Deutsche Telekom CERT

238 posts


@DTCERT

Technical tweets for technical folks by Deutsche Telekom CERT, CTI, and DFIR. #dfir #cyber #cert #cti #TelekomSecurity

Germany · Joined April 2014
44 Following · 5.2K Followers
Deutsche Telekom CERT @DTCERT ·
🔍 How can customers identify fake invoices? In contrast to a valid email (see screenshot below), the personal data of the customer is missing. Usually, your name and address would be included! There is also a guide that explains this in detail ➡️ telekom.de/hilfe/internet… 🧵6/6
[attached image]
Deutsche Telekom CERT @DTCERT ·
The malicious shellcodes contain multiple RATs, in this case AsyncRAT/VenomRAT, XenoRAT and XWorm. All RATs refer to the same C2 server IP 178[.]16[.]53[.]106 and DNS name krusty-krab[.]duckdns[.]org 🧵5/6
Deutsche Telekom CERT @DTCERT ·
🚨 ALERT: Cybercriminals are sending out fake Telekom invoices via phishing emails to deliver multiple malicious RAT payloads. The activity originates from an attack cluster tracked by Telekom Security under the name "Rodent Weed". 🧵1/6
[attached image]
Deutsche Telekom CERT @DTCERT ·
Victims receive this #scam via email and also offline, by letter. The emails also contain a PDF attachment with the invoice and QR code. (3/3)
[attached image]
Deutsche Telekom CERT @DTCERT ·
We detected three different campaigns from the same threat actor targeting German companies in the name of the Federal Central Tax Office and insurance companies over the last month. (2/3)
[three attached images]
Deutsche Telekom CERT @DTCERT ·
Fraudsters have now started using EPC QR codes in fake invoices that can be opened by many banking apps. These codes already contain all the necessary transfer information for the app to start a simple transfer action for the victim. (1/3)
[attached image]
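The EPC QR format mentioned in the post above (EPC069-12, the "GiroCode" layout that SEPA banking apps understand) is plain text: one field per line, in fixed order, with the service tag, version, charset, "SCT", BIC, beneficiary name, IBAN, amount, purpose, structured reference, unstructured remittance and an optional information field. The Python below is an added example and not code from Deutsche Telekom CERT: it parses such a payload, enforces the format rules a banking app relies on, runs the ISO 13616 mod-97 IBAN check, and compares the IBAN with an allowlist of the accounts the named biller really uses. The two payloads, the invoice reference and the allowlist are constructed for this example; the IBANs are the standard public test values from the ISO 13616 documentation, not any real account of the named company.

```python
import re

# Field order of an EPC QR payload (EPC069-12). Fields are separated by
# line feeds; trailing optional fields may be omitted, 12 fields at most.
EPC_FIELDS = (
    "service_tag", "version", "charset", "identification", "bic",
    "beneficiary_name", "iban", "amount", "purpose",
    "structured_reference", "remittance", "information",
)
_AMOUNT = re.compile(r"EUR(\d{1,9})(?:\.(\d{1,2}))?")
_IBAN = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}")


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97.
    This catches typos and mangled codes; it says nothing about fraud."""
    if not _IBAN.fullmatch(iban):
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


def parse_epc(payload: str) -> dict:
    """Split an EPC QR payload into named fields and enforce the rules a
    banking app checks before it pre-fills the transfer form."""
    lines = payload.replace("\r\n", "\n").split("\n")
    if not 7 <= len(lines) <= len(EPC_FIELDS):
        raise ValueError(f"expected 7..12 fields, got {len(lines)}")
    lines += [""] * (len(EPC_FIELDS) - len(lines))
    f = dict(zip(EPC_FIELDS, lines))
    if f["service_tag"] != "BCD" or f["identification"] != "SCT":
        raise ValueError("not an EPC SEPA credit transfer code")
    if f["version"] not in ("001", "002"):
        raise ValueError(f"unknown EPC version {f['version']!r}")
    if len(f["charset"]) != 1 or f["charset"] not in "12345678":
        raise ValueError(f"bad charset indicator {f['charset']!r}")
    if f["version"] == "001" and not f["bic"]:
        raise ValueError("version 001 requires a BIC")
    if f["structured_reference"] and f["remittance"]:
        raise ValueError("structured and unstructured remittance are exclusive")
    f["iban"] = f["iban"].replace(" ", "").upper()
    if not iban_is_valid(f["iban"]):
        raise ValueError("IBAN fails the mod-97 check")
    f["amount_cents"] = None
    if f["amount"]:
        m = _AMOUNT.fullmatch(f["amount"])
        if not m:
            raise ValueError(f"malformed amount {f['amount']!r}")
        whole, frac = m.group(1), (m.group(2) or "").ljust(2, "0")
        f["amount_cents"] = int(whole) * 100 + int(frac)
    return f


def triage_invoice_qr(payload: str, known_biller_ibans: set) -> dict:
    """Summarise what a scan would pre-fill and whether the money would
    actually reach the biller whose name is printed on the invoice."""
    f = parse_epc(payload)
    return {
        "beneficiary_name": f["beneficiary_name"],
        "iban": f["iban"],
        "amount_cents": f["amount_cents"],
        "reference": f["structured_reference"] or f["remittance"],
        "iban_belongs_to_biller": f["iban"] in known_biller_ibans,
    }


# Constructed sample data. The IBANs are the public ISO 13616 test values,
# not a real account of the named company; the reference is made up.
KNOWN_BILLER_IBANS = {"DE89370400440532013000"}

FAKE_INVOICE_QR = "\n".join([
    "BCD", "002", "1", "SCT",
    "",                          # BIC is optional in version 002
    "Telekom Deutschland GmbH",  # name shown by the app: free text, chosen by the sender
    "GB82WEST12345698765432",    # account that actually receives the money
    "EUR89.90",
    "",
    "",
    "Rechnung 2025-0001",
])

GENUINE_QR = "\n".join([
    "BCD", "002", "1", "SCT", "", "Telekom Deutschland GmbH",
    "DE89370400440532013000", "EUR89.90", "", "", "Rechnung 2025-0001",
])

if __name__ == "__main__":
    for label, qr in (("fake", FAKE_INVOICE_QR), ("genuine", GENUINE_QR)):
        print(label, triage_invoice_qr(qr, KNOWN_BILLER_IBANS))
```

Note what the checks can and cannot do: the mod-97 test rejects damaged or mistyped codes, but a fraudster's IBAN is a perfectly valid account, and the beneficiary name in the code is whatever the sender typed. The only control that catches the scam is comparing the IBAN with the accounts the biller is known to use, which is exactly the check a customer has to make by hand before confirming the pre-filled transfer.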
Deutsche Telekom CERT @DTCERT ·
These C2 domains resolve to the IPs 49.13.65[.]7, 49.13.216[.]178, 91.107.236[.]217, 94.130.58[.]118, 159.69.151[.]131, 162.55.172[.]46, 167.235.238[.]185, which are all hosted in AS 24940 (Hetzner). 🧵9/x
Deutsche Telekom CERT @DTCERT ·
When this final payload was executed, it connected to a C2 server at myocubookstore[.]com. We believe that wth[.]so, mrhardinero[.]com, borderlessandbeyond[.]com, brideofrove[.]com, aempodcast[.]com are also part of the same infrastructure and campaign. 🧵8/x
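The indicators in the two vishing posts above, and the RAT C2 pair further up this feed (178[.]16[.]53[.]106 and krusty-krab[.]duckdns[.]org), are published defanged. The Python below is an added example, not DTCERT's own tooling: it refangs indicators found in free text, separates IP addresses from domain names, and scans DNS resolver log lines for queries that hit an IOC domain (or a subdomain of one) or receive an IOC IP as the answer. The indicator text is quoted from the posts; the log lines, the client addresses and the non-indicator answers (203.0.113.0/24 is the documentation range) are constructed.

```python
import ipaddress
import re
from typing import Optional

# Indicator text quoted from the DTCERT posts on this page, defanged as posted.
TWEET_TEXT = """
All RATs refer to the same C2 server IP 178[.]16[.]53[.]106 and DNS name
krusty-krab[.]duckdns[.]org
When this final payload was executed, it connected to a C2 server at
myocubookstore[.]com. We believe that wth[.]so, mrhardinero[.]com,
borderlessandbeyond[.]com, brideofrove[.]com, aempodcast[.]com are also part
of the same infrastructure and campaign.
These C2 domains resolve to the IPs 49.13.65[.]7, 49.13.216[.]178,
91.107.236[.]217, 94.130.58[.]118, 159.69.151[.]131, 162.55.172[.]46,
167.235.238[.]185, which are all hosted in AS 24940 (Hetzner).
"""

_DEFANG = (
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
    (re.compile(r"^hxxp", re.I), "http"),
)
_PUNCT = ".,;:()\"'"
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(token: str) -> str:
    """Undo the usual defanging conventions and strip surrounding punctuation."""
    s = token.strip().strip(_PUNCT)
    for pattern, repl in _DEFANG:
        s = pattern.sub(repl, s)
    return s.strip(_PUNCT).lower()


def extract_iocs(text: str) -> dict:
    """Pull IP addresses and domain names out of free text, defanged or not."""
    ips, domains = set(), set()
    for token in re.split(r"\s+", text):
        cand = refang(token)
        if not cand:
            continue
        try:
            ips.add(str(ipaddress.ip_address(cand)))  # str input: needs full dotted quad
            continue
        except ValueError:
            pass
        if _DOMAIN.match(cand):
            domains.add(cand)
    return {"ips": ips, "domains": domains}


def domain_matches(qname: str, ioc_domains: set) -> Optional[str]:
    """Exact match or a subdomain of an IOC (cdn.evil.com matches evil.com),
    never the other way round: krusty-krab.duckdns.org as an IOC must not
    turn the whole dynamic-DNS provider duckdns.org into an indicator."""
    parts = qname.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        cand = ".".join(parts[i:])
        if cand in ioc_domains:
            return cand
    return None


def scan_dns_log(log: str, iocs: dict) -> list:
    """Each constructed line: <timestamp> <client> <qname> <qtype> <answer>."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rdata = line.split()
        reasons = []
        d = domain_matches(qname, iocs["domains"])
        if d:
            reasons.append(f"query for IOC domain {d}")
        if rdata in iocs["ips"]:
            reasons.append(f"answer is IOC IP {rdata}")
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": qname, "reasons": reasons})
    return hits


# Constructed resolver log; only the IOC-related names and answers are real.
DNS_LOG = """\
2025-01-10T08:15:02Z 10.20.30.41 krusty-krab.duckdns.org A 178.16.53.106
2025-01-10T08:15:09Z 10.20.30.41 www.duckdns.org A 203.0.113.9
2025-01-10T08:16:44Z 10.20.30.77 cdn.myocubookstore.com A 49.13.65.7
2025-01-10T08:17:01Z 10.20.30.12 example.org A 203.0.113.10
2025-01-10T08:18:20Z 10.20.30.12 updates.example.net A 167.235.238.185
"""

if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG, extract_iocs(TWEET_TEXT)):
        print(hit)
```

The last log line is there on purpose: the C2 IPs sit in a large hosting provider's range (AS 24940), so an answer that equals an IOC IP for an otherwise unrelated name is a lead to check, not proof of compromise on its own, whereas a query for one of the listed C2 names is strong. Matching on qname and on the answer separately, and recording which one fired, keeps that distinction visible to the analyst.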
Deutsche Telekom CERT @DTCERT ·
🚨 Telekom Security detected a major #vishing campaign against multiple targets in #Germany, likely related to a ransomware group. We are still analyzing, but here is what we know so far 🧵1/x
[attached image]
Deutsche Telekom CERT @DTCERT ·
Our colleague @t_eismar has developed a VSCode extension to help with RegRipper output. 🔍 Features: syntax highlighting for RegRipper output files, outline navigation with collapsible sections, unique coloring for timestamps and improved readability. github.com/teismar/regrip…