In late January, Sophos MDR Incident Response responded to a cluster of simultaneous Qilin ransomware attacks on customers of a managed service provider. The attacks were enabled by the MFA phishing of an MSP administrator's ScreenConnect login. /1
Just before 2024, I am releasing another blog addressing the new #MetaStealer version, talking about some stealer's drama, and I also included something on the Google cookie refresher "feature" ...
https://t.co/vuNrNye0As
Happy New Year, folks! 🎇
#SolarMarker ☀️ has been active since 2020 and continually changes its tactics, delivering additional payloads in the form of stealers and hVNC backdoors. In this write-up, I will explore some of the past findings related to SolarMarker, with more to come...
The link to the write-up: https://t.co/s6Aur6vWjU
@esthreat
The new #Nitrogen 2.0 campaign comes back with some juicy stuff...🤿
✅ AMSI, WLDP bypass, ETW patching, AntiHook, and the implementation of KrakenMask
✅ Usage of transacted hollowing
✅ Obfuscated Python scripts delivering Sliver C2 and Cobalt Strike payloads
✅ Usage of Restic for data exfiltration
✅ Deployment of ALPHV/BlackCat in the final phase
Check out our blog for more details:
https://t.co/ZdzKtenfFx
@esthreat
Wild #RogueRaticate appeared 🐀 Similar infection chain as described in this thread https://t.co/6g7ANLZIya
▶️ The infected WP website: hxxps://glenpharmer[.]com/restaurant/
▶️ Did a little more digging. The same web inject is used to deliver SocGholish here (hxxps://msgroup[.]space/most-funny-sports-moments-you-have-ever-seen/, where the initial C2 is mta.timeline.transversallearning[.]com)
▶️ opendir hosting both NetSupport RAT binaries and the hta file (hxxps://www.monroefmc[.]com/wp-content/uploads/2014/)
▶️ NetSupport RAT is dropped under C:\Users\<username>\AppData\Roaming\SquirellApp. Gateway IP is 185.225.75[.]33
▶️ Persistence via scheduled task "BackgroundCheck"
I am naming this #RogueRaticate campaign that leverages URL shortcuts to drop #NetSupportRAT 🐀
1/
➡️ The user is getting infected via a drive-by download with the fake update screen (similar to SocGholish behavior). The initial payload is hosted on compromised WordPress websites.
➡️ The downloaded payload is a URL shortcut, also known as an Internet shortcut file (detection bypass).
💡 The URL shortcut file can be used to access and execute the payload stored on the website (hxxps://ishahcouture.com/wp-content/uploads/2021/01/Install%20Updater%20(v102.22.145)[.]url).
➡️ The HTA file spawns the decoded PowerShell command that is responsible for downloading and extracting NetSupportRAT, creating CMSTP.inf (UAC bypass) under the %TEMP% folder.
➡️ The URL the NetSupportRAT is retrieved from: hxxps://ishahcouture.com/wp-content/uploads/2020/03/ActiveGlucol[.]zip (the same website the URL shortcut is hosted on)
➡️ After executing the HTA file, the user gets a creepy pop-up image...
➡️ The decrypted URL where the creepy image is retrieved from hxxps://cdn.mos.cms.futurecdn.net/PPrspXcTaapLpEHjBQ7CJc-970-80[.]jpg
➡️ CMSTP.inf file contains the command to create a scheduled task to run NetSupportRAT under %AppData%\ActiveGlucol\client32.exe (task name: BackgroundCheck, runs at logon)
➡️ NetSupportRAT C2: 94.158.244[.]26:5051
Thank you @DanInglis_ and @bohansec for identifying the initial execution and malware content
@esthreat
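As an added defender-side example (not part of the thread above), a small Python rule set that flags the stages of the RogueRaticate chain the thread describes (mshta spawning PowerShell, CMSTP.inf under %TEMP%, a "BackgroundCheck" task launching client32.exe from %AppData%) in constructed, simplified telemetry lines. The log format, field names and sample paths are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not real logs): "event|key=value|key=value".
SAMPLE_LOGS = [
    "process|image=C:\\Windows\\System32\\mshta.exe|parent=explorer.exe",
    "process|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|parent=mshta.exe",
    "file|path=C:\\Users\\bob\\AppData\\Local\\Temp\\CMSTP.inf|writer=powershell.exe",
    "process|image=C:\\Windows\\System32\\cmstp.exe|parent=powershell.exe"
    "|cmd=cmstp.exe C:\\Users\\bob\\AppData\\Local\\Temp\\CMSTP.inf",
    "task_created|name=BackgroundCheck|trigger=logon"
    "|action=C:\\Users\\bob\\AppData\\Roaming\\ActiveGlucol\\client32.exe",
    "process|image=C:\\Windows\\System32\\notepad.exe|parent=explorer.exe",  # benign
]

def parse(line):
    """Split one line into a dict; the first field is the event type."""
    event, *fields = line.split("|")
    rec = {"event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def evaluate(rec):
    hits = []
    image = rec.get("image", "").lower()
    parent = rec.get("parent", "").lower()
    cmd = rec.get("cmd", "").lower()
    if rec["event"] == "process":
        # HTA handing off to the decoded PowerShell command
        if image.endswith("\\powershell.exe") and parent == "mshta.exe":
            hits.append("mshta.exe spawned powershell.exe")
        # cmstp.exe consuming an .inf from the user's %TEMP% (the UAC bypass step)
        if image.endswith("\\cmstp.exe") and re.search(r"\\temp\\[^ ]+\.inf", cmd):
            hits.append("cmstp.exe run with an .inf from %TEMP%")
    elif rec["event"] == "file":
        path = rec.get("path", "").lower()
        if path.endswith("\\cmstp.inf") and "\\temp\\" in path:
            hits.append("CMSTP.inf written under %TEMP%")
    elif rec["event"] == "task_created":
        action = rec.get("action", "").lower()
        # The task name from the thread, or any task launching client32.exe from %AppData%
        if rec.get("name") == "BackgroundCheck" or (
            "\\appdata\\" in action and action.endswith("\\client32.exe")
        ):
            hits.append("scheduled task launches NetSupport client32.exe from %AppData%")
    return hits

def scan(lines):
    """Run every record through the rules; returns (event, description) pairs."""
    return [(rec["event"], hit) for rec in map(parse, lines) for hit in evaluate(rec)]
```

Each rule fires on a single record, so a real deployment would still want to correlate them by host and time window before alerting.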
Fake Sky Go installer within an ISO image distributing #redline? 🤔 and #magnatbackdoor via the AutoIT obfuscated script. The UPX-packed payload is injected into the ftp.exe process.
URL hosting the initial ISO image: www2.ejercicios-para-personas-mayores[.]com/
C2: gjiidv[.]com
Sandbox: https://t.co/FhFdefHYUv
@esthreat
It's here–the deepest, sharpest infrared view of the universe to date: Webb's First Deep Field.
Previewed by @POTUS on July 11, it shows galaxies once invisible to us. The full set of @NASAWebb's first full-color images & data will be revealed July 12: https://t.co/63zxpNDi4I
An outage at one of the largest ISPs in Canada, @Rogers Communications, started earlier today, July 8, 2022, and is ongoing after more than 12 hours.
In this blog post, we explain what we've been seeing, including some non-successful attempts:
https://t.co/Mb49tw5IRJ
New Solarmarker
New persistence script; same persistence methods: drops file in Startup to call newly registered file extensions. Samples on VT and MalwareBazaar
Dropper/Loader EXE: https://t.co/6EjuYWs7aj
Backdoor DLL: https://t.co/vSS1HLKnL4
C2: 92.204.160.114
@th3_protoCOL
The latest #squirrelwaffle sample seems to be writing to c:\rimta\mse*.ocx, where * is numerical in this case. Similar to previous conventions.
Full list:
c:\datop\test*.test
c:\datop\good*.good
C:\Datop\best*.ocx
C:\Jambo\xrv*.ocx
c:\rimta\mse*.ocx