☩MalwareMustDie
@malwaremustdie

Official account of MalwareMustDie, NPO & public account @unixfreaxjp Info: https://t.co/131r5UW4bF Blog: https://t.co/lUnpKnXOqV

☩Psalm 115:1 Joined September 2018
144 Following 5.9K Followers
711 posts

Pinned Tweet
☩MalwareMustDie @malwaremustdie
Okay.. this #malware actor's efforts continue. New #email malvertisement w/domain robinrodriguez[.]info via spambot at 161[.]248.238.122 at same AS150895/EZ TECHNOLOGY in #Vietnam, w/same payload "Protected .py" saved in #sendspace camouflaged in a zipped python windows pkg. The evil docx is now using a new obfuscated JS loader to exec an encoded powershell downloader, triggered by the same cve #EQUEDIT exploit. It aims at signature evasion, with the same infection #backdoor motivation. See attached pictures for better understanding. Block that sendspace url & final #stager hashes. docx: virustotal.com/gui/file/fc046… js: virustotal.com/gui/file/4062e… #MalwareMustDie!
[attached images]
Quoted post from @malwaremustdie ("Okay, listen up. THIS (see prev thread) #malware campaign is on-going…"); the full post appears further down this page.

☩MalwareMustDie @malwaremustdie
well, I guess they just won't stop anyway..
☩MalwareMustDie @malwaremustdie
Told them to stop sending that trash, guess they can't take a hint, didn't they?
☩MalwareMustDie @malwaremustdie
Okay, listen up. THIS (see prev thread) #malware campaign is on-going, even now. Adversaries are in control of these .INFO domains: crystalogletree[.]info, coraliereinger[.]info and kevinsaad[.]info, from which they are spreading an infection campaign relayed from various IP MTAs located in this subnet 160[.]250.128.0/23 at AS150895/EZ TECHNOLOGY CO LTD. I attached the email they used for the infection. Infection chain: docx -> rtf -> xml obj #cve-2017-118822 loads shellcode to decrypt & load another shellcode to execute a malicious script in the rtf (there are license.vbs/.js/Client.vbs) that downloads python312x86()zip containing the evil Protected(py) to be persistently installed & executed, or executes a DLL binary "license(.)ini" to be injected into a process. That evil python is lastly served at sendspace(.)com/pro/dl/5qcr3i. So all of the scripts used & the binary will be heavily obfuscated. They tried hard to evade all checks, aiming at unpatched #EQEDIT on older #msoffice apps. The above #IOC and #CTI info should be their #TTP, so use the information above to #block ur network in any way you can. Just saying, at a glimpse, it seems like an adaptation of the previously known #hancitor docx campaign added w/ AI steroid. No, this isn't emotet, and no this is not Heodo/Geodo but could be a copycat. #MalwareMustDie!!
[attached images]
Quoted post from @malwaremustdie ("Well, the adventure continues.. w/same bad actors…"); the full post appears further down this page.

Mishi_vibes 🇺🇲 @Mishi_2210
Your brain might say 300, but it isn't. So what is it?
[attached image]
☩MalwareMustDie @malwaremustdie
Thank you @freebsd & @cperciva for the great news. I've been waiting for this. Will test it on my Vortex86DX3 & Raspberry PiZero2W box before production. Memo: time for #pkbase switching, fixes: userland package (libc stuff), old OpenZFS bug, more info at #freebsd announce: freebsd.org/releases/14.4R… & notes: freebsd.org/releases/14.4R… Update/upgrade, read this 1st: docs.freebsd.org/en/books/handb…

Quoted post from Colin Percival @cperciva:
FreeBSD 14.4-RELEASE is now available: lists.freebsd.org/archives/freeb…

☩MalwareMustDie @malwaremustdie
@cyber_razz B) hashing for sure b/c it is the only one-way cryptographic function in the options. The other ones need a key (can be a liability if the db has it), or a vault, or are insecure (encoding IS reversible). I can say much of these as an RE veteran.
Abdulkadir | Cybersecurity @cyber_razz
SECURITY+ KNOWLEDGE CHECKPOINT: An organization wants to ensure that even if a database is compromised, the stored passwords cannot be easily reversed back to their original form. Which of the following is the BEST solution? A. Encryption B. Hashing C. Encoding D. Tokenization
Cyber_Racheal @CyberRacheal
A technician is troubleshooting a "Limited Connectivity" error. The computer has an IP address of 169.254.10.55. Which service is likely unavailable? A) DNS B) NAT C) DHCP D) ARP
☩MalwareMustDie @malwaremustdie
So, how did the license.ini stager DLL get executed? See the docx exploit XML's (Equation.3 / 3072 bytes). It has an embedded encrypted #shellcode loader; it execs license.ini into memory after the EQU bug is exploited by buffer overflow. See pic for more. This is that loader: virustotal.com/gui/file/c37b6… Stay safe! Check ur updates/patch #malwaremustdie
[attached image]
☩MalwareMustDie @malwaremustdie
Well, the adventure continues.. w/same bad actors (pivoted attackers' spambot: 160[.]250.128.165/VN) who are very eager to do more #malware CTF with me. But.. the endgame is now different...an AI generated hash-obfuscated DLL loader.. See the pics for details & links (it has my hint to crack the hash); below is the chain of infections: docx: virustotal.com/gui/file/467f6… rtf: virustotal.com/gui/file/4289c… DLL loader: virustotal.com/gui/file/1a119… #MalwareMustDie!
[attached images]
Quoted post from @malwaremustdie ("(smile) Someone at 160[.]250.128.122 spammed me w/docx email attachment…"); the full post appears further down this page.

☩MalwareMustDie @malwaremustdie
(smile) Someone at 160[.]250.128.122 spammed me w/ a docx email attachment..(downloader), it downloaded Protected.py (a persistent installer), then runs classic shed api shellcode with a reverse shell injected into SndVol..(snipped part sc).. too bad..no reg+SndVol in #BSD
[attached image]
☩MalwareMustDie @malwaremustdie
Updates on the banking spear #phishing #spambot infra subnets; if you don't have any business with them, to #block is good. It's your choice. 101[.]47.152.0/21 101[.]47.72.0/21 150[.]5.128.0/21 158[.]51.96.0/23 23[.]160.193.0/24
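The subnets and domains in the posts above are written defanged ("[.]" / "(.)"), so they cannot be fed to a blocklist or a mail-log check as-is. The following is an added example, not code from MalwareMustDie, that refangs those indicators, loads the posted subnets as CIDR networks, and flags `Received:` header lines whose relay IP falls inside one; the `Received:` lines are constructed samples, and the `SAMPLE_RECEIVED`/`flag_received` names are my own.

```python
import ipaddress
import re

# Spambot subnets exactly as posted above (defanged with "[.]").
DEFANGED_SUBNETS = [
    "160[.]250.128.0/23",
    "101[.]47.152.0/21", "101[.]47.72.0/21", "150[.]5.128.0/21",
    "158[.]51.96.0/23", "23[.]160.193.0/24",
]
# Sender domains named in the posts above.
DEFANGED_DOMAINS = ["robinrodriguez[.]info", "crystalogletree[.]info",
                    "coraliereinger[.]info", "kevinsaad[.]info"]


def refang(ioc: str) -> str:
    """Undo common defanging: '[.]', '(.)', '{.}' -> '.', and 'hxxp' -> 'http'."""
    ioc = ioc.strip().lower()
    ioc = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc)
    return re.sub(r"^hxxp", "http", ioc)


def load_networks(defanged):
    """Parse refanged CIDR strings; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(refang(s), strict=False) for s in defanged]


def matching_network(ip: str, networks):
    """Return the CIDR (as a string) that contains ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(refang(ip))
    for net in networks:
        if addr in net:
            return str(net)
    return None


# Constructed sample Received: headers (not from the posts); only the first relay
# sits inside a posted subnet. 161.248.238.122 is in the same AS per the posts but
# outside the listed CIDRs, so a CIDR-only check deliberately does not flag it.
SAMPLE_RECEIVED = [
    "Received: from mail.example.test (unknown [160.250.128.165]) by mx.local",
    "Received: from relay.example.test (unknown [161.248.238.122]) by mx.local",
    "Received: from smtp.example.test (unknown [203.0.113.5]) by mx.local",
]
RECV_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def flag_received(lines, networks):
    """Return (relay_ip, matching_cidr) for each header line relayed from a listed subnet."""
    hits = []
    for line in lines:
        m = RECV_RE.search(line)
        if m and (net := matching_network(m.group(1), networks)):
            hits.append((m.group(1), net))
    return hits
```

Because the second sample relay shares the AS but not a listed CIDR, a subnet blocklist alone misses it; an AS-level or domain-level check (using `DEFANGED_DOMAINS` after `refang`) covers the gap the posts point out.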