101010.pl

Brad2025-05-22 (Thursday): After the recent <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#LummaStealer</a> disruption, I found an active sample today, so how effective was the disruption, really? SHA256 hash for the installer EXE for Lumma Stealer: 8619bea9571a4dcc4b7f4ba494d444b8078d06dea385dc0caa2378e215636a65Analysis: - <a href="https://tria.ge/250523-afpxxsfm5t" rel="nofollow noopener" translate="no" target="_blank">https://tria.ge/250523-afpxxsfm5t</a> - <a href="https://app.any.run/tasks/add82eaa-bdb8-43b9-885b-c0a58cc2530c" rel="nofollow noopener" translate="no" target="_blank">https://app.any.run/tasks/add82eaa-bdb8-43b9-885b-c0a58cc2530c</a>To be fair, I investigated a campaign that was pushing Lumma Stealer earlier this week, and it had switched to <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a> v2 malware earlier today (2025-05-22):- <a href="https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-22-campaign-switches-from-Lumma-to-StealC-v2.txt" rel="nofollow noopener" translate="no" target="_blank">https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-22-campaign-switches-from-Lumma-to-StealC-v2.txt</a>So the disruption was at least somewhat effective based on what I'm seeing. I don't have eyes on the criminal underground, though, so I don't know what's happening with Lumma Stealer's customers.

The New Oil<a href="https://mastodon.thenewoil.org/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a> <a href="https://mastodon.thenewoil.org/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> enhanced with stealth upgrades and data theft tools<a href="https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with-stealth-upgrades-and-data-theft-tools/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with-stealth-upgrades-and-data-theft-tools/</a><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a>

StillFinally got around to taking a look at StealcV2 today after a few weeks that it's been outInitial loader (536a64b3267c5056b261d71324793571d02a8714bcb8f395927f72f77d004f56) -> CF obfuscated shellcode (bdace8aba0dbcac81811d833605fadc157ed95864537d5bf1fc28f125becef1f ) -> Rust-based (1.85.1) loader/injector (f6ce652432d8baf56195c49d34ad89bd7cf933a6af864973f7b03e6bb3acc88e) -> StealcV2 payload (a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2)Looks like it might have been a major rewrite? I'm not sure I haven't closely compared it against the StealcV1 yet. Strings are Base64 RC4 encoded. The RC4 patterns used in the binary currently causes false negative in capa at the moment - I've filed an issue accordingly.We also wrote a new YARA rule to detect StealcV2 on stream as well. Surprisingly, my heuristics-based Chromium ABE stealer YARA rule we wrote half a year ago still matches this sample and other known StealcV2 samples.C2 - 91.92.46[.]133/8f11bd01520293d6.php Samples, IoCs, and more <a href="https://github.com/Still34/malware-lab/tree/main/reworkshop/2025-04-26" rel="nofollow noopener" translate="no" target="_blank">https://github.com/Still34/malware-lab/tree/main/reworkshop/2025-04-26</a> <a href="https://infosec.exchange/tags/threathunting" class="mention hashtag" rel="nofollow noopener" target="_blank">#threathunting</a> <a href="https://infosec.exchange/tags/stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#stealc</a>

Brad2025-04-22 (Tuesday): Always fun to find the fake CAPTCHA pages with the <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#ClickFix</a> style instructions trying to convince viewers to infect their computers with malware. Saw <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a> from an infection today. Indicators available at <a href="https://github.com/malware-traffic/indicators/blob/main/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt" rel="nofollow noopener" translate="no" target="_blank">https://github.com/malware-traffic/indicators/blob/main/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt</a><a href="https://infosec.exchange/tags/ClipboardHijacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#ClipboardHijacking</a> <a href="https://infosec.exchange/tags/Pastejacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pastejacking</a>

Brad2025-03-26 (Wednesday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> traffic for a fake browser update page leads to a <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> infection. A zip archive for <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a> sent over the <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> C2 traffic.The <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a> infection uses DLL side-loading by a legitimate EXE to <a href="https://infosec.exchange/tags/sideload" class="mention hashtag" rel="nofollow noopener" target="_blank">#sideload</a> the malicious DLL.A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> from an infection, the associated <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> samples, and <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#IOCs</a> are available at at <a href="https://www.malware-traffic-analysis.net/2025/03/26/index.html" rel="nofollow noopener" translate="no" target="_blank">https://www.malware-traffic-analysis.net/2025/03/26/index.html</a>

BradSocial media post I wrote for my employer at <a href="https://www.linkedin.com/posts/unit42_smartapesg-netsupportrat-stealc-activity-7297994624814432256-HOrX/" rel="nofollow noopener" translate="no" target="_blank">https://www.linkedin.com/posts/unit42_smartapesg-netsupportrat-stealc-activity-7297994624814432256-HOrX/</a> and <a href="https://x.com/Unit42_Intel/status/1892229005702471868" rel="nofollow noopener" translate="no" target="_blank">https://x.com/Unit42_Intel/status/1892229005702471868</a>2025-02-18 (Tuesday): Legitimate but compromised websites with an injected script for <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> lead to a fake browser update page that distributes <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> malware. During an infection run, we saw follow-up malware for <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a>. More info at <a href="https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt" rel="nofollow noopener" translate="no" target="_blank">https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt</a>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> from the infection traffic, the associated malware, and other info are available at <a href="https://malware-traffic-analysis.net/2025/02/18/index.html" rel="nofollow noopener" translate="no" target="_blank">https://malware-traffic-analysis.net/2025/02/18/index.html</a>

ESET Research<a href="https://infosec.exchange/tags/ESETResearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#ESETResearch</a>’s monitoring of <a href="https://infosec.exchange/tags/AceCryptor" class="mention hashtag" rel="nofollow noopener" target="_blank">#AceCryptor</a> revealed a significant decrease in prevalence of the malware in H2 2024: we only observed around 3k unique samples as opposed to 13k in H1 2024. Overall hits went down by 68% compared to H1, and by 87% compared to H2 2023.Similarly, the number of unique users targeted by AceCryptor campaigns decreased by 58% between H1 and H2 2024, and the decrease was even more pronounced when compared to H2 2023, amounting to 85%.As for the malware families packed by the cryptor, we could yet again see the usual suspects such as <a href="https://infosec.exchange/tags/Rescoms" class="mention hashtag" rel="nofollow noopener" target="_blank">#Rescoms</a>, <a href="https://infosec.exchange/tags/Smokeloader" class="mention hashtag" rel="nofollow noopener" target="_blank">#Smokeloader</a>, and <a href="https://infosec.exchange/tags/Stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#Stealc</a> among the most delivered threats.While much smaller in scale than in previous periods, we still detected two notable campaigns of the malware. First, on July 11, 2024, 500 victims in Germany 🇩🇪 were sent emails with malicious attachments disguised as financial documents inside a password protected archive.Instead of the documents, the archive contained an AceCryptor executable packing the Racoon Stealer successor <a href="https://infosec.exchange/tags/RecordBreaker" class="mention hashtag" rel="nofollow noopener" target="_blank">#RecordBreaker</a>, which then exfiltrated the victim information to a C&C server with the IP address of 45[.]153[.]231[.]163.Then on September 23, 2024 more than 1,600 endpoints of small businesses in Czechia 🇨🇿 received emails whose attachments contained an AceCryptor binary packing the <a href="https://infosec.exchange/tags/XWorm" class="mention hashtag" rel="nofollow noopener" target="_blank">#XWorm</a> RAT 🪱🐀. As a C&C, XWorm RAT used easynation[.]duckdns[.]org.The list of 🔍 Indicators of Compromise (IoCs) can be found in our GitHub repository: <a href="https://github.com/eset/malware-ioc/tree/master/ace_cryptor" rel="nofollow noopener" translate="no" target="_blank">https://github.com/eset/malware-ioc/tree/master/ace_cryptor</a>

𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲NetworkMiner 2.9 Released!<ul><li><a href="https://infosec.exchange/tags/TZSP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TZSP</a> support</li><li><a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a> extractor</li><li>Improved <a href="https://infosec.exchange/tags/Modbus" class="mention hashtag" rel="nofollow noopener" target="_blank">#Modbus</a> parser</li><li><a href="https://infosec.exchange/tags/JA4" class="mention hashtag" rel="nofollow noopener" target="_blank">#JA4</a> support</li><li><a href="https://infosec.exchange/tags/GTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#GTP</a> decapsulation</li></ul><a href="https://netresec.com/?b=245092b" rel="nofollow noopener" translate="no" target="_blank">https://netresec.com/?b=245092b</a>

mithrandirI've just published a new write up, detailing a killchain leading to the <a href="https://defcon.social/tags/Stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#Stealc</a> information stealer. Even took a stab at writing a string decryption script for the payload.General summary: Search for IP Scanning Tool --> <a href="https://defcon.social/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a> malvertising --> NSIS Package --> PowerShell Script --> .NET Loader --> Dropper --> StealC PayloadIOCs: 31.41.244[.]65 snow.cdn-b1d8e9.workers[.]dev api-cdn12.azureedge[.]net givingspirit[.]us advanced-ip-scanner[.]net cdn-c08e638.azureedge[.]net/download.html?q=ipscanner<a href="https://rerednawyerg.github.io/posts/malwareanalysis/stealc_ipscanner/" rel="nofollow noopener" target="_blank">https://rerednawyerg.github.io/posts/malwareanalysis/stealc_ipscanner/</a><a href="https://defcon.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://defcon.social/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://defcon.social/tags/ioc" class="mention hashtag" rel="nofollow noopener" target="_blank">#ioc</a>

