csØsf

@UK_Daniel_Card Good stuff

Here you go world! mr-r3b00t.github.io/CISAKEV/

c2: hxxp://45\.61.136.85/6202033

@L0Psec Interesting sample

for code/script exec there is getNewSc() which is cool, GETs a base64 encoded compiled AppleScript writes to /tmp/applet_, loads the script and executes it. There's more interesting functions here, but this is a quick summary.

retweeting myself is weird but not sure how best to share an update to this thread - thanks @malwrhunterteam. Compiled read only AppleScript infostealer that communicates with this domain. 4e00ca5de51a62cd0fce534872a2c952b8c33deee02a1ad73e4f9cd050faf933 (currently 1 VT hit) 🧵

Interesting Telnyx v4.87.2

@vxunderground Nuclear crytomining

Big news for Threat Actors Windows 11 powering the Nuclear Power Plant Nuclear Copilot

LiteLLM compromise

@gamozolabs I don't see why remaining 1% is not.

I'm like 99% sure that strings is the best reverse engineering tool.

@UK_Daniel_Card what is it, i mean the tool

mOnItOrInG :D

@James_inthe_box interesting case, multi layer calls to get shellcode, virtual allocate with wrx, write and create thread, classic but interesting.

An extremely interesting #clickfix that drops #chromeelevator app.any.run/tasks/b69f163b…

@wyliebsd @cyb3rops b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3

@cyb3rops Can you post the full hash?

This is bad. Putty level bad. notepad-plus-plus.org/news/hijacked-…

@pcrisk @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek Interesting strings

ClearWater Ransomware; Extension: .clear; Ransom note: CLEARWATER_README.txt virustotal.com/gui/file/7116b… @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek

@L0Psec @500mk500 As always, good surfacing 🔥

IOCs DMG -e6de9815c4a3a40acacd456dd7344acfea682f6bc6e72e02ee33cbc6e36de6b2 machO - 86f268637d7a4bfce77fc416b136a3da577c294defb2e92a6484281a6d0f6a3a focusgroovy\.com @500mk500 45.83.220\.205

More MacSync, thanks @malwrhunterteam :) e6de9815c4a3a40acacd456dd7344acfea682f6bc6e72e02ee33cbc6e36de6b2 - DMG, Currently only 1 hit on VT, reaches out to C2 and downloads/executes osascript as we've come to expect from these. let's dive in 🧵

@1ZRR4H @malwrhunterteam Interesting find.

🚩 #ClickFix ("Rapid7 IT Advisory") → macOS users → Apfell (red teaming framework). URL: https://security-usa[.]com:8443/printer.html (#opendir). "CRITICAL ADVISORY: Xerox Client Update Immediate action required for all Moose" + "If you're looking at this, this is part of a CSIRT approved phishing campaign" 😏 Payload: "patch.js": ac4928b95e1d016fa8941da5e0840870c97987a154d70c5ae0124055ffa07196. [+] bazaar.abuse.ch/sample/ac4928b…

@Ryan_Riordz @ValidinLLC Interesting, uses `gzzZ8Umq` as rc4 key. decode/decrypt shellcode in memory, set protection to PAGE_EXECUTE_READWRITE and execute

- outlok-hotmail[.]com 🤔 (104.21.62[.146) Interesting MultiRAT find from @ValidinLLC 🔥

@BlinkzSec @malwrhunterteam some of the py scripts in zip use aes/xor combination to decrypt shellcode and inject in explorer.exe and resume it

@BlinkzSec @malwrhunterteam Interesting... decrypts shellcode using rc4 key `LodEFZvO` , sets protection flags and executes in memory buffer

WsgiDAV opendir: https://huge-arrangements-magnet-flu.trycloudflare[.]com/ 🤷‍♂️

@malwrhunterteam Interesting, vbscript1 > vbscript2> download/run bat > download zip > unzip > run py script > set startup

WsgiDAV opendir: https://pi-healing-sudan-kennedy.trycloudflare[.]com/ 🤷‍♂️

@BlinkzSec @malwrhunterteam Interesting... shellcode injection into arbitrary process

@malwrhunterteam Oh, right - in terms of words, the only thing that came to mind was the entry in urlhaus. Great work!

WsgiDAV opendir: https://meat-media-sl-type.trycloudflare[.]com/ 🤷‍♂️

@salmanvsf @JAMESWT_WT @anyrun_app @sekoia_io @gregclermont @suyog41 mshta hxxps://fun\.cawyfie51\.ru/stun.google?t=1j45lls2

@salmanvsf @JAMESWT_WT @anyrun_app @sekoia_io @gregclermont @suyog41 Interesting find

Interesting #ClickFix Technique uses compromised legit site with obfuscated JS fetching data from BNB Chain. jmw[.]lk -> 0xf4a32588b50a59a82fbA148d436081A48d80832A#code -> mshta "remote domain" @JAMESWT_WT @anyrun_app seen before ?