Happy Wednesday everyone!

The Proofpoint Threat Research team paired up with the Team Cymru to dissect the #Latrodectus malware. "First seen being used by #TA577 and more recently #TA578, Latrodectus is a downloader that likes to evade sandbox environments." The researchers take a deep dive into the code to see what information they could extract and found PLENTY!

After you are done reading, why not take a Cyborg Security Community Hunt Package to hunt for a threat like this? In the article, the researchers mention that the malware sets an AutoRun registry key for persistence, which is a common technique used by different adversaries and malware due to the capability and functionality of those registry keys. So, take this hunt package with you, it's dangerous out there! Enjoy and Happy Hunting!

Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c

Source of article:
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting

Proofpoint and Team Cymru collaborated on a report on Latrodectus malware. Latrodectus is an up-and-coming downloader with various sandbox evasion functionality. It first appeared in email threat campaigns in late November 2023. Latrodectus shares infrastructure overlap with historic IcedID operations. It is being distributed by financially motivated TA577, as well as TA578. Proofpoint provides malware analysis, C2 infrastructure, links to IcedID, and list of IOC. 🔗 https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice

#Latrodectus #threatintel #IcedID ##IOC #TA577 #TA578 #cybercrime

Proofpoint warned that the TA577 cybercrime group, acting as initial access brokers (IAB), pivoting to stealing the NT LAN Manager (NTLM) hashes. Two distinct email-based campaigns that TA577 carried out on 26-27 February 2024 targeted hundreds of businesses. No IOC provided but Proofpoint lists defense-in-depth steps to defend against this. 🔗 https://www.proofpoint.com/us/blog/identity-threat-defense/ta577-attack-ntlm-vulnerability

cc: @selenalarson

#TA577 #cybercrime #threatintel #IAB

#TA577 is a messy b that lives for drama. Learn more about their wild attack chain we spotted attempting to steal NTLM data. Great work by the team @Ffforward and Kelsey https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft

New blog post! In this one I look at a Java-based dropper for Pikabot that TA577 used in mid-February 2024.
https://forensicitguy.github.io/dissecting-java-pikabot-dropper/
#malware #pikabot #ta577

#DarkGate gained popularity among threat actors (e.g: #TA577, #DuckTail), our #RE analysis details the internals of the malware, how it implements technique to evade defenses: Union-API, token theft via UpdateProcThreadAttribute, APC injection.

https://blog.sekoia.io/darkgate-internals/

Fake sites impersonating Zoom download page distributes #DarkGate Loader:
zoomadvertisingofferr.]com
zoomadvertisingooffer.]com

DarkGate C2: 81.19.135.]17 (likely #TA577 payload, A1111 botnet)

hxxps://zoomadvertisingofferr.]com/ZoomInstaller.msi

https://tria.ge/231021-dsawbaec67

This #IcedID #BackConnect C2 server keeps telling the bot to sleep for 60 seconds. This goes on for 3 hours. No reverse shell, no VNC, no file manager 😿

HELLO #TA577, IT’S TIME TO WAKE UP!!

#TA577 returned yesterday from their month long break to deliver #Qbot via URLs to zipped OneNote. #TA570 came back too (after the blog was sent for publishing) with OneNote attachments to deliver Qbot.

#TA570 and #TA577 actors, distributing #Qakbot/#Qbot #malware have gotten in on the #OneNote action, delivering lures going undetected by many AV engines.

Highest number of flags is 2/60 based on this C2 IP called by malicious OneNote lures:

https://www.virustotal.com/gui/ip-address/103.214.71.45/relations

TA570/Obama Sample: https://bazaar.abuse.ch/sample/b45ace5a35914dcd4beb7486f3ddad4bbd84be245d403b9e6a3f1b907aa4ae03/

TA577/BB## Sample: https://bazaar.abuse.ch/sample/bd040a74f99bd767652abc940a4939361d214ba6407781724fde55e48fa7aecf/