Just Another Blue TeamerMay 1, 2024

Happy Wednesday everyone!

The Proofpoint Threat Research team paired up with the Team Cymru to dissect the #Latrodectus malware. "First seen being used by #TA577 and more recently #TA578, Latrodectus is a downloader that likes to evade sandbox environments." The researchers take a deep dive into the code to see what information they could extract and found PLENTY!

After you are done reading, why not take a Cyborg Security Community Hunt Package to hunt for a threat like this? In the article, the researchers mention that the malware sets an AutoRun registry key for persistence, which is a common technique used by different adversaries and malware due to the capability and functionality of those registry keys. So, take this hunt package with you, it's dangerous out there! Enjoy and Happy Hunting!

Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c

Source of article:
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting

Intel 471 | HUNTER

Not SimonApr 4, 2024

Proofpoint and Team Cymru collaborated on a report on Latrodectus malware. Latrodectus is an up-and-coming downloader with various sandbox evasion functionality. It first appeared in email threat campaigns in late November 2023. Latrodectus shares infrastructure overlap with historic IcedID operations. It is being distributed by financially motivated TA577, as well as TA578. Proofpoint provides malware analysis, C2 infrastructure, links to IcedID, and list of IOC. 🔗 https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice

#Latrodectus #threatintel #IcedID ##IOC #TA577 #TA578 #cybercrime

Latrodectus: This Spider Bytes Like Ice  | Proofpoint US

Proofpoint’s Threat Research team joined up with the Team Cymru S2 Threat Research team, in a collaborative effort to provide the information security community with a comprehensive view of the thr...

Proofpoint
Not SimonMar 26, 2024

Proofpoint warned that the TA577 cybercrime group, acting as initial access brokers (IAB), pivoting to stealing the NT LAN Manager (NTLM) hashes. Two distinct email-based campaigns that TA577 carried out on 26-27 February 2024 targeted hundreds of businesses. No IOC provided but Proofpoint lists defense-in-depth steps to defend against this. 🔗 https://www.proofpoint.com/us/blog/identity-threat-defense/ta577-attack-ntlm-vulnerability

cc: @selenalarson

#TA577 #cybercrime #threatintel #IAB

TA577 Assault: New Attack Exploiting NTLM Vulnerability | Proofpoint US

Discover TA577’s assault exploiting NTLM vulnerability. Learn how it happened, why, and how to defend your organization.

Proofpoint
Selena LarsonMar 4, 2024
#TA577 is a messy b that lives for drama. Learn more about their wild attack chain we spotted attempting to steal NTLM data. Great work by the team @Ffforward and Kelsey https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
TA577’s Unusual Attack Chain Leads to NTLM Data Theft  | Proofpoint US

What happened  Proofpoint identified notable cybercriminal threat actor TA577 using a new attack chain to demonstrate an uncommonly observed objective: stealing NT LAN Manager (NTLM) authentication...

Proofpoint
Tony LambertMar 4, 2024
New blog post! In this one I look at a Java-based dropper for Pikabot that TA577 used in mid-February 2024.
https://forensicitguy.github.io/dissecting-java-pikabot-dropper/
#malware #pikabot #ta577
Dissecting a Java Pikabot Dropper

Tony’s blog about malware analysis and other security topics

Tony Lambert
Sekoia.ioNov 20, 2023

#DarkGate gained popularity among threat actors (e.g: #TA577, #DuckTail), our #RE analysis details the internals of the malware, how it implements technique to evade defenses: Union-API, token theft via UpdateProcThreadAttribute, APC injection.

https://blog.sekoia.io/darkgate-internals/

DarkGate Internals

Introduction & Objectives DarkGate is sold as Malware-as-a-Service (MaaS) on various cybercrime forums by RastaFarEye persona, in the past months it has been used by multiple threat actors such as TA577 and Ducktail. DarkGate is a loader with RAT capabilities developed in Delphi with modules developed in C++, which gained notoriety in the second half […]

Sekoia.io Blog
crep1xOct 24, 2023

Fake sites impersonating Zoom download page distributes #DarkGate Loader:
zoomadvertisingofferr.]com
zoomadvertisingooffer.]com

DarkGate C2: 81.19.135.]17 (likely #TA577 payload, A1111 botnet)

hxxps://zoomadvertisingofferr.]com/ZoomInstaller.msi

https://tria.ge/231021-dsawbaec67

Malware sandboxing report by Hatching Triage

Have a look at the Hatching Triage automated malware analysis report for this darkgate sample, with a score of 10 out of 10.

𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲Oct 18, 2023

This #IcedID #BackConnect C2 server keeps telling the bot to sleep for 60 seconds. This goes on for 3 hours. No reverse shell, no VNC, no file manager 😿

HELLO #TA577, IT’S TIME TO WAKE UP!!

Show threadSelena LarsonFeb 1, 2023
#TA577 returned yesterday from their month long break to deliver #Qbot via URLs to zipped OneNote. #TA570 came back too (after the blog was sent for publishing) with OneNote attachments to deliver Qbot.
Show threadOpalsec Jan 31, 2023

#TA570 and #TA577 actors, distributing #Qakbot/#Qbot #malware have gotten in on the #OneNote action, delivering lures going undetected by many AV engines.

Highest number of flags is 2/60 based on this C2 IP called by malicious OneNote lures:

https://www.virustotal.com/gui/ip-address/103.214.71.45/relations

TA570/Obama Sample: https://bazaar.abuse.ch/sample/b45ace5a35914dcd4beb7486f3ddad4bbd84be245d403b9e6a3f1b907aa4ae03/

TA577/BB## Sample: https://bazaar.abuse.ch/sample/bd040a74f99bd767652abc940a4939361d214ba6407781724fde55e48fa7aecf/

VirusTotal

VirusTotal