bencrypted@localhost:~$|


We have just posted our latest research with our observations and analysis into ConnectWise ScreenConnect attacks.

We’ve observed multiple attacks in the past 48 hours. This has included malware that was built using the LockBit 3 ransomware builder tool leaked in 2022: this may not have originated with the actual LockBit developers.

But we’re also seeing RATs, infostealers, password stealers and other ransomware. All of this shows that many different attackers are targeting ScreenConnect.

Anyone using ScreenConnect should take steps to immediately isolate vulnerable servers and clients, patch them and check for any signs of compromise.

We have extensive guidance and threat hunting material from our teams to help.

We’ll provide updates to our blog with more information as appropriate.

#Sophosxops #threatintel

https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/

ConnectWise ScreenConnect attacks deliver malware

Multiple attacks exploit vulnerabilities in an IT remote access tool to deliver a variety of different payloads into business environments

Sophos News
We’ve also seen other ScreenConnect abuse in our telemetry, some delivering AsyncRAT (via WