Top Tweets for #MeshAgent
🚨 Recently, attacks abusing #MeshAgent and #SuperShell against Windows and Linux web servers in Korea have been confirmed.
If an organization's network is successfully taken over, sensitive information can be stolen or ransomware deployed, so please stay alert.
Read more: https://t.co/2e33wiHVdm
#ThreatIntel

🚨 Cato MDR Alert: We’ve detected a malicious IP address being used to download Quasar RAT, MeshAgent, and Defender Control via cURL.
Key IoCs, URLs and hashes in the thread below. 🧵👇
#ThreatIntel #QuasarRAT #MeshAgent #DefenderControl

"EMISSÃO DE NOTA FISCAL 7466991"
spread #MeshAgent cc @1ZRR4H @dodo_sec
⛔️vmi2471669.contaboserver[.net/?cliente?id=605&NFE=605
⛔️emitirnf.pt-app.]link/emitir-nota.php?obternota=1
⛔️C2 sso.meusams.]club
Samples
https://t.co/RZB1UwRoUT
AnyRun
https://t.co/FQlC8Ry2C7
@ShanHolo @VMware Mentioned #MeshAgent contact IP 162.0.213.235
@Namecheap
https://t.co/HhavEnonfO
Related Samples 👇
https://t.co/QfHdWIqVxj

#RMMTool
⚠️#MeshAgent
☣️VMware-viclient-0d1f65c0.exe➡️e48e5b2645ef2ad3e9a5220f0208e478
📡hxxp://162.0.213.235:443/agent.ashx
🚨Low detection ratio 2/70
🔥 Valid signature ⤵️📸

#Intrusion #Summary
1⃣TA actor likely achieved initial access via #Phishing
2⃣End user was fooled into downloading a fake VMware installer.
⚠️VMware-viclient-0d1f65c0.exe➡️e48e5b2645ef2ad3e9a5220f0208e478
3⃣TA dropped RMM meshagent⤵️
4⃣Conducted reconnaissance activity via "net group".
RMM #MeshAgent abused by #APT36
#NKN client + GDrive APIs
id-19-down@dotted-banner-447000-h2.iam.gserviceaccount.com
#SaadaC2
title=="Saada C2 - Login"
saadac3.accesscam[.]org
saadac2.mywire[.]org
145.223.103.223
185.208.158.138
13.53.214.28
13.48.24.5
#TransparentTribe #APT
Mostly #DISGOMOJI of #APT36
[1/n]
"Password" file is stager that downloads:
HOME/.x96_32-linux-gnu/x96coreinfo
73ad8a312c11733ba4c97cc1c6f4f37a
-(#AES/#RC4 encrypted)
ServiceManager.txt
43e4260c595b20e357be75c0c1fbec29
HOME/.config/x96-dependencies.jar
#TransparentTribe #APT
@DaveLikesMalwre @500mk500 @UK_Daniel_Card OK today work💯
#meshagent
Samples
https://t.co/OLMxQjEZu7
AnyRun
https://t.co/Qq7h1pYKDV

#opendir at: http://79.124.58.130
malicious #meshagent (https://t.co/FfLVL6CcTm…);
c2: 94.232.43.185

🇷🇺Breakdown: Russian Hacking Group, Awaken Likho
Awaken Likho distributed malicious URLs via phishing emails and exploited #MeshAgent for C2 server purposes, gaining remote access to infected PCs.
Check out the details of the tactics that were used in the attacks and learn how to detect C2 server IPs using #Criminal_IP!
https://t.co/7Ag36mqElu

#Meshagent #Malware
☣️0d6e405856f8687fb1a06645a85bb0f3
📡hxxp://94.232.43.185:443/agent.ashx
🤖Botnet: workgroup-09/28/2024
Low detection ratio 13/72
cc:@JAMESWT_MHT


Next up an unclear finding:
#MeshAgent is a legitimate Remote Control solution sometimes abused for fraud.
kaminet . eu
contains an opendir which is exclusively serving MeshAgent.
There is a FB page for Kaminet IT support but also an Indonesian research org (webpage pwnd!)
6/x

@angel11VR @malwrhunterteam @DissectMalware @James_inthe_box @Antelox @vxunderground @Cyber0verload Mentioned #Signed #AnonVnc #MeshAgent
"Shenzhen Variable Engine E-commerce Co., Ltd."
❇️Samples
https://t.co/Zdb00M3e25

Today #AnonVnc #MeshAgent from fake emails mimicking the Secret Service of Ukraine. gbshost .net & filedn .eu. Needs admin priv. Persists via Startup folder. @malwrhunterteam @DissectMalware @James_inthe_box @JAMESWT_MHT @Antelox @vxunderground @Cyber0verload

AnonVNC Panel IP Address: 186.2.171[.]76



"LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader" published by CiscoTalos. #InkBox, #InkLoader, #LilacSquid, #MeshAgent, #UAT-4820, #PurpleInk, #QuasarRAT, #CTI, #OSINT, #LAZARUS https://t.co/Ecbw8CW5KW
First time encountering #MeshAgent in a #DFIR encounter.
I've seen it being mentioned in the past here but other than that... Don't sleep on it, add it to your RMM detection queries, rules, etc.!
Config can be found in the Registry or .msh file!
https://t.co/XojBD0gv5k