Olivia
Online
MalwareParty
@MalwareParty
Joined June 2017
29 Following
344 Followers
11 Posts
Word add-in persistence Sample uses the CVE-2017-11882 %temp% dropper method to %APPDATA%\Microsoft\word\startup\w.wll
@blu3_team @ImPureMotion
https://t.co/fupQTmy79W
Starting to work on another blog post for this activity
Who to follow
Nextron Systems
@nextronsystems
Managed Compromise Assessments #YARA #IOCs #DFIR #APT #Sigma - the home of @thor_scanner, ASGARD and the Aurora Agent
Kyle Cucci
@d4rksystem
Threat Research @proofpoint | Author of "Evasive Malware" @nostarch | Talks about cybercrime, threat intel, and malware stuff.
Rene Freingruber
@ReneFreingruber
Interests: reversing, fuzzing, browser&kernel exploits, red teaming, maldev (loaders, C2, obfuscators), coding (hashcat utils, BloodHound ingestors, EDRs), ...
@securitydoggo @blu3_team @ImPureMotion You already found one earlier :) This is from their earlier tests:
https://t.co/o1JPEtR9oW
(更正以此為准)書面資料-院長指示事項辦理情形表.rtf (
(Corrigendum on this basis) Written information - Dean's case for handling matters table) https://t.co/ARQOgADp5E #phishing #malware #infosec @James_inthe_box @lotus_ruan
Thanks to these folks who helped find these and are always encouraging!
@securitydoggo
@James_inthe_box
@_jsoo_
The decoded portion of the CVE-2017-11882 is "cmd /c start %TEMP%\jjjjjjjjjjjjjjjjjjj.j" which runs the executable and shows a messagebox
with the word "Hacked".
Example:
5c68c0a32a8c59271afe3456430125f77b02b240fe578da6b7f398656f6cf972
This is an early test using a small executable named "jjjjjjjjjjjjjjjjjjj.j".
@blu3_team @ImPureMotion How it works
Apparently embedded objects get stored in %temp% while the document is open and they use the original name. That gives
us a method of "dropping" a known file to a known location. CVE-2017-11882 gives us a method of executing it.
We have recently found samples in the wild using a new method involving CVE-11882 that effectively makes it a dropper.
Apologies if someone has already put this out but we haven't seen it and believe it is important.
@blu3_team @ImPureMotion
First blog post... taking a stab at it, had some fun with the logo
https://t.co/qt3UAsulUE
#malware #molerats #infosec #cybersecurity
Last Seen Users on Sotwe
Ppt222999
Seen from Indonesia
Goat (xxx content)
Seen from Turkey
CHAVEZ XXL 🔥
Seen from Argentina
فاشخ الأمهات والنسوان الكبيرة
pecinta ibu ibu
Seen from Singapore
Ruzgar
Seen from Turkey
هديل غالية حصريات مشاهير
Seen from United States
Aylin ay💥
Seen from Turkey
銀メダル
Seen from United States
5. ♛⎯⎯⎯⎯❦ 𝙰𝚕𝚖𝚕𝚔𝚊 𝚂𝚊𝚗𝚍𝚢 ❦⎯⎯⎯⎯♛
Seen from Germany
Most Popular Users
Elon Musk 
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.1M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
86.9M followers
Taylor Swift
@taylorswift13
80.7M followers
Lady Gaga
@ladygaga
72.3M followers
Kim Kardashian
@kimkardashian
69.4M followers
Virat Kohli
@imvkohli
68.7M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.5M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.2M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60M followers