Opalsec :verified:Happy Monday folks, I hope you had a restful weekend and managed to take a breather from all things cyber! Time to get back into it though, so let me give you hand - catch up on the week’s infosec news with the latest issue of our newsletter:<a href="https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf" rel="nofollow noopener" target="_blank">https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf</a><a href="https://infosec.exchange/tags/Emotet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Emotet</a> are back and are using…OneNote lures? ISO disk images? Malvertising? Nah – they’re sticking with tier tried and true TTPs – their Red Dawn maldoc template from last year; macro-enabled documents as lures, and null-byte padding to evade automated scanners. We’ve highlighted a report on the Xenomorph <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#Android</a> Banking Trojan, which added support for targeting accounts of over 400 banks; automated bypassing of MFA-protected app logins, and a Session Token stealer module. With capabilities like these becoming the norm, is it time to take a closer look at the threat Mobile Malware could pose to enterprise networks?North Korean hackers have demonstrated yet again that they’re tracking and integrating the latest techniques, and investing in malware development. A recent campaign saw eight new pieces of malware distributed throughout the kill chain, leveraging <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a> <a href="https://infosec.exchange/tags/InTune" class="mention hashtag" rel="nofollow noopener" target="_blank">#InTune</a> to deliver payloads and an in-memory dropper to abuse the <a href="https://infosec.exchange/tags/BYOVD" class="mention hashtag" rel="nofollow noopener" target="_blank">#BYOVD</a> technique and evade EDR solutions.A joint investigation by <a href="https://infosec.exchange/tags/Mandiant" class="mention hashtag" rel="nofollow noopener" target="_blank">#Mandiant</a> and <a href="https://infosec.exchange/tags/SonicWall" class="mention hashtag" rel="nofollow noopener" target="_blank">#SonicWall</a> has unearthed a two-year campaign by Chinese actors, enabled through exploitation of unpatched SMA100 appliances and delivery of tailored payloads. A critical vulnerability reported by <a href="https://infosec.exchange/tags/Fortinet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Fortinet</a> this week helps reinforce the point that perimeter devices need to be patched with urgency, as it’s a well-documented target for Chinese-affiliated actors.<a href="https://infosec.exchange/tags/HiatusRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#HiatusRAT</a> is a novel malware targeting <a href="https://infosec.exchange/tags/DrayTek" class="mention hashtag" rel="nofollow noopener" target="_blank">#DrayTek</a> routers, sniffing network traffic and proxying C2 traffic to forward-deployed implants. TTPs employed in recent <a href="https://infosec.exchange/tags/BatLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#BatLoader</a> and <a href="https://infosec.exchange/tags/Qakbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qakbot</a> campaigns are also worth taking note of, as is <a href="https://infosec.exchange/tags/GoBruteforcer" class="mention hashtag" rel="nofollow noopener" target="_blank">#GoBruteforcer</a>, a new malware family targeting specific web server applications to brute force logins and deploy an IRC bot for C2.Those in Vulnerability Management should take particular note of the <a href="https://infosec.exchange/tags/Veeam" class="mention hashtag" rel="nofollow noopener" target="_blank">#Veeam</a> vulnerability, which appears trivial to exploit and actually delivers plaintext credentials to the attacker. CISA have also taken note of nearly 40k exploit attempts of a 2 year old code-exec-as-root vulnerability in the <a href="https://infosec.exchange/tags/VMWare" class="mention hashtag" rel="nofollow noopener" target="_blank">#VMWare</a> Cloud Foundation product in the last two months, so make sure you’re patched against it.<a href="https://infosec.exchange/tags/Redteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#Redteam</a> members have some excellent reading to look forward to, looking at HTTP request smuggling to harvest AD credentials and persisting with a MitM Exchange server, as well as a detailed post that examines <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a>’s reflective loading capability;The <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#blueteam</a> has some great tradecraft tips from <a href="https://infosec.exchange/@inversecos" class="u-url mention" rel="nofollow noopener" target="_blank">@inversecos</a> on <a href="https://infosec.exchange/tags/Azure" class="mention hashtag" rel="nofollow noopener" target="_blank">#Azure</a> DFIR, as well as tools to help scan websites for malicious objects, and to combat the new <a href="https://infosec.exchange/tags/Stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#Stealc</a> <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#infostealer</a> and well-established Raccoon Stealer.Catch all this and much more in this week's newsletter:<a href="https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf" rel="nofollow noopener" target="_blank">https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf</a><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/cyber" class="mention hashtag" rel="nofollow noopener" target="_blank">#cyber</a> <a href="https://infosec.exchange/tags/news" class="mention hashtag" rel="nofollow noopener" target="_blank">#news</a> <a href="https://infosec.exchange/tags/cybernews" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybernews</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infosecnews" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosecnews</a> <a href="https://infosec.exchange/tags/informationsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#informationsecurity</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/newsletter" class="mention hashtag" rel="nofollow noopener" target="_blank">#newsletter</a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#technology</a> <a href="https://infosec.exchange/tags/hacker" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacker</a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerability</a> <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerabilities</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#ransomware</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/soc" class="mention hashtag" rel="nofollow noopener" target="_blank">#soc</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/DarkWeb" class="mention hashtag" rel="nofollow noopener" target="_blank">#DarkWeb</a> <a href="https://infosec.exchange/tags/mdm" class="mention hashtag" rel="nofollow noopener" target="_blank">#mdm</a> <a href="https://infosec.exchange/tags/dprk" class="mention hashtag" rel="nofollow noopener" target="_blank">#dprk</a> <a href="https://infosec.exchange/tags/FortiOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#FortiOS</a> <a href="https://infosec.exchange/tags/FortiProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#FortiProxy</a>

Recent searches

Search options

Administered by:

Server stats:

#stealc