TEMPLEDOOR_BytePatterns_1  786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4
M_OBFUSLAY_UNC1860_1  e17510e9fad082426920e6e6d94df7c1314ecc3ab041aa8e19d18140f5a0cc21
M_OBFUSLAY_UNC1860_1  fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042
SASHEYAWAY_Strings_1  9483f5eb9133c353cef636ef9fcc29e2c7bf658881574211ee142c93c523efaf
SASHEYAWAY_Strings_1  67560e05383e38b2fcc30df84f0792ad095d5594838087076b214d849cde9542
SASHEYAWAY_Strings_1  8e4f7a19b09e118ebda79726bf17e9d37ff4b66f4143762dd97ca80340388963
M_Hunting_Backdoor_TOFULOAD_1  e26fbbeea2e152b3769126714c52112d04c4f2310461fb842bf2532e7903ce51
M_Autopatt_DropperMemonly_WINTAPIX_1  8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
M_OBFUSLAY_UNC1860_1  59463257c3f2425109fd097f814b6468663df947de8178c8cd7b7c5e94d3375c
M_APT_CRYPTOSLAY_UNC1860_1  1c57b1ed990a8946e86d69da2a047fa15525d883b86e93cb6444a4065dbad362
M_Hunting_Backdoor_TOFULOAD_1  da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999
SASHEYAWAY_Strings_1  58cb1ef132fbdd1855f75c2886666275d1bb75a9fb3fed88d05feee4230afd32
SASHEYAWAY_Strings_1  ac7b01e01de0dc289cd649aa5072243f2036bd8d2d0152b6d9874c2ccaaf1e5d
M_WINTAPIX_StringDecodingMethod_1  a375f98aa21377ed0c59b4c7121ac93763157e39d8235fb5ce77f88dee0e2ee4
M_WINTAPIX_PaddedStrings_1  a375f98aa21377ed0c59b4c7121ac93763157e39d8235fb5ce77f88dee0e2ee4
SASHEYAWAY_Strings_1  2538767f13218503bccf31fccb74e7531994b69a36a3780b53ba5020d938af20
M_OBFUSLAY_UNC1860_1  ba3efa7d61e79cf62eeb0c65e803a6353f3012a89e0d910c2292801da43c8a93
M_OBFUSLAY_UNC1860_1  b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2e4062cd1a01ad6b3e47651
M_OBFUSLAY_UNC1860_1  159eecbba87a7397a5b84a21c289ae66ec776a3fd3b41bf11549fb621afebc0a
M_OBFUSLAY_UNC1860_1  ce59bbe3ef7e16423718de50639d2278eab9c1f08f998677ba6fbd36695f316a
SASHEYAWAY_Strings_1  b65bcba449d74e4395421aeb4012c9e509acb5e8153ff3dc9f01fd97a5cc2711
SASHEYAWAY_Strings_1  ed3745f82c7873adca16833b718e20090ac6a8c74e7004b854af29ef1551de75
M_WINTAPIX_StringDecodingMethod_1  f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
M_WINTAPIX_PaddedStrings_1  f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
2024-09-19 Kaspersky: Exotic SambaSpy is now dancing with Italian users

SambaSpy is a highly obfuscated Java-based RAT, protected by the Zelix KlassMaster protector. It supports a range of malicious activities, including:
- File system and process management
- Keystroke logging using the JNativeHook library, sending keystrokes to the C2 upon key release
- Clipboard content control through Java Abstract Window native libraries
- Webcam access and remote desktop control using the Java Robot and GraphicsDevice classes
- Browser credential theft, targeting Chrome, Edge, Brave, Opera, and others
- Remote shell access and the ability to load additional plugins dynamically via URLClassLoader, using addURL() to invoke downloaded plugins

SambaSpy exhibits heavy obfuscation to evade detection, with encrypted strings and obfuscated class names and methods. The malware performs detailed environment checks to avoid execution in virtualized or sandbox environments, exiting immediately if the language is not set to Italian. It also encrypts its communications with the C2, complicating analysis. Some malicious websites contain comments in Brazilian Portuguese, hinting at a possible connection to Brazil. The attackers repeatedly use second-level domains with new subdomains, allowing them to maintain control while shifting operations to evade detection.

Download. Email me if you need the password scheme.
File Information
├── 43f86b6d3300050f8cc0fa83948fbc92fc69af546f1f215313bad2e2a040c0fa DOCUMENTO pdf
├── 49bbfac69ca7633414172ec07e996d0dabd3f7811f134eecafe89acb8d55b93a jar Dropper
├── 9948b75391069f635189c5c5e24c7fafd88490901b204bcd4075f72ece5ec265 jpg jar Sambaspy
├── SAMBASPY - additional samples
│   ├── 23fcf754156e84559d5640c0fc5f24d536332c3be516202086223528e2b45956 fMBFwZaxLTVpj
│   ├── 6e059b017198c588cc5a39e608ca0034438dab953772ed7cd196a1aab1415b63 file jar
│   ├── 8025e6b88d96cf77672bb0eed783808778b52074d686fe1f51076ffadae44749 jar
│   ├── 8a4fce944f129b1f7bd36ba0076af5a37cd54c45644b155073cbd8a27b6430e8 FACTURE jar
│   ├── 8e0c5271cc354d6a9f81f1d09472d8b88209b7afca85358e2c7e034ce0bbec37 daisynuke jar
│   ├── 9530d49197932cc7f169dae3f953e00dc9cf3625eb74e0e335701d3e3fd8c8d4 Prodotto png
│   ├── 9d7fc389f5c0793a5282da241999069c6e8b09a30efcaace36e76416556c3bbb jar
│   ├── b1a61e5a54a61e8dc5feac75023120c29541c1597d82ea689d6246163cd98d75 ElxoxoYytt11893183509316623887 tmp
│   ├── bc7d491a4a88b7c214c679433647c92bc5001741672bcfb96574d9b977d8121c Factuur - 2024108393 pdf jar
│   ├── c0e73cc26a16a477e6de5e26ea1a61d3504fae6f77a278ae96f621a34405bdc9 aq jar
│   ├── cc7632a505300c65c46bc3a0badaaa6b6a99abe148038ecf380ea04eaa6bc14c client jar
│   ├── dbaca1975b39161944950812b54c27ed62251a469f8dce82a743d246a6706968 FACTURE jar
│   ├── e16f1a38e8ebe14b2243ab62dfcc0596c227987cc6d83b55ef58a046a9fbb2d2 celka jar
│   ├── e3578b593437dd7edf5d8a575ad1b05131a067b78e07e1a4677dd5747bdcd056 Imagem jpg jar
│   ├── e8cee7472d4d0816da9398e7b49fe742865dd7b629131d120ef3181e3f0849f2 newRat jar
│   └── f820670f83310b4d6bb4683ebe140e06449fa40f385dda138c27fa6c47080878 jar
└── d3effd483815a7de1e1288ab6f4fb673b44a129386ef461466472e22140d47f8 zip Downloader
Trend Micro - Infection Chain

2024-09-08 TrendMicro: Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

Earth Baxia, a threat actor suspected to originate from China, has been targeting government organizations in Taiwan and other Asia-Pacific (APAC) countries, using spear-phishing emails and exploiting a remote code execution (RCE) vulnerability in GeoServer (CVE-2024-36401). This exploit allowed the attackers to download or copy malicious components, which were then used to deploy customized Cobalt Strike payloads. Their modified Cobalt Strike version included altered signatures for evasion, and they introduced a new backdoor named EAGLEDOOR, which supports multiple communication protocols for payload delivery and information gathering.

The infection chain typically began with spear-phishing emails that delivered malicious attachments or links. These emails often contained decoy documents to lure victims. One of the key methods used by Earth Baxia is the GrimResource technique, which involves downloading files from public cloud services such as AWS and Aliyun. The payloads were injected into legitimate processes using AppDomainManager injection to avoid detection.

Earth Baxia's campaigns primarily targeted government agencies, telecommunication businesses, and the energy sector in countries such as Taiwan, South Korea, the Philippines, and Vietnam. Analysis of Cobalt Strike watermarks and server locations suggests a strong connection to China. During the attack, the group employed sophisticated malware-loading techniques, including DLL side-loading and process injection. Key malware involved in these campaigns included Cobalt Strike and EAGLEDOOR. The latter used Telegram for command-and-control (C&C) communications and supported various protocols like DNS, HTTP, and TCP for data exfiltration. Earth Baxia utilized public cloud services to host malicious files, making it harder to track their activities. They also used tools like curl for exfiltrating data from victim systems.

Download. Email me if you need the password scheme.

File Information
├── DULLDOWN
│   ├── 1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee TrojanSpy.SH.DULL.ZTLH
│   └── c78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc oncesvc.exe.config xml
├── RIPCOY
│   ├── 04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e 202407111985[1].jpeg oncesvc.dll
│   ├── 1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448 Hướng dẫn và yêu cầu kiểm tra, giám sát hoạt động của từng đơn vị năm 2024.msc
│   ├── 4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54 水域污染詳細訊息.msc
│   ├── 6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce 0c664ce.msc
│   └── ca05513c365c60a8fdabd9e21938796822ecda03909b3ee5f12eb82fefa34d84 Document new.pdf.msc
└── SWORDLDR (not the same as in their IOC https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt but also recent SWORDLDR)
    ├── 00e6541316006156887d3313d72a81af30427742b27adec4a81c6ee7441b207c Error Program Demo Edu.dll
    ├── 084da6b560f62eeebc339ef3e1125f6da5a57bbd2c4ac192cec51b426dd6982e Error Program Demo Edu.dll
    ├── a2ad95555bf3ce55ec70b41fa9ffa6bd2bafdb97d687a477efc0ab23fa0ed32e Error Program Demo Edu.dll
    └── db425ce989ff1e2046f5ebddf2472dca8c48ab987e632e66caabf86502bf3ef0 SensorMonitor.exe
2024-09-18 Lumen: Derailing the Raptor Train
Black Lotus Labs

The Raptor Train botnet, discovered in 2023, is a large, multi-tiered network primarily composed of compromised SOHO routers, IP cameras, NAS servers, and NVR/DVR devices. The botnet's primary implant, named "Nosedive," is a customized variant of the Mirai malware, designed to infect various IoT architectures like MIPS, ARM, PowerPC, and others. Nosedive implants are delivered via multi-stage droppers using encoded URL schemes, making detection challenging. Once deployed, the malware operates entirely in memory, allowing for file uploads, downloads, command execution, and DDoS attacks. This memory-resident nature, combined with anti-forensics techniques such as obfuscated processes and multi-stage infections, complicates detection and analysis.

The botnet operates across three tiers: Tier 1 devices (bots), Tier 2 C2 servers, and Tier 3 management nodes. Tier 1 devices are compromised using 0-day and n-day vulnerabilities, with a lifespan of about 17 days. Tier 2 C2 nodes facilitate communication between bots and are managed from Tier 3 nodes using a custom Electron-based tool called "Sparrow." Sparrow enables operators to control C2 servers, deploy payloads, manage bots, and conduct exploitation activities.

Download. Email me if you need the password scheme.
File Information
├── 2022 Finch NOSEDIVE
│   ├── a8ca358dcd9c16eaf33d1ca583dd0f95d18ef6ce29595df55e25d09b0fca64ac elf_
│   └── ba2c26e641a34b1683add59e7481a22934d62ca9814e4ee0f1c71766f37dfd6d elf_
├── 2023 NOSEDIVE
│   ├── 9119babb36c94a47b5034a76fc4d56b927eae9511c86bcc7c02a4afe3fe1c0f8 elf_
│   ├── fcfac7831cbe120b6cf6792c3527135d84b0b97ed78fe773833f5b5f26d7a0d9 elf_
│   └── fe088f3553e09f62cc89f40d931be1b29491607c8f813ab17a7d664443a8e244 elf_
└── 2024 NOSEDIVE (2024 Yara matches for NOSEDIVE)
    ├── 88e0e0be0805fa3fb5ac0a4e29a3c7a206a63b20eaa8661a1a865061601b7f3f elf_
    ├── 9591b845695d8fc5d99aaf8571c21d5526ab2777c64c2c6fa5ae5d491e592fc8 elf_
    ├── b0355fe61ae232620d8f446ab8487b9b74307ff956f4e5222fc5dded53fea765 elf_
    └── f23b9b9f09b4875f2c2f78cf50222c309cc312b0bdb01c0d3a6056bcea8eaec5 elf_
2024-09-12 Ahnlab: SuperShell malware targeting Linux SSH servers

SuperShell is a sophisticated backdoor malware targeting Linux SSH servers, written in the Go language, which allows cross-platform functionality on Linux, Windows, and Android. Created by a Chinese-speaking developer, it operates as a reverse shell, enabling attackers to execute commands remotely on the compromised systems. The attack begins with brute-force and dictionary attacks against SSH servers, using weak credentials like "root/password" and "root/123456qwerty." Once access is gained, attackers execute a series of commands to download and install SuperShell, leveraging tools like wget, curl, tftp, and FTP, with download sources often hosted on compromised servers.

SuperShell's obfuscation adds complexity, but it can still be identified through specific internal strings and its runtime behavior. The malware's installation process is versatile, targeting directories like /tmp, /var/run, /mnt, and /root, with commands often including clean-up actions to remove traces post-installation (rm -r *). Typically, the payload involves downloading a script or binary, which is then made executable with chmod +x and launched (./ssh1). This pattern is consistently observed across multiple commands, highlighting the malware's redundancy and persistence in ensuring successful deployment. Additionally, the attackers often deploy XMRig, a Monero cryptocurrency miner, alongside SuperShell, hinting at a dual-purpose attack: maintaining persistent control over the system while generating illicit cryptocurrency.

2023-03-13 Ahnlab: ShellBot Malware Being Distributed to Linux SSH Servers

On March 13, 2023, ASEC reported that ShellBot, a Perl-based DDoS bot, is actively targeting Linux SSH servers. The malware exploits weak SSH credentials through brute-force attacks, gaining access to deploy its payload. Once installed, ShellBot connects to a Command and Control (C&C) server via the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks.

Initial Access: Attackers scan for servers with open SSH ports (port 22) and use brute-force tools to guess weak or default credentials.
Installation: After gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.
IRC Protocol: ShellBot uses the IRC protocol for C&C communication, allowing it to receive commands like executing remote tasks or launching DDoS attacks without needing a custom C&C infrastructure.
Customization: ShellBot is highly customizable, with variants like "LiGhT’s Modded perlbot v2" offering different capabilities and attack methods tailored by various threat actors.

Download. Email me if you need the password scheme.

File Information
├── SHELLBOT
│   ├── 2220783661db230d0808a5750060950688e2618d462ccbe07f54408154c227c1 .pl
│   ├── b7d62d1a145ddda241e624ef94ab31fcca1a13f79e130d0a704586e35745282a .pl
│   ├── e476b9c07fcd80824d4eafce0e826ae1c12706ca6215eb6e3995468374bb8a76 .pl
│   ├── f5a26a68344c1ffd136ba73dec9d08f61212872cdba33bd4d7d32733a72e4ed5 .pl
│   └── Other Shellbot samples
│       ├── 0857f90be97326ff45f17ec3f6ce60d9a0f6d8faed34e48527fde5ec30bd5a0d
│       ├── 0c1673e442b945a0aecf60d3970e924b16bd72d46e257bd72927821e4ebbc9ca
│       ├── 1f3c279ea684d5cbdc7004819bf15a160f70b2c79c4affd309f9ab3ad957045b
│       ├── 5ba1d0efb313ccc20e3d5f2476a3db811e15c80c3f1ac73b7a02d80c5c49c728
│       ├── a26de5b607e3a66af8b7db2c13bcd1c658817649c699f8731db6f237c3c5b1ce
│       └── cb80570332e3e32037f426e835d05bdcd276e9e5acfd439027d788dd64dcb47d
└── SUPERSHELL
    ├── 157bea84012ca8b8dc6c0eabf80db1f0256eafccf4047d3e4e90c50ed42e69ff ssh1.sh
    ├── 23dbfb99fc6c4fcfc279100c4b6481a7fd3f0b061b8d915604efa2ba37c8ddfa setup c3pool miner.sh
    └── cf5a7b7c71564a5eef77cc5297b9ffd6cd021eb44c0901ea3957cb2397b43e15 ssh1
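Both Ahnlab write-ups above start the same way: brute-force or dictionary attacks against SSH with weak credentials, followed by the payload download. As an added example (not code from Ahnlab or from this blog), the Python script below parses standard OpenSSH "Failed password" / "Accepted password" log lines, flags source addresses that produce a burst of failures, and reports whether a password login from the same source succeeded after the burst, the point at which a SuperShell or ShellBot installation would follow. The log lines are constructed for the demo, and the failure threshold and time window are assumptions to be tuned per environment.

```python
"""Flag SSH brute-force bursts, and guessed passwords, in sshd auth logs.

Added example, not from the Ahnlab reports or the blog. The sample log below
is constructed (RFC 5737 documentation addresses, invented PIDs and ports).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt of /var/log/auth.log (syslog format, year omitted).
SAMPLE_AUTH_LOG = """\
Sep 12 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Sep 12 03:14:02 host sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Sep 12 03:14:03 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51137 ssh2
Sep 12 03:14:04 host sshd[2107]: Failed password for root from 203.0.113.7 port 51142 ssh2
Sep 12 03:14:05 host sshd[2109]: Failed password for root from 203.0.113.7 port 51150 ssh2
Sep 12 03:14:07 host sshd[2111]: Accepted password for root from 203.0.113.7 port 51158 ssh2
Sep 12 03:20:11 host sshd[2201]: Failed password for root from 198.51.100.9 port 40001 ssh2
Sep 12 03:20:12 host sshd[2203]: Failed password for root from 198.51.100.9 port 40002 ssh2
Sep 12 03:25:30 host sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 60210 ssh2
"""

# Matches the OpenSSH authentication result lines; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return a list of (timestamp, result, method, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Map source IP -> summary for sources with >= threshold failures in a window.

    The summary records the failure count, the usernames tried, and the user
    that later authenticated by password from the same source (None if none).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        # Sliding window: any run of `threshold` failures within window_seconds.
        burst_end = None
        for i in range(len(fails) - threshold + 1):
            span = (fails[i + threshold - 1][0] - fails[i][0]).total_seconds()
            if span <= window_seconds:
                burst_end = fails[i + threshold - 1][0]
                break
        if burst_end is None:
            continue
        # A password login after the burst is the guessed-credential case.
        success = next((e for e in evs
                        if e[1] == "Accepted" and e[2] == "password" and e[0] >= burst_end),
                       None)
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e[3] for e in fails}),
            "compromised": success[3] if success else None,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On the constructed log the script reports one source, 203.0.113.7, with five failures against root and admin inside a minute and a subsequent password login as root; the two-attempt source stays below the default threshold, and the key-based login is never counted. A "compromised" entry is the trigger for the follow-on checks the reports describe: new files under /tmp, /var/run, /mnt or /root, and wget/curl/tftp activity from the SSH session.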
2024-09-12 0day in {REA_TEAM}: The X-Worm malware is being spread through a phishing email, by m4n0w4r

More about X-Worm: Malpedia: X-Worm - malware with a wide range of capabilities, ranging from RAT to ransomware.

Phishing Tactics: An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip. The downloaded .zip file contained a shortcut file (.lnk). This .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.

The svchost.com file was analyzed using tools like DiE and ExeInfo, revealing it to be part of the XWorm malware family, protected by .NET Reactor. The malware's code was heavily obfuscated but was partially deobfuscated using the NETReactorSlayer tool. It uses MD5 hashing, AES encryption in ECB mode, and Base64 decoding to decrypt its strings. The malware’s configuration included a host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters like a Telegram token and chat ID.

XWorm Version: The analyzed version of XWorm was 5.6.

Download. Email me if you need the password scheme.

File Information
├── 1893afc228afedb18b743176cbd3f0e4adb31fee7982252a4dc6180a6fb83451 ZBWWHQNZII.exe
├── ec7351c49098d55c332f9c5b0b4c51ffe804dd5780fc954006efcf2aeef91b7f HPFQJGRKIS.exe
├── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891.Itinerary.doc.zip.exe
└── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891 ZBWWHQNZII.exe
2023-11-23 Palo Alto Unit42: Hacking Employers and Seeking Employment: Two Job-Related

This is a 2023 article by Unit42 covering two cyber campaigns, "Contagious Interview" (CL-STA-0240) and "Wagemole" (CL-STA-0241), linked to the Lazarus group (North Korea). There is a more recent campaign, VMCONNECT, described by Reversing Labs here: 2024-09-10 Fake recruiter coding tests target devs with malicious Python packages, but I don't have samples for that one. These campaigns target job-seeking activities to deploy malware and conduct espionage.

Contagious Interview (CL-STA-0240): The campaign targets software developers by posing as employers and convincing them to download malicious NPM packages during fake job interviews. The malware, BeaverTail and InvisibleFerret, is cross-platform, running on Windows, Linux, and macOS.
BeaverTail: A JavaScript-based malware that steals cryptocurrency wallet information and loads the second-stage payload, InvisibleFerret.
InvisibleFerret: A Python-based backdoor with capabilities including fingerprinting, remote control, keylogging, and browser credential theft. It communicates with a C2 server using JSON-formatted messages and supports commands for data exfiltration and additional malware deployment.
The threat actors use GitHub to host malicious NPM packages, creating accounts with minimal activity to avoid detection.

Wagemole (CL-STA-0241): Wagemole involves North Korean actors using fake identities to apply for remote IT jobs, likely to funnel wages to North Korea's weapons programs and potentially conduct espionage.
Exposed Infrastructure: Researchers found resumes, interview scripts, and other fraudulent materials on GitHub. These documents impersonate IT professionals and aim to gain unauthorized employment at US companies.

Download. Email me if you need the password scheme.
File Information

BEAVERTAIL js
├── 09a508e99b905330a3ebb7682c0dd5712e8eaa01a154b45a861ca12b6af29f86 config.js
├── 0ce264819c7af1c485878ce795fd4727952157af7ffdea5f78bfd5b9d7806db1 server.js
├── 1123fea9d3a52989ec34041f791045c216d19db69d71e62aa6b24a22d3278ef9 server.js
├── 121ca625f582add0527f888bb84b31920183e78c7476228091ff2199ec5d796b Setup.js
├── 1b21556fc8ecb9f8169ba0482de857b1f8a5cb120b2f1ac7729febe76f1eea83 setupTests.js
├── 1f9169492d18bffacebe951a22495d5dec81f35b0929da7783b5f094efef7b48 error.js
├── 2618a067e976f35f65aee95fecc9a8f52abea2fffd01e001f9865850435694cf setupTests.js
├── 40645f9052e03fed3a33a7e0f58bc2c263eeae02cbc855b9308511f5dc134797 config.js
├── 41a912d72ba9d5db95094be333f79b60cae943a2bd113e20cc171f86ebcb86cf config.js
├── 4c465e6c8f43f7d13a1b887ff26d9a30f77cf65dd3b6f2e9f7fe36c8b6e83003 App.test.js
├── 4c605c6ef280b4ed5657fe97ba5b6106b10c4de02a40ae8c8907683129156efd setupTests.js
├── 6b3fce8f2dad7e803418edd8dfc807b0252705c11ec77114498b01766102e849 App.test.js
├── 700a582408cbda7ee79723b3969b8d10d67871ea31bb17c8ca3c0d94b481aa8c setupTests.js
├── 72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d act.js
├── 75f9f99295f86de85a8a2e4d73ed569bdb14a56a33d8240c72084f11752b207e setupTests.js
├── 785f65f1853a08b0e86db5638fbd76e8cad5fe1359655716166a76035261c0be error.js
├── 7b718a46ae4de09ed4f2513df6e989afe1fbb1a0f59511a4689fac5e1745547d setupTests.js
├── 7f8bb754f84a06b3e3617dd1138f07a918d11717cc63acaef8eb5c6d10101377 serviceChecker.js
├── 845d7978682fa19161281a35b62f4c447c477082a765d6fedb219877d0c90f31 configurationR.js
├── 9867f99a66e64f6bce0cfca18b124194a683b8e4cb0ced44f7cb09386e1b528d configurationR.js
├── a2f8de3c5f5f6ecbf29c15afd43a7c13a5bf60023ecb371d39bcca6ceef1d2b7 next.setup.js
├── b833f40b2f3439f317cf95980b29bddd2245d2acc2d5c11e9690dd2fa4289585 setupTests.js
├── d8f065d264b1112d6ee3cf34979289e89d9dcb30d2a3bd78cc797a81d3d56f56 setupTests.js
├── de42155e14a3c9c4d919316d6ba830229533de5063fcd110f53e2395ef3aa77a serviceWorker.js
└── fc9bb03998a89524ce5a0f859feb45806983aa4feb5f4d436107198ca869ff6f setupTests.js

BEAVERTAIL DLLs Downloaded
├── 2d8a5b637a95de3b709780898b7c3957f93d72806e87302f50c40fe850471a44 store8.node
├── c5a73896dc628c23a0b6210f50019445e2b8bfc9770f4c81e1fed097f02dfade store8.node
└── da6d9c837c7c2531f0dbb7ce92bfceba4a9979953b6d49ed0862551d4b465adc store8.node

BEAVERTAIL ARCHIVE FILES
├── 104926c2c937b4597ea3493bccb7683ae812ef3c62c93a8fb008cfd64e05df59 sandwich bot (1).zip
├── 12c0f44a931b9d0d74a2892565363bedfa13bec8e48ff5cd2352dec968f407ee arb front v2.zip
├── 1c905fa3a108f4c9bc0578882ce7af9682760b80af5232f130aa4f6463156b25Shared with you ICO.zip
├── 592769457001374fac7a44379282ddf28c2219020c88150e32853f7517896c34 arb.zip
├── 61dff5cbad45b4fe0852ac95b96b62918742b9c90dd47c672cbe0d1dafccb6c5 arb front v2.rar
├── 6465f7ddc9cf8ab6714cbbd49e1fd472e19818a0babbaf3764e96552e179c9af african-economy-main.zip
├── 709820850127201a17caab273e01bb36ce185b4c4f68cd1099110bb193c84c42 Solbots-Template.zip
├── 9ae24a1912e4b0bab76ae97484b62ea22bdc27b7ea3e6472f18bf04ca66c87de.zip
├── b5f151f0a4288e148fd10e19c78399f5b7bdff2ad66940fadd20d6eae4b7518b MoonShield.zip
├── c8c11f9b308ea5983eebd8a414684021cc4cc1f67e7398ff967a18ae202fb457 RockBlocks-main.zip
├── ceb59dbaf58a8de02f9d5e9b497321db0a19b7db4affd5b8d1a7e40d62775f96.pack
├── db6e75987cabdbfc21d0fdcb1cdae9887c492cab2b2ff1e529601a34a2abfd99 dapp.zip
├── e2a940c7d19409e960427749519dc02293abe58a1bef78404a8390f818e40d08 0915.zip
└── ff620bd560485c13a58a0de941bd3e52943036e6a05306e928f7c626998822fb Freelance 0913.zip

INVISIBLE_FERRET
└── 92aeea4c32013b935cd8550a082aff1014d0cd2c2b7d861b43a344de83b68129.js
2024-09-10 Sakai @sakaijjang: Malware created by Kimsuky - Terms and conditions (Terms of Use).msc (2024.9.6) - Kimsuky (North Korea) - Terms and Conditions.msc, by https://x.com/sakaijjang?lang=en
Article translation in English

More about Kimsuky: 2020-10-27 CISA North Korean Advanced Persistent Threat Focus

The malware is delivered as a file named "Terms and conditions.msc," containing embedded PowerShell commands. The PowerShell script is executed in a hidden window (-WindowStyle Hidden), preventing user awareness. The script uses Invoke-Expression (iex) to execute code and Invoke-WebRequest (iwr) to download a malicious script from hxxps://0x0(.)st/Xyl7(.)txt. The downloaded data, encoded in hexadecimal, is decoded into a byte array. The decoded data is initially saved as an MP3 file (e.g., vBqz.mp3) in the system’s public documents folder. The MP3 file is then renamed to an executable file (e.g., vBqz.exe), disguising the payload as a media file. The executable is run using conhost.exe in the background with the -NoNewWindow option, ensuring it remains hidden.

File Camouflage: The use of the MP3 extension initially disguises the executable file.
Stealthy Execution: Utilizing system utilities like conhost.exe and executing commands in hidden windows helps evade user detection and security software.
Command-and-Control (C2) Infrastructure: The malware’s reliance on a public site for payload distribution suggests a flexible and easily reconfigurable C2 mechanism.
Hexadecimal Encoding: The use of encoded data indicates potential obfuscation techniques; decoding this data can reveal more about the malware.
Potential Variants: Different versions of this malware may exist, with variations in the payload or C2 URLs. Monitoring and updating detection rules, such as YARA, would be beneficial.

Download. Email me if you need the password scheme.
File Information: Name: Terms and conditions.msc; Size: 141 KB; MD5: 81d224649328a61c899be9403d1de92d; SHA-1: f4895809cb38fa1f225340e99c05e477a5017111; SHA-256: cea22277e0d7fe38a3755bdb8baa9fe203bd54ad4d79c7068116f15a50711b09
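The decoding step above (hex text to byte array, written out under a media extension) is worth reproducing when triaging a captured second stage: the question is not what the extension says but whether the decoded bytes are a PE. The following is an added example, not code from the original post or from the analyst's write-up. The hex blob is constructed (a minimal MZ/PE header), not the real Xyl7.txt payload, and the cleanup step assumes the host may wrap the text with whitespace.

```python
"""Hex-payload triage, modelled on the loader behaviour described above.
Added example, not code from the original post or from the analyst; the
hex blob is constructed (a minimal MZ/PE header), not the real Xyl7.txt."""
import re
import struct

# Constructed stand-in for the downloaded text. Decoded, it is: 'MZ', 58 bytes of
# padding, e_lfanew = 0x40 at offset 0x3c, then 'PE\0\0' and Machine = 0x014c.
# Newlines are included on purpose to exercise the whitespace cleanup.
FAKE_HEX = (
    "4d5a" + "00" * 58 + "40000000\n"
    "50450000" + "4c01\n"
)

# A second constructed blob that decodes cleanly but is not a PE (ASCII 'Hello').
FAKE_HEX_NOT_PE = "48 65 6c 6c 6f"


def decode_hex_payload(text: str) -> bytes:
    """Drop anything that is not a hex digit, then decode to bytes.

    This mirrors the script's byte-array conversion but tolerates the
    whitespace/CRLF that a text host may add around the blob."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits; payload truncated?")
    return bytes.fromhex(cleaned)


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_machine(data: bytes) -> int:
    """IMAGE_FILE_HEADER.Machine (0x014c = i386, 0x8664 = x64)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def triage(text: str) -> dict:
    """Decode a hex-encoded stage and report whether it is a PE.

    A PE written to disk under .mp3 is exactly the pattern described above:
    the extension is a lie, the bytes are not."""
    data = decode_hex_payload(text)
    report = {"size": len(data), "is_pe": looks_like_pe(data)}
    if report["is_pe"]:
        report["machine"] = pe_machine(data)
    return report


if __name__ == "__main__":
    print(triage(FAKE_HEX))         # {'size': 70, 'is_pe': True, 'machine': 332}
    print(triage(FAKE_HEX_NOT_PE))  # {'size': 5, 'is_pe': False}
```

Run it against the real blob by passing the downloaded text to triage(); a hit on is_pe with a .mp3 filename in the dropper is the indicator to alert on, regardless of which paste host the URL points at this week.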
2024-09-03 K7 Security Labs: Luxy: A Stealer and a Ransomware in one

The sample is a 32-bit .NET executable. It enforces single-instance execution with a mutex and checks for network connectivity before doing anything else. Anti-VM checks compare the system UUID, running process names and other system identifiers against known sandbox values.

Browser data extraction: uses routines such as GETENCRYPTIONKEY to obtain the browser's master key and decrypt stored passwords and cookies from several browsers.
Cryptocurrency wallet theft: targets wallets such as Zcash and Ethereum, copying wallet files into a text file for exfiltration.
Session file theft: copies Minecraft session files into source.txt, which can expose the account's authentication token.
Roblox cookie theft: reads cookies from the registry and browsers through PowerShell commands.
File encryption: encrypts every file in the directory the malware runs from and renames the files afterwards. The report calls the cipher AES256 but describes a 128-bit key and IV; with a 128-bit key this is AES-128 (the IV is 128 bits for every AES key size), so the naming in the source is inconsistent. The plaintext is padded to the 16-byte AES block size before encryption.
Ransom note: after encryption a note is dropped telling the victim the files are encrypted and how to obtain the decryption key.

The ransom note reads:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. To get this software and key you need join our server discord: discord.gg/ Personal ID:

Download (email me if you need the password scheme).
File Information: SHA-256: a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323; MD5: 09b5f5200e59d3a4623d739661ce9832
2024-09-05 Splunk: ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a recently identified ransomware that abuses BitLocker, a legitimate Windows feature, to lock users out of their own systems rather than bringing its own file cipher. Because the encryption is native full-volume encryption, recovery without the attacker's key is extremely difficult. The script first fingerprints the operating system version to decide whether the host is a suitable target. It then modifies registry settings, in particular those governing Remote Desktop Protocol (RDP) and Trusted Platform Module (TPM) behaviour, to suit its needs. After disabling the existing BitLocker key protectors, ShrinkLocker shrinks each non-boot partition by 100 MB, formats the freed space, and reconfigures the boot files so that the system is destabilised and potentially unrecoverable. It also exfiltrates data to a command-and-control server and covers its tracks by deleting logs, firewall rules and scheduled tasks.

Download (email me if you need the password scheme).

File Information
├── d4f2c5b21e96cfef0fc4e5acb6bde30113d1c8c7522f35d99102de886ed337b3 disk.vbs_
├── 32f31b35179bbff9ca9dd21b43bfc3e585baafedde523bd3e4869400ab0362cb Dim oShell.txt (vba)
└── 7662aeae889c350bdabdcc89ccc4c117e0fffdc06933dd7058946fa74a0842bb run.vbs
2024-08-30 Truesec: Dissecting the Cicada (Ransomware) ESXi Ransomware

Cicada3301, a ransomware group first seen in June 2024, appears to be either a rebrand of or a derivative of the ALPHV ransomware, and operates under a ransomware-as-a-service (RaaS) model. The ransomware is written in Rust, targets both Windows and Linux/ESXi, and uses ChaCha20 for file encryption. Analysis shows several overlaps with ALPHV: nearly identical command structures for shutting down VMs and removing snapshots, and a similar file-naming convention. The Linux binary is an ELF; its Rust origin is confirmed by string references and the contents of the .comment section.

Command-line parameters include sleep, which delays execution, and ui, which prints encryption progress to the screen. The key parameter is mandatory: if it is missing or wrong the ransomware stops. The main function, linux_enc, starts encryption by generating a random key with OsRng. Files larger than 100 MB are encrypted in parts; smaller files are encrypted in full with ChaCha20. The ChaCha20 key is then wrapped with an RSA public key and appended, together with a specific file extension marker, to the end of the encrypted file.

Initial access appears to come through the Brutus botnet, with the actors using stolen or brute-forced credentials to log in via ScreenConnect. The IP address seen in this attack is tied to Brutus, which raises the possibility of a direct link between the botnet operators and Cicada3301. The ransomware also has a decryption check: an encoded and encrypted ransom note stored inside the binary is decrypted with the supplied key, and a readable result validates that the key is correct.

Download (email me if you need the password scheme).

File Information: 63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7 esxi

The article didn't include any hashes, only the YARA rule. While this sample doesn't trigger a match with the rule, I believe it's the same malware.
2024-09-02 SocRadar: Dark Web Profile: Abyss Ransomware

Abyss Ransomware, first identified in 2023, targets both Windows and Linux systems, with a particular focus on VMware ESXi. It combines file encryption, multi-extortion and deliberate network infiltration to disrupt organisations in sectors including finance, healthcare and technology.

Key characteristics:
Target platforms: Windows, Linux (particularly VMware ESXi).
Encryption: Salsa20; appends the .abyss or .crypt extension.
Initial access vectors: phishing emails, weak SSH configurations, and exploitation of known vulnerabilities in exposed servers.
Multi-extortion: encrypts files and exfiltrates data, threatening publication on a TOR-based leak site if the ransom is not paid.

Windows variant:
Service termination: stops critical services (e.g. MSSQL, Exchange) so their files can be encrypted.
Persistence: alters the boot configuration to disable recovery options.
File encryption: Salsa20; the ransom note WhatHappened.txt is dropped in each directory.
Obfuscation: written in C++, with techniques to evade detection and hinder forensic analysis.

Linux variant:
VMware ESXi targeting: uses esxcli to enumerate and shut down virtual machines before encrypting them.
Selective encryption: skips critical system directories so the host keeps partial functionality.
Persistence: starts daemon processes so the ransomware survives a reboot.
Download (email me if you need the password scheme).

File Information
├── Abyss_Linux
│   ├── 6f9046f4bc6517d47150caa3d6ddbc327cced5eecd86e8699d105beef388c3c0 elf_
│   └── 72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462 elf_
└── Abyss_Windows
    ├── 0079fb42859d04096cf9d6aaaaf6a463bd723b1fb7625d4137cc88b890dbec51 exe_
    ├── 00fb27c489126cb61a2908f0ce15961c4af4681985e233cdac4f021fb3735ad0 exe_
    ├── 03f9dccb15e19b5af71d1c831f963e834c41a42777b270bd1d60230f88fe6a95 exe_
    ├── 056220ff4204783d8cc8e596b3fc463a2e6b130db08ec923f17c9a78aa2032da exe_
    ├── 07532f7b226afb8e4a931d9e51da41a6c163c4b59b7472682999ce795fd48ca1 exe_
    ├── 0763e887924f6c7afad58e7675ecfe34ab615f4bd8f569759b1c33f0b6d08c64 exe_
    ├── 0d2c958ee0a7a8667b93d0f9aaa265a32fbd44f3af0aaca9dfe93bfd0253d035 exe_
    ├── 10eddba5af7b55a8bd815fd98184cb703583bee61812fcf3e12f8b220bf3a7c7 exe_
    ├── 112a76c7fb220e0e44f96d833da260cfadb051e64a9311e19f34448eb856341f exe_
    ├── 1189c8aa073b9630958a1d8fdb81b8a1f6b538962e7b39c1de9071ab25007a23 exe_
    ├── 13158c90fe1a73a8bfec9205dbfe65a5346632a637d92d8aa671737af804e61d exe_
    ├── 1a31b8e23ccc7933c442d88523210c89cebd2c199d9ebb88b3d16eacbefe4120 exe_
    ├── 1d04d9a8eeed0e1371afed06dcc7300c7b8ca341fe2d4d777191a26dabac3596 exe_
    ├── 25ce2fec4cd164a93dee5d00ab547ebe47a4b713cced567ab9aca4a7080afcb7 exe_
    ├── 2cc6aeea99c5c45d16a4d84bf9c87c1fac3c3a390214179331d7049457ee7621 exe_
    ├── 2e42b9ded573e97c095e45dad0bdd2a2d6a0a99e4f7242695054217e2bba6829 exe_
    ├── 362a16c5e86f13700bdf2d58f6c0ab26e289b6a5c10ad2769f3412ec0b2da711 exe_
    ├── 3b2687884f2cc8710fabcfa39264a6fa2056d5178b1a9aba027a74abdf273ed6 exe_
    ├── 3fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6d exe_
    ├── 505934035dfcff6afabc9c29c10e1aa30187207f7c805ea10d24621d09db9277 exe_
    ├── 62069d85d187ffc78dc0c8b108098016b7631b5cc7501e30be3d1515eddd781a exe_
    ├── 68cbeaccb231459ceb604934f9b4cb6fc3b51901293db9d8464074e350f11bc2 exe_
    ├── 822c77cc025d12b267cf598a3bdff207b1ba278e96126590ac60d88701cd840a exe_
    ├── 877c8a1c391e21727b2cdb2f87c7b0b37fb7be1d8dd2d941f5c20b30eb65ee97 exe_
    ├── 88f16d251a88b9429ca9a99d4fb3083081ff55fb7cedfb32213b4bca011e9ce7 exe_
    ├── 9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc exe_
    ├── 94fa7d8eefce262cb2386b8fff2e1f35c8f35d570cecef54515207b9df40d97d exe_
    ├── b524773160f3cb3bfb96e7704ef31a986a179395d40a578edce8257862cafe5f exe_
    ├── ba7c611f8c14a5651b33405a521e189ad17210b36633972700540ba2056564a0 exe_
    ├── d58c756206dcf233d853ddf3c7c7cfd7b2052637211f442b10b93995e969f0d7 exe_
    ├── dced334f3d9739ef157ead80133d584af782e22e87d227a5ed83bf968f17d367 exe_
    ├── dee2af08e1f5bb89e7bad79fae5c39c71ff089083d65da1c03c7a4c051fabae0 exe_
    ├── e331eac881cbd0c473dfc63de47e9cead852625658ab7e602f9ed5128b65c6a4 exe_
    ├── e5417c7a24aa6f952170e9dfcfdf044c2a7259a03a7683c3ddb72512ad0cd5c7 exe_
    ├── e63420bc4a633d9e44e146ceeee17584e752b3e6fd9700137373746461d7b378 exe_
    ├── e6537d30d66727c5a306dc291f02ceb9d2b48bffe89dd5eff7aa2d22e28b6d7c exe_
    └── f88f90760aa5f3bfa3977b5f388db814b767878dc6b9d45929c1ee94d7f5c57d exe_
2024-08-30 Microsoft: North Korean threat actor Citrine Sleet exploiting Chromium zero-day
2024-03-01 Lazarus group operations: A deep dive into FudModule Rootkit, by Lucas Mancilha
2024-02-28 Avast: Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day (Avast Threat Labs)
2024 Black Hat Asia, speakers Luigino Camastra and Igor Morgenstern: Video, Slides
2024-04-18 Avast: From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams (Avast Threat Labs)
2022-09-30 ESET: Lazarus & BYOVD: evil to the Windows core
2022-09-22 AhnLab: Lazarus Group's Rootkit Attack Using BYOVD

Download (email me if you need the password scheme).

File Information
├── 2022-09-22 Ahnlab
│   └── cbd1634cf7c638f2faf5e3ec79137db6704ec9de8df798fc46aeeed38de3da9b dll
├── 2022-09-30 ESET
│   └── 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5 DBUtil 2 3 Sys
├── 2024-04-18 Avast GenDigital Blackhat Asia
│   ├── 381d3ba5fd446e53f1c71f05a2b97124382146b4c7f28884174334db7b347219 dll
│   ├── 4b1cba57928e02665be444a51937228c4d7315ff5e08c13a03bd7c77eebdcf5e dll
│   └── d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca DSROLE DLL
└── Other
    └── cbd1634cf7c638f2faf5e3ec79137db6704ec9de8df798fc46aeeed38de3da9b BYOVDBYOVDRootkit
2024-08-28 Akamai: Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day (CVE-2024-7029), a command injection vulnerability in the brightness function of AVTECH closed-circuit television (CCTV) cameras

Akamai's Security Intelligence and Response Team (SIRT) identified a botnet campaign exploiting several vulnerabilities, among them a zero-day, CVE-2024-7029, discovered by Aline Eliovich. The flaw is an OS command injection in the brightness function of AVTECH IP cameras: the value of the "brightness" parameter in the device's web interface is passed to a shell without sanitisation, giving unauthenticated remote code execution. The campaign uses it to drop a Mirai variant whose strings reference the COVID-19 virus.

CVE-2024-7029: affects AVTECH AVM1203 IP cameras running firmware up to FullImg-1023-1007-1011-1009. No patch is available; the models are discontinued, yet they remain deployed in critical infrastructure, including transportation authorities.
Exploitation: alongside CVE-2024-7029 the botnet targets older, unpatched bugs, including a Hadoop YARN RCE, CVE-2014-8361 and CVE-2017-17215. These remain effective because the affected devices are rarely updated.
Spread of the Mirai variant: the exploits download and execute a Mirai build known as Corona Mirai, which connects to its command-and-control servers and propagates across networks, chiefly over Telnet on ports 23, 2323 and 37215.

Download (email me if you need the password scheme).

File Information
├── 06b1f09a62204472581e6aec381f96014bb6cc3fc1a9cef38bbcfe88bd82e499 r
├── 0a566c39ecbc4107f954cb3e5e240ccaf0018dfac9b5062b4db7971fb3d9f413 elf
├── 135264de24d499877e95673b9cca737e488042813f41fef7817728a704323fe2 r
├── 15a1d52c529d314bb2b5fa8b8bd6c6a496609a283dd0e78e595c929e720d1b5b
├── 22553be649f76a060ebbdfd410e295b66803e9c49d23369a726be2c5a25733ab sh
├── 25945c4fe38ed2008f027bd1484b89867b23528c738812d317ddf57f48666b91 r
├── 372eefdc4bf9f4a4382db2762fcf9a9db559c9d4fff2ee5f5cf5362418caaa92 r
├── 3995a7e7eb8eeafb0b6da2c3813e61d11993a820d478c87809136de79d8f8280 sh
├── 40d8f662c187b53fd6fdeb70db9eb262b707e557d3fa4e5e4eacaeaa03ac45f2 r
├── 4826b0194fbd924aa57b9c4ab1e017f0f45f547189374b0ea761d415fa4285ff elf
├── 4f50d318688c80f08eb7fad6f8788cae459c3420b3b9eb566f936edd7a780ae1 sh
├── 5e264cb009c4d84b6180e47b9ceda3af8897b17b88fccc9c2914706d66abd1d1 r
├── 6ad5984bc9af7af6962a080bbb1a35bb56e8671c4b9c1d44e88da5a3f6b9aa82 r
├── 774947944ea370592a30478bb3f26081799f7d7df975a6735e620d3442e7803b elf
├── 8ac82a770cffbbc8fba73554d7caa117ef6d37ffee468665b95bc406449f91b5 r
├── 947f517d3b833cc046b2ea0540aad199b7777fb03057122fb0b618828abdc212 r
├── 9e9e481bb448438572c2695469c85f773ddcd952025e45bee33bbfce2531c656 r
├── b0f7ef937d77061515907c54967a44da3701e0d2af143164bbf44bb4fc6f26af sh
├── c0ae1eb249705f61d45ca747c91c02a411557a28792f4064c1d647abb580bc10 x86 elf
├── c15bbfb85bfd8305fad8cc0e0d06cbe825e1e6fc6d8dbe5a8d1ac4243bd77d0c elf
├── cfcae524309a220a48327c50bf32bf5ed3aed5698855b5da9f1ae932fb2df90c elf
├── e82192fbe00bc7205abe786155bbfc0548f5c6ee9819a581e965526674f3cc57 mips elf
└── f4bf61fc335db4f3e7d7d89b534bc1e6ead66a51938e119ea340fe95039935e3 mips elf
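The bug class behind CVE-2024-7029, an HTTP parameter concatenated into a shell command, is easy to model and worth seeing beside its fix. The block below is an added example and is not AVTECH's code: the "brightness" CGI handler and the setbright helper are hypothetical stand-ins, echo is used in place of the device binary so the injection is harmless to run, and the validator assumes the only legitimate value is an integer in 0..100.

```python
"""Model of OS command injection through a web parameter (the class of bug
behind CVE-2024-7029), beside its hardened form. Added example; not AVTECH's
code. The CGI handler and helper binary are hypothetical, and 'echo' stands in
for the device binary so the injection only prints text."""
import re
import subprocess

# Hypothetical device-side setter the CGI wraps; 'echo' stands in for it here.
BRIGHTNESS_BIN = "echo"

# Characters a POSIX shell gives meaning to; a brightness value never needs them.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")


class BadParameter(ValueError):
    pass


def vulnerable_command(brightness: str) -> str:
    """Vulnerable pattern: untrusted HTTP parameter pasted into a shell line.

    The shell parses ';', '|', '$(...)' and friends inside the value, so a
    request with brightness=50;id runs 'id' as the web server's user (on
    embedded devices that is usually root)."""
    return f"{BRIGHTNESS_BIN} {brightness}"


def run_vulnerable(brightness: str) -> str:
    """Run the vulnerable construction through sh -c, as system() would."""
    out = subprocess.run(["sh", "-c", vulnerable_command(brightness)],
                         capture_output=True, text=True, check=False)
    return out.stdout


def hardened_argv(brightness: str) -> list:
    """Hardened pattern: accept only the shape the parameter can legitimately
    take (assumed here: an integer 0..100), then exec an argv list with no
    shell, so there is nothing left for metacharacters to act on."""
    if not re.fullmatch(r"\d{1,3}", brightness) or not 0 <= int(brightness) <= 100:
        raise BadParameter(f"brightness must be an integer 0..100, got {brightness!r}")
    return [BRIGHTNESS_BIN, str(int(brightness))]


def run_hardened(brightness: str) -> str:
    out = subprocess.run(hardened_argv(brightness),
                         capture_output=True, text=True, check=False)
    return out.stdout


def is_suspicious_parameter(value: str) -> bool:
    """Log-side check: does a 'brightness' value carry shell metacharacters?
    Useful for hunting exploitation attempts in web-server access logs."""
    return bool(SHELL_META.search(value))


if __name__ == "__main__":
    print(run_vulnerable("50; echo INJECTED"))   # prints 50, then INJECTED
    try:
        run_hardened("50; echo INJECTED")
    except BadParameter as e:
        print("rejected:", e)
    print(run_hardened("50"))
```

The fix is the combination: an allow-list validator that matches the parameter's real domain, and exec without a shell. Quoting the value with shlex.quote while still going through sh -c would also block this payload, but it keeps the shell in the path and tends to be undone by the next developer who needs a variable expanded.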
2024-08-29 eSentire: Exploring AsyncRAT and Infostealer Plugin Delivery Through Phishing Emails

eSentire's Threat Response Unit (TRU) investigated an AsyncRAT infection delivered by email as a Windows Script File (.wsf). The malicious .wsf, named "SummaryForm", downloaded a VBScript from a remote server, which in turn fetched a fake image file. That file was really a ZIP archive; once extracted, it ran further scripts to set up persistence. The scripts created a scheduled task that re-launches the AsyncRAT payload at intervals, so the implant comes back if a single process is killed. The payload was injected into the RegAsm.exe process by way of a DLL (NewPE2), so the malicious code runs inside a signed Microsoft binary. This AsyncRAT build also carried an infostealer plugin that harvests data from browsers such as Chrome and Firefox and from cryptocurrency wallet extensions such as MetaMask and Coinbase. The chain shows the usual layering: several download stages, scripts disguised as other file types, and injection into a trusted process, all in service of persistence and credential theft.

Download (email me if you need the password scheme).

File Information
├── 29b4af288f1bb75da4df5cbf00033c68df1fee656433cb99726f16de8c2b55f1 uzopuzbkrpcziwca txt
├── 5768a2bfeaa935af64b66bec24cc4d35c7919e1317daa072f8902a7354f3bf8d WJVIQQFZMZLSZTJJ bat
├── 5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd NewPE2 dll
├── 7d91feeb19c895927012f56d9502ba8a9345ff955adc7d20f2e3a660a029769e SummaryForm wsf
├── 82dcc44da4b3454291a1d846414efde776b51bf2d30406cb9aa5bac020b0c4c5 AsyncRAT
├── ab2bef5c63ac65904386a02f4c7d9bbceaafa3763aceef24fd7981ca993006a4 CEIULUDEZFCEVSMM bat
├── b8631fd49a327589f97232eefc14bec144ef6fdd43d3d79ce9fab3adf8067221 IRUAHCKDFAFDCHUV vbs
├── c351fafa32e9c2e91a514c10fa8097da0f837c2a4bfcbac0e899f5780fd8b69a YXRPNPSMGCOBEURV ps1
└── d381eeba306533d765ae541fcb737f408abbeeed2f15ae1b1c678adde3960d31 lAOdPuUqwXLVFvqT jpg
2024-08-29 Fortinet Ransomware Roundup: Underground

The Underground ransomware is likely operated by the RomCom group (also tracked as Storm-0978). The group has exploited the Microsoft Office and Windows HTML RCE vulnerability CVE-2023-36884; phishing emails and access bought from Initial Access Brokers (IABs) are other likely entry routes. The commands below are Windows command lines, as the sample executes them.

Shadow copy deletion, to prevent file recovery:
vssadmin.exe delete shadows /all /quiet

RDP session limit, setting the maximum disconnected-session time to 14 days (1209600000 ms) so the actor's sessions are not cleaned up:
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f

SQL Server service stop, so database files are released for encryption:
net.exe stop MSSQLSERVER /f /m

Ransom note: drops "!!readme!!!.txt" in every directory that contains encrypted files.
File encryption: files are encrypted in place without changing their extension, which makes encrypted files harder to spot at a glance. Critical file types (.sys, .exe, .dll) are skipped so the machine still boots and the note can be read.
Log and file deletion: writes and runs a script, temp.cmd, that deletes the original ransomware binary and clears the Windows Event logs, hampering forensics.
Data leak site: the group runs a site where stolen data is published; victims span construction, pharmaceuticals and manufacturing, with 16 listed as of July 2024.
Telegram channel: stolen data is also distributed through a Telegram channel, with links to files hosted on the Mega cloud storage service.

Download (email me if you need the password scheme).
File Information
├── 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163 enc getswin x64 exe
├── 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f exe
├── cc80c74a3592374341324d607d877dcf564d326a1354f3f2a4af58030e716813 exe
├── d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 exe
└── eb8ed3b94fa978b27a02754d4f41ffc95ed95b9e62afb492015d0eb25f89956f exe
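The three commands quoted above are the kind of thing a process-creation rule should catch, but each one alone has a benign explanation (admins delete shadow copies, set Terminal Services policy and stop SQL during maintenance). What separates Underground from maintenance is the same parent process doing all three. The block below is an added example, not from the Fortinet write-up: it runs one regex per observable over constructed process-creation records (host|parent image|image|command line, in the style of Sysmon Event ID 1 or Windows 4688) and then correlates hits by parent.

```python
"""Process-creation detection for the three Underground commands quoted above,
with correlation by parent process. Added example, not from the Fortinet
write-up; the log lines are constructed (host|parent|image|command_line),
not from a real incident."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed events. WS01/enc.exe mimics the ransomware; WS02/cmd.exe is an
# admin setting a one-hour RDP disconnect timeout, which must not be flagged.
SAMPLE_LOG = r"""
WS01|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\a\notes.txt
WS01|enc.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
WS01|enc.exe|C:\Windows\System32\reg.exe|reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
WS01|enc.exe|C:\Windows\System32\net.exe|net.exe stop MSSQLSERVER /f /m
WS01|svchost.exe|C:\Windows\System32\reg.exe|reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
WS02|cmd.exe|C:\Windows\System32\reg.exe|reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 3600000 /f
"""

# One rule per observable from the report. Case-insensitive, tolerant of the
# .exe suffix being dropped and of extra whitespace between tokens.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "rdp_disconnect_timeout": re.compile(
        r"\breg(?:\.exe)?\s+add\b.*Terminal Services.*\bMaxDisconnectionTime\b", re.I),
    "mssql_service_stop": re.compile(
        r"\bnet(?:\.exe)?\s+stop\s+MSSQLSERVER\b", re.I),
}


class Hit(NamedTuple):
    host: str
    parent: str
    rule: str
    command_line: str


def scan(log_text: str) -> List[Hit]:
    """Run every rule over every event; one Hit per (event, rule) match."""
    hits: List[Hit] = []
    for line in log_text.strip().splitlines():
        host, parent, _image, cmdline = line.split("|", 3)
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits.append(Hit(host, parent, name, cmdline))
    return hits


def correlate(hits: List[Hit], min_rules: int = 2) -> Dict[Tuple[str, str], Set[str]]:
    """Group hits by (host, parent) and keep parents that tripped at least
    min_rules distinct rules. A lone reg add on Terminal Services can be an
    admin; a parent that also deletes shadow copies and stops SQL cannot."""
    by_parent: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for h in hits:
        by_parent[(h.host, h.parent)].add(h.rule)
    return {k: v for k, v in by_parent.items() if len(v) >= min_rules}


if __name__ == "__main__":
    all_hits = scan(SAMPLE_LOG)
    for h in all_hits:
        print(h.host, h.parent, h.rule)
    print(correlate(all_hits))   # only ('WS01', 'enc.exe') survives
```

In a real pipeline the grouping key would also include a time window, and the parent-image path (the sample's binary runs from a user-writable directory) is a further discriminator; both are left out here to keep the correlation logic visible.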
2024-08-23 CYFIRMA: A Comprehensive Analysis of Angry Stealer: Rage Stealer in a New Disguise (Telegram RAT)

CYFIRMA analysed "Angry Stealer", a stealer heavily advertised on Telegram that turns out to be a repackaged version of the previously documented "Rage Stealer". The dropper is a 32-bit Win32 executable written in .NET and is the first stage of the attack. On execution it deploys two payloads, "Stepasha.exe" and "MotherRussia.exe".

Stepasha.exe, the info-stealer: once deployed it collects browser data (passwords, cookies, autofill), cryptocurrency wallets, VPN credentials and system information, packages everything into a ZIP file, and exfiltrates it to a Telegram channel. The upload uses hardcoded bot credentials and disables SSL certificate validation, so an interception proxy or a mismatched certificate does not stop the data leaving. It also tampers with file timestamps and uses a mutex so that only one instance runs.

MotherRussia.exe, the builder: a tool for producing further malicious executables. The operator supplies a bot token and chat ID, which are embedded into the generated binary. It appears to be intended for remote desktop or bot-interaction tasks, letting attackers automate and scale their campaigns.

"Angry Stealer" is a direct descendant of "Rage Stealer", sharing the same codebase and functionality. Rebranding lets the sellers market the same malware under a new name to new buyers while reusing proven code. The dropper was compiled in a .NET environment, likely inside an isolated setup such as Windows Defender Application Guard, suggesting the developers took care to avoid detection during development.

Download (email me if you need the password).

File Information
├── ae25ed76f7aa901495537c2600bf149f6a56a42f28dc8fc9c6ed6c802ce0422e MotherRussia.exe_
├── bb72a4c76034bd0b757b6a1e0c8265868563d11271a22d4ae26cb9fe3584a07d Stepasha.exe_
└── c477b037e8fe3ab68b4c1da6f9bfe01e9ea818a5b4f94ed9e2757e25035be06d exe_
2024-08-14 Elastic: Beyond the wail: deconstructing the BANSHEE infostealer

BANSHEE Stealer is a macOS infostealer sold for $3,000 and developed by Russian-speaking threat actors, built for both x86_64 and ARM64. It collects browser history, cookies and logins, cryptocurrency wallets, and data from around 100 browser extensions. Anti-analysis is basic: debugger and virtualisation detection through the sysctl API and system profiling commands, plus a check that skips systems whose preferred language is Russian (via CFLocaleCopyPreferredLanguages). AppleScript is used to mute system audio, to prompt the user for their password with a fake dialog, and to copy keychain data.

Browser collection covers nine browsers (Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX and Safari), pulling history, cookies and login credentials. Safari is handled differently: only its cookies are taken, by way of an AppleScript, while the Chromium and Firefox-based browsers yield the full set. About 100 browser extensions are enumerated and their data saved to a temporary directory. Wallet targets include Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic and Ledger; the relevant files are copied to the same staging directory.

The code is split across several C++ files. Controller.cpp holds the core logic: the sysctl-based anti-debugging, the language check, and exfiltration. Exfiltration compresses the staged directory into a ZIP with the ditto command, XOR-encrypts the archive, Base64-encodes the result, and sends it by HTTP POST to the command-and-control server using curl.

Download (email me if you need the password).

File Information
├── 11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782 localfile~ x64
├── d556042c8a77ba52d39e211f208a27fe52f587047140d9666bbeca6032eae604 localfile~ x64
└── Variants
    └── 7a6c0b683961869fc159bf8da1b4c86bc190ee07b0ad5eb09f99deaac4db5c69 localfile~ x64
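The exfiltration pipeline above (ZIP via ditto, then XOR, then Base64, then a POST) is reversible from a captured request body without the binary if the XOR key is short, because the plaintext is known to start with the ZIP local-file-header magic. The block below is an added example, not from Elastic's report or the malware: it assumes a single-byte XOR key (the report does not state the key length, so this is an assumption), builds a constructed archive in memory to stand in for the POST body, and recovers the key from the first four plaintext bytes.

```python
"""Reverse the exfiltration encoding described above (ZIP -> XOR -> Base64 ->
HTTP POST body). Added example, not from Elastic's report or the malware.
Assumption: a single-byte XOR key, recovered by known plaintext from the ZIP
local-file-header magic. The archive is constructed in memory."""
import base64
import io
import zipfile
from typing import List, Optional, Tuple

# Every ZIP written front-to-back opens with a local file header, 'PK\x03\x04'.
ZIP_MAGIC = b"PK\x03\x04"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_sample_exfil(key: int) -> str:
    """Constructed stand-in for what the stealer would POST: a ZIP of
    'collected' files (fake contents), XORed with key, then Base64."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Safari/cookies.txt", "session=abc123\n")    # constructed
        z.writestr("wallets/exodus/seed.seco", b"\x00" * 32)    # constructed
    return base64.b64encode(xor_bytes(buf.getvalue(), key)).decode()


def recover_xor_key(blob: bytes, known_prefix: bytes = ZIP_MAGIC) -> Optional[int]:
    """Known-plaintext attack: key = blob[0] ^ 'P'. The remaining magic bytes
    verify the guess; None means the body is not a single-byte-XORed ZIP."""
    if len(blob) < len(known_prefix):
        return None
    key = blob[0] ^ known_prefix[0]
    if xor_bytes(blob[: len(known_prefix)], key) != known_prefix:
        return None
    return key


def decode_exfil(b64_body: str) -> Tuple[int, List[str]]:
    """Base64-decode a captured POST body, recover the key, list the archive.

    Returns (key, member names); raises ValueError if the key cannot be found,
    which is the signal to try a multi-byte key or a different container."""
    blob = base64.b64decode(b64_body)
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("not a single-byte-XORed ZIP (multi-byte key or other format?)")
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as z:
        return key, z.namelist()


if __name__ == "__main__":
    body = make_sample_exfil(0x5A)
    print(decode_exfil(body))   # (90, ['Safari/cookies.txt', 'wallets/exodus/seed.seco'])
```

If the real sample uses a repeating multi-byte key, the same idea extends: the first four bytes of magic give the first four key bytes, and the central directory signature ('PK\x01\x02') near the end of the archive gives another known-plaintext window to pin down the key length.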