ExecuteMalware (@executemalware)'s Twitter Profile
ExecuteMalware

@executemalware

#malware hunter & analyst.
Opinions are my own.

ID:743883460587167744

Joined: 17-06-2016 19:10:12

15,6K Tweets

25,9K Followers

191 Following

Jane (@Jane_0sint):

#DarkGate generated a stream of xor bytes for random keys and it does not look random🧐
🔄Falls into an endless repetition of one or a pair of bytes.
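The degeneration described in the post can be checked mechanically, and it matters beyond aesthetics: once a keystream repeats every one or two bytes, the XOR is a one- or two-byte repeating-key cipher. The following is an added example, not code from the post and not DarkGate's generator; the keystreams are constructed inline as stand-ins for generator output, and the scoring heuristic used to break the cipher is a constructed one.

```python
"""Spot a XOR keystream that collapses into a one- or two-byte cycle, and
show what that costs. Added example: the keystreams are constructed here
and stand in for generator output; this is not DarkGate's code."""
import hashlib

# Constructed keystreams (assumptions, not captured DarkGate output).
_PREFIX = bytes(range(0x10, 0x28))             # 24 distinct, non-zero bytes
STREAM_HEALTHY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
STREAM_ONE_BYTE = _PREFIX + b"\x00" * 64       # settles on a single byte
STREAM_TWO_BYTES = _PREFIX + b"\x9c\x3e" * 40  # settles on a pair of bytes


def tail_period(stream, max_period=16, min_repeats=8):
    """Return (start, period) when the stream ends in a cycle of length
    <= max_period repeated at least min_repeats times, else None.
    Periods are tried shortest first, so a 1-byte cycle is not reported as 2."""
    n = len(stream)
    for p in range(1, max_period + 1):
        if n < p * min_repeats:
            break
        i = n - p - 1
        while i >= 0 and stream[i] == stream[i + p]:  # walk back while still periodic
            i -= 1
        start = i + 1
        if n - start >= p * min_repeats:
            return start, p
    return None


# Scoring set for the break below (constructed heuristic: letters, digits, space).
PLAUSIBLE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")


def break_short_period_xor(ciphertext, period):
    """Once the keystream repeats every `period` bytes, XOR is a repeating-key
    cipher: every residue class is an independent single-byte XOR, so each key
    byte is recovered by trying 256 candidates and scoring the output."""
    key = bytearray()
    for r in range(period):
        column = ciphertext[r::period]
        key.append(max(range(256), key=lambda k: sum((b ^ k) in PLAUSIBLE for b in column)))
    return bytes(b ^ key[i % period] for i, b in enumerate(ciphertext))


def xor(data, keystream):
    return bytes(d ^ k for d, k in zip(data, keystream))


def demo():
    """Encrypt with the degenerate stream, find where it collapses from the
    generator output alone, then recover the tail without knowing the key."""
    header = b"xxxx header of 24 bytes."          # constructed; covers the non-repeating prefix
    tail = b"the quick brown fox jumps over the lazy dog 0123456789"
    ciphertext = xor(header + tail, STREAM_TWO_BYTES)
    start, period = tail_period(STREAM_TWO_BYTES)  # (24, 2): the analyst sees this in the generator
    return break_short_period_xor(ciphertext[start:], period)


if __name__ == "__main__":
    for name, s in (("healthy", STREAM_HEALTHY), ("one byte", STREAM_ONE_BYTE), ("two bytes", STREAM_TWO_BYTES)):
        print(f"{name:10s} tail_period={tail_period(s)}")
    print(demo())
```

The detector walks backwards from the end of the stream so it finds the point at which the generator fell into the cycle, not just that a cycle exists; the break then needs only the ciphertext, because a period-2 keystream reduces the problem to two independent 256-candidate searches.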
\_(ʘ_ʘ)_/ (@pollo290987):

May-Document-6_2024-7477.xlsx
/lincsnet.com/share/MS_EXCEL_DOCUMENT_HELPER.hta
f0388a6ee986bf4b5046c344f8b078ef

/updateleft.com/
yhsxjctz
ZIP:061cc045426e0e592faa1f155c29a0dc

rmtixfwn
PS1:b37f28fd9b296552224c51f74b89321d

script.a3x
e6dcf390f0861b103a8331222dbb29fd

\_(ʘ_ʘ)_/ (@pollo290987):

May-Document-6_2024-[0-9]{4}.xlsx
/77.75.230.59:445/share/MS_EXCEL_DOCUMENT_HELPER.hta
92a89e19dd89d7828181065ff34ae5b3

/findyourbackups.com/
hwkayiuj
xyrbdxwg

Autoit3.exe
c56b5f0201a3b3de53e561fe76912bfd
script.a3x
20b223466a0fd0e9ac7b2bbedfa30bda

Squiblydoo (@SquiblydooBlog):

Debloat is for deflating executables. (github.com/Squiblydoo/deb…)

But if you all see other file formats that attackers inflate, send them my way too!

The following is an image of an LNK with 200 MB of null bytes slapped on the end (the overlay).

(Image is from the tool #malcat)
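An added example of the deflation the post describes, not Debloat's own code: locate a trailing null overlay and strip it, scanning the tail of the file in chunks so a 200 MB sample is never read into memory whole. The bloated file is a constructed stand-in (an LNK-like header plus 2 MiB of padding, scaled down from the post's 200 MB), not a real sample. The `keep` parameter is there because an LNK legitimately ends in a 4-byte TerminalBlock that is normally all zeros, so a naive `rstrip(b"\x00")` would eat part of the real file.

```python
"""Find and strip a trailing null-byte overlay without reading the whole
file. Added example, not Debloat's own code; the bloated file is a
constructed stand-in (LNK-like header, 2 MiB of padding), not a real sample."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # scan and copy in 1 MiB pieces, so a 200 MB file is never held in memory


def null_overlay_start(path, keep=0):
    """Offset where the trailing run of 0x00 bytes begins, found by scanning the
    tail backwards chunk by chunk. `keep` retains that many trailing nulls that
    belong to the format (an LNK ends in a 4-byte, normally zero TerminalBlock)."""
    size = path.stat().st_size
    end = size
    with path.open("rb") as f:
        while end > 0:
            start = max(0, end - CHUNK)
            f.seek(start)
            chunk = f.read(end - start)
            stripped = chunk.rstrip(b"\x00")
            if stripped:                                   # a non-null byte lives in this chunk
                return min(size, start + len(stripped) + keep)
            end = start
    return min(size, keep)                                 # the file is nothing but nulls


def deflate(path, out, min_overlay=CHUNK, keep=0):
    """Copy `path` to `out` minus its null overlay; return the bytes removed.
    Runs shorter than min_overlay are left in place, so ordinary files that
    happen to end in a few zero bytes come back unchanged."""
    size = path.stat().st_size
    cut = null_overlay_start(path, keep)
    removed = size - cut
    if removed < min_overlay:
        cut, removed = size, 0
    with path.open("rb") as src, out.open("wb") as dst:
        remaining = cut
        while remaining > 0:
            buf = src.read(min(CHUNK, remaining))
            if not buf:
                break
            dst.write(buf)
            remaining -= len(buf)
    return removed


def sha256(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def demo():
    """Build the stand-in, deflate it, and report what changed."""
    tmp = Path(tempfile.mkdtemp())
    body = (b"L\x00\x00\x00\x01\x14\x02\x00"   # LNK-like magic (constructed, not a valid LNK)
            + bytes(range(1, 57))             # filler
            + b"\x00\x00\x00\x00")            # 4-byte zero TerminalBlock, must survive trimming
    bloated, trimmed = tmp / "bloated.lnk", tmp / "trimmed.lnk"
    bloated.write_bytes(body + b"\x00" * (2 * CHUNK))
    removed = deflate(bloated, trimmed, keep=4)
    plain, control = tmp / "plain.lnk", tmp / "control.lnk"   # unbloated control file
    plain.write_bytes(body)
    return {
        "removed": removed,
        "body_intact": trimmed.read_bytes() == body,
        "hash_changed": sha256(bloated) != sha256(trimmed),   # the padding also defeats hash matching
        "control_removed": deflate(plain, control, keep=4),
    }


if __name__ == "__main__":
    print(demo())
```

The hash comparison in `demo` is the point of the exercise: padding changes the file hash and can push the sample past size limits of sandboxes and scanners, and only the deflated file hashes to something worth sharing or matching.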
Jai Minton (@CyberRaiju):

Just released 🎉: What starts as an ISO file, ends in a RAT. Join me in diving into some ISO file forensics via the Windows Event Log, and how the configuration of a RAT that gets loaded into memory can be decrypted using CyberChef.

Enjoy!
youtu.be/8UfJMMD6HGU?fe…

RussianPanda 🐼 🇺🇦 (@RussianPanda9xx):

Another great showcase of using @urlscanio.
You can use Options to specify the HTTP referer and user agent. Let's apply this to the threat case that @DaveLikesMalwre found today. We were able to extract the main culprit (chatgpt-app.]cloud) from the injected script that is…
Who said what (@g0njxa):

The infamous #Rhadamanthys Stealer has been banned from XSS forum after failing to provide protection to CIS countries people.

Rhadamanthys was used against Russian military infrastructure (habr.com/en/companies/f…), also by some fellow traffers guys...

🫂🫡
Lawrence Abrams (@LawrenceAbrams):

vx-underground Turns out the LUA wasn't part of RedLine but a newish 'SmartLoader' malware loader.
research.openanalysis.net/github/lua/202…

Josh Stroschein | The Cyber Yeti (@jstrosch):

🚨 is an essential tool for and a variety of other cybersecurity activities. This playlist will introduce you to yara basics and help you get started creating rules!

youtube.com/playlist?list=…

ArieO (@Arie_10101):

The Dark Alliance between GuLoader and Remcos. A great talk by Alexey Bukhteyev. It was an honor for me to work on this research.
youtube.com/watch?v=MRrraT…

Andrew Northern 𓅓 (@ex_raritas):

Wanna join the team?

proofpoint.wd5.myworkdayjobs.com/en-US/Proofpoi…

Day to day:
Write intrusion detection rules for the Snort and Suricata platforms

Answer support questions about rule guidance and false positives

Work with the open source community to maintain and optimize the ETOpen ruleset…

BleepingComputer (@BleepinComputer):

New Latrodectus malware attacks use Microsoft, Cloudflare themes - Lawrence Abrams
bleepingcomputer.com/news/security/…
Cryptolaemus (@Cryptolaemus1):

distro
https://cm.]wouterpattyn.]be/prominent/abstract/?ID=x
https://michaelpage.]com.job-search.]top-mp.]top/pagegroup-michaelpage/mp/index.php?ID=x
http://80.66.88.]146/data/5fb6dd81093a0d6812c17b12f139ce35

Samples 👇

bazaar.abuse.ch/sample/c64cb9e…

bazaar.abuse.ch/sample/6a195e6…

Cryptolaemus (@Cryptolaemus1):

A New Opportunity Awaits - url > .js > .ps > .dll

Ongoing Michael Page themed recruitment campaign delivering a javascript loader resulting in the deployment of ScreenConnect for initial access.

(1/4) 👇
The Haag™ (@M_haggis):

Lua coming for your endpoints!

'Using Lua bytecode makes it harder for security software to detect the malware. Lua is a less common programming language, so many security tools might not be equipped to properly analyze it.'

any.run/cybersecurity-…

Cryptolaemus (@Cryptolaemus1):

#WikiLoader - #TA544 - .pdf > url > .zip > .js > .js > .dll

wscript.exe Invoice-808.js

wscript.exe sso.js

C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\notepad.exe (sideload)👇

\npp.8.6.3.portable.x64\plugins\mimeTools.dll

(1/3)👇

IOC's
github.com/pr0xylife/Wiki…
Cryptolaemus (@Cryptolaemus1):

#Latrodectus - .pdf > url > .js > .msi > .dll

wscript.exe Document.js

msiexec.exe /V

MSIBE26.tmp rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq

rundll32.exe C:\Users\Admin\AppData\Roaming\Custom_update\Update.dll, homq

(1/3) 👇

IOC's
github.com/pr0xylife/Latr…
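The two Cryptolaemus chains above (WikiLoader: wscript.exe spawning wscript.exe, then a portable notepad.exe executed from Temp and sideloading a plugin DLL; Latrodectus: wscript.exe to msiexec.exe, then rundll32.exe loading DLLs from AppData with the export `homq`) share observables that process-creation and image-load telemetry can catch without any file hash. The following is an added example, not code from the posts or from the pr0xylife IOC repository: four rules run over constructed Sysmon-style events. Parent/child links the posts do not state, the directory of mimeTools.dll, and the C:\Windows\Installer path for MSIBE26.tmp are assumptions marked in the code.

```python
"""Detection logic for the WikiLoader and Latrodectus chains, run over
constructed Sysmon-style events (EventID 1 process creation, EventID 7
image load). Added example: rules and events are written here, not taken
from the posts; parent/child links and full paths the posts do not give
are assumptions."""
import re

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_CHILDREN = SCRIPT_HOSTS | {"msiexec.exe", "rundll32.exe", "powershell.exe", "cmd.exe"}
# 'rundll32.exe <dll>, <export>' with optional quoting and an optional path on the host binary
RUNDLL = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_target(cmdline):
    """(dll_path, export) parsed from a rundll32 command line, or None."""
    m = RUNDLL.match(cmdline)
    return (m.group(1), m.group(2)) if m else None


def evaluate(events):
    """Return (rule, event_index) pairs for every event that trips a rule."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
            if parent in SCRIPT_HOSTS and image in SCRIPT_CHILDREN:
                findings.append(("script_host_spawns_loader", i))        # .js > .js, .js > .msi
            if image == "rundll32.exe":
                target = rundll32_target(ev["CommandLine"])
                if target and USER_WRITABLE.search(target[0]):
                    findings.append(("rundll32_dll_in_user_writable_path", i))
            if TEMP_DIR.search(ev["Image"]):
                findings.append(("execution_from_temp", i))              # notepad.exe staged in Temp
        elif ev["EventID"] == 7:
            if USER_WRITABLE.search(ev["Image"]) and USER_WRITABLE.search(ev["ImageLoaded"]):
                findings.append(("dll_sideload_candidate", i))           # DLL loaded beside a host in AppData
    return findings


def ev1(parent, image, cmdline):
    return {"EventID": 1, "ParentImage": parent, "Image": image, "CommandLine": cmdline}


SYS = r"C:\Windows\System32"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [  # constructed events; command lines follow the posts, paths marked 'assumed' do not
    # WikiLoader: .js > .js > notepad.exe (portable Notepad++) sideloading mimeTools.dll
    ev1(r"C:\Windows\explorer.exe", SYS + r"\wscript.exe", "wscript.exe Invoice-808.js"),
    ev1(SYS + r"\wscript.exe", SYS + r"\wscript.exe", "wscript.exe sso.js"),
    ev1(SYS + r"\wscript.exe", TEMP + r"\npp.8.6.4.portable.x64\notepad.exe",
        TEMP + r"\npp.8.6.4.portable.x64\notepad.exe"),
    {"EventID": 7, "Image": TEMP + r"\npp.8.6.4.portable.x64\notepad.exe",
     "ImageLoaded": TEMP + r"\npp.8.6.3.portable.x64\plugins\mimeTools.dll"},   # directory assumed
    # Latrodectus: .js > .msi > rundll32 with DLLs under AppData, export 'homq'
    ev1(r"C:\Windows\explorer.exe", SYS + r"\wscript.exe", "wscript.exe Document.js"),
    ev1(SYS + r"\wscript.exe", SYS + r"\msiexec.exe", "msiexec.exe /V"),
    ev1(SYS + r"\msiexec.exe", r"C:\Windows\Installer\MSIBE26.tmp", "MSIBE26.tmp"),  # path assumed
    ev1(r"C:\Windows\Installer\MSIBE26.tmp", SYS + r"\rundll32.exe",
        r"rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq"),
    ev1("", SYS + r"\rundll32.exe",                                                  # parent not given
        r"rundll32.exe C:\Users\Admin\AppData\Roaming\Custom_update\Update.dll, homq"),
    # Benign controls that must not fire
    ev1(r"C:\Windows\explorer.exe", SYS + r"\notepad.exe", "notepad.exe"),
    ev1(SYS + r"\svchost.exe", SYS + r"\rundll32.exe",
        r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for rule, idx in evaluate(EVENTS):
        print(f"{rule:36s} event[{idx}]")
```

`execution_from_temp` and `dll_sideload_candidate` will fire on legitimate per-user installs (a genuine portable Notepad++ looks exactly like the WikiLoader host until you check the signer of the plugin DLL), so in production they need an allowlist keyed on signer or hash; the script-host chain and the rundll32 rule are the low-noise ones here, and the `homq` export and the two DLL paths from the posts are the strings to pivot on once either fires.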
James (@James_inthe_box):

If you've been monitoring that 'Your Document' with document\.zip from Jenny @ gsd . com, it's now dropping hosted at:

http:// 193.233 .132 .177/lbb.exe

app.any.run/tasks/206f3ae9…
