Something new is coming for abuse.ch contributors... watch this space!
#ComingSoon #CommunityHub #SharingIsCaring

Profile links: https://abuse.ch | https://twitter.com/abuse_ch | https://linkedin.com/company/abuse-ch
RE: https://infosec.exchange/@spamhaus/116804685911276876
New loader in town: SolarisLoader, spotted by @spamhaus and abuse.ch
SolarisLoader IOCs (botnet C2 servers):
https://threatfox.abuse.ch/browse/tag/SolarisLoader/
SolarisLoader malware samples:
https://bazaar.abuse.ch/browse/tag/SolarisLoader/
SolarisLoader configs are available:
https://github.com/spamhaus/CTI/tree/main/solarisloader
Our platforms were recently targeted by a large-scale web scraping operation originating from devices that are apparently participating in residential proxy networks. The vast majority of these requests were successfully blocked by our existing mitigations. However, the sheer volume of traffic caused temporary disruptions to both the MalwareBazaar and URLhaus platforms.
To put the scale into perspective, our web platforms typically handle approximately 1,500 requests per second (excluding traffic to our community API and commercial APIs). During this incident, the scraping operation leveraged more than 135,000 unique IP addresses, most of which could be identified as nodes in residential proxy networks.
The offender attempted to remain undetected by sending very few requests (fewer than 5) per IP address to the platforms.
Below are the top networks sourcing this traffic (by unique IPs):
2,961 AS25019 SAUDINETSTC
1,995 AS206206 KNET
1,984 AS9121 TTNet
1,954 AS3215 Orange
1,871 AS12322 PROXAD
1,550 AS5410 BOUYGTEL-ISP
1,531 AS37705 TOPNET
1,413 AS8193 BRM-AS
We are sharing details of the involved IPs, along with the relevant timestamps, here for your awareness:
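One way to spot the pattern described in this post in your own access logs, as an added example that is not abuse.ch's code or data: group requests by source IP, count how many IPs stay under the per-IP request threshold the post mentions, and attribute those low-volume IPs to their source networks. The log lines, the prefix-to-ASN table (documentation prefixes and reserved ASNs) and the thresholds are all constructed for the example; a real deployment would query an ASN database and tune the thresholds to its own traffic baseline.

```python
"""Detect distributed low-and-slow scraping in web access logs: many unique
source IPs that each send only a handful of requests, clustered in a few ASNs.
Added example; log lines, ASN table and thresholds are all constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample in Common Log Format. 203.0.113.200 is a legitimate heavy
# user; the remaining ten IPs each send fewer than five requests.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /browse/ HTTP/1.1" 200 5120
203.0.113.11 - - [10/Oct/2025:12:00:01 +0000] "GET /browse/tag/SolarisLoader/ HTTP/1.1" 200 7300
203.0.113.11 - - [10/Oct/2025:12:00:02 +0000] "GET /browse/page/2/ HTTP/1.1" 200 5120
203.0.113.12 - - [10/Oct/2025:12:00:02 +0000] "GET /browse/ HTTP/1.1" 200 5120
198.51.100.20 - - [10/Oct/2025:12:00:03 +0000] "GET /browse/ HTTP/1.1" 200 5120
198.51.100.21 - - [10/Oct/2025:12:00:03 +0000] "GET /browse/page/3/ HTTP/1.1" 200 5120
198.51.100.21 - - [10/Oct/2025:12:00:04 +0000] "GET /browse/page/4/ HTTP/1.1" 200 5120
198.51.100.22 - - [10/Oct/2025:12:00:04 +0000] "GET /browse/ HTTP/1.1" 200 5120
192.0.2.30 - - [10/Oct/2025:12:00:05 +0000] "GET /browse/ HTTP/1.1" 200 5120
192.0.2.31 - - [10/Oct/2025:12:00:05 +0000] "GET /browse/page/5/ HTTP/1.1" 200 5120
192.0.2.32 - - [10/Oct/2025:12:00:06 +0000] "GET /browse/page/6/ HTTP/1.1" 200 5120
192.0.2.33 - - [10/Oct/2025:12:00:06 +0000] "GET /browse/page/7/ HTTP/1.1" 200 5120
203.0.113.200 - - [10/Oct/2025:12:00:07 +0000] "GET /browse/ HTTP/1.1" 200 5120
203.0.113.200 - - [10/Oct/2025:12:00:08 +0000] "GET /sample/a/ HTTP/1.1" 200 9000
203.0.113.200 - - [10/Oct/2025:12:00:09 +0000] "GET /sample/b/ HTTP/1.1" 200 9000
203.0.113.200 - - [10/Oct/2025:12:00:10 +0000] "GET /sample/c/ HTTP/1.1" 200 9000
203.0.113.200 - - [10/Oct/2025:12:00:11 +0000] "GET /sample/d/ HTTP/1.1" 200 9000
203.0.113.200 - - [10/Oct/2025:12:00:12 +0000] "GET /sample/e/ HTTP/1.1" 200 9000
this line is malformed and must be skipped
"""

# Constructed prefix-to-ASN table using documentation prefixes (RFC 5737) and
# reserved ASNs (RFC 5398); a real deployment would query an ASN database.
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "AS64496 EXAMPLE-ISP-A",
    ipaddress.ip_network("198.51.100.0/24"): "AS64497 EXAMPLE-ISP-B",
    ipaddress.ip_network("192.0.2.0/24"): "AS64498 EXAMPLE-ISP-C",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_log(text):
    """Return (ip, request_line) tuples; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append((m.group("ip"), m.group("req")))
    return records


def lookup_asn(ip, table=ASN_TABLE):
    """Longest-prefix match of an IP against the table; UNKNOWN if unmatched."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else "UNKNOWN"


def profile_sources(records, max_requests=5):
    """Summarise the source population: how many IPs stay under max_requests
    (the evasion pattern in the post) and which ASNs those IPs come from."""
    per_ip = Counter(ip for ip, _ in records)
    low_volume = [ip for ip, n in per_ip.items() if n < max_requests]
    per_asn = Counter(lookup_asn(ip) for ip in low_volume)
    return {
        "unique_ips": len(per_ip),
        "low_volume_ips": len(low_volume),
        "low_volume_share": len(low_volume) / len(per_ip) if per_ip else 0.0,
        "max_requests_single_ip": max(per_ip.values(), default=0),
        # deterministic ordering: most IPs first, then ASN string
        "top_asns": sorted(per_asn.items(), key=lambda kv: (-kv[1], kv[0])),
    }


def is_distributed_scrape(profile, min_ips=10, min_low_volume_share=0.8):
    """Flag when the population is large and dominated by low-volume IPs.
    Thresholds are constructed for the sample; tune them to your own baseline."""
    return (profile["unique_ips"] >= min_ips
            and profile["low_volume_share"] >= min_low_volume_share)


if __name__ == "__main__":
    prof = profile_sources(parse_log(SAMPLE_LOG))
    print(f"unique IPs: {prof['unique_ips']}, under threshold: {prof['low_volume_ips']}")
    for asn, n in prof["top_asns"]:
        print(f"{n:>6}  {asn}")
    print("distributed scrape:", is_distributed_scrape(prof))
```

The point of the per-ASN view is that a per-IP rate limit never fires against this traffic (every IP stays under the threshold), so the actionable signal is the unique-IP count relative to baseline and the concentration of those IPs in a few networks, which is where a per-network or per-prefix limit can be applied.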
Botnet C2 tied to an unidentified #malware family, trying to hide as a FortiGate device
Domain: az2030port.duckdns .org
C2: 178.16.55.28:2030 -> Omegatech LTD
SSL certificate: FortiGate, O=Fortinet Ltd.
Corresponding malware samples:
https://hunting.abuse.ch/hunt/6a285c89c73e5/178.16.55.28/
My favorite Remus botnet C2 domain so far:
havelbeenpwned .net -> NICENIC INTERNATIONAL
103.211.219.238:4219 -> AS394695 PUBLIC-DOMAIN-REGISTRY
Malware sample:
https://bazaar.abuse.ch/sample/75fce6ec4b0815d7ccc9d87c2687c3c379c8e446739b3302b72688dd632c9f9e/
More #Remus IOCs available on ThreatFox:
https://threatfox.abuse.ch/browse/malware/win.remus/
/cc @troyhunt
Malspam targeting Spanish users
Email -> geo filter -> mediafire -> iso -> vbs
1st stage - geo filter:
vmi3228488.contaboserver .net Contabo
2nd stage - payload:
https://urlhaus.abuse.ch/url/3824487/
Dropped iso:
https://bazaar.abuse.ch/sample/faaa4d005314440dfd7ed5fa2f522e1a2642f08ec3bf0c1e2779a39bf4268349/
Botnet C2:
54.197.208.68 Amazon