Mastouille

0 message0 participant0 message aujourd’hui

Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af:2025-02-26 (Wednesday): <a href="https://kolektiva.social/tags/XLoader" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#XLoader</a> (<a href="https://kolektiva.social/tags/Formbook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Formbook</a>) distributed through <a href="https://kolektiva.social/tags/malspam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malspam</a>. The email has an attached PDF document. The PDF has links for a ZIP download, and the ZIP contains files that use DLL side-loading for XLoader.<a href="https://bit.ly/4bgKRU8" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://bit.ly/4bgKRU8</a>

FunesFound this user on the <a href="https://mastodon.archive.org/@internetarchive" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@internetarchive</a> hosting images with embedded base64 encoded <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> between <<BASE64_START>> and <<BASE64_END>> flags. The malware is used to download an inject the next stage payload into another process. The campaign I observed involved <a href="https://infosec.exchange/tags/RemcosRAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RemcosRAT</a> User page: <a href="https://archive.org/details/@nodetectonn" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://archive.org/details/@nodetectonn</a> Remcos: hxxps://petshopsirena[.]mk/a.txt <a href="https://infosec.exchange/tags/c2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#c2</a> : 45.95.169[.]135:2404I found samples dropping others such as <a href="https://infosec.exchange/tags/agenttesla" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#agenttesla</a> and <a href="https://infosec.exchange/tags/formbook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#formbook</a> as well.<a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

Infoblox Threat IntelWe just released a landscape review of Registered DGAs. We review the many ways threat actors are leveraging these algorithms -- including malware, phishing, scams, porns, you name it. Our RDGA detectors find tens of thousands of domains every day, and we've seen the use continue to rise over the last several years. Most folks aren't even aware since actors are doing this in DNS and it often isn't obvious. <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/RDGA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RDGA</a> <a href="https://infosec.exchange/tags/DGA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DGA</a> <a href="https://infosec.exchange/tags/DDGA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DDGA</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#phishing</a> <a href="https://infosec.exchange/tags/scams" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scams</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/threatactor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatactor</a> <a href="https://infosec.exchange/tags/c2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#c2</a> <a href="https://infosec.exchange/tags/revolverrabbit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#revolverrabbit</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cyber" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cyber</a> <a href="https://infosec.exchange/tags/cyberintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cyberintelligence</a> <a href="https://infosec.exchange/tags/xloader" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#xloader</a> <a href="https://infosec.exchange/tags/formbook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#formbook</a> <a href="https://infosec.exchange/tags/abusedtld" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#abusedtld</a> <a href="https://insights.infoblox.com/resources-research-report/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://insights.infoblox.com/resources-research-report/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about</a>

BradThis is what I think of <a href="https://infosec.exchange/tags/Formbook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Formbook</a> now...

Brad30 Days of <a href="https://infosec.exchange/tags/Formbook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Formbook</a>: Day 3, Wednesday 2023-06-07 "AE30" at <a href="https://malware-traffic-analysis.net/2023/06/07/index.html" rel="nofollow noopener noreferrer" target="_blank">https://malware-traffic-analysis.net/2023/06/07/index.html</a>3 of 30 days? I'm 10% done!My findings so far:It seems like Formbook doesn't steal login credentials from the current Chromium-based Microsoft Edge or Thunderbird.But it -does- steal credentials from Google Chrome & Outlook.It still seems to still look for login credentials in Internet Explorer.I'm basing this on artifacts from the directory that Formbook temporarily stores the screenshot of the desktop and any login credentials it steals. After it sends the info to the C2 server, Formbook deletes the files.Today, I had Chrome installed and set up with some stored login credentials. I normally just use the current Chromium-based Edge for that, which was also present, but all those juicy login/password combos seem untouched by Formbook.Nothing from Filezilla, either, in this case.In this post, I've included a screenshot of my victim desktop that Formbook sent to its C2 server(s).I'll keep mixing things up and trying other applications to see if there's anything else Formbook tries to steal from.I mean, I know that Formbook is a sort of "bargain basement" MaaS-style malware, but come on! Not stealing from the current Microsoft Edge? I think Formbook's still stuck in the Windows 7 era.

