101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, the oldest Polish Mastodon server. We support posts of up to 2048 characters.


#qakbot


🚨#IcedID, #Smokeloader, #SystemBC, #Pikabot and #Bumblebee botnets have been disrupted by Operation Endgame!! This is the largest operation EVER against botnets involved with ransomware, with gargantuan thanks to a coordinated effort led by international agencies 👏👏

As with the #Qakbot and #Emotet takedowns, Spamhaus are again providing remediation support - those affected will be contacted from today with steps to take.

👉 For more information, read our write-up here: spamhaus.org/resource-hub/malw

The Spamhaus Project · Malware | Operation Endgame | Botnets disrupted after international action | Resources

Cybercriminals are using #Scalable_Vector_Graphics (#SVG) files to deliver malware because SVG is an XML-based vector image format for two-dimensional graphics that supports interactivity and animation. SVG files can natively contain #JavaScript code, which can be executed by browsers when the SVG is loaded.
They do this by leveraging the #AutoSmuggle tool introduced in May 2022. This tool embeds malicious files into SVG/HTML content, bypassing security measures. Notably, SVG files were exploited to distribute #ransomware in 2015 and the #Ursnif malware in January 2017. A significant advancement occurred in 2022, with malware like #QakBot being delivered through SVG files containing embedded .zip archives. AutoSmuggle campaigns in December 2023 and January 2024 delivered the #XWorm #RAT and #Agent_Tesla #Keylogger, respectively, showcasing a shift towards embedding executable files directly within SVG files to evade detection by Secure Email Gateways (#SEGs). This evolution underscores the need for updated security measures to combat sophisticated malware delivery methods.
The misuse of SVG files for malware distribution dates back to 2015, with ransomware being one of the first to be delivered through this vector.
Original report: Cofense

Cofense · SVG Files Abused in Emerging Campaigns | Cofense. Learn how threat actors are exploiting the use of SVG files for malware delivery and how to protect your organization from these emerging campaigns.
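The post above describes the traits that make SVG attachments usable as a smuggling container: native script elements, event-handler attributes, and base64 blobs carried inside the XML. The following scanner is an added example written for this page (it is not Cofense's code or the AutoSmuggle tool) that flags exactly those traits in an SVG file before it reaches a user. The sample SVGs are constructed here, and the "payload" inside them is just a repeated harmless string.

```python
"""Static triage of SVG files for active content and embedded payloads (added example)."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a benign-looking drawing that also carries an onload
# handler, a base64 data: href and a <script> element. The blob is the
# harmless bytes b"not a real payload" repeated, so the sample runs anywhere.
_BLOB = base64.b64encode(b"not a real payload" * 20).decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <rect width="100" height="100" fill="blue" onload="init()"/>
  <image xlink:href="data:application/zip;base64,{_BLOB}"/>
  <script><![CDATA[ var p = "{_BLOB}"; ]]></script>
</svg>"""

# Constructed benign control: a plain shape with no scripting hooks.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle r="4"/></svg>'

# A long run of base64 alphabet characters anywhere in the file (threshold is an
# assumption; tune to your environment).
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}")[-1]


def scan_svg(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # Malformed XML is itself worth a look: parsers in mail gateways and
        # browsers may disagree on how to recover from it.
        return [f"unparseable XML: {exc}"]

    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("script element")
        if tag == "foreignObject":
            findings.append("foreignObject element (can embed HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            if name == "href" and value.startswith("data:"):
                findings.append(f"data: URI on <{tag}>")
            if name == "href" and value.lower().startswith("javascript:"):
                findings.append(f"javascript: URI on <{tag}>")

    for match in _B64_RUN.finditer(text):
        findings.append(f"base64 run of {len(match.group())} chars")
    return findings


def is_suspicious(text: str) -> bool:
    """Gateway-style verdict: any finding at all blocks or quarantines the file."""
    return bool(scan_svg(text))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("sample", SAMPLE_SVG)):
        print(label, "->", scan_svg(doc) or "clean")
```

The checks are deliberately structural rather than signature-based: a mail gateway that blocks any SVG containing a script element, an `on*` attribute or a large embedded blob will stop the family of smuggling tricks the post describes without needing a hash of each campaign's file.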
Replied in thread

The good news is that these samples are all consistently caught and stopped in Sophos products with our existing endpoint detection rules.

The Evade_34b (mem/prchollow-b) detections in Sophos Endpoint trigger as soon as Qakbot tries to perform the initial process injection.

Qakbot has only trickled out a few samples, but the botnet was so large at one point, and so omnipresent, that any activity by threat actors to bring it back deserves surveillance and scrutiny. X-Ops analysts will continue to keep a close eye on any new developments.
10/10
#Qakbot #malware #spam

Replied in thread

One final curiosity we observed: When run under Windows, the #Qakbot malware spawned a small popup box that makes it appear something called Adobe Setup was running. On some test systems, the Qakbot DLL drops a copy of itself as Adobe.dll.

If the user clicks the X in the small dialog, the malware spawns a dialog that says "Are you sure you want to cancel Adobe installation?"

The #malware installs without regard to what you click.
9/

Replied in thread

Prior generations of #Qakbot added, then later removed, the ability to detect whether the malware was running inside a virtual machine. This generation has brought back those checks, and will enter an infinite loop if it finds itself in a VM.

It also places a duplicate copy of the malware in the user's %TEMP% folder with an 8-random-character filename.
8/
#malware #spam

Replied in thread

The #Qakbot #malware still checks to see if any endpoint protection is installed, including Sophos.

If it detects us, it looks like it's supposed to inject its code into one of the following benign Windows applications: AtBroker.exe, backgroundTaskHost.exe or dxdiag.exe.

But several of the samples didn't do that: they launched a copy of themselves, and then injected the unpacked payload into the copy, instead.
7/
#spam

Replied in thread

The C2 communications are also now encrypted using AES-256. As we've previously written, X-Ops was able to decode the C2 communications in the prior generation of #Qakbot. We now see that the attackers have added additional text fields to the initial C2 message.

We also observed that the C2 communications no longer HTTPS POST to the URI path /t4 or /t5 on the C2 server, as did the pre-takedown bots. We should now see POSTs to the /teorama505 URI, instead.
6/
#malware #spam #Qakbot
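The post above gives a concrete network indicator: pre-takedown bots POSTed to `/t4` or `/t5`, and the new builds POST to `/teorama505`. Below is an added example (not Sophos X-Ops code) of a detection pass over proxy log lines that matches the HTTP method and the exact URI path, ignoring query strings and avoiding substring hits such as `/t4/docs`. The log format and every line in it are constructed for this example.

```python
"""Flag outbound POSTs to the C2 URI paths named in the post (added example)."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Paths taken from the post: /t4 and /t5 (pre-takedown bots), /teorama505 (new builds).
QAKBOT_C2_PATHS = {"/t4", "/t5", "/teorama505"}

# Constructed sample log in an assumed simplified proxy format:
#   timestamp client_ip method url status bytes
# Lines 4 and 5 are decoys: a GET under /t4/, and a POST to /api/t4.
SAMPLE_LOG = """\
2024-01-15T10:01:02Z 10.0.0.21 GET https://www.example.com/index.html 200 5120
2024-01-15T10:01:07Z 10.0.0.21 POST https://203.0.113.45:443/teorama505 200 831
2024-01-15T10:02:11Z 10.0.0.34 POST https://198.51.100.7/t5?x=1 404 0
2024-01-15T10:02:30Z 10.0.0.34 GET https://www.example.com/t4/docs 200 2048
2024-01-15T10:03:00Z 10.0.0.50 POST https://www.example.com/api/t4 200 100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one proxy log line into its fields; raises ValueError on a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def find_c2_posts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per POST whose exact URI path is in QAKBOT_C2_PATHS."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["method"] != "POST":
            continue
        parts = urlsplit(rec["url"])
        # Compare the path component only: the query string and any prefix or
        # suffix on the path must not turn a benign URL into a match.
        if parts.path in QAKBOT_C2_PATHS:
            hits.append(
                {"ts": rec["ts"], "src": rec["src"], "host": parts.hostname or "", "path": parts.path}
            )
    return hits


if __name__ == "__main__":
    for hit in find_c2_posts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']}{hit['path']}")
```

A 404 response (line 3 of the sample) is still reported: a bot beaconing to a controller that has already gone offline is exactly the host you want to find. Because `/t4` and `/t5` are short paths that legitimate services could also use, pair this rule with destination reputation or with the AES-encrypted POST body size before paging anyone.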

Replied in thread

#Qakbot starts by looking if a config is stored in the Windows Registry; if it doesn't find one, it uses a basic config embedded in the malware itself. This is one piece of embedded information the new AES-256 encryption method conceals.

We have been spending time looking at how this process works, and what it tells us about the command-and-control servers the attackers have stood up.
5/
#malware #spam

Replied in thread

The first samples we looked at from December were packed with something called the DaveCrypter, but more recently, the developers are obfuscating data in new ways.

Among the changes we've observed: The attackers are working at hardening the encryption they use to conceal strings and other information; older samples used a simple XOR encryption method; these newer samples also use XOR, but encrypt the XOR key using AES-256.
4/
#Qakbot #malware #spam

Replied in thread

The December and early January samples came in the form of an .MSI file – a Microsoft Software Installer executable. The .MSI drops a Windows .cab (Cabinet) archive, which in turn contains a DLL. The .MSI extracts the DLL from the .cab, and executes it using shellcode. The shellcode causes the DLL to spawn a second copy of itself and inject the bot code into the second instance's memory space.

Prior generations of #Qakbot injected their code into benign Windows processes or libraries.
3/
#Qakbot #malware #spam

Continued thread

In recent weeks, Sophos X-Ops analysts have been reverse engineering the samples we first obtained in mid-December 2023. At that time, analysts saw a brief email campaign but only a couple of unique #Qakbot #malware binaries. Since then, we've gathered fewer than ten from a variety of sources.

"They seem to still be testing," one analyst said. And they're diligently incrementing the build number as they go.
2/
#spam #malware

Hey everyone. @threatresearch here on the X-Ops thread with a quick update about #Qakbot

After last August's international takedown of infrastructure that controlled the Qakbot botnet, a lot of people – including some here at Sophos – thought we hadn't seen the last of the #spam-delivered #malware

Unfortunately, we and others were right. Someone with access to the source code has been experimenting with new builds, making incremental changes. 1/
#threatintel #SophosXOps

🦆🤖 Qakbot makes a return....a not-so-welcome Christmas present!

Spamhaus researchers are observing low-volume Qakbot campaigns targeting specific business sectors. But, we do have some positive news....

Many of the observed botnet controllers are now offline, and the remaining ones are hosted by ISPs already known as rogue, and listed on the Spamhaus Extended DROP List 👉 spamhaus.org/drop/

👀 Watch this space; if anything changes, we'll keep you updated!

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #40/2023 is out! It includes the following and much more:

🇺🇸 🗳️ D.C. Board of #Elections confirms voter data stolen in site hack
🔓 🪪 #MGM Resorts confirms hackers stole customers’ personal data during #cyberattack
🔓 🧬 #DNA testing service 23andMe investigating theft of user data
🔓 🎧 #Sony confirms #databreach impacting thousands in the U.S.
📱 💥 Lyca Mobile Group Services Significantly Disrupted by Cyberattack
🔓 🕵🏻‍♂️ #NATO investigating breach, #leak of internal documents
🔓 🇪🇺 European Telecommunications Standards Institute Discloses Data Breach
🔓 🏨 #MotelOne discloses data breach following #ransomware attack
🇰🇵 💰 North Korea's #Lazarus Group Launders $900 Million in #Cryptocurrency
🇧🇪 🇨🇳 #Alibaba accused of ‘possible espionage’ at European hub
🇨🇳 #China-linked cyberspies #backdoor #semiconductor firms with #CobaltStrike
🥸 Meet LostTrust #ransomware — A likely rebrand of the #MetaEncryptor gang
🇬🇾 🇨🇳 #Guyana Governmental Entity Hit by #DinodasRAT in #CyberEspionage Attack
🇷🇺 🇺🇸 #FBI most-wanted Russian hacker reveals why he burned his passport
🇺🇸 🏥 #FDA cyber mandates for #medicaldevices go into effect
☁️ 🔓 Number of Internet-Exposed #ICS Drops Below 100,000
☁️ #Microsoft Warns of Cyber Attacks Attempting to Breach Cloud via #SQL Server Instance
🦠 📈 #QakBot Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks
🔓 🍏 #Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day
🎣 🧑🏻‍💼 US Executives Targeted in #Phishing Attacks Exploiting Flaw in Indeed Job Platform
🦠 🏦 #Zanubis #Android Banking Trojan Poses as Peruvian Government App to Target Users
🦠 🇮🇷 Iranian APT Group #OilRig Using New Menorah #Malware for Covert Operations
🔐 ☁️ #Amazon to make #MFA mandatory for 'root' #AWS accounts by mid-2024
🛡️ 🧅 #Microsoft Defender no longer flags #Tor Browser as malware
👀 X-Force uncovers global #NetScaler Gateway credential harvesting campaign
🐛 💰 Zero-days for hacking #WhatsApp are now worth millions of dollars
🩹 #Cisco fixes hard-coded root credentials in Emergency Responder
🔓 Vulnerabilities in #Supermicro BMCs could allow for unkillable server #rootkits
🔓 🐧 Looney Tunables: New #Linux Flaw Enables Privilege Escalation on Major Distributions
🐍 Warning: #PyTorch Models Vulnerable to Remote Code Execution via ShellTorch
🩹 Microsoft Edge, Teams get fixes for zero-days in #opensource libraries
🔓 🔥 Live Exploitation Underscores Urgency to Patch Critical WS-FTP Server Flaw
☁️ Cloudflare #DDoS protections ironically bypassed using #Cloudflare

📚 This week's recommended reading is: "8 Steps to Better Security: A Simple Cyber Resilience Guide for Business" by Kim Crawley

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/

X’s Infosec Newsletter · InfoSec MASHUP - Week 40/2023 · By Xavier «X» Santolaria

This article from @TalosSecurity is wrong: infosec.exchange/@TalosSecurit

The activity reported in this Talos article is not associated with #Qakbot.

Why do I say this?

This Talos article is "...connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns."

Talos identifies these campaigns as "AA" and "BB." But the other data Talos presents isn't associated with infrastructure for the "AA" and "BB" campaigns that have pushed Qakbot before.

That "AA" and "BB" infrastructure has been active since last month, pushing #DarkGate, #Pikabot, and #IcedID. This distribution network is run by a threat actor Proofpoint identifies as #TA577. TA577 was one of the distributors of Qakbot before Qakbot got taken down.

I would never have called TA577 the threat actor behind Qakbot, but Talos does in the article. It is merely a threat actor that distributed Qakbot.

From what I can tell, this Knight ransomware activity is not connected with the AA/BB/TA577 distributor who has previously spread Qakbot and other malware.

Mastodon 🐘 · Cisco Talos Intelligence Group (@TalosSecurity@mstdn.social) · Attached: 1 image · The actors behind the #Qakbot malware are still active, despite a recent takedown announcement from the FBI. Talos research found a new malware they're spreading, including a #ransomware and backdoor via phishing emails https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/

Announcement: Shadowserver Qakbot Historical Bot Infections Special Report

We are pleased to announce another one-off Special Report following the Federal Bureau of Investigation (FBI) and partners' recent disruption operation against the #Qakbot botnet. The law enforcement action uninstalled the malware from infected computers globally, and this Special Report disseminates information from a seized database listing over 700,000 previously infected victim computers from July 2019 to August 2023.

This Special Report is distributed to Network Owners and National CSIRTs in support of the law enforcement operation and our own mission to make the Internet more secure for everyone. It enables system defenders to examine their estate and remediate computers that may have had Qakbot and other secondary malware dropped by Qakbot.

You can read more about the report: shadowserver.org/news/qakbot-h

If you are already signed up for Shadowserver Reports, look out for this Special Report dated 2023-08-24. If you receive it then your network had Qakbot infection(s) in the past and could still have secondary infections. If you are not already signed up for our free daily network reporting - please do so here: shadowserver.org/what-we-do/ne

Direct link to special report page: shadowserver.org/what-we-do/ne

Report filename prefix is 2023-08-24. Searchable under the API using the date 2023-09-08.