'test_interview.zip': 39785213364b84c1442d133c778bf5472d76d8ef13b58b32b8dd8ac0201c82ca
Maybe ESET caught something interesting here...
🤔
Shadow Chaser Group Jazi Florian Roth Germán Fernández

2024-04-18 (Thursday): #SSLoad infection leads to #CobaltStrike DLL. In this case we saw no follow-up Cobalt Strike C2 traffic. List of indicators available at bit.ly/3Q9SORR

#TimelyThreatIntel #Unit42ThreatIntel #Wireshark #InfectionAnalysis

HelloKitty Ransomware released some decryption keys and rebranded into HelloGookie with a new blog. Gookie, who is the author of this ransomware, sends his regards to LockBit due to possible competition. He also regained access to his lost account on the Exploit forum.

Bypassing SmartScreen and SafeBrowsing for Microsoft Edge and Google Chrome -- nothing leet, but creating a 'DNS sinkhole' for the cloud URLS to avoid scanning web browser visited websites or new downloads. youtu.be/lNNJlu1KB2I

'Indeed Resume Export 4001901\.zip': c796ea83815c2ea21228a5e4964cbe2f8a297648fd6e37928c1c722600c15051
'Indeed Resume Export 4001901.pdf.lnk': fba6c3f93838656c9627006913ad14a6d9645998e72df06f3df2107e0ddd4980
🤔
Germán Fernández

Opendir: https://tceh[.]us/
Maybe Namecheap.com will nuke it...

#ISFB #LDR4 - url > .zip > .js > CobaltStrike

Interesting campaign this week purporting to be Hays Recruitment.

DocuSign lure that leads to a site that drops a zip file that contains a .js loader for #CobaltStrike

(1/3)👇IOC's continued

🤦‍♂️
😂

🔥 Tan solo han pasado 8 días desde mi alerta sobre #BlackHatSeo en distintos sitios web de la Fuerza Aérea del Perú Fuerza Aérea del Perú, y ahora el CSIRT GOB CL informa sobre la recepción de 🎣 #Phishing desde la dirección IP 38.43.155[.]5, la cual corresponde a fasmail.fap[.]mil[.]pe.

⬇️De 13 servicios analizados, al menos 12 están en estado DOWN.
#Ransomware #Chile

Submitted a few minutes ago on VT: MSI file from the first stage of #Ousaban signed with EV certificate.

Sample: bazaar.abuse.ch/sample/6a94447…
Payload: hxxp://94.103.83[.]221/tiru/

I've seen it before, but it's not that common.

Have you ever wondered what is going on with Vietnamese 🇻🇳 malware targeting Facebook accounts?
I did, so you can get a quick overview of these threat actors activities and how they are spending (and earning) millions of $$$

Read now! 👇👀 #dropshipping
g0njxa.medium.com/from-vietnam-t…

🚨🇨🇱 La empresa Plus Consulting (servicios de cobranza) está respondiendo a un nuevo ataque de #ransomware desde el pasado domingo 14 de abril.

'La naturaleza del incidente corresponde a un ransomware que afectó servidores Microsoft y VMware ESXi en la red de nuestra

Since it's out there now this is what I caught in wild CVE-2024-3400

GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br

191.96.225[.]117
🤔
Germán Fernández

09 active Chilean IP addresses serving the #Mirai botnet
hxxp://190.217.148.227:4886/i
hxxp://216.155.93.238:33194/i
hxxp://186.67.115.166:42924/i
hxxp://179.51.168.26:10428/i
hxxp://190.153.161.82:41582/i
hxxp://186.67.227.98:65300/i
hxxp://190.217.148.149:32075/i

▪ Another python stealer targeting Facebook Business accounts (Ads Manager) and hosted on Github.

https://github[.]com/sea2check/home

The lure is a job offer impersonating the L'Oréal brand, so we can already imagine how they distribute this threat.

/global-protect/portal/js/loremipsum.js?img[ZWNobyAnUmljayBBc3RsZXkgLSBOZXZlciBHb25uYSBHaXZlIFlvdSBVcCc=] 🤓

#Fofabot Query for #APT 41 / #Barium #APT Infra

Query: cert.subject.cn='as.website'

Link: en.fofa.info/result?qbase64…

Infra:
194.156.99[.]115
173.199.71[.]210
45.77.65[.]219
107.191.47[.]199
185.174.172[.]41
65.20.98[.]31
195.85.250[.]254

#Malware #ioc #CTI