92 Followers
84 Following
29 Posts
Incident Responder && #C2 Researcher
Protecting people in the nerdiest of ways 🛡🧙‍♂️
views are mine
VirusTotal: https://www.virustotal.com/gui/user/The_Abjuri5t
Location: Boston
BlueSky: https://bsky.app/profile/abjuri5t.bsky.social
Research: @SarlackLab

Have you seen The Empire in your network?

A #cybercrime group, registered under “EVILEMPIRE”, is hosting dozens of #C2 servers between 185.172.128.0-185.172.128.255 including:
#RedLineStealer #LokiBot #HookBot #RisePro #Amadey #CobaltStrike #AsyncRAT #AMOS

Don't let your computers enlist! Block 185.172.128.0/24 🔥

Command-and-control IPv4 map, 2024-04-09 to 2024-04-22 #PewPew
https://abjuri5t.github.io/SarlackLab/


Just published research on #RedLineStealer Command-and-Control

- meta-analysis of #C2 infrastructure 📊
- network #Suricata signatures 🕵️
- war story from late-night #IncidentResponse ⚔️

Advice: https://medium.com/@the_abjuri5t/advice-for-catching-a-redline-stealer-dca126867193

live #redline #C2 server
77.91.124[.]172:19071

confirmed 2023-08-06

Command-and-control domain tree, 2023-05-06 to 2023-05-19 #CyberSecurity
https://abjuri5t.github.io/SarlackLab/


Today, Twitter suspended our access to their authentication API, making it impossible for security researchers to authenticate themselves across our free platforms 🚫. As a result, security researchers are currently unable to share cyber threat intelligence with the community 😧.

While the changes to their APIs were announced by Twitter several months ago, no advance notice had been provided ⌚.

The good news is that over the past months, we have been working behind the scenes on a dedicated, independent authentication system for all abuse.ch platforms. We are currently focusing all our resources on getting this live as soon as possible 🆕.

In the meantime, please bear with us and we'll provide an update once we're up and running 🙏.

"Command-and-Control" network activity can come in many forms - whether benign and expected remote tools, annoying online trackers, or of course #malware communication channels set up by a #ThreatActor. Below are a few tools I use while investigating external #IPs and #domains:

1. Public Reputation - Is it already known to be malicious?
- https://www.virustotal.com/gui/home/search
- https://threatfox.abuse.ch/browse/
- https://pulsedive.com/dashboard/

2. General Information - Gather some further intel on the server
- https://duckduckgo.com/
- https://www.iplocation.net/
- whois records (also available at https://who.is/, if you want a link)
- https://dnsdumpster.com/

3. Capabilities - What can it do?
- https://www.shodan.io/dashboard/
- https://urlscan.io/
- https://wheregoes.com/
- or just a local sandbox 😎

4. Hosting/Infrastructure Reputation - Are any of the hosting providers, 2nd level domains, or related servers known to provide services for malicious infrastructure?
- https://abjuri5t.github.io/SarlackLab/ (shameless self-promotion)
- https://lots-project.com/
- https://scamalytics.com/

5. There is of course the 5th step of developing your own internal #ThreatIntelligence - but that I can't help you with
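The "block the /24" advice and the IP/domain triage workflow above, as an added example that is not the author's code: refang the defanged indicators quoted in these posts, turn them into a blocklist, and match constructed connection-log lines against it (the key=value log format and the LOG_RE field names are assumptions).

```python
import ipaddress
import re

# Indicators as posted above, still defanged with "[.]" (a constructed sample set).
DEFANGED_INDICATORS = [
    "185.172.128[.]0/24",       # EVILEMPIRE hosting range
    "77.91.124[.]172:19071",    # RedLine C2 host:port
    "nanjuly[.]duckdns[.]org",  # NanoCore C2 domain
]

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("hxxp", "http")  # undo "[.]" / "hxxp" defanging

def build_blocklist(indicators):
    """Split indicators into IP networks (a bare IP becomes /32) and a domain set."""
    nets, domains = [], set()
    for raw in indicators:
        host = re.sub(r":\d+$", "", refang(raw))  # drop a trailing :port
        try:
            nets.append(ipaddress.ip_network(host, strict=False))
        except ValueError:
            domains.add(host.lower())
    return nets, domains

# Assumed key=value log format; only the dst field is used.
LOG_RE = re.compile(r"\bdst=(?P<dst>\S+)")

def match_logs(lines, nets, domains):
    """Return (line, indicator) for every line whose dst hits the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst = m.group("dst").lower()
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:  # not an IP, so compare as a hostname
            if dst in domains:
                hits.append((line, dst))
            continue
        net = next((n for n in nets if addr in n), None)
        if net is not None:
            hits.append((line, str(net)))
    return hits

# Constructed sample connection log lines (not real traffic).
SAMPLE_LOGS = [
    "2024-04-10T01:02:03Z src=10.0.0.5 dst=185.172.128.77 dport=443",
    "2024-04-10T01:02:04Z src=10.0.0.5 dst=8.8.8.8 dport=53",
    "2024-04-10T01:02:05Z src=10.0.0.9 dst=nanjuly.duckdns.org dport=2025",
    "2024-04-10T01:02:06Z src=10.0.0.9 dst=77.91.124.172 dport=19071",
]
```

Running `match_logs(SAMPLE_LOGS, *build_blocklist(DEFANGED_INDICATORS))` flags three of the four sample lines; the /24 match shows why blocking the whole range, as the post suggests, catches hosts you have no individual indicator for.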

live #nanocore #C2 server
91.166.222[.]211:16383
microsoftservicev55[.]hopto[.]org
confirmed 2023-04-15

live #nanocore #C2 server
152.89.218[.]40:54984

confirmed 2023-04-12

live #nanocore #C2 server
185.254.37[.]72:2025
nanjuly[.]duckdns[.]org
confirmed 2023-04-01