toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.


#stealc

Marcel SIneM(S)US<p>«The perpetrators promise to offer cracked software[...].»<br>— Anyone who falls for that is a complete beginner :mastolol: Do you still remember astalavista.box.sk :mastocheeky: (Does the site actually still exist?🤔)</p><p>IT security researchers discover <a href="https://social.tchncs.de/tags/Tiktok" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tiktok</span></a> campaign for <a href="https://social.tchncs.de/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> installation | Security <a href="https://www.heise.de/news/Social-Engineering-Kampagne-Tiktok-Videos-mit-Anleitung-zu-Malware-Installation-10398870.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">heise.de/news/Social-Engineeri</span><span class="invisible">ng-Kampagne-Tiktok-Videos-mit-Anleitung-zu-Malware-Installation-10398870.html</span></a> <a href="https://social.tchncs.de/tags/SocialMedia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialMedia</span></a> <a href="https://social.tchncs.de/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialEngineering</span></a> <a href="https://social.tchncs.de/tags/Infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infostealer</span></a> <a href="https://social.tchncs.de/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> <a href="https://social.tchncs.de/tags/Vidar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vidar</span></a></p>
ccinfo.nl<p>TikTok is known as a platform for creative content, but it is now also being used as bait by cybercriminals. <br>Podcast YouTube: <a href="https://youtu.be/cPADO5G5kJ0?si=7n-L01IBSzdX67DL" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">youtu.be/cPADO5G5kJ0?si=7n-L01</span><span class="invisible">IBSzdX67DL</span></a></p><p>Podcast Spotify: <a href="https://open.spotify.com/episode/2ZcrbUvXIOfBpPuaq7VQt7?si=61ccef7960ac43c7" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">open.spotify.com/episode/2Zcrb</span><span class="invisible">UvXIOfBpPuaq7VQt7?si=61ccef7960ac43c7</span></a></p><p>Article Cybercrimeinfo: <a href="https://www.ccinfo.nl/menu-onderwijs-ontwikkeling/cybercrime/malware/2527960_hoe-tiktok-verandert-in-een-digitale-valstrik-infostealer-malware-via-virale-video-s" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">ccinfo.nl/menu-onderwijs-ontwi</span><span class="invisible">kkeling/cybercrime/malware/2527960_hoe-tiktok-verandert-in-een-digitale-valstrik-infostealer-malware-via-virale-video-s</span></a></p><p><a href="https://mastodon.social/tags/TikTok" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TikTok</span></a> <a href="https://mastodon.social/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://mastodon.social/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://mastodon.social/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> <a href="https://mastodon.social/tags/infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infostealer</span></a> <a href="https://mastodon.social/tags/socialengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>socialengineering</span></a> <a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://mastodon.social/tags/digitaleveiligheid" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>digitaleveiligheid</span></a> <a href="https://mastodon.social/tags/PowerShell" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PowerShell</span></a> <a href="https://mastodon.social/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> <a href="https://mastodon.social/tags/Vidar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vidar</span></a> <a href="https://mastodon.social/tags/jongerenonline" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jongerenonline</span></a> <a href="https://mastodon.social/tags/cyberdreiging" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyberdreiging</span></a> <a href="https://mastodon.social/tags/cyberbewustzijn" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyberbewustzijn</span></a> <a href="https://mastodon.social/tags/darkweb" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>darkweb</span></a> <a href="https://mastodon.social/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://mastodon.social/tags/gratissoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gratissoftware</span></a> <a href="https://mastodon.social/tags/cyberaanval" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyberaanval</span></a> <a href="https://mastodon.social/tags/digitalevalstrik" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>digitalevalstrik</span></a></p>
Infoblox Threat Intel<p>Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported about cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.<br> <br>Disrupting criminal operations is difficult and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.<br> <br>Here are some examples of the RDGA domains:<br>2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my<br> <br>These campaigns share similar TTPs with those that we reported several months ago. The threat actor that we discussed in this post (<a href="https://infosec.exchange/@InfobloxThreatIntel/114027715851469775" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@InfobloxThre</span><span class="invisible">atIntel/114027715851469775</span></a>) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.<br> <br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infostealer</span></a> <a href="https://infosec.exchange/tags/lummastealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lummastealer</span></a> <a href="https://infosec.exchange/tags/stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>stealc</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/tracker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tracker</span></a> <a href="https://infosec.exchange/tags/cloaker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cloaker</span></a> <a href="https://infosec.exchange/tags/rdga" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rdga</span></a></p>
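The pattern the Infoblox post describes, one label registered under several cheap TLDs and parked on a single staging IP before use, can be hunted for in a passive-DNS export. The script below is an added example and not Infoblox's code: the domain labels are the ones quoted in the post, while the staging IP, the other resolved IPs, the first-seen dates and the activation date are constructed placeholders.

```python
"""Cluster RDGA-style domains by shared label and shared staging IP.

Added example, not Infoblox's code. Domain labels are the ones quoted in
the post above; the IP addresses and first-seen dates are constructed
placeholders that imitate a passive-DNS export, so the script runs offline.
"""
from collections import defaultdict
from datetime import date

# Constructed stand-in for the dedicated staging IP (RFC 5737 test range,
# not the real address from the post).
STAGING_IP = "203.0.113.10"

# Constructed passive-DNS style records: (defanged domain, resolved IP,
# first-seen date as ISO string). Labels match the post; the rest is made up.
PDNS_RECORDS = [
    ("2323dot2[.]cfd", STAGING_IP, "2025-03-18"),
    ("2323dot2[.]cyou", STAGING_IP, "2025-03-18"),
    ("2323dot2[.]my", STAGING_IP, "2025-03-19"),
    ("832pip[.]cfd", STAGING_IP, "2025-03-25"),
    ("832pip[.]cyou", STAGING_IP, "2025-03-25"),
    ("832pip[.]my", STAGING_IP, "2025-03-26"),
    ("832pip[.]sbs", STAGING_IP, "2025-03-26"),
    ("bin48[.]cfd", STAGING_IP, "2025-04-02"),
    ("bin48[.]cyou", STAGING_IP, "2025-04-02"),
    ("bin48[.]my", STAGING_IP, "2025-04-03"),
    # Constructed negative case: same label across three TLDs, but one of
    # them resolves elsewhere, so the shared-staging-IP test fails.
    ("bot113cloud[.]cfd", STAGING_IP, "2025-04-05"),
    ("bot113cloud[.]cyou", STAGING_IP, "2025-04-05"),
    ("bot113cloud[.]my", "192.0.2.44", "2025-04-06"),
    # Constructed benign control: a single registration on an unrelated IP.
    ("example[.]org", "198.51.100.7", "2020-01-01"),
]


def refang(domain):
    """Turn the defanged 'label[.]tld' notation used in threat reports
    back into a resolvable name."""
    return domain.replace("[.]", ".").lower().strip(".")


def split_label(domain):
    """Return (registrable label, tld) for a name such as 'bin48.cyou'."""
    parts = refang(domain).split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a registered domain: {domain!r}")
    return parts[-2], parts[-1]


def cluster_by_label(records):
    """Group records by label: {label: {tld: (ip, first_seen_iso)}}."""
    clusters = defaultdict(dict)
    for domain, ip, first_seen in records:
        label, tld = split_label(domain)
        clusters[label][tld] = (ip, first_seen)
    return clusters


def flag_rdga_candidates(records, staging_ip, min_tlds=3):
    """Flag labels registered under at least `min_tlds` TLDs whose every
    registration resolves to the same staging IP.

    Returns a sorted list of (label, sorted tlds, earliest first-seen)."""
    flagged = []
    for label, by_tld in cluster_by_label(records).items():
        ips = {ip for ip, _ in by_tld.values()}
        if len(by_tld) >= min_tlds and ips == {staging_ip}:
            earliest = min(seen for _, seen in by_tld.values())
            flagged.append((label, sorted(by_tld), earliest))
    return sorted(flagged)


def lead_time_days(first_seen_iso, activated_iso):
    """Days between the first passive-DNS sighting and the date the domain
    was first used in an attack: the window a DNS-level block buys."""
    first = date.fromisoformat(first_seen_iso)
    activated = date.fromisoformat(activated_iso)
    return (activated - first).days


if __name__ == "__main__":
    # Constructed activation date, chosen to line up with the post's
    # "1-2 months before" observation.
    ACTIVATED = "2025-05-22"
    for label, tlds, earliest in flag_rdga_candidates(PDNS_RECORDS, STAGING_IP):
        print(f"{label:<12} tlds={','.join(tlds):<18} first_seen={earliest} "
              f"lead={lead_time_days(earliest, ACTIVATED)}d")
```

The strict "every registration on the staging IP" test keeps the false-positive rate low on a real export; relax it to a majority check if the actor starts mixing parking providers.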
securityaffairs<p>Fake software activation videos on <a href="https://infosec.exchange/tags/TikTok" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TikTok</span></a> spread <a href="https://infosec.exchange/tags/Vidar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vidar</span></a>, <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a><br><a href="https://securityaffairs.com/178269/cyber-crime/fake-software-activation-videos-on-tiktok-spread-vidar-stealc.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">securityaffairs.com/178269/cyb</span><span class="invisible">er-crime/fake-software-activation-videos-on-tiktok-spread-vidar-stealc.html</span></a><br><a href="https://infosec.exchange/tags/securityaffairs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>securityaffairs</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a></p>
Brad<p>2025-05-22 (Thursday): After the recent <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> disruption, I found an active sample today, so how effective was the disruption, really? </p><p>SHA256 hash for the installer EXE for Lumma Stealer: </p><p>8619bea9571a4dcc4b7f4ba494d444b8078d06dea385dc0caa2378e215636a65</p><p>Analysis: </p><p>- <a href="https://tria.ge/250523-afpxxsfm5t" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">tria.ge/250523-afpxxsfm5t</span><span class="invisible"></span></a><br>- <a href="https://app.any.run/tasks/add82eaa-bdb8-43b9-885b-c0a58cc2530c" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/add82eaa-bdb</span><span class="invisible">8-43b9-885b-c0a58cc2530c</span></a></p><p>To be fair, I investigated a campaign that was pushing Lumma Stealer earlier this week, and it had switched to <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> v2 malware earlier today (2025-05-22):</p><p>- <a href="https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-22-campaign-switches-from-Lumma-to-StealC-v2.txt" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/PaloAltoNetworks/Un</span><span class="invisible">it42-timely-threat-intel/blob/main/2025-05-22-campaign-switches-from-Lumma-to-StealC-v2.txt</span></a></p><p>So the disruption was at least somewhat effective based on what I'm seeing. I don't have eyes on the criminal underground, though, so I don't know what's happening with Lumma Stealer's customers.</p>
The New Oil<p><a href="https://mastodon.thenewoil.org/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> <a href="https://mastodon.thenewoil.org/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> enhanced with stealth upgrades and data theft tools</p><p><a href="https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with-stealth-upgrades-and-data-theft-tools/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/stealc-malware-enhanced-with-stealth-upgrades-and-data-theft-tools/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
Still<p>Finally got around to taking a look at StealcV2 today after the few weeks it's been out</p><p>Initial loader (536a64b3267c5056b261d71324793571d02a8714bcb8f395927f72f77d004f56) <br>-&gt; CF obfuscated shellcode (bdace8aba0dbcac81811d833605fadc157ed95864537d5bf1fc28f125becef1f)<br>-&gt; Rust-based (1.85.1) loader/injector (f6ce652432d8baf56195c49d34ad89bd7cf933a6af864973f7b03e6bb3acc88e)<br>-&gt; StealcV2 payload (a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2)</p><p>Looks like it might have been a major rewrite? I'm not sure; I haven't closely compared it against StealcV1 yet. Strings are Base64 RC4 encoded. The RC4 patterns used in the binary currently cause a false negative in capa; I've filed an issue accordingly.</p><p>We also wrote a new YARA rule to detect StealcV2 on stream as well. Surprisingly, the heuristics-based Chromium ABE stealer YARA rule we wrote half a year ago still matches this sample and other known StealcV2 samples.</p><p>C2<br>- 91.92.46[.]133/8f11bd01520293d6.php </p><p>Samples, IoCs, and more <br><a href="https://github.com/Still34/malware-lab/tree/main/reworkshop/2025-04-26" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/Still34/malware-lab</span><span class="invisible">/tree/main/reworkshop/2025-04-26</span></a> </p><p><a href="https://infosec.exchange/tags/threathunting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threathunting</span></a> <a href="https://infosec.exchange/tags/stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>stealc</span></a></p>
Brad<p>2025-04-22 (Tuesday): Always fun to find the fake CAPTCHA pages with the <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> style instructions trying to convince viewers to infect their computers with malware. </p><p>Saw <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> from an infection today. </p><p>Indicators available at <a href="https://github.com/malware-traffic/indicators/blob/main/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/malware-traffic/ind</span><span class="invisible">icators/blob/main/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt</span></a></p><p><a href="https://infosec.exchange/tags/ClipboardHijacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClipboardHijacking</span></a> <a href="https://infosec.exchange/tags/Pastejacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Pastejacking</span></a></p>
𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@malware_traffic" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>malware_traffic</span></a></span> <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> is exfiltrating a great deal of juicy information from that victim's PC.</p>
Brad<p>2025-03-26 (Wednesday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmartApeSG</span></a> traffic for a fake browser update page leads to a <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> infection. A zip archive for <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> sent over the <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupportRAT</span></a> C2 traffic.</p><p>The <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> infection uses DLL side-loading by a legitimate EXE to <a href="https://infosec.exchange/tags/sideload" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sideload</span></a> the malicious DLL.</p><p>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> from an infection, the associated <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> samples, and <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOCs</span></a> are available at <a href="https://www.malware-traffic-analysis.net/2025/03/26/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/03/26/index.html</span></a></p>
Brad<p>Social media post I wrote for my employer at <a href="https://www.linkedin.com/posts/unit42_smartapesg-netsupportrat-stealc-activity-7297994624814432256-HOrX/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">linkedin.com/posts/unit42_smar</span><span class="invisible">tapesg-netsupportrat-stealc-activity-7297994624814432256-HOrX/</span></a><br>and <a href="https://x.com/Unit42_Intel/status/1892229005702471868" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">x.com/Unit42_Intel/status/1892</span><span class="invisible">229005702471868</span></a></p><p>2025-02-18 (Tuesday): Legitimate but compromised websites with an injected script for <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmartApeSG</span></a> lead to a fake browser update page that distributes <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupportRAT</span></a> malware. During an infection run, we saw follow-up malware for <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a>. More info at <a href="https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/PaloAltoNetworks/Un</span><span class="invisible">it42-timely-threat-intel/blob/main/2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt</span></a></p><p>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> from the infection traffic, the associated malware, and other info are available at <a href="https://malware-traffic-analysis.net/2025/02/18/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/02/18/index.html</span></a></p>
ESET Research<p><a href="https://infosec.exchange/tags/ESETResearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETResearch</span></a>’s monitoring of <a href="https://infosec.exchange/tags/AceCryptor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AceCryptor</span></a> revealed a significant decrease in prevalence of the malware in H2 2024: we only observed around 3k unique samples as opposed to 13k in H1 2024. Overall hits went down by 68% compared to H1, and by 87% compared to H2 2023.</p><p>Similarly, the number of unique users targeted by AceCryptor campaigns decreased by 58% between H1 and H2 2024, and the decrease was even more pronounced when compared to H2 2023, amounting to 85%.</p><p>As for the malware families packed by the cryptor, we could yet again see the usual suspects such as <a href="https://infosec.exchange/tags/Rescoms" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rescoms</span></a>, <a href="https://infosec.exchange/tags/Smokeloader" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Smokeloader</span></a>, and <a href="https://infosec.exchange/tags/Stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Stealc</span></a> among the most delivered threats.</p><p>While much smaller in scale than in previous periods, we still detected two notable campaigns of the malware. First, on July 11, 2024, 500 victims in Germany 🇩🇪 were sent emails with malicious attachments disguised as financial documents inside a password-protected archive.</p><p>Instead of the documents, the archive contained an AceCryptor executable packing the Raccoon Stealer successor <a href="https://infosec.exchange/tags/RecordBreaker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RecordBreaker</span></a>, which then exfiltrated the victim information to a C&amp;C server with the IP address of 45[.]153[.]231[.]163.</p><p>Then on September 23, 2024, more than 1,600 endpoints of small businesses in Czechia 🇨🇿 received emails whose attachments contained an AceCryptor binary packing the <a href="https://infosec.exchange/tags/XWorm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>XWorm</span></a> RAT 🪱🐀. As a C&amp;C, XWorm RAT used easynation[.]duckdns[.]org.</p><p>The list of 🔍 Indicators of Compromise (IoCs) can be found in our GitHub repository: <a href="https://github.com/eset/malware-ioc/tree/master/ace_cryptor" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/eset/malware-ioc/tr</span><span class="invisible">ee/master/ace_cryptor</span></a></p>
MistressPrime :verified:<p>Cybercriminals are targeting Google Chrome users by exploiting a technique that traps them in kiosk mode, which prevents access to usual escape methods like pressing F11 or ESC. The attack starts by infecting a system with malware, such as StealC, which forces Chrome into full-screen mode, making it appear as though a Google login is required. Once the user enters their credentials, the malware harvests the data and sends it to the attackers.</p><p>This tactic leverages user frustration, as they believe entering credentials is the only way to regain control of their system. Similar attacks have also been seen on Android devices, where malware mimics legitimate Google apps to steal login credentials.</p><p>To counter this, users are advised to use specific key combinations, like Alt + F4 or Ctrl + Shift + Esc, to exit kiosk mode and terminate Chrome through task manager. </p><p>Additionally, ensuring malware protection and downloading apps only from trusted sources can help mitigate the risk of such attacks.<br><a href="https://anti-social.online/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://anti-social.online/tags/chrome" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>chrome</span></a> <a href="https://anti-social.online/tags/stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>stealc</span></a> <a href="https://anti-social.online/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <br><a href="https://www.forbes.com/sites/daveywinder/2024/09/17/hackers-force-chrome-users-to-hand-over-google-passwords-heres-how" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">forbes.com/sites/daveywinder/2</span><span class="invisible">024/09/17/hackers-force-chrome-users-to-hand-over-google-passwords-heres-how</span></a></p>
The Spamhaus Project<p>This June saw the return of <a href="https://infosec.exchange/tags/Vidar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vidar</span></a>, in at #9 with a +2,358% increase in samples shared on abuse.ch's URLhaus. But it's no match for fellow stealers, <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> and <a href="https://infosec.exchange/tags/Amadey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Amadey</span></a>, with 2,6,28 and 1,771 samples shared respectively (!) 😲 </p><p>👉 Read the Malware Digest stats here: <a href="https://www.spamhaus.org/malware-digest/#urlhaus" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">spamhaus.org/malware-digest/#u</span><span class="invisible">rlhaus</span></a> </p><p><a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://infosec.exchange/tags/URLHaus" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>URLHaus</span></a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntelligence</span></a></p>
𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲<p>NetworkMiner 2.9 Released!</p><ul><li><a href="https://infosec.exchange/tags/TZSP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TZSP</span></a> support</li><li><a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> extractor</li><li>Improved <a href="https://infosec.exchange/tags/Modbus" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Modbus</span></a> parser</li><li><a href="https://infosec.exchange/tags/JA4" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JA4</span></a> support</li><li><a href="https://infosec.exchange/tags/GTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GTP</span></a> decapsulation</li></ul><p><a href="https://netresec.com/?b=245092b" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">netresec.com/?b=245092b</span><span class="invisible"></span></a></p>
The Spamhaus Project<p>This month StealC 🔝 tops the charts for malware families associated with malware sites at 4,577 samples shared on URLHaus. Meanwhile Cobalt Strike remains #1 for IOCs shared - find out which malware are in the Top10 at the links below:</p><p>ThreatFox | IOCs shared:<br>👉 <a href="https://www.spamhaus.org/malware-digest/#threatfox" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">spamhaus.org/malware-digest/#t</span><span class="invisible">hreatfox</span></a></p><p>URLHaus | Malware sites:<br>👉 <a href="https://www.spamhaus.org/malware-digest/#urlhaus" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">spamhaus.org/malware-digest/#u</span><span class="invisible">rlhaus</span></a></p><p>All the data in the Malware Digest is provided by <span class="h-card" translate="no"><a href="https://ioc.exchange/@abuse_ch" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>abuse_ch</span></a></span>'s community driven open platforms.</p><p><a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://infosec.exchange/tags/abuseCH" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>abuseCH</span></a> <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOCs</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a></p>
Not Simon<p><strong>Proofpoint</strong> identified multiple YouTube channels distributing malware by promoting cracked and pirated video games and related content. The video descriptions include links leading to the download of Vidar, StealC and Lumma information stealers. IOC provided. 🔗 <a href="https://www.proofpoint.com/us/blog/threat-insight/threat-actors-deliver-malware-youtube-video-game-cracks" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">proofpoint.com/us/blog/threat-</span><span class="invisible">insight/threat-actors-deliver-malware-youtube-video-game-cracks</span></a></p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/IOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOC</span></a> <a href="https://infosec.exchange/tags/YouTube" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>YouTube</span></a> <a href="https://infosec.exchange/tags/Vidar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vidar</span></a> <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> <a href="https://infosec.exchange/tags/Lumma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumma</span></a> <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infostealer</span></a></p>
Not Simon<p><strong>ASEC</strong> describes a StealC infostealer campaign which had an unusually large number of downloads recently. "There is a high possibility that it was disguised as a program also popular in Korea." Part of the infection chain uses steganography. The malware originally targeted Windows 11 OS, but adapted for older versions later. IOC provided. 🔗 <a href="https://asec.ahnlab.com/en/63308/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">asec.ahnlab.com/en/63308/</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infostealer</span></a> <a href="https://infosec.exchange/tags/IOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOC</span></a></p>
The Spamhaus Project<p>❗Since mid-December, researchers at Spamhaus have observed an uptick in activity from GCleaner (a.k.a. OnlyLogger) malware. Here we can see GCleaner is clearly active, dropping Stealc malware… </p><p>Researchers are seeing two variants of GCleaner, with different infrastructure and URLs for the first request:</p><p>1️⃣ A loader - packed with common packers like Dave packer </p><p>2️⃣ Impersonating BroomCleaner (as OnlyLogger impersonated GCleaner)</p><p>In the example shared, GCleaner is impersonating BroomStealer, and using a library embedded in the NSIS installer to perform the requests.</p><p>Is anyone else seeing this activity? Please share your insights in the comments 👇</p><p>👀 We'll keep you updated, as we learn more.</p><p><a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://infosec.exchange/tags/GCleaner" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GCleaner</span></a> <a href="https://infosec.exchange/tags/Stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Stealc</span></a> <a href="https://infosec.exchange/tags/OnlyLogger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OnlyLogger</span></a> <a href="https://infosec.exchange/tags/BroomStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BroomStealer</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatHunting</span></a></p>
mithrandir<p>I've just published a new write-up, detailing a killchain leading to the <a href="https://defcon.social/tags/Stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Stealc</span></a> information stealer. </p><p>Even took a stab at writing a string decryption script for the payload.</p><p>General summary:<br>Search for IP Scanning Tool --&gt;<br><a href="https://defcon.social/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Google</span></a> malvertising --&gt; <br>NSIS Package --&gt; <br>PowerShell Script --&gt;<br>.NET Loader --&gt;<br>Dropper --&gt;<br>StealC Payload</p><p>IOCs:<br>31.41.244[.]65<br>snow.cdn-b1d8e9.workers[.]dev<br>api-cdn12.azureedge[.]net<br>givingspirit[.]us<br>advanced-ip-scanner[.]net<br>cdn-c08e638.azureedge[.]net/download.html?q=ipscanner</p><p><a href="https://rerednawyerg.github.io/posts/malwareanalysis/stealc_ipscanner/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">rerednawyerg.github.io/posts/m</span><span class="invisible">alwareanalysis/stealc_ipscanner/</span></a></p><p><a href="https://defcon.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://defcon.social/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://defcon.social/tags/ioc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ioc</span></a></p>