imp0rtp3

Really excited to finally publish my malware research of SoWaT - APT31's router implant. imp0rtp3.wordpress.com/2021/11/25/sow…

We just published a new blog regarding a novel low-detected #LockBit campain fortinet.com/blog/threat-re…

@WhichbufferArda Nice Find, 5.199.162[.]72 170.64.180[.]66 Related to same infrastructure

a8d1b963b5de74e24733fd6766dd9082e091a19143525675208b7222111f03da

#APT #Gamaredon Malicous HTA files contains Base-64 Encoded VBscript 6bd8ff39e46e501c7d3ece116861121207741abb92f5e12a527cdf8b7c2c4cb8 9e1d16b50209d83aaa92ad8391982d99a9cee280e51cfe2c5b9c080599697837 C2: t[.]me/s/oearps 137[.]184[.]2[.]98/jug/71[.]aif?=Function

Great Blog by the colleagues @Mandiant mandiant.com/resources/blog…

TA was less careful with the windows samples - left us some clues: - GBK (Chinese) encoding of the computer info (later changed to utf-8) - UTC+8 compile time string inside sample (exactly 8 hours ahead of PE compile time)

New IPs related to the TA exploiting #CVE_2022_42475: 139.99.35[.116 139.99.37[.119 194.62.42[.105 45.86.231[.71 45.86.229[.220 185.250.149[.32 137.175.30[.138 146.70.157[.133 155.138.220[.254 #JA3: bf2b95ac267823f6588b2436bc537b26

Advisory of #CVE_2022_42475 (FortiOS SSL-VPN RCE) updated with additional IPs of the threat actor exploiting it: 139.180.184[.]197 66.42.91[.]32 158.247.221[.]101 107.148.27[.]117 139.180.128[.]142 155.138.224[.]122 185.174.136[.]20 fortiguard.com/psirt/FG-IR-22…

Undetected PyInstaller stealers on Virustotal Search for behaviour:"mdvksublbpczqluqvvbytfprxdwakuke"

So yesterday was open #threatintel season on the Russia-based Callisto/SEABORGIUM crew, with a triple whammy of blogs from us and a couple of industry friends: PwC: pwc.com/gx/en/issues/c… Recorded Future: recordedfuture.com/exposing-tag-5… Sekoia: blog.sekoia.io/calisto-show-i…

@malwrhunterteam @Arkbird_SOLG @JAMESWT_MHT

IoCs: sha256 - edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1 hxxp://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid[.]onion hxxp://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid[.]onion/chat/c7c5b8b0703950c40e6614bf957f94c1

New rebranded #Conti #Ransomeware Linux & ESXi locker surfaced on VT as #Monti. Almost identical to previous versions of Conti. Added cmdline argumens --detach --size, --file (latter unused). We wrote about previous campaign on September (YARA included): fortiguard.com/threat-signal-…

I share yara rules and the samples of the new variant of #blackbasta ransomware. Samples: bazaar.abuse.ch/browse/tag/Bla… Yara : github.com/StrangerealInt…

#ESETresearch discovered an active #Android campaign conducted by the hack-for-hire group #Bahamut. The campaign has been active since January 2022, with malicious apps are distributed through a fake #SecureVPN website @LukasStefanko welivesecurity.com/2022/11/23/bah… 1/6

#ESETResearch discovered that #LuckyMouse/#APT27 used a code-signing certificate belonging to VMPsoft, the developer of the VMProtect packer. The signed file is a loader for the SysUpdate backdoor (aka Soldier). We notified VMPSoft of this compromise 1/4 virustotal.com/gui/file/a8527…

NEW: Cybersecurity startup Corellium gave trials to NSO Group and DarkMatter. It also sold to cellphone cracking firms Cellebrite and Elcomsoft in Russia, as well as Pwnzen, a hacking firm with ties to China's government, according to a leaked document. wired.com/story/corelliu…

Like everyone, I'm also available on Mastodon. This is my handle: @imp0rtp3@infosec.exchange @imp0rtp3" target="_blank" rel="nofollow noopener">infosec.exchange/@imp0rtp3