Interestingly, I received a #Virus in a #Mail today that was packed in the ACE format.

Who can still unpack ACE these days? Was the bet that it would slip past the virus scanners because they can't open the archive?

I'll be sending my files in #ARJ format from now on; let's see how many virus scanners can still handle that.

#Snakeoil

#ARJ was a utility program for #MSDOS that enjoyed great popularity in the early 90s, when there was no #Internet and files were distributed to users via Bulletin Board Systems.
BBSs were accessed by computers with modems and direct phone calls.
ARJ allowed many files to be packaged and the size reduced.
ARJ, the star archiver of the 1990s.


Today in our section on "unconventional #Malware delivery": #ARJ archives! 📦
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader

You can recognize ARJ archives by their Magic: 60 EA
Extraction can be handled with 7zip for example.
For more information on the file format check out Ange Albertini's excellent graphic representation: https://twitter.com/angealbertini/status/1619006171360395264

As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
To fool the victims into opening the next file they used the common #doubleExtension trick, e.g. .pdf.exe

IoC for those playing along at home:
162.0.223[.]13
kbfvzoboss[.]bid
alphastand[.]trade
alphastand[.]win
alphastand[.]top
➡️/alien/fre.php

PO_Payment for invoice[...].eml.arj
d0c8824d1e19ca1af0b88a477fa4cad6

SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
88bdf4f8fe035276da984c370e4cda2c

#infosec #cybersecurity #blueteam
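The post above gives two things a defender can check mechanically: the ARJ magic bytes (60 EA) and the double-extension trick (.pdf.exe). The following Python is an added example, not code from the post's author, that triages an attachment by name and content and also catches the mismatch case (ARJ content under a non-.arj name). The function names, extension lists and the byte strings of the sample attachments are this example's own assumptions; only the two magic bytes and the two file names are taken from the post.

```python
# Added example (not from any of the posts above): minimal triage of an
# e-mail attachment for the two tricks the ARJ post describes:
# 1. an ARJ archive, recognised by its magic bytes 60 EA (from the post);
# 2. a double extension such as .pdf.exe that hides an executable.
# Function and variable names are this example's own assumptions.
from __future__ import annotations

ARJ_MAGIC = b"\x60\xEA"  # first two bytes of an ARJ archive (from the post)

# extensions a user would expect to be harmless documents or mail items
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "eml", "txt", "jpg", "png"}
# extensions Windows will execute when double-clicked (assumed list)
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def is_arj(data: bytes) -> bool:
    """True if the content starts with the ARJ magic, regardless of its name."""
    return data[:2] == ARJ_MAGIC


def double_extension(filename: str) -> tuple[str, str] | None:
    """Return (decoy_ext, real_ext) for names like 'invoice.pdf.exe', else None.

    Comparison is case-insensitive so 'REPORT.PDF.exe' is caught as well.
    """
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    _, decoy, real = parts
    if decoy in DOCUMENT_EXT and real in EXECUTABLE_EXT:
        return decoy, real
    return None


def triage(filename: str, data: bytes) -> list[str]:
    """Collect human-readable findings for one attachment (name plus content)."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if is_arj(data):
        findings.append("content is an ARJ archive (magic 60 EA)")
        if ext != "arj":
            findings.append(f"extension '.{ext}' does not match ARJ content")
    elif ext == "arj":
        findings.append("named .arj but content lacks the ARJ magic")
    de = double_extension(filename)
    if de:
        findings.append(f"double extension: looks like .{de[0]} but runs as .{de[1]}")
    return findings


# Constructed sample attachments: the first two names come from the post, the
# bytes are made up here (a real ARJ header continues after the magic bytes).
SAMPLES = {
    "PO_Payment for invoice[...].eml.arj": ARJ_MAGIC + b"\x2c\x00" + b"\x00" * 44,
    "SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe": b"MZ" + b"\x00" * 62,
    "quarterly_report.pdf": b"%PDF-1.7\n",
    "renamed_archive.pdf": ARJ_MAGIC + b"\x00" * 46,
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, "->", triage(name, content) or ["no findings"])
```

The content check is deliberately independent of the file name: a mail gateway that routes on extension alone never sees the archive, which is exactly the gap the post's author suspects the ACE and ARJ senders were betting on.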

Linked: “Dissection of an ARJ archive” (Ange Albertini on Twitter)

This is just a modern #BBS. But thankfully with infinite modems and, being 30 years on, I don't need to download #ARJ and a #DOS #JPEG decoder for #caturday! 😺

(and I'm no longer reading Dr. Dobbs Journal and BYTE to hear about Unicode and wondering how that'll ever fit in memory and if the 16-bits that Microsoft is bravely choosing for some mysterious Windows #NT toy is really enough anyways) _(narrator: it wasn't enough)_

Custom dropper hide and seek - Executive summary: Most users assume they are safe when surfing the web on a daily basis. But informat... more: http://feedproxy.google.com/~r/feedburner/Talos/~3/PUK1ri82T6Q/custom-dropper-hide-and-seek.html #malwareanalysis #agenttesla #dropper #lokibot #malware #autoit #arj #rc4