Brad30 Days of <a href="https://infosec.exchange/tags/Formbook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Formbook</a>: Day 2, Tuesday 2023-06-06 - "CG62"My current effort to generate a collection of <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pcap</a> files/IOCs from up-to-date Formbook samples I find on VirusTotal...Today's post, number 2 of 30: <a href="https://malware-traffic-analysis.net/2023/06/06/index.html" rel="nofollow noopener noreferrer" target="_blank">https://malware-traffic-analysis.net/2023/06/06/index.html</a>

Brad30 Days of <a href="https://infosec.exchange/tags/Formbook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Formbook</a>: Day 1, Monday 2023-06-05I'm generating <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pcap</a> files/IOCs from up-to-date Formbook samples I find on VirusTotal.It'll take longer than 30 calendar days, I'm sure, but I plan on doing 30 of these.We'll see if the accumulated data is worth anything. At least, there will be 30 examples of Formbook infections where people can see the data exfiltration, even if you can't decode it (which I can't yet).My first post: <a href="https://www.malware-traffic-analysis.net/2023/06/05/index.html" rel="nofollow noopener noreferrer" target="_blank">https://www.malware-traffic-analysis.net/2023/06/05/index.html</a>

RedhotcyberL’infostealer FormBook viene diffuso attraverso le campagna di ADS di Google I <a href="https://mastodon.bida.im/tags/ricercatori" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ricercatori</a> di sicurezza <a href="https://mastodon.bida.im/tags/informatica" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#informatica</a> di SentinelLabs riferiscono che una <a href="https://mastodon.bida.im/tags/campagna" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#campagna</a> in corso utilizza gli annunci <a href="https://mastodon.bida.im/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Google</a> per distribuire programmi di installazione di <a href="https://mastodon.bida.im/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> che utilizzano la <a href="https://mastodon.bida.im/tags/tecnologia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tecnologia</a> di virtualizzazione <a href="https://mastodon.bida.im/tags/KoiVM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#KoiVM</a> per evitare il rilevamento quando viene installato l’infostealer <a href="https://mastodon.bida.im/tags/FormBook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FormBook</a>. KoiVM è un plugin per la protezione <a href="https://mastodon.bida.im/tags/ConfuserEx" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConfuserEx</a> che offusca i codici operativi di un programma in modo che solo la macchina virtuale li capisca. <a href="https://mastodon.bida.im/tags/redhotcyber" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#redhotcyber</a> <a href="https://mastodon.bida.im/tags/informationsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#informationsecurity</a> <a href="https://mastodon.bida.im/tags/ethicalhacking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ethicalhacking</a> <a href="https://mastodon.bida.im/tags/dataprotection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dataprotection</a> <a href="https://mastodon.bida.im/tags/hacking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hacking</a> <a href="https://mastodon.bida.im/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://mastodon.bida.im/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://mastodon.bida.im/tags/cybersecurityawareness" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurityawareness</a> <a href="https://mastodon.bida.im/tags/cybersecuritytraining" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecuritytraining</a> <a href="https://mastodon.bida.im/tags/cybersecuritynews" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecuritynews</a> <a href="https://mastodon.bida.im/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#privacy</a> <a href="https://mastodon.bida.im/tags/infosecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosecurity</a> <a href="https://www.redhotcyber.com/post/linfostealer-formbook-viene-diffuso-attraverso-le-campagna-di-ads-di-google/" rel="nofollow noopener noreferrer" target="_blank">https://www.redhotcyber.com/post/linfostealer-formbook-viene-diffuso-attraverso-le-campagna-di-ads-di-google/</a>

Recherches récentes

Options de recherche

Administré par :

Statistiques du serveur :

#FormBook