Olivia
Online
Matthew Mesa
@mesa_matt
Tweets are my own.
Joined December 2014
107 Following
4.6K Followers
1.8K Posts
Pinned Tweet
The adventures of Josephine Pena. From LinkedIn invitations to More_eggs Jscript Downloader:
https://t.co/xuhAbbT1f6
Zscaler's Nikolaos Pantazopoulos analyses the functionality of Raspberry Robin (also known as Roshtyak), including its execution layers, obfuscation methods and network communication process, along with its latest exploits. https://t.co/IUxXDM5Loy
https://t.co/oqd15GHNBk
And of course the earlier Rapid7 blogpost covering the Quick Assist abuse they observed:
https://t.co/LMbNiYxIRS
Who to follow
Tom Hegel
@TomHegel
@LabsSentinel Research Lead, Hunting nation-state threats @SentinelOne, bending intelligence tech to shape real-world outcomes with @ValidinLLC
James
@James_inthe_box
Antelox
@Antelox
A Civil Engineer married with Mrs IDA Pro. Sons are WinDbg and OllyDbg. We live in a VM. We eat bread and malware, APT on Sunday
Related:
https://t.co/fxhsdcVG5Y
Qakbot and other payloads delivered via ☎, Quick Assist, and social engineering. Leading to 🍝. Also with tie ins to:
https://t.co/yhRc35AN6U
Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that lead to Black Basta ransomware. https://t.co/PA5dW6alnQ
I’ll be speaking @SLEUTHCON this year!
The lineup is amazing. I can’t wait to learn from everyone.
Full list of speakers here: https://t.co/JgghOZJYy4
Continuation of the campaign IDs first seen here:
https://t.co/vjXAlWdXH0
An embedded configuration EPOCH timestamp indicates the payload was generated on December 11. The campaign code was tchk06. Most notably, the delivered Qakbot payload was configured with the previously unseen version 0x500.
Observed Qakbot C2:
45[.]138.74.191
65[.]108.218.24
Be alert that there is Qakbot being spread in the wild:
49220571574da61781de37f35c66e8f0dadb18fdedb6d3a1be67485069cfd4b0
Campaign: tchk08
ITW URLs on Virustotal:
upd5[.]pro
upd112.appspot[.]com
Join me, @switchingtoguns, @a_de_pasquale, and our team as a Sr. Threat Researcher focusing on phishing detection. Use your skills in pattern-based detection, regex, HTML/HTTP, and current phishing landscape, to combat phishing threats for SAA customers
https://t.co/BaD7lLjC4I
@wdormann @ItsReallyNick It was disabled then. It was re-enabled by default in later versions - the versions are listed in the MSRC blog.
Ya Qbot is back, it sucks. But look what happened with Emotet when it came back. Was a half assed attempt at running a botnet which eventually disappeared without any LE. Lets make it so that becomes the case with Qbot as well.
An embedded configuration EPOCH timestamp indicates the payload was generated on December 11. The campaign code was tchk06. Most notably, the delivered Qakbot payload was configured with the previously unseen version 0x500.
Observed Qakbot C2:
45[.]138.74.191
65[.]108.218.24
Unfortunately, I had to look at their email campaigns again this week.
RIP Qbot. After having to look at Qbot email campaigns on a regular basis since ~2017, I don't think I'll miss it.
Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee.
So proud to be a part of this collective effort at Microsoft. Badasses at Microsoft Threat Intelligence supporting significant Digital Crimes Unit legal disruptions. This is just the beginning, so many more targets, so much more we are doing and will do #staytuned
Would you realise if java.exe spawning something dodgy was a 0-day? @0g_omkar and team did, patch your on-prem SysAid instances
Malware delivered via teams, you should have a look at this. No log, no protection, except if you configure team to only allow trusted orgs to discuss with yours. But you can’t see if it’s already in use because you don’t have logs…
https://t.co/uTDHF7PCgB
Last Seen Users on Sotwe
Trends for you
Most Popular Users
Elon Musk 
@elonmusk
240.3M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.5M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87.1M followers
Taylor Swift
@taylorswift13
80.9M followers
Lady Gaga
@ladygaga
72.5M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
69M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.6M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.7M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.2M followers