#xworm

James_inthe_box<p>Malicious <span class="h-card" translate="no"><a href="https://infosec.exchange/@github" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>github</span></a></span> repo at:</p><p>https://github\.com/charlie-60</p><p>seen dropped via <a href="https://infosec.exchange/tags/xworm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>xworm</span></a> on a hijacked @operagxofficial installer</p><p><a href="https://app.any.run/tasks/4be36a6c-15e4-4c50-99e7-d95eb48bd88a" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/4be36a6c-15e</span><span class="invisible">4-4c50-99e7-d95eb48bd88a</span></a></p>
ANY.RUN<p>🚨 Fake Booking.com phishing pages used to deliver malware and steal data<br>⚠️ Attackers use <a href="https://infosec.exchange/tags/cybersquatting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersquatting</span></a>, mimicking Booking website to create legitimate-looking phishing pages that trick users into executing malicious actions.<br>Leveraging <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANYRUN</span></a>'s interactivity, security professionals can follow the entire infection chain and gather <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a>.</p><p>👨‍💻 Case 1: The user is instructed to open the Run tool by pressing Win + R, then Ctrl + V to paste the script, and hit Enter. This sequence of actions executes a <a href="https://infosec.exchange/tags/malicious" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malicious</span></a> script that downloads and runs malware, in this case, <a href="https://infosec.exchange/tags/XWorm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XWorm</span></a>.<br>Take a look at the analysis: <a href="https://app.any.run/tasks/61fd06c8-2332-450d-b44b-091fe5094335/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_term=060325&amp;utm_content=linktoservice" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/61fd06c8-233</span><span class="invisible">2-450d-b44b-091fe5094335/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_term=060325&amp;utm_content=linktoservice</span></a></p><p>🔍 TI Lookup request to find domains, IPs, and analysis sessions related to this campaign:<br><a 
href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_content=linktoti&amp;utm_term=060325#%7B%2522query%2522:%2522domainName:%255C%2522mktoresp.com%255C%2522%2520AND%2520domainName:%255C%2522booking.*.%255C%2522%2522,%2522dateRange%2522:30%7D%20%20" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_content=linktoti&amp;utm_term=060325#%7B%2522query%2522:%2522domainName:%255C%2522mktoresp.com%255C%2522%2520AND%2520domainName:%255C%2522booking.*.%255C%2522%2522,%2522dateRange%2522:30%7D%20%20</span></a></p><p>🎯 Use this search query to find more examples of this fake <a href="https://infosec.exchange/tags/CAPTCHA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CAPTCHA</span></a> technique and enhance your organization's security response:<br><a href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_content=linktoti&amp;utm_term=060325#%7B%2522query%2522:%2522commandLine:%5C%2522" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_content=linktoti&amp;utm_term=060325#%7B%2522query%2522:%2522commandLine:%5C%2522</span></a></p><p>👨‍💻 Case 2: In this scenario, threat actors aim to steal victims’ banking information. 
It’s a typical phishing site that mimics Booking website and, after a few steps, prompts users to enter their card details to ‘verify’ their stay.<br>See example: <a href="https://app.any.run/tasks/87c49110-90ff-4833-8f65-af87e49fcc8d/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_term=060325&amp;utm_content=linktoservice" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/87c49110-90f</span><span class="invisible">f-4833-8f65-af87e49fcc8d/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_term=060325&amp;utm_content=linktoservice</span></a></p><p>📌 A key domain in this campaign, Iili[.]io, was also used by <a href="https://infosec.exchange/tags/Tycoon2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Tycoon2FA</span></a> <a href="https://infosec.exchange/tags/phishkit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishkit</span></a>.<br>🔍 Use this TI Lookup query to find more examples:<br><a href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_content=linktoti&amp;utm_term=060325#%7B%2522query%2522:%2522domainName:%255C%2522bzib.nelreports.net%255C%2522%2520AND%2520domainName:%255C%2522xpaywalletcdn.azureedge.net%255C%2522%2520AND%2520domainName:%255C%2522cdnjs.cloudflare.com%255C%2522%2520AND%2520domainName:%255C%2522xpaycdn.azureedge.net%255C%2522%2520AND%2520domainName:%255C%2522iili.io%255C%2522%2522,%2522dateRange%2522:180%7D%20" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span 
class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=fake_booking&amp;utm_content=linktoti&amp;utm_term=060325#%7B%2522query%2522:%2522domainName:%255C%2522bzib.nelreports.net%255C%2522%2520AND%2520domainName:%255C%2522xpaywalletcdn.azureedge.net%255C%2522%2520AND%2520domainName:%255C%2522cdnjs.cloudflare.com%255C%2522%2520AND%2520domainName:%255C%2522xpaycdn.azureedge.net%255C%2522%2520AND%2520domainName:%255C%2522iili.io%255C%2522%2522,%2522dateRange%2522:180%7D%20</span></a></p><p>Investigate the latest <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> and <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> attacks with <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANYRUN</span></a> 🚀</p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
OTX Bot<p>Uncovering .NET Malware Obfuscated by Encryption and Virtualization</p><p>This article examines advanced obfuscation techniques used in popular malware families like Agent Tesla, XWorm, and FormBook/XLoader. The techniques include code virtualization, staged payload delivery, dynamic code loading, AES encryption, and multi-stage payloads. The malware uses a three-stage process: an encrypted payload in the PE overlay, a virtualized payload using KoiVM, and a final payload that is typically Agent Tesla or XWorm. The obfuscation methods aim to evade sandbox detection and hinder static analysis. The article provides insights into extracting configuration parameters through unpacking each stage and discusses potential automation opportunities for sandboxes performing static analysis.</p><p>Pulse ID: 67c5deb911aab45bdf301787<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67c5deb911aab45bdf301787" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67c5d</span><span class="invisible">eb911aab45bdf301787</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-03 16:54:17</p><p>Be advised, this data is unverified and should be considered preliminary. 
Always do further verification.</p><p><a href="https://social.raytec.co/tags/AgentTesla" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AgentTesla</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Encryption</span></a> <a href="https://social.raytec.co/tags/FormBook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FormBook</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/NET" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NET</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/Tesla" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Tesla</span></a> <a href="https://social.raytec.co/tags/Worm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Worm</span></a> <a href="https://social.raytec.co/tags/XLoader" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XLoader</span></a> <a 
href="https://social.raytec.co/tags/XWorm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XWorm</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
ANY.RUN<p>🚨 New <a href="https://infosec.exchange/tags/Stegocampaign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Stegocampaign</span></a> abuses obfuscated registry to execute payload<br>The attack is carried out through users following instructions, such as downloading a REG file that adds a <a href="https://infosec.exchange/tags/malicious" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malicious</span></a> script to Autorun. While exploiting Autorun has been rarely used recently, we found a sample actively using this method.</p><p>🔗 Execution chain:<br>PDF ➡️ Phish link ➡️ REG file adds a script to Autorun ➡️ OS reboot ➡️ CMD ➡️ PowerShell ➡️ <a href="https://infosec.exchange/tags/Wscript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Wscript</span></a> ➡️ Stegocampaign payload (DLL) extraction ➡️ Malware extraction and injection into AddInProcess32 ➡️ XWorm</p><p>⚠️ Victims receive a phishing PDF containing a link to download a .REG file. By opening it, users unknowingly modify the registry with a <a href="https://infosec.exchange/tags/script" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>script</span></a> that fetches a VBS file from the web and adds it to Autorun. </p><p>Upon system reboot, the <a href="https://infosec.exchange/tags/VBS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VBS</span></a> file launches <a href="https://infosec.exchange/tags/PowerShell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PowerShell</span></a>, triggering an execution chain that ultimately infects the operating system with <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a>. 
</p><p>👾 Then, <a href="https://infosec.exchange/tags/ReverseLoader" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ReverseLoader</span></a> downloads <a href="https://infosec.exchange/tags/XWorm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XWorm</span></a>, initiating its execution. The payload contains a DLL file embedded in an image, which then extracts XWorm from its resources and injects it into the AddInProcess32 system process. </p><p>❗️ This chain of actions abuses legitimate system tools and relies on user actions, making it difficult for automated security solutions to detect. <br>This puts organizations at risk by allowing attackers to evade detection, potentially leading to data breaches and access to sensitive data. <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANYRUN</span></a> Sandbox offers full control over the VM, which allows you to interact with malware and manipulate its behavior. 
</p><p>👨‍💻 See analysis with a reboot:<br><a href="https://app.any.run/tasks/068db7e4-6ff2-439a-bee8-06efa7abfabc/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=stegocampaign&amp;utm_term=190225&amp;utm_content=linktoservice" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/068db7e4-6ff</span><span class="invisible">2-439a-bee8-06efa7abfabc/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=stegocampaign&amp;utm_term=190225&amp;utm_content=linktoservice</span></a></p><p>🚀 <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANYRUN</span></a>'s interactive VMs let users manually execute each step of the entire attack chain, even without a system reboot:<br><a href="https://app.any.run/tasks/f9f07ae8-343f-4ea5-9499-a18f7c8534ef/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=stegocampaign&amp;utm_term=190225&amp;utm_content=linktoservice" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/f9f07ae8-343</span><span class="invisible">f-4ea5-9499-a18f7c8534ef/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=stegocampaign&amp;utm_term=190225&amp;utm_content=linktoservice</span></a></p><p>🔍 Use this TI Lookup search query to find similar samples to enrich your company's detection systems:<br><a href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=stegocampaign&amp;utm_content=linktoti&amp;utm_term=190225#%7B%22query%22:%22domainName:%5C%22filemail.com$%5C%22%22,%22dateRange%22:180%7D" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span 
class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=stegocampaign&amp;utm_content=linktoti&amp;utm_term=190225#%7B%22query%22:%22domainName:%5C%22filemail.com$%5C%22%22,%22dateRange%22:180%7D</span></a></p><p>Analyze and investigate the latest malware and phishing threats with <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANYRUN</span></a> 🛡️</p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
ANY.RUN<p>🚨 <a href="https://infosec.exchange/tags/XWorm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XWorm</span></a> leverages LOLBAS techniques to abuse <a href="https://infosec.exchange/tags/CMSTPLUA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CMSTPLUA</span></a></p><p>CMSTPLUA is a legitimate Windows tool that can be exploited for system binary proxy execution using <a href="https://infosec.exchange/tags/LOLBAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LOLBAS</span></a> techniques, bypassing security controls like <a href="https://infosec.exchange/tags/UAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UAC</span></a>, and executing <a href="https://infosec.exchange/tags/malicious" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malicious</span></a> code, putting organizations at risk. </p><p>⚙️ With Script Tracer in <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANYRUN</span></a> Sandbox, a SOC team can analyze scripts more efficiently. It simplifies script breakdowns, making it easier to understand their behavior and get key insights. <br>The <a href="https://infosec.exchange/tags/script" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>script</span></a> embedded in the INF file is used to coordinate an execution chain: <br>1️⃣ EXE starts cmstp.exe, which is used to launch a <a href="https://infosec.exchange/tags/malicious" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malicious</span></a> script from an <a href="https://infosec.exchange/tags/INF" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>INF</span></a> file. 
<br> <br>2️⃣ CMSTPLUA ➡️ mshta.exe ➡️ cmd.exe ➡️ EXE ➡️ PowerShell <br>– <a href="https://infosec.exchange/tags/MSHTA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MSHTA</span></a> loads a <a href="https://infosec.exchange/tags/VBScript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VBScript</span></a> from memory to run an executable and shuts down the <a href="https://infosec.exchange/tags/CMSTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CMSTP</span></a> process. <br>– EXE launches <a href="https://infosec.exchange/tags/PowerShell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PowerShell</span></a> to add itself to <a href="https://infosec.exchange/tags/MicrosoftDefender" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MicrosoftDefender</span></a> exceptions. <br> <br>3️⃣ Finally, it runs the XWorm <a href="https://infosec.exchange/tags/payload" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>payload</span></a> from the <a href="https://infosec.exchange/tags/System32" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>System32</span></a> directory and adds itself to the Scheduled Task for persistence. 
<br> <br>👨‍💻 Check out the analysis and see Script Tracer in action: <br><a href="https://app.any.run/tasks/9352d612-8eaa-4fac-8980-9bee27b96bce/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=cmstplua&amp;utm_term=130225&amp;utm_content=linktoservice" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/9352d612-8ea</span><span class="invisible">a-4fac-8980-9bee27b96bce/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=cmstplua&amp;utm_term=130225&amp;utm_content=linktoservice</span></a> </p><p>Living-off-the-Land techniques have been leveraged for years to execute malicious operations using legitimate system utilities. <br>Use these TI Lookup search queries to find similar samples and improve the efficiency of your organization's security response:<br>🔍 <a href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=cmstplua&amp;utm_content=linktoti&amp;utm_term=130225#%7B%2522query%2522:%2522commandLine:%255C%2522%255C%255C.inf%255C%2522%2520AND%2520imagePath:%255C%2522cmstp%255C%255C.exe$%255C%2522%2522,%2522dateRange%2522:180%7D" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=cmstplua&amp;utm_content=linktoti&amp;utm_term=130225#%7B%2522query%2522:%2522commandLine:%255C%2522%255C%255C.inf%255C%2522%2520AND%2520imagePath:%255C%2522cmstp%255C%255C.exe$%255C%2522%2522,%2522dateRange%2522:180%7D</span></a><br>🔍 <a href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=cmstplua&amp;utm_content=linktoti&amp;utm_term=130225#%7B%2522query%2522:%2522commandLine:%255C%2522mshta%2520vbscript:%255C%2522%2522,%2522dateRange%2522:180%7D" rel="nofollow noopener 
noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=cmstplua&amp;utm_content=linktoti&amp;utm_term=130225#%7B%2522query%2522:%2522commandLine:%255C%2522mshta%2520vbscript:%255C%2522%2522,%2522dateRange%2522:180%7D</span></a></p><p>Analyze latest <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> and <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> threats with <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANYRUN</span></a> 🚀</p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
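An added example, not code from any of the posts above: a small process-lineage detector for the chain the CMSTPLUA post describes (cmstp.exe launching an INF-hosted script, mshta.exe running inline VBScript, PowerShell adding a Defender exclusion, a scheduled task for persistence) and the REG-file Autorun step from the Stegocampaign post, run over constructed process-creation events. The event schema, the sample command lines, and the choice of Add-MpPreference and schtasks /create as the concrete forms of the "Defender exceptions" and "Scheduled Task" steps are my assumptions, not details from the posts.

```python
from dataclasses import dataclass
from typing import Dict, List
import re


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / EDR style; schema assumed)."""
    pid: int
    ppid: int
    image: str      # executable file name as logged
    cmdline: str    # full command line as logged


# Single-event indicators drawn from the chains in the posts above. Each entry is
# (image name, pattern matched case-insensitively against that image's command line).
INDICATORS: Dict[str, tuple] = {
    "cmstp_inf":       ("cmstp.exe",      re.compile(r"\.inf\b", re.I)),
    "mshta_vbscript":  ("mshta.exe",      re.compile(r"vbscript:", re.I)),
    # assumption: the "Defender exceptions" step is done with Add-MpPreference
    "defender_excl":   ("powershell.exe", re.compile(r"add-mppreference\s+-exclusion", re.I)),
    # assumption: the "Scheduled Task" persistence step uses schtasks /create
    "schtasks_create": ("schtasks.exe",   re.compile(r"/create\b", re.I)),
    # the REG-file Autorun step from the Stegocampaign post: a .reg import via regedit
    "reg_import":      ("regedit.exe",    re.compile(r"\.reg\b", re.I)),
}

# LOLBAS proxies that should not normally have a shell or script host beneath them;
# a hit with one of these anywhere in its ancestry is escalated to high severity.
LOLBAS_PROXIES = {"cmstp.exe", "mshta.exe"}


def match_indicators(ev: ProcEvent) -> List[str]:
    """Names of the indicators this single event satisfies."""
    return [name for name, (image, pat) in INDICATORS.items()
            if ev.image.lower() == image and pat.search(ev.cmdline)]


def lineage(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the oldest known ancestor down to ev (cycle-safe)."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def detect(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per event that matches an indicator, with its ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hits = match_indicators(ev)
        if not hits:
            continue
        line = lineage(ev, by_pid)
        proxied = any(img in LOLBAS_PROXIES for img in line[:-1])
        findings.append({"pid": ev.pid, "indicators": hits, "lineage": line,
                         "severity": "high" if proxied else "medium"})
    return findings


# Constructed sample: the CMSTPLUA chain as described in the post, plus two benign
# administrative events that must not be escalated.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "Installer.exe",  r'"C:\Users\u\Downloads\Installer.exe"'),
    ProcEvent(300, 200, "cmstp.exe",      r"cmstp.exe /s C:\Users\u\AppData\Local\Temp\setup.inf"),
    ProcEvent(400, 300, "mshta.exe",      'mshta vbscript:Execute("constructed-placeholder")'),
    ProcEvent(500, 400, "cmd.exe",        r'cmd.exe /c start "" C:\Users\u\AppData\Local\Temp\stage.exe'),
    ProcEvent(600, 500, "stage.exe",      "stage.exe"),
    ProcEvent(700, 600, "powershell.exe", r"powershell -NoP -W Hidden Add-MpPreference -ExclusionPath C:\Windows\System32\stage.exe"),
    ProcEvent(800, 600, "schtasks.exe",   r"schtasks /create /sc minute /mo 1 /tn Updater /tr C:\Windows\System32\stage.exe"),
    # benign: an admin importing a settings file from the desktop, and a read-only query
    ProcEvent(900, 100, "regedit.exe",    r"regedit.exe /s C:\IT\printer-settings.reg"),
    ProcEvent(950, 100, "powershell.exe", "powershell Get-MpPreference"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["indicators"], " -> ".join(f["lineage"]))
```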
Infoblox Threat Intel<p>We have detected a recent malware campaign originating from a Türkiye IP. The campaign involved SnakeKeyLogger and XWorm, sent via emails primarily from `mail.haselayakkabi[.]com[.]tr` (SMTP IP: 45[.]144[.]214[.]104). The subject line was "&lt;Recipient&gt; received a new documents" with attachments like "SCS AWB and Commercial Invoice.rar" and a PNG of the Dropbox logo. Be cautious and stay safe! <br>The combination of Xworm and SnakeKeyLogger represents a significant threat to privacy, and is capable of stealing passwords, recording keystrokes, and exfiltrating the data using SMTP and Telegram.</p><p>Malware Analysis: <a href="https://tria.ge/250205-bqhf9stndn" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">tria.ge/250205-bqhf9stndn</span><span class="invisible"></span></a><br>Stay vigilant, everyone! 💻🔒<br> <br><a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/snakekeylogger" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>snakekeylogger</span></a> <a href="https://infosec.exchange/tags/xworm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>xworm</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/mastodon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mastodon</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a 
href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a></p>
:rss: Hacker News<p>Hacker infects 18,000 "script kiddies" with fake malware builder<br><a href="https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script-kiddies-with-fake-malware-builder/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/hacker-infects-18-000-script-kiddies-with-fake-malware-builder/</span></a><br><a href="https://rss-mstdn.studiofreesia.com/tags/ycombinator" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ycombinator</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/computers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>computers</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>windows</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>linux</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/mac" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mac</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/support" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>support</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/tech_support" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tech_support</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/spyware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>spyware</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/virus" 
class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>virus</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybercrime</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/Hackers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Hackers</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/XWorm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XWorm</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/virus_removal" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>virus_removal</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/malware_removal" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware_removal</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/computer_help" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>computer_help</span></a> <a href="https://rss-mstdn.studiofreesia.com/tags/technical_support" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>technical_support</span></a></p>
Angerman 🦅<p>Hacker infects 18,000 "script kiddies" with fake <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> builder</p><p>TL;DR: “there is no honour among thieves” 🥹</p><p>A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers.</p><p>Security researchers at CloudSEK report that the malware infected 18,459 devices globally, most located in Russia, the United States, India, Ukraine, and Turkey.</p><p>"A trojanized version of the <a href="https://infosec.exchange/tags/XWorm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XWorm</span></a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> builder has been <a href="https://infosec.exchange/tags/weaponized" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>weaponized</span></a> and propagated," reads the CloudSEK report.</p><p>I do this, in a safe way, internally as well. Typical action ofc is a <a href="https://infosec.exchange/tags/rickroll" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>rickroll</span></a> 😆</p><p>Source: <a href="https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script-kiddies-with-fake-malware-builder/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/hacker-infects-18-000-script-kiddies-with-fake-malware-builder/</span></a></p><p> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
ESET Research<p><a href="https://infosec.exchange/tags/ESETResearch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ESETResearch</span></a>’s monitoring of <a href="https://infosec.exchange/tags/AceCryptor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AceCryptor</span></a> revealed a significant decrease in prevalence of the malware in H2 2024: we only observed around 3k unique samples as opposed to 13k in H1 2024. Overall hits went down by 68% compared to H1, and by 87% compared to H2 2023.</p><p>Similarly, the number of unique users targeted by AceCryptor campaigns decreased by 58% between H1 and H2 2024, and the decrease was even more pronounced when compared to H2 2023, amounting to 85%.</p><p>As for the malware families packed by the cryptor, we could yet again see the usual suspects such as <a href="https://infosec.exchange/tags/Rescoms" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Rescoms</span></a>, <a href="https://infosec.exchange/tags/Smokeloader" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Smokeloader</span></a>, and <a href="https://infosec.exchange/tags/Stealc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Stealc</span></a> among the most delivered threats.</p><p>While much smaller in scale than in previous periods, we still detected two notable campaigns of the malware. 
First, on July 11, 2024, 500 victims in Germany 🇩🇪 were sent emails with malicious attachments disguised as financial documents inside a password-protected archive.</p><p>Instead of the documents, the archive contained an AceCryptor executable packing the Raccoon Stealer successor <a href="https://infosec.exchange/tags/RecordBreaker" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RecordBreaker</span></a>, which then exfiltrated the victim information to a C&amp;C server with the IP address of 45[.]153[.]231[.]163.</p><p>Then, on September 23, 2024, more than 1,600 endpoints of small businesses in Czechia 🇨🇿 received emails whose attachments contained an AceCryptor binary packing the <a href="https://infosec.exchange/tags/XWorm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XWorm</span></a> RAT 🪱🐀. As a C&amp;C, XWorm RAT used easynation[.]duckdns[.]org.</p><p>The list of 🔍 Indicators of Compromise (IoCs) can be found in our GitHub repository: <a href="https://github.com/eset/malware-ioc/tree/master/ace_cryptor" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/eset/malware-ioc/tr</span><span class="invisible">ee/master/ace_cryptor</span></a></p>