1/ "The APT actors deleted some of their entries in Apache httpd logs using mi.war, a malicious Tomcat application that deletes log entries based on the string in keywords.txt. The actors deleted log entries with the string Firefox/107.0." [1]
The sample is available on VT. [2]
The vx-underground x @SentinelOne malware research competition has come to a conclusion and a winner has been chosen.
@tr3gleos discovered an unknown malware family named "Net_Neo" which targets banking institutions primarily in Spain and Chile.
https://t.co/7XBg7c0oj1
Let's continue with Brute Ratel C4 Hunting 🎯
Last time we started from VT/hash attributed to badger implant, we grabbed one JARM from BRc4 C2 51.77.112.254 and combined with the HTTP Response hash.
Today we will pivot from another Brute Ratel C4 JARM and we will find more threat actors infra🤝
Microsoft's https://t.co/FExGESVtzW service is being used as a Cobalt Strike C2.
Encrypted beacon: d599f5a81d0bc8bf45f21585d89b93cbbc07be04c3e501127f1fd9669659376b
C2: devbox[.]microsoft[.]com/sync/lf1AQtwJeF-n7vM3EZW5UAyfPQLtyTXVQ1EWL
LAPSUS$ extortion group claims to have breached @Okta. They have released 8 photos as proof.
The photos we are sharing has been edited so no sensitive information or user identities are displayed.
Image 1 - 4 attached below.
Recent #Emotet downloaders use:
XLSX ➡ VBA ➡ batch ➡ PowerShell
Based on some great work by @DissectMalware, binary refinery now has a batch deobfuscator. Ripping out those C2s is easier than ever!
🏭 xlxtr | bat | carve -sd b64 | xtp url
🌐 https://t.co/UFEAIVxsJx
2021-12-29: 🔥#IcedID aka #BokBot Malware | ↪️Hooking Engine
📚API hook splicing technique to intercept API calls by inserting a jump instruction for browser and other API for information-stealing purposes
Similar hooking engine in concept from ZeusVM:
https://t.co/wKJXbxa1qc