@MatrixGlitch1 @dcuthbert Most browsers use DNS over HTTPS by default these days. And it's difficult to obtain a valid alternative cert for a website / domain you don't control.
English
Scarlet Shark Security
347 posts
Scarlet Shark Security
@ScarletSharkSec
Digital Security Intelligence
Washington D.C. Katılım Ocak 2020
1.8K Takip Edilen642 Takipçiler
@dcuthbert In 2016 only 40% of sites were HTTPS compared to about 85% today.
That as well as HSTS & certificate pinning has changed the landscape a bit.
Only need one site or app to use plain HTTP to silently inject your own stuff.
Redirecting via DNS + different SSL certificate works
English
I too am over the "dont use public wifi" brigade. Often the advice is from tests done over a decade so, so it's good to see someone actually testing what modern devices behave like when interception is happening.
mRr3b00t@UK_Daniel_Card
Can anyone tell me why the public WiFi with an attacker in it is unsafe? I can read all the targets traffic metadata but I can’t read their traffic. Anybody? The ASD say it’s not safe but I’m not really sure why….. If you can show me an attack that will do something let me know I’ll run it here now!
English
@executemalware This might be DynamicRAT, your possible C2 is listed in the IoCs here: gi7w0rm.medium.com/dynamicrat-a-f…
English
I also looked at another tax-themed email that led to a still unidentified #java #stealer #malware.
Here are the IOCs:
github.com/executemalware…
English
@jstrosch @ViriBack Seems to be this project: github.com/UnamSanctam/Un… which is a front end for SilentCryptoMiner.
English
Español
@Fire__Squirrel Now you just need to map traceroute hopes to each data center.
English
DHL delivery failure themed #phishing
hXXps://accomplish-delivery.change-server.info
Threat actors are using email addresses from a NameCheep data breach after August 2022.
English
@samson2655 @InQuest @James_inthe_box @Ledtech3 This was previously reported as Kimsuky here:
twitter.com/HaoZhixiang/st…
zhixiang hao@HaoZhixiang
Kimsuky APT group targets cryptocurrency industry mal vba->write file->wscript execution->http request ioc MD5 7cf2a5dfb0c0777e0670aea29cb3a97b IOC: http://asenal+medianewsonline+com/good/luck/flavor/list.php?query=1 @cz_binance @HuobiGlobal @ShadowChasing1 @c3rb3ru5d3d53c
English
Anyone seeing #Socgholish using localsys-shield[.]com today?
English
@GossiTheDog @MalwareTechBlog Also there are a few privacy services that will create disposable credit card numbers and will accept whatever name is given for the purchase.
English
@StopMalvertisin @ShadowChasing1 @h2jazi @malwrhuntertean @1ZRR4H @JAMESWT_MHT @luigi_martire94 onlinecloud[.]cloud is hosted on 155.138.159[.]45
Other malicious domains hosted there:
msteam[.]biz
docuprivacy[.]com
privacysign[.]org
digiboxes[.]us
1drvmicrosoft[.]com
English
#DangerousPassword (#Lazarus) #APT
New Profit Distributions.zip
7a9c191fe28be75afa4e0bb654b1cf22
Password.txt.lnk
893bc3ea857672dc972832f38847ab3c
http://www.onlinecloud[.]cloud:443/Pdx6AiWhoRniAEQb02NAPdv+XZIcCqH63cEyxFjHq10=
@ShadowChasing1 @h2jazi
English
@haneeni61853819 FYI the linked site might be compromised; link redirected to hXXps://z8d4v6s8.stackpathcdn.com/merrx01/
English
English
@WhichbufferArda @campuscodi Thanks for posting this. Is there any chance you can share the report in a format that can be more easily computer translated?
English
@campuscodi We made an analysis of same cyber attack 2 weeks ago, and published it on our official website in 17 Aug, report is written in Turkish but if anyone interested in I dropped link below infinitumit.com.tr/devlet-kurumla…
English
Quick correction there was a LNK in the ISO disk image as well.
English
#ICEDID sample
tria.ge/220809-t2v6lsc…
ZIP -> ISO -> [BAT, JS, DLL]
C2: abegelkunic[.]com
Deutsch
@keydet89 @pr0xylife @executemalware @ffforward @Cryptolaemus1 @ankit_anubhav @Max_Mal_ @JAMESWT_MHT @1ZRR4H @fr0s7_ @malwarelabnet @Myrtus0x0 Sorry for the confusion, I thought you were asking how we use the LNK parser.
The target isn't metadata, but it's still part of the parsed LNK that I posted. We don't analyze malware on Windows, so the main use is parsing out the target. Metadata is used to ID threat actors.
English
#IcedID - .zip > .iso > .lnk > .dll
cmd.exe /c start rundll32.exe b4ramo.dll,#1
bazaar.abuse.ch/sample/e3507aa…
bazaar.abuse.ch/sample/77c3de1…
c2
http://explorblins.]com/
IOC's
github.com/pr0xylife/Iced…
English