abuse.ch 

@abuse_ch@ioc.exchange

Mailboxes in German-speaking countries are being targeted by an ongoing phishing spam campaign that began July 13, around midnight UTC. 🎣 🇩🇪 🇦🇹 🇨🇭

Approx 3,500 botnet IPs have been linked to this campaign, which uses malicious, invoice-themed Scalable Vector Graphics (.svg) attachments - currently a favorite among threat actors for disseminating malware and phishing content. As expected from a relatively mature spam campaign, the SVGs are "hashbusted" to evade hash-based detection, raise operational sandboxing costs, and hamper investigations. 🧐

An earlier iteration of this spam campaign delivered malware, by luring prospective victims to a URL that ultimately infected their Windows systems with Strela Stealer. 💥 A traffic distribution system (TDS) was used to filter out security researchers and other visitors not targeted by the miscreants.

Since the start of the current campaign, spamming IPs have been added to our CSS and XBL blocklists, ensuring robust coverage by Spamhaus ZEN, which is available for free to help protect your mailboxes:

👉 https://www.spamhaus.org/blocklists/zen-blocklist/

SVG-based abuse is likely to remain relevant for the foreseeable future. Where possible, configure your mail infrastructure to reject emails with SVG attachments, allowing them only on a strict need-to-work basis (e.g., for graphics or design teams).

Besides using ZEN and DBL at your e-mail perimeter, ensure any outgoing network traffic is checked against DBL and DROP to protect your users from accessing phishing sites and similar threats.

πŸ‘‰ https://www.spamhaus.org/blocklists/network-protection/
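One way to implement the SVG-attachment rejection recommended in the post above, as an added example that is not abuse.ch or Spamhaus code: a Python filter that flags SVG parts by extension, declared MIME type, or the <svg> root element (hashbusting changes bytes and hashes, not that element), and lets them through only when every recipient is on a hypothetical design-team allowlist. The allowlisted addresses and the sample message are constructed for the example.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical mailboxes allowed to receive SVGs (assumption, following the post's need-to-work idea).
SVG_ALLOWED_RECIPIENTS = {"design@example.com", "graphics@example.com"}

# Hashbusting perturbs bytes and hashes, but an SVG still has to carry an <svg> root element.
SVG_ROOT = re.compile(rb"<\s*svg[\s>]", re.IGNORECASE)


def part_is_svg(part: EmailMessage) -> bool:
    """True if a MIME part is an SVG by extension, declared type, or sniffed content."""
    if part.get_content_maintype() == "multipart":
        return False
    filename = (part.get_filename() or "").lower()
    if filename.endswith((".svg", ".svgz")) or part.get_content_type() == "image/svg+xml":
        return True
    # Only sniff attachments, so an <svg> mention in a plain-text body does not trigger.
    if not (filename or part.is_attachment()):
        return False
    payload = part.get_payload(decode=True) or b""
    return bool(SVG_ROOT.search(payload[:4096]))


def decide(raw_message: bytes) -> tuple[str, list[str]]:
    """Return ('accept' | 'reject', [SVG part names]) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    svg_parts = [p.get_filename() or p.get_content_type() for p in msg.walk() if part_is_svg(p)]
    if not svg_parts:
        return "accept", []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    # Accept only if every recipient is allowlisted; any other recipient means rejection.
    if recipients and recipients <= SVG_ALLOWED_RECIPIENTS:
        return "accept", svg_parts
    return "reject", svg_parts


# Constructed sample: invoice-themed SVG mislabelled as a generic binary attachment.
_SVG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><text>Rechnung</text></svg>'
SAMPLE_PHISH = (
    b"From: billing@invoices.example\r\nTo: alice@example.com\r\nSubject: Rechnung 2025-07\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nIhre Rechnung im Anhang.\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="invoice"\r\n'
    b'Content-Disposition: attachment; filename="invoice"\r\nContent-Transfer-Encoding: base64\r\n\r\n'
    + base64.b64encode(_SVG) + b"\r\n--b1--\r\n"
)
```

`decide(SAMPLE_PHISH)` returns `('reject', ['invoice'])`; the same message addressed only to an allowlisted design mailbox is accepted.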


Another #DarkWatchMan campaign began on 15th June, with multiple waves over the following two days πŸ”₯

DarkWatchMan is still written to disk by a .NET dropper. It also uses the same C2 and DGA as the 29th April campaign (the array contains the same initial strings for domains, and the salt for the DGA is also unchanged).

⬇️ Malware sample - initial .NET dropper: https://bazaar.abuse.ch/sample/71857a3bf008c3fae0001470b3405295f95f82a86a2cbb9ff7ed2af1bd6bab90/

πŸ“„ Malware sample - DarkWatchMan decoded: https://bazaar.abuse.ch/sample/2830f5f825518188a0e5d1f20d11ceb30b3a8ed4e150cab803f482f1b3f06b46/

We are incredibly proud to have assisted Europol 🇪🇺 in a global operation against the notorious pro-Russian #hacktivist group #NoName057(16) 🥳

Over the years, NoName057(16) has carried out thousands of #DDoS attacks against websites of western organisations and national critical infrastructure 🏛️, aiming to spread pro-Russian ideology 🇷🇺 and stir up distrust and uncertainty in the western hemisphere 🌎 😵‍💫

https://www.europol.europa.eu/media-press/newsroom/news/global-operation-targets-noname05716-pro-russian-cybercrime-network


🤖 Jan-Jun 2025 Botnet Threat Update out now!

⬆️ Total of 17,258 botnet C&Cs observed, up by +26%.
⬇️ Botnet C&Cs continue to drop for 🇧🇬 Bulgaria (-40%) and 🇲🇽 Mexico (-25%)
➑️ Pentest frameworks represent 43% of Top 20 malware associated with Botnet C&Cs.

🇺🇲 Meanwhile, three US-based networks suffered significant increases for hosting the most active botnet C&Cs….

Find out which ones in the latest FREE report here 👇
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-january-to-june-2025

#Botnet #Malware #ThreatIntel

Unknown Java #RAT using Halkbank as a lure 🪝, targeting Turkish citizens 🇹🇷

Halkbank Ekstre.jar
\AppData\Roaming\strlogs\keylogs_4558.html

Botnet C2:
📡 77.90.153.31:5590 (AS214943 RAILNET 🇺🇸)

Malware sample:
📄 https://bazaar.abuse.ch/sample/daf23a217b188f63657b051fda8bbd6eb341172b9519b9b5bff1a60eb4dda5a1/

Does anyone know what kind of RAT this is?


We've just onboarded another malware analysis service on MalwareBazaar: Malva.RE 🎉

MalwareBazaar now includes detection from Malva.RE as well as tags and malware configuration files 🪲🔍

Here's a sample report:
👉 https://bazaar.abuse.ch/sample/aff5bd7c765c3a784149990bafc44c1fd73b46a1807ed4eeee324236ed6768c4/#intel

Yep…we’re mentioning it again because 13th time’s the lucky one, right? 😜

📢 It’s only 7 days until you’ll need to authenticate to access data via API across ALL our platforms.

We’re doing this update to help us manage heavy usage and keep things running smoothly for everyone 👉 #SteadyPlatform #SteadySignal.

If you use our APIs, make sure you’re set up by June 30th: #AuthenticateNow

Active #CobaltStrike botnet C2 with watermark 100000000 🔥

⛔️https://api.micosoftr .icu/djiowejdf
⛔️https://www.googleapi .top/jquery-3.3.1.min.js

Pointing to:
📡 43.163.107 .212:443 Tencent 🇨🇳

Sample:
📄 https://bazaar.abuse.ch/sample/91e851f8cd9a32f9077f9fbbf1a64278e6be460ed5908778e4b45e62e495167e/

IOCs on ThreatFox 🦊
https://threatfox.abuse.ch/browse/tag/cs-watermark-100000000/


We are happy to announce the integration of @kunai_project Linux Sandbox on MalwareBazaar 🥳

Sample ELF X86 report ⬇️
https://bazaar.abuse.ch/sample/0d2211b7e92fcc6a9f7c94d4adf8e47f6f97e31dacd3b2ffb6cce3c485fcef26/

There's a #MassLogger malware campaign using an allegedly compromised email account 🪝 of an employee at the Ministry of Agriculture, Water Management and Forestry of Bosnia and Herzegovina 🇧🇦, used to exfiltrate data from compromised devices through SMTP 🔥

Corresponding malware sample:
👉 https://bazaar.abuse.ch/sample/455358c970f202a4fa3fb055dbfa05212d5468f23e7cc2967be6fee33120dd53/