
Posts by Chris


Over the past month I've seen intermittent runs of a campaign that uses novel methods to deliver stealer malware. This draws similarities with what was described by BlackBerry in February: blogs.blackberry.com/en/2023/02/b... Techniques include JS delivery, steganography and reflective loading.

2 years ago

IcedID. Reviving old tricks. danceharddiehard[.]com > 1azure[.]com > ZIP > ISO > LNK > BAT > rundll32. C2: mistulinno[.]com (as seen in the campaign detailed by Cryptolaemus1 on X this morning) Sample: tria.ge/231019-3d1wm...

2 years ago

IcedID. PDF > ZIP > JS > CMD > Curl > 7Z (PW protected) > DLL. ZIP: hXXps://newssarkari[.]in/directions (via ad68e[.]app[.]goo[.]gl) 7Z: hXXps://gardenconceptstudio[.]pl/wp-includes/js/tinymce/plugins/compat3x/css/5673.7z C2: minutozhart[.]online Sample: tria.ge/230913-2nkfy...

2 years ago
Compromised Microsoft Key: More Impactful Than We Thought | Wiz Blog Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally ass...

Great work by Wiz, as always. Certainly leaves far more questions than answers.

2 years ago

Remcos RAT. URL (komamin[.]net) > ZIP > VBS > PS > ielowutil. Payload: 103.10.68[.]110/zimbra/gVCeM32.bin (opendir)
C2: septrem.duckdns[.]org:2424 Sample: https://tria.ge/230717-2c6vtafa63

2 years ago
GitHub - Errum/IntelArchitectureMap: Intelligence Architecture Mind Map Intelligence Architecture Mind Map. Contribute to Errum/IntelArchitectureMap development by creating an account on GitHub.

Would also recommend taking a look at Freddy's "Intelligence Architecture Mind Map" project. I have found this to be an invaluable reference.

2 years ago
The Threat Actor Profile Guide for CTI Analysts Threat actor profiles are made for a range of reasons. An example trigger for creating a new profile can include after an incident, e.g., a...

Brilliant new project from Curated Intel lads @bushidotoken.net and Freddy. "The Threat Actor Profile Guide for CTI Analysts".

2 years ago
GUNSHIP - Monster In Paradise [Official Music Video] Preorder 'Unicorn' and stream 'Monster In Paradise': https://linktr.ee/gunshipmusic This video contains bright, flashing lights and/or imagery that may cause ...

So good.

2 years ago
Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse ...

Interestingly, Microsoft released the advisory for CVE-2023-36884 without any associated patch. However, both the update guidance and this blog post include some great hardening advice which is effective well beyond just the exploitation of this vulnerability.

2 years ago

New sample from today. Same email template. Looks like they fixed the script error that led to premature termination yesterday: https://tria.ge/230712-fw4nxach9s

2 years ago

Remcos RAT. Discord hosted JS. WScript > PowerShell > PowerShell > InstallUtil. Script parts hosted on Pastebin and WTOOLS. Runkey persistence. PowerShell obfuscation in one script is broken. C2: salwanazeeze.ddns[.]net:9595 Sample: https://tria.ge/230710-3hnf4aeh9z

2 years ago

Deepfake crypto scam with 90k+ views still up after 10 hours on a verified account with 58k followers. Common scam kit.

2 years ago
Squeezing the IoC lemons - a methodical analysis of network infrastructure. One of the most common problems CTI analysts face is how to use the data they have gathered to uncover further elements of hostile activity, the so-called "pivoting". ...

Neat new project: a spreadsheet that outlines methods and data sources for analysing adversary infrastructure: docs.google.com/spreadsheets/d/1oBOW5qGJ... The author has also produced an accompanying blog post - linked below.

2 years ago

Remcos RAT. ZIP > EXE (.BAT extension). DLL sideloaded into easinvoker.exe to set a Defender exclusion for C:\Users with PowerShell. OVPN C2. Config: https://pastebin.com/raw/NsnRP6fw Sample: https://tria.ge/230705-avk8aaaa84

2 years ago
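Three of the chains posted above (IcedID ZIP > ISO > LNK > BAT > rundll32, the Discord-hosted JS Remcos chain WScript > PowerShell > PowerShell > InstallUtil, and the easinvoker.exe sideload that adds a Defender exclusion for C:\Users) are visible in process-creation telemetry alone. The following is an added example written for this page, not code from the poster or from any referenced report: a small process-tree rule set run over constructed Sysmon-style events. The event fields, the rule names, the list of "expected" PowerShell parents and the sample events are all assumptions for illustration.

```python
# Added example (not from the original posts): heuristic process-tree detections
# for three of the chains described above. Event format, field names and the
# sample events are constructed assumptions, not real telemetry.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """A process-creation event (Sysmon EID 1 / EDR style), reduced to what the rules need."""
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # its command line


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk parent pointers; stops at the root or on a pid loop (pid reuse)."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


# A .bat launched from a drive letter other than C: (e.g. a mounted ISO/IMG).
BAT_ON_OTHER_DRIVE = re.compile(r"\b([a-z]):\\[^\s\"']*\.bat\b", re.I)
# Add-MpPreference -ExclusionPath <drive-rooted path>
EXCLUSION = re.compile(r"add-mppreference\b.*?-exclusionpath\s+['\"]?([a-z]:\\[^'\"\s]*)", re.I)
BROAD_EXCLUSIONS = {"c:", "c:\\users", "c:\\programdata", "c:\\windows", "c:\\windows\\temp"}
# Assumed set of parents that legitimately spawn PowerShell in this environment.
EXPECTED_PS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "services.exe", "svchost.exe", "wsmprovhost.exe"}


def detect(events):
    """Return (rule_name, pid) tuples, in event order, for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        img = basename(ev.image)
        anc = ancestors(ev, by_pid)
        parent = anc[0] if anc else None
        anc_names = [basename(a.image) for a in anc]

        # Rule 1 (IcedID ZIP > ISO > LNK > BAT > rundll32): rundll32 whose parent is
        # cmd.exe running a .bat that lives on a non-C: drive, i.e. the mounted image.
        if img == "rundll32.exe" and parent and basename(parent.image) == "cmd.exe":
            m = BAT_ON_OTHER_DRIVE.search(parent.cmdline)
            if m and m.group(1).lower() != "c":
                hits.append(("bat_on_mounted_image_to_rundll32", ev.pid))

        # Rule 2 (Remcos WScript > PowerShell > PowerShell > InstallUtil): InstallUtil.exe
        # with a script host anywhere in its ancestry, however many PowerShell hops between.
        if img == "installutil.exe" and any(n in ("wscript.exe", "cscript.exe") for n in anc_names):
            hits.append(("script_host_to_installutil", ev.pid))

        # Rule 3 (Remcos easinvoker.exe sideload): PowerShell adding a Defender exclusion
        # for a broad path, or launched by a parent that should not be spawning PowerShell.
        if img in ("powershell.exe", "pwsh.exe"):
            m = EXCLUSION.search(ev.cmdline)
            if m:
                path = m.group(1).rstrip("\\").lower()
                if path in BROAD_EXCLUSIONS:
                    hits.append(("defender_exclusion_broad_path", ev.pid))
                if parent and basename(parent.image) not in EXPECTED_PS_PARENTS:
                    hits.append(("defender_exclusion_unexpected_parent", ev.pid))
    return hits


# Constructed sample events modelled on the chains in the posts above (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK inside a mounted ISO (D:) runs a .bat, which runs rundll32 on the dropped DLL
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "D:\invoice.bat"'),
    ProcEvent(102, 101, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe D:\data.dll,init"),
    # Discord-hosted JS: wscript > powershell > powershell > InstallUtil
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\doc.js"'),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -e AAAA"),
    ProcEvent(202, 201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -e BBBB"),
    ProcEvent(203, 202, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"InstallUtil.exe /U C:\Users\u\AppData\Local\Temp\x.dll"),
    # Sideloaded DLL in easinvoker.exe spawns PowerShell to exclude C:\Users from Defender
    ProcEvent(300, 100, r"C:\Users\u\AppData\Local\Temp\easinvoker.exe", "easinvoker.exe"),
    ProcEvent(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Users"'),
    # Benign control: an interactive PowerShell session
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 keys on the drive letter only, so removable media running batch files will trip it in environments where that is normal; the Defender-exclusion rule is the higher-confidence signal of the three, and the parent-process check catches the sideload case even when the excluded path is narrower than C:\Users.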

Hello Bluesky. Hope you're well today.

2 years ago