My favorite Remus botnet C2 domain so far 😄

havelbeenpwned .net ⤵️
NICENIC INTERNATIONAL🇨🇳

103.211.219.238:4219⤵️
AS394695 PUBLIC-DOMAIN-REGISTRY 🇮🇳

Malware sample:
https://bazaar.abuse.ch/sample/75fce6ec4b0815d7ccc9d87c2687c3c379c8e446739b3302b72688dd632c9f9e/

More #Remus IOCs available on ThreatFox 🦊
https://threatfox.abuse.ch/browse/malware/win.remus/

/cc @troyhunt

Malspam 📧 targeting Spanish users 🇪🇸

Email ➡️ geo filter ➡️ mediafire ➡️ iso ➡️ vbs

1st stage - geo filter 🛑
vmi3228488.contaboserver .net Contabo 🇩🇪

2nd stage - payload 📄
https://urlhaus.abuse.ch/url/3824487/

Dropped iso:
https://bazaar.abuse.ch/sample/faaa4d005314440dfd7ed5fa2f522e1a2642f08ec3bf0c1e2779a39bf4268349/

Botnet C2:
📡 54.197.208.68 Amazon 🇺🇸

SparkRAT ➡️ ChromeSetup.msi ➡️ FUD 🔥

msftconnecttest .xyz ⤵️
Creation Date: 2024-12-02 ⤵️
After more than a year, this domain still has a detection rate of 1/93 🤯

Pointing to ⤵️
154.31.222.217:443 ➡️ DControl

Chinese? 🇨🇳
lang="zh-cn"

Malware sample:
https://bazaar.abuse.ch/sample/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c/

Proofpoint recently identified a fake RMM (Remote Monitoring and Management Tool) called #TrustConnect and #DocConnect🔎💻 Pivoting the threat in our collection reveals that the threat actors spread the same malware under additional names, including:

➡️SoftConnect
➡️HardConnect
➡️AxisControl

It also seems that the threat actor was previously playing around with the legitimate RMM #ScreenConnect (aka ConnectWise) before switching to their own fake RMM 🛠️

What also stands out: the majority of the botnet C2s were hosted at Contabo GmbH 🇩🇪

We track the threat on our platforms as #FakeRMM ⤵️

IOCs on ThreatFox:
🦊 https://threatfox.abuse.ch/browse/tag/FakeRMM/

Malware samples:
📄 https://bazaar.abuse.ch/browse/tag/FakeRMM/

Rogue #ScreenConnect RMM 🕵️‍♂️

Botnet C2:
📡 no.windowupdateservice .com
📡 relay.windowupdateservice .com
📡 193.26.115.51:8041

Payload delivery URL:
🌐 https://urlhaus.abuse.ch/url/3782937/

Malware sample 📄:
https://bazaar.abuse.ch/sample/77dc5435a2572a8d608e6285da887fd9aa3b16f8a9ea8c0520908990ae44015c/

More ScreenConnect RMM IOCs ⤵️
https://threatfox.abuse.ch/browse/tag/ScreenConnect/

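The payload URL in the rogue ScreenConnect post has the shape of a ScreenConnect client download (an `.exe` under `/bin/` with the session type `e=` and guest flag `y=Guest` in the query) served from a bare IP on port 8040, the on-prem ScreenConnect web port (8041 is the relay port, also visible in the C2 list). The following detector is an added example written for this page, not tooling from abuse.ch or ConnectWise: it scans proxy log lines in an assumed minimal `timestamp src_ip method url` layout, flags ScreenConnect-style client downloads, and adds extra reasons when the host is a bare IP or uses a ScreenConnect default port. The `KNOWN_RMM_HOSTS` allowlist and the sample log lines are constructed for the example.

```python
"""Flag ScreenConnect-style client downloads in proxy logs.

Added example for this page; not abuse.ch's or ConnectWise's own code.
Assumed log layout: "<timestamp> <src_ip> <method> <url>".
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hosts from which the organisation legitimately pulls its own RMM client
# (assumed allowlist; adjust to your environment).
KNOWN_RMM_HOSTS = {"support.example.com"}

# ScreenConnect on-prem defaults: 8040 = web, 8041 = relay.
SCREENCONNECT_PORTS = {8040, 8041}

# Client binary path as seen in the post: /bin/support.client.exe
CLIENT_EXE = re.compile(r"/bin/[^/?]*client[^/?]*\.exe$", re.IGNORECASE)

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def is_screenconnect_client_url(url: str) -> bool:
    """True when the URL looks like a ScreenConnect client download."""
    parts = urlsplit(url)
    if not CLIENT_EXE.search(parts.path):
        return False
    # keep_blank_values so "i=&r=" style empty params survive parsing
    query = parse_qs(parts.query, keep_blank_values=True)
    session_type = query.get("e", [""])[0]
    guest_flag = query.get("y", [""])[0]
    return bool(session_type) and guest_flag.lower() == "guest"


def classify(url: str) -> list:
    """Return a list of reasons the URL is suspicious (empty = benign)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host in KNOWN_RMM_HOSTS:
        return []
    if not is_screenconnect_client_url(url):
        return []
    reasons = ["screenconnect-client-download"]
    try:
        ipaddress.ip_address(host)
        reasons.append("bare-ip-host")
    except ValueError:
        pass
    if port in SCREENCONNECT_PORTS:
        reasons.append(f"screenconnect-port-{port}")
    return reasons


def scan(lines) -> list:
    """Scan log lines; return (src_ip, url, reasons) for each hit."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["src"], m["url"], reasons))
    return hits


# Constructed sample log: one hit built from the post's payload URL,
# one legitimate RMM download, one unrelated request.
SAMPLE_LOG = [
    "2025-11-03T10:14:02Z 10.0.0.25 GET "
    "http://193.26.115.51:8040/bin/support.client.exe?i=&e=Support&y=Guest&r=",
    "2025-11-03T10:15:40Z 10.0.0.31 GET "
    "https://support.example.com/bin/support.client.exe?e=Support&y=Guest",
    "2025-11-03T10:16:11Z 10.0.0.25 GET https://www.example.org/index.html",
]

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {url}  [{', '.join(reasons)}]")
```

The allowlist keeps the organisation's own ScreenConnect server quiet; everything else matching the client-download shape is reported, with the bare-IP host and default-port reasons raising priority for a rogue self-hosted instance like the one in the post.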

.ru serious? 🇷🇺 ccTLD .ru had an unbelievable +3741% ⏫ in #botnet C&C domains, placing it #1 for the most abused ccTLD in the latter half of 2025. This activity can be attributed almost entirely to #clearfake, a malicious JavaScript framework.

Learn more in the Botnet Threat Update Jul - Dec 2025 ⤵️ ⤵️
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#ccTLD #BotnetCC #ThreatIntel

Yet another RAT in town: RemoteX 🖥️

🪲 Dropped by Amadey
📃 Written in Golang
💻 Uses HKCU\...\CurrentVersion\Run\RemoteX for persistence (lame 🚽)
🌐 Uses WebSocket for C2 communication
🕵️‍♂️ Unauthenticated RAT admin panel 🤡

Botnet C2:
📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧)

Malware sample ⤵️
https://bazaar.abuse.ch/sample/d631655ad3ef9e7c854c86ae399a9c830bef784c6a51468d192f65a79bbb7c8b/

Xillen Stealer 🎣, heavily dropped by Amadey 🔥

Botnet C2:
https://goldenring[.]live/api/logs/check

"Invisible. Undetectedable. Unstopable." 🤡

👉 https://github.com/BengaminButton/XillenStealer

Samples ⤵️
https://bazaar.abuse.ch/browse/signature/XillenStealer/

Additional IOCs on ThreatFox 🦊
https://threatfox.abuse.ch/browse/tag/XillenStealer/

Brazilian banker 🇧🇷

GHOST panel 🧐

007consultoriafinanceira .net ➡️ GoDaddy 🇺🇸
83.229.17.124:80 ➡️ Clouvider 🇺🇸

Payload delivery URL 🌐:
https://urlhaus.abuse.ch/url/3759148/

Malware sample (MSI) ⚙️:
https://bazaar.abuse.ch/sample/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21/

🤖 Jul-Dec 2025 Botnet Threat Update out now!

⬆️ 21,425 #botnet C&Cs observed, up by +24%.
⏫ Botnet C&C domains soar +9,608% for 🇷🇺 Russia-based REGRU
⬆️ Remote Access Trojans represent 42% of Top 20 malware associated with botnet C&Cs.

But it isn’t all bad news – several large cloud network operators have taken action to tackle active botnet C&Cs - find out which ones in the latest FREE report here👇
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#Botnet #ThreatIntel