(from yesterday) #Darkgate malspam spotted in #italy 🇮🇹

🤔 #TA577 is you?

🇷🇺Russian comments on html

eml>.html>.hta

h/t  Kelsey

bazaar.abuse.ch/sample/76b4b34…

#LockBit 3 is backup

ransomfeed.it/index.php?page…

via ransomfeednews

⚠️ In data odierna Cert AgID ha rilevato un sofisticato tentativo di frode che coinvolge una pagina falsa dell’ #AgenziaEntrate , ospitata su un dominio italiano precedentemente compromesso, finalizzato a infettare le vittime con un malware di tipo #keylogger .

Ransomware #LockBit : anomalie dopo lo smantellamento

🕵️ È probabile che l’obiettivo sia puramente distruttivo.

ℹ️ Ulteriori dettagli e #IoC 👇

🔗 cert-agid.gov.it/news/ransomwar…

🇮🇹 Diffusione di malware #Keylogger tramite falsa pagina di #AgenziaEntrate – #PuntoFisco

🔬 Malware VB6, dominio italiano come dropurl e C2 su Altervista lasciano presagire che gli autori della campagna siano probabilmente di nazionalità italiana 👇

🔗 cert-agid.gov.it/news/malware/d…

#phishing targeting Italians 🇮🇹

Cosmotown pls revoke the domain
/aruba-spa.id65200315104.com
geoblock restriction from Italy 🇮🇹
Aruba S.p.A.

ICANN MalwareHunterTeam JAMESWT Mich Anonymous🐾🐈‍⬛🍵☕ andsyn1 mRr3b00t BeeHive Malcore Douglas Mun

#Latrodectus - .pdf > url > .js > .msi > .dll

wscript.exe Document.js

msiexec.exe /V

MSIBE26.tmp rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq

rundll32.exe C:\Users\Admin\AppData\Roaming\Custom_update\Update.dll, homq

(1/3) 👇

IOC's
github.com/pr0xylife/Latr…

#netsupport #config and #LIC
TomU | I'm still here... til the end 🕊️🇨🇭
rewilivak13.]com:443
greekpool.]com:443
38.180.62[.49

Samples zipped
bazaar.abuse.ch/sample/34724a9…

I made an x64 version of Ghidra's PropagateExternalParameters. It adds comments for the parameters.
Is not perfect. I just made it work for my use cases. But as I haven't found a similar script, I thought it might still be useful.

github.com/struppigel/hed…

#Ransomware #SCATTEREDSPIDER TTPs

1/2🧵

🔥ADExplorer1➡️ view and export Active Directory (AD) data

🔥smbpasswd.py2 ➡️Impacket script to change passwords remotely over Server Message Block (SMB)

🔥Ngrok3 ➡️reverse proxy tool used to create a TCP tunnel to a remote RDP port

Top 10 last week's threats by uploads 🌐

⬆️ #Phishing 1285 (1192)
⬆️ #Agenttesla 226 (208)
⬆️ #Remcos 164 (127)
⬆️ #Asyncrat 116 (80)
⬆️ #Snake 83 (24)
⬆️ #Hijackloader 72 (51)
⬇️ #Xworm 61 (93)
⬆️ #Njrat 50 (49)
⬆️ #Redline 50 (39)
⬇️ #Dbatloader 45 (53)

Track them all at 🔽…

#Lumma Stealer implemented a bot protection system, 'pre-trained on screenshots of known virtual machines' 2 months ago.

They now claim to have detected 483k bots avoiding 68k 'garbage logs', reducing usage of HDDs and helping the world to become cleaner with less CO2 emissions

#APT44 #SHARPIVORY and #ARGUEPATCH samples are uploaded abuse.ch
bazaar.abuse.ch/sample/9ca85bb…
bazaar.abuse.ch/sample/1cdca97…
Mandiant Report: services.google.com/fh/files/misc/…
UA-CERT Rep: cert.gov.ua/article/6278706
Yara hit: M_Hunting_Dropper_SHARPIVORY_Strings_1 and M_APT_Launcher_ARGUEPATCH_3

Fuck Elon Musk.
🤷‍♂️

MalwareHunterTeam Who said what Igal Lytzki🇮🇱 JAMESWT ➕ 'Book_PDF_5435435435.zip': 801c4e8cac66458a94a57e023576bf8c2b92ecf2da6180497700a621830b8ffc

Next stages:
1.- https://amazoniasaude[.]com[.]br/tet/become.txt
2.- https://amazoniasaude[.]com[.]br/tet/amazonia.ttt

Same C2 as above and also mentioned here twitter.com/g0njxa/status/……

Anyone remembers when in 2018 we (JAMESWT VR ClearSky Cyber Security) found OfflRouter infected documents at/from different places, including the website of the National police of Ukraine? 6 years later (and in 2018 it was already a years old thing), it's 'in the news' now.
🤷‍♂️

Dominio aperto 265giorni
Sito fatto male
Prezzi troppo bassi
P Iva, dati società, privacy inesistente
Via Valdo 764 Appartamento 84
San Caligola veneto PG, Italia
31392

Pagamento carta di credito

Secondo me ordini e ti fregano al volo la carta di credito