101010.pl

Sekoia.ioOur new report describes one of the latest observed infection chains (delivering <a href="https://infosec.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a>) relying on the <a href="https://infosec.exchange/tags/Cloudflare" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cloudflare</a> tunnel infrastructure and the attacker’s <a href="https://infosec.exchange/tags/TTPs" class="mention hashtag" rel="nofollow noopener" target="_blank">#TTPs</a> with a principal focus on detection opportunities. <a href="https://blog.sekoia.io/detecting-multi-stage-infection-chains-madness/" rel="nofollow noopener" translate="no" target="_blank">https://blog.sekoia.io/detecting-multi-stage-infection-chains-madness/</a>

Hackread.comWatch Out!🚨 New phishing scam targets hotel staff with fake <a href="https://mstdn.social/tags/Booking" class="mention hashtag" rel="nofollow noopener" target="_blank">#Booking</a>.com emails. A fake CAPTCHA leads to AsyncRAT malware via a Windows Run trick.Read more: <a href="https://hackread.com/booking-com-phishing-scam-fake-captcha-asyncrat/" rel="nofollow noopener" translate="no" target="_blank">https://hackread.com/booking-com-phishing-scam-fake-captcha-asyncrat/</a><a href="https://mstdn.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://mstdn.social/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a> <a href="https://mstdn.social/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://mstdn.social/tags/Scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#Scam</a>

ESET Research<a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#ESETresearch</a> has uncovered the <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener" target="_blank">#MirrorFace</a> Operation AkaiRyū, which extends the group’s usual focus beyond Japan into Europe. The initial lure centered around Expo 2025 in Japan, compromising a Central European diplomatic institute. <a href="https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/" rel="nofollow noopener" translate="no" target="_blank">https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/</a>Surprisingly, <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener" target="_blank">#MirrorFace</a> used <a href="https://infosec.exchange/tags/ANEL" class="mention hashtag" rel="nofollow noopener" target="_blank">#ANEL</a> – a backdoor historically linked only to <a href="https://infosec.exchange/tags/APT10" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT10</a> – highlighting a shift in the group’s tactics and reinforcing suspicions that MirrorFace could be part of the APT10 umbrella. Operation AkaiRyū began with targeted spearphishing emails referencing the victim’s past correspondence and Expo 2025 , persuading recipients to download malicious attachments. Once the files were opened, a layered compromise chain ensued . Collaborating with the victim allowed us to perform in-depth analysis, shedding light on MirrorFace’s post-compromise behavior – from credential harvesting to dropping additional tools for lateral movement. <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener" target="_blank">#MirrorFace</a> used an intricate execution chain to stealthily run a highly tweaked <a href="https://infosec.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a> within <a href="https://infosec.exchange/tags/WindowsSandbox" class="mention hashtag" rel="nofollow noopener" target="_blank">#WindowsSandbox</a>, hampering detection efforts. This is the first time we’ve seen MirrorFace employ AsyncRAT. In another twist, <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener" target="_blank">#MirrorFace</a> utilized <a href="https://infosec.exchange/tags/VSCode" class="mention hashtag" rel="nofollow noopener" target="_blank">#VSCode</a> remote tunnels, a tactic enabling covert access and command execution on compromised machines. This approach has also been seen with other China-aligned cyberespionage groups. The group primarily leveraged <a href="https://infosec.exchange/tags/ANEL" class="mention hashtag" rel="nofollow noopener" target="_blank">#ANEL</a> as a first-stage backdoor, <a href="https://infosec.exchange/tags/HiddenFace" class="mention hashtag" rel="nofollow noopener" target="_blank">#HiddenFace</a> – MirrorFace’s flagship backdoor – was dropped later in the attack to bolster persistence . Notably absent this time was <a href="https://infosec.exchange/tags/LODEINFO" class="mention hashtag" rel="nofollow noopener" target="_blank">#LODEINFO</a>, which <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener" target="_blank">#MirrorFace</a> typically employs.We presented our findings about Operation AkaiRyū conducted by <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener" target="_blank">#MirrorFace</a> at @jpcert_ac on January 22, 2025: <a href="https://jsac.jpcert.or.jp" rel="nofollow noopener" translate="no" target="_blank">https://jsac.jpcert.or.jp</a>. IoCs available in our GitHub repo: <a href="https://github.com/eset/malware-ioc/tree/master/mirrorface" rel="nofollow noopener" translate="no" target="_blank">https://github.com/eset/malware-ioc/tree/master/mirrorface</a>

BradTwo new posts this week on the malware-traffic-analysis.net website:2024-03-13: <a href="https://infosec.exchange/tags/GootLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GootLoader</a> activity at <a href="https://www.malware-traffic-analysis.net/2024/03/14/index.html" rel="nofollow noopener" translate="no" target="_blank">https://www.malware-traffic-analysis.net/2024/03/14/index.html</a>2024-03-14: <a href="https://infosec.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a> and <a href="https://infosec.exchange/tags/XWorm" class="mention hashtag" rel="nofollow noopener" target="_blank">#XWorm</a> infection at <a href="https://www.malware-traffic-analysis.net/2024/03/14/index.html" rel="nofollow noopener" translate="no" target="_blank">https://www.malware-traffic-analysis.net/2024/03/14/index.html</a><a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> files... malware samples... You all know the deal.These are based on social media posts from my employer. I authored GootLoader social media post. <a href="https://defcon.social/@mithrandir" class="u-url mention" rel="nofollow noopener" target="_blank">@mithrandir</a> authored the AsyncRAT/XWorm social media post, and I got a good pcap out of it.Shout out to <a href="https://defcon.social/@mithrandir" class="u-url mention" rel="nofollow noopener" target="_blank">@mithrandir</a> !!!

Brad2024-02-21 (Wednesday): From a social media post I wrote for my employer, posted at <a href="https://www.linkedin.com/posts/unit42_parrottds-socgholish-asyncrat-activity-7166192124441415681-rnLv" rel="nofollow noopener" translate="no" target="_blank">https://www.linkedin.com/posts/unit42_parrottds-socgholish-asyncrat-activity-7166192124441415681-rnLv</a> and <a href="https://twitter.com/Unit42_Intel/status/1760426508558950518" rel="nofollow noopener" translate="no" target="_blank">https://twitter.com/Unit42_Intel/status/1760426508558950518</a>Site with <a href="https://infosec.exchange/tags/ParrotTDS" class="mention hashtag" rel="nofollow noopener" target="_blank">#ParrotTDS</a> redirects to <a href="https://infosec.exchange/tags/SocGholish" class="mention hashtag" rel="nofollow noopener" target="_blank">#SocGholish</a> fake browser update page. SocGholish payload installs <a href="https://infosec.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a>. List of indicators at <a href="https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-02-21-IOCs-from-SocGholish-AsyncRAT-infection.txt" rel="nofollow noopener" translate="no" target="_blank">https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-02-21-IOCs-from-SocGholish-AsyncRAT-infection.txt</a>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> of traffic from an infection run and the associated malware samples/artifacts are available at <a href="https://malware-traffic-analysis.net/2024/02/21/index.html" rel="nofollow noopener" translate="no" target="_blank">https://malware-traffic-analysis.net/2024/02/21/index.html</a>

ricardo :mastodon:Stealthy <a href="https://fosstodon.org/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a> malware attacks targets US infrastructure for 11 months<a href="https://www.bleepingcomputer.com/news/security/stealthy-asyncrat-malware-attacks-targets-us-infrastructure-for-11-months/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/stealthy-asyncrat-malware-attacks-targets-us-infrastructure-for-11-months/</a>

🛡 H3lium@infosec.exchange/:~# :blinking_cursor:"⚠️ <a href="https://infosec.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a>'s New WSF Script Attack Method Unveiled 🛡️🕵️‍♂️🐀 "AsyncRAT, known for its stealth and data extraction capabilities, now employs WSF scripts in its attack chain. This shift from .chm files to WSF scripts, as reported by AhnLab's ASEC, enhances its evasion techniques. The WSF script, hidden in a .zip file from phishing emails, downloads a Visual Basic script which then executes a .jpg file disguised as a .zip, eventually leading to a PowerShell-scripted fileless attack.Key insights:<ul><li>Complex infection chain starting with spam emails.</li><li>Use of PowerShell, VBScript, and BAT files to inject into RegSvcs.exe, evading antivirus detection.</li><li>Final attack phase: Portable Executable (PE) file injected into RegSvcs.exe, establishing a connection with AsyncRAT server for data exfiltration.</li></ul>Stay vigilant against this sophisticated threat and ensure robust security protocols.🔐Source: <a href="https://asec.ahnlab.com/en/59573/" rel="nofollow noopener" target="_blank">AhnLab Security Emergency response Cente</a> and <a href="https://gbhackers.com/asyncrat-wsf-script-files/" rel="nofollow noopener" target="_blank">GBHackers</a>Tags: <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://infosec.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a> <a href="https://infosec.exchange/tags/FilelessAttack" class="mention hashtag" rel="nofollow noopener" target="_blank">#FilelessAttack</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/DataExfiltration" class="mention hashtag" rel="nofollow noopener" target="_blank">#DataExfiltration</a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntelligence</a> <a href="https://infosec.exchange/tags/InfoSecExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoSecExchange</a> 🌍💻🔍🐀

mithrandirCompleted Part 3 of my personal <a href="https://defcon.social/tags/SocGholish" class="mention hashtag" rel="nofollow noopener" target="_blank">#SocGholish</a> series.The article digs into the follow-up payloads delivered once the Update.js is executed on a victim machine.Interestingly, I saw <a href="https://defcon.social/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> RAT and an unknown (to me) PowerShell C2 beacon be delivered together.If anyone can shed more light on what the PowerShell beacon may be, it would be much appreciated! Seems to be inspired by <a href="https://defcon.social/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a>, though.Big thanks to <a href="https://infosec.exchange/@rmceoin" class="u-url mention" rel="nofollow noopener" target="_blank">@rmceoin</a> for help along the way.<a href="https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3" rel="nofollow noopener" target="_blank">https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3</a>

Opalsec :verified:This week's edition of SOC Goulash, our Weekend Wrap-Up of infosec news, is live and hot off the press!<a href="https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-be1" rel="nofollow noopener" target="_blank">https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-be1</a>Building on last week's flagging of the increase in abuse of <a href="https://infosec.exchange/tags/Malvertising" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malvertising</a>, researchers have observed it being abused to deliver <a href="https://infosec.exchange/tags/ASyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#ASyncRAT</a> and <a href="https://infosec.exchange/tags/xworm" class="mention hashtag" rel="nofollow noopener" target="_blank">#xworm</a> payloads, as well as to harvest master passwords for Password Manager solutions like <a href="https://infosec.exchange/tags/Bitwarden" class="mention hashtag" rel="nofollow noopener" target="_blank">#Bitwarden</a> and <a href="https://infosec.exchange/tags/1Password" class="mention hashtag" rel="nofollow noopener" target="_blank">#1Password</a>. <a href="https://infosec.exchange/tags/Hive" class="mention hashtag" rel="nofollow noopener" target="_blank">#Hive</a> ransomware have had their infrastructure seized in a multi-national law enforcement operation. The authorities lurked in their infrastructure for six months, gathering communications & information on their members and stealing 1,300 decryption keys that enabled them to avert ~$130 million in potential ransom payments.North Korea's crypto-hunting actors have been agile in adopting emerging tradecraft and developing novel payloads. With $1 billion worth of funds brought into the hermit kingdom in 2022, orgs in the <a href="https://infosec.exchange/tags/cryptocurrency" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptocurrency</a> and <a href="https://infosec.exchange/tags/DeFi" class="mention hashtag" rel="nofollow noopener" target="_blank">#DeFi</a> space will need to be on guard coming into 2023.<a href="https://infosec.exchange/tags/PlugX" class="mention hashtag" rel="nofollow noopener" target="_blank">#PlugX</a> malware continues to be developed, with new variants spotted in the wild capable of spreading via USB, upgrading old installations, and pilfering documents from hosed computers.<a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerabilities</a> in the Realtek SDK have been exploited nearly 130 million times between August and December last year alone by botnets seeking to grow their numbers.Security researchers Horizon3 intend to release a PoC <a href="https://infosec.exchange/tags/exploit" class="mention hashtag" rel="nofollow noopener" target="_blank">#exploit</a> for CVSS 9.8 RCE vulnerabilities in VMWare's vRealize Log Insight product this week - make sure you're patched!For our paid subscribers, we've got some additional articles on: 1. The adoption of OneNote for payload delivery, and tips for analysis; 2. An overview of CVE-2022-34689, a critical Windows vulnerability that could be abused to intercept & decrypt encrypted communications or spoof code-signing of malicious executables; 3. A vulnerability/not-vulnerability in <a href="https://infosec.exchange/tags/KeePass" class="mention hashtag" rel="nofollow noopener" target="_blank">#KeePass</a>, with no patch and an unknown scope of impact, allowing attackers to dump plaintext credentials from the Password Manager.As always, there's a tonne of additional goodies to be found in the newsletter that I couldn't cover here, so check it out here: <a href="https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-be1" rel="nofollow noopener" target="_blank">https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-be1</a><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/CyberAttack" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberAttack</a> <a href="https://infosec.exchange/tags/Hacked" class="mention hashtag" rel="nofollow noopener" target="_blank">#Hacked</a> <a href="https://infosec.exchange/tags/cyber" class="mention hashtag" rel="nofollow noopener" target="_blank">#cyber</a> <a href="https://infosec.exchange/tags/news" class="mention hashtag" rel="nofollow noopener" target="_blank">#news</a> <a href="https://infosec.exchange/tags/cybernews" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybernews</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infosecnews" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosecnews</a> <a href="https://infosec.exchange/tags/informationsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#informationsecurity</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#technology</a> <a href="https://infosec.exchange/tags/hacker" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacker</a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerability</a> <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerabilities</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#ransomware</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#redteam</a> <a href="https://infosec.exchange/tags/soc" class="mention hashtag" rel="nofollow noopener" target="_blank">#soc</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener" target="_blank">#malvertising</a> <a href="https://infosec.exchange/tags/passwordmanager" class="mention hashtag" rel="nofollow noopener" target="_blank">#passwordmanager</a> <a href="https://infosec.exchange/tags/vmware" class="mention hashtag" rel="nofollow noopener" target="_blank">#vmware</a> <a href="https://infosec.exchange/tags/poc" class="mention hashtag" rel="nofollow noopener" target="_blank">#poc</a>

Recent searches

Search options

Administered by:

Server stats:

#AsyncRAT