Chris

@phage.nz

High Tech, Low Life | curatedintel.org Team

Joined 03.07.2023

Latest posts by Chris @phage.nz


Over the past month I've seen intermittent runs of a campaign that uses novel methods to deliver stealer malware. This draws similarities with what was described by BlackBerry in February: blogs.blackberry.com/en/2023/02/b... Techniques include JS delivery, steganography and reflective loading.

20.10.2023 02:52 👍 1 🔁 0 💬 0 📌 0

IcedID. Reviving old tricks. danceharddiehard[.]com > 1azure[.]com > ZIP > ISO > LNK > BAT > rundll32. C2: mistulinno[.]com (as seen in the campaign detailed by Cryptolaemus1 on X this morning) Sample: tria.ge/231019-3d1wm...

20.10.2023 02:41 👍 0 🔁 0 💬 0 📌 0

IcedID. PDF > ZIP > JS > CMD > Curl > 7Z (PW protected) > DLL. ZIP: hXXps://newssarkari[.]in/directions (via ad68e[.]app[.]goo[.]gl) 7Z: hXXps://gardenconceptstudio[.]pl/wp-includes/js/tinymce/plugins/compat3x/css/5673.7z C2: minutozhart[.]online Sample: tria.ge/230913-2nkfy...

13.09.2023 23:06 👍 2 🔁 0 💬 0 📌 0
Compromised Microsoft Key: More Impactful Than We Thought | Wiz Blog Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally ass...

Great work by Wiz, as always. Certainly leaves far more questions than answers.

24.07.2023 08:13 👍 1 🔁 1 💬 0 📌 0

Remcos RAT. URL (komamin[.]net) > ZIP > VBS > PS > ielowutil. Payload: 103.10.68[.]110/zimbra/gVCeM32.bin (opendir) C2: septrem.duckdns[.]org:2424 Sample: https://tria.ge/230717-2c6vtafa63

17.07.2023 23:37 👍 1 🔁 0 💬 0 📌 0
GitHub - Errum/IntelArchitectureMap: Intelligence Architecture Mind Map Intelligence Architecture Mind Map. Contribute to Errum/IntelArchitectureMap development by creating an account on GitHub.

Would also recommend taking a look at Freddy's "Intelligence Architecture Mind Map" project. I have found this to be an invaluable reference.

14.07.2023 04:57 👍 1 🔁 0 💬 0 📌 0
The Threat Actor Profile Guide for CTI Analysts Threat actor profiles are made for a range of reasons. An example trigger for creating a new profile can include after an incident, e.g., a...

Brilliant new project from Curated Intel lads @bushidotoken.net and Freddy. "The Threat Actor Profile Guide for CTI Analysts".

14.07.2023 04:55 👍 1 🔁 1 💬 1 📌 0
GUNSHIP - Monster In Paradise [Official Music Video] Preorder 'Unicorn' and stream 'Monster In Paradise': https://linktr.ee/gunshipmusicThis video contains bright, flashing lights and/or imagery that may cause ...

So good.

12.07.2023 08:15 👍 0 🔁 0 💬 0 📌 0
Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse ...

Interestingly, Microsoft released the advisory for CVE-2023-36884 without any associated patch. However, both the update guidance and this blog post include some great hardening advice which is effective well beyond just the exploitation of this vulnerability.

12.07.2023 06:35 👍 1 🔁 0 💬 0 📌 0

New sample from today. Same email template. Looks like they fixed the script error that led to premature termination yesterday: https://tria.ge/230712-fw4nxach9s

12.07.2023 05:21 👍 1 🔁 0 💬 0 📌 0

Remcos RAT. Discord hosted JS. WScript > PowerShell > PowerShell > InstallUtil. Script parts hosted on Pastebin and WTOOLS. Runkey persistence. PowerShell obfuscation in one script is broken. C2: salwanazeeze.ddns[.]net:9595 Sample: https://tria.ge/230710-3hnf4aeh9z

11.07.2023 00:24 👍 2 🔁 0 💬 1 📌 0

Deepfake crypto scam with 90k+ views still up after 10 hours on a verified account with 58k followers. Common scam kit.

08.07.2023 08:42 👍 0 🔁 0 💬 0 📌 0
Wyciskając cytryny IoC - metodyczna analiza infrastruktury sieciowej (Squeezing the IoC lemons - a methodical analysis of network infrastructure). One of the most common problems CTI analysts face is using the data they have gathered to uncover further elements of hostile activity, the so-called "pivoting". Najpro...

Neat new project: a spreadsheet that outlines methods and data sources for analysing adversary infrastructure: https://docs.google.com/spreadsheets/d/1oBOW5qGJstWYg3qXwSK12MHav4Pz6rzP77FzSB2IEeY/edit?pli=1#gid=1591959748 The author has also produced an accompanying blog post - linked below.

05.07.2023 03:07 👍 0 🔁 0 💬 0 📌 0

Remcos RAT. ZIP > EXE (.BAT extension). DLL sideloaded into easinvoker.exe to set a Defender exclusion for C:\Users with PowerShell. OVPN C2. Config: https://pastebin.com/raw/NsnRP6fw Sample: https://tria.ge/230705-avk8aaaa84

05.07.2023 01:34 👍 0 🔁 0 💬 0 📌 0

Hello Bluesky. Hope you're well today.

05.07.2023 01:33 👍 6 🔁 0 💬 1 📌 0