Threat Intel & Malware Research

bencrypted@infosec.exchange
2024-06-10

@debacle

Agreed there! It would certainly be nice to have the freedom of say the matrix protocol to run in the web browser.

Since writing this, I've also been reached out to regarding the lack of reproducible builds wrt clients. I still need to do more research; however, it seems the safest bet for Android users in particular would be a pivot to the Molly derivative.

bencrypted@infosec.exchange
2024-06-07

@lippard Great point! I have used Threema, and it's a very clean interface.

Downside is that it is still centralized where you can't stand up your own instance(s). If that were a possibility, it would be a perfect contender.

Simplex and some other P2P messengers like Briar are candidates, but they don't quite fit the bill wrt user experience (yet, at least).

bencrypted@infosec.exchange
2024-06-07

@lippard Will give this a look and adjust accordingly. Please let me know if there are any other issues you see!

bencrypted@infosec.exchange boosted:
2024-02-23

We have just posted our latest research with our observations and analysis into ConnectWise ScreenConnect attacks.

We’ve observed multiple attacks in the past 48 hours. This has included malware that was built using the LockBit 3 ransomware builder tool leaked in 2022: this may not have originated with the actual LockBit developers.

But we’re also seeing RATs, infostealers, password stealers and other ransomware. All of this shows that many different attackers are targeting ScreenConnect.

Anyone using ScreenConnect should take steps to immediately isolate vulnerable servers and clients, patch them and check for any signs of compromise.

We have extensive guidance and threat hunting material from our teams to help.

We’ll provide updates to our blog with more information as appropriate.

#Sophosxops #threatintel

news.sophos.com/en-us/2024/02/

bencrypted@infosec.exchange boosted:
2024-02-22

We’ve also seen other ScreenConnect abuse in our telemetry, some delivering AsyncRAT (via WSF script execution); infostealers; and SimpleHelp Remote Access Client

bencrypted@infosec.exchange boosted:
2023-12-07

Would you catch this as a malicious ad?
1️⃣ Google ad spoofing "dropbox.com"
2️⃣ Click & redirection involving l.hyros[.]com -> drcpbox[.]net
3️⃣ Fake Dropbox download "Dropbox-x64.msix"
4️⃣ PowerShell execution of #LummaStealer

This campaign is also targeting:
🎯 Zoom (windows only)
🎯 Streamlabs (windows only)
🎯 Telegram (windows & mac)
🎯 TradingView (windows & mac)
🎯 Basecamp (windows only)

#IOCs:
🔗 virustotal.com/gui/file/60acae
🔗 virustotal.com/gui/file/264b1e

[Image: Google results with a malicious ad spoofing Dropbox] [Image: Fake Dropbox website]

bencrypted@infosec.exchange
2023-08-24

@malware_traffic The irony is their overall negligence with PPC advertising and malware distribution via Firebase and AMP :)

bencrypted@infosec.exchange boosted:
2023-07-27

Late last month we posted some early findings related to an initial-access campaign dubbed “Nitrogen,” which colleagues elsewhere in the industry have connected to certain BlackCat (aka ALPHV) infections. Our MDR protections kept those of our customers targeted by Nitrogen from crossing paths with that feral feline, so we’ve been digging into Nitrogen itself to better understand its construction and what it does to establish and entrench access. Turns out that for a BlackCat-adjacent infection, it’s a bit of a dog’s breakfast: news.sophos.com/en-us/2023/07/

bencrypted@infosec.exchange boosted:
2023-07-22

It's copycat season with fake updates. (This was reported earlier).

Loaded via: itsdigitalshiva[.]com/cdn-js/wds.min.php

Payload is again NetSupport RAT after malicious JS execution.

Added regexes for detection in EKfiddle and calling it SmartApeSG (after the hosting company name).

#SocGholish

[Image: user on Twitter reporting a fake Chrome update]

bencrypted@infosec.exchange boosted:
2023-07-03

In mid-June, Sophos identified a previously unnoted initial-access campaign targeting IT users via malicious advertising (malvertising) – one that uses interesting export forwarding and DLL pre-loading techniques to mask malicious activity, hinder analysis, and generally support its foothold once on the target network. Our colleagues at Trend are watching this adversary too, and have some thoughts on what we’re tracking as “Nitrogen,” after we observed a string in the PDB path commonly used among the samples. As we continue our own research, we are sharing early findings with the community. (1/4)

#threatintel #sophosxops

bencrypted@infosec.exchange boosted:
2023-05-23

Recently I spent about a week focusing on popular Google search terms and discovered that brand impersonation via malicious ads is still very much a problem.

I've documented my findings and some suggestions in this blog post: malwarebytes.com/blog/threat-i

#malvertising

[Image: A malicious ad for Amazon via a Google search]

bencrypted@infosec.exchange boosted:
2023-04-27

Hi everyone. It's the X-Ops team with another research update.

We've been looking at the fallout of an advisory published by #PaperCut, a print-management software company.

The update to their initial posting about CVE-2023-27350 (papercut.com/kb/Main/PO-1216-a) reported that they're aware of attacks in the wild targeting their PaperCut MF and NG Application and Site Server software, version 8.0 and newer.

We're publishing some research today into attacks we've observed targeting this platform.

The company (and Sophos) recommend that anyone using this software patch immediately; the patch (papercut.com/kb/Main/Upgrading) has been available since March 8th. We began to see attackers abusing the unpatched servers on April 13.

Here's a short version of our findings, with the rest published on our blog:

news.sophos.com/en-us/2023/04/

#malware #worms #malminers #exploit #ransomware

1/6

bencrypted@infosec.exchange
2023-04-26

Sophos MDR has observed quite the uptick in #chromeloader infections. We found one instance where the infection stemmed from a fake YouTube Video Downloader site.

🔎 Google search: download youtube video
➡️ User lands on hxxps://10downloader[.]com/en/51
➡️ User attempts to download a specific video
➡️ Redirection to hxxps://heinndoorh[.]com
➡️ Redirection to hxxps://llyighaboveth[.]com
➡️ Redirection to hxxps://adtwobrightsa.info/12557074
⬇️ Downloads the sample Your File Is Ready To Download.exe

This often leads to the creation of a schtask such as \chrome display, \chrome disp, \chrome profile, and many more.

Encoded PowerShell is invoked to create a registry key under HKCU:\Software\ with various paths such as:

  • AudioConverterStudio
  • FoxitSoftware
  • KCSoftwares
  • DTSoft
  • BinaryFortressSoftware

#threatintel
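
A triage helper for the artifacts listed in this post, added here as an example and not code from the post or from Sophos: it decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE text) and checks whether the resulting script references one of the HKCU:\Software\ subkeys above, alongside the scheduled-task names. The event field names (task_name, command_line) and the sample events are assumptions constructed for the example.

```python
import base64
import re

# Scheduled-task names and HKCU:\Software\ subkeys listed in the ChromeLoader post above.
SUSPICIOUS_TASK_NAMES = {"\\chrome display", "\\chrome disp", "\\chrome profile"}
SPOOFED_VENDOR_KEYS = {"AudioConverterStudio", "FoxitSoftware", "KCSoftwares",
                       "DTSoft", "BinaryFortressSoftware"}
# powershell.exe takes -e/-ec/-enc/-EncodedCommand followed by base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
REG_KEY = re.compile(r"HKCU:\\Software\\([A-Za-z0-9_]+)", re.I)

def decode_encoded_command(cmdline: str):
    """Plaintext script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def spoofed_registry_keys(script: str):
    """Subkeys under HKCU:\\Software\\ from the post's list that the script references."""
    return sorted({k for k in REG_KEY.findall(script) if k in SPOOFED_VENDOR_KEYS})

def triage_event(event: dict):
    """Reasons a scheduled-task event looks like ChromeLoader (empty list = nothing found)."""
    reasons = []
    task = event.get("task_name", "")
    if task.lower() in SUSPICIOUS_TASK_NAMES:
        reasons.append(f"task name matches ChromeLoader pattern: {task}")
    script = decode_encoded_command(event.get("command_line", ""))
    keys = spoofed_registry_keys(script) if script else []
    if keys:
        reasons.append("encoded PowerShell references HKCU:\\Software\\" + ", ".join(keys))
    return reasons

def encode_ps(script: str) -> str:
    """Encode text the way -EncodedCommand expects; used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: one event modelled on the post, one benign Windows task.
SAMPLE_SCRIPT = 'New-Item -Path "HKCU:\\Software\\FoxitSoftware" -Force | Out-Null'
SAMPLE_EVENTS = [
    {"task_name": "\\chrome display",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_ps(SAMPLE_SCRIPT)},
    {"task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command_line": "%windir%\\system32\\defrag.exe -c -h -o -$"},
]
```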

bencrypted@infosec.exchange boosted:
2023-04-21

Hey there. @threatresearch here again, taking over the X-Ops Mastodon to talk about some research we posted this week.

We stumbled upon a malicious tool earlier this year, while our EDR and incident response teams were called in to perform postmortem investigations of ransomware attacks.

While reviewing logs, we found that the threat actors had used a custom-designed #malware we're calling #AuKill as a way to terminate the #EDR agent and endpoint security software the target had installed.

news.sophos.com/en-us/2023/04/

A short 🧵 begins here

bencrypted@infosec.exchange boosted:
2023-04-13

Hey everybody, it's @threatresearch taking control of the Sophos X-Ops Mastodon feed with an update about the #research I've been working on for several weeks with my Labs and #MDR colleagues, just published this morning.

In February, a #tax #accounting firm reached out to us about a strange email exchange they had (and the aftermath), and the more we started digging, the more we found.

The big takeaway is that an unknown threat actor group appears to have been targeting the kinds of small- to medium-sized businesses that perform tax preparation services in the United States with a social engineering method that kept their activities under the radar...until it delivered #malware to those targets. The campaign seemed to start in late January and has ramped up significantly in the past few weeks. There are thousands of CPA and accounting businesses in the US and this is their busiest time of the year, and they handle a lot of financially sensitive documents.

The delivery method was a type of malware called #GuLoader, and the payload was a commodity #RAT malware called #remcos

A short thread begins here:

news.sophos.com/en-us/2023/04/

bencrypted@infosec.exchange
2023-04-05

#Qakbot BB22 malspam distribution is firing on all cylinders

Infection chain:
thread-hijacked email -> attachment (.pdf) -> embedded url -> archive download (pass-protected .zip) -> wscript (.wsf) -> rundll32 (.dll) -> C2 activity

Links embedded within the PDF files:

  • hxxps://baladnahalal[.]com/mmpp/mmpp.php
  • hxxps://mimarpro[.]com/dn/dn.php
  • hxxps://africastories.net/uso/uso.php

.dll files staged under %appdata%\local\temp\

And as expected with Qakbot, the payload URLs are routinely changing.

.zip passwords:
3/4/2023 -> 721
3/5/2023 -> 755
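
A lineage check for the wscript (.wsf) -> rundll32 (.dll) step of the chain above, added here as an example and not part of the original post. The process records (pid, ppid, image, cmdline) are constructed sample data modelled on the post, and the staging path is matched as the AppData\Local\Temp segment, my reading of the post's %appdata%\local\temp.

```python
import re

# Process-creation records shaped like the Qakbot BB22 chain in the post above
# (wscript .wsf -> rundll32 .dll staged under the user's temp folder). Constructed data.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_docs.zip\scan_721.wsf"'},
    {"pid": 300, "ppid": 200, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\pdf.dll,print"},
    {"pid": 400, "ppid": 100, "image": "rundll32.exe",  # benign: system DLL under explorer
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 500, "ppid": 200, "image": "rundll32.exe",  # wscript parent, but DLL not in temp
     "cmdline": r"rundll32.exe C:\Program Files\App\helper.dll,Run"},
]

# The post's %appdata%\local\temp, read as the AppData\Local\Temp path segment.
TEMP_DLL = re.compile(r"appdata\\local\\temp\\[^\s,\"']*\.dll", re.I)
WSF_ARG = re.compile(r"\.wsf\b", re.I)

def find_qakbot_chains(events):
    """(wscript_pid, rundll32_pid, dll_path) for each rundll32 whose parent is wscript.exe
    running a .wsf and whose DLL argument is staged under AppData\\Local\\Temp."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "rundll32.exe":
            continue
        dll = TEMP_DLL.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not (dll and parent and parent["image"].lower() == "wscript.exe"):
            continue
        if WSF_ARG.search(parent["cmdline"]):
            hits.append((parent["pid"], e["pid"], dll.group(0)))
    return hits

def lineage(events, pid):
    """Image names from the root ancestor down to pid, for reporting the full chain."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]
```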

bencrypted@infosec.exchange boosted:
2023-04-03

Earlier today @sans_isc shared details about malicious JavaScript injected into a tax filing service:
🔗 infosec.exchange/@sans_isc/110

I took a further look to see what I could figure out 🔎

While reviewing the efile website in URLScan I noticed some recent scans that look strange...

A fake browser update page with a convincing theme!

🎣 > "The current version of your browser uses an unsupported protocol. Click on the below link to update your browser."

Here's the fake browser update page captured earlier today:

🔗 urlscan.io/result/e45661ba-aef

More in thread 🧵 (1/2)

[Image: URLScan's domain "Recent screenshots" feature] [Image: Fake "This site can't be reached" page]

bencrypted@infosec.exchange
2023-04-03

@defensivecomputing I was very excited to see this as well! I used to take the TOR Browser and remove the proxy for clearnet intent, so it's nice to see a commercially maintained browser following suit.

bencrypted@infosec.exchange boosted:
2023-03-16

The November and December holidays are usually not a quiet time for defenders, but ProxyNotShell – and its PLAY-ful descendant OWASSRF – made the end of 2022 extra spicy. It really has only been three months... 1/2

bencrypted@infosec.exchange
2023-02-28

@DFIR_Janitor @th3_protoCOL The peer pressure finally got to you, huh? 😅😂 welcome aboard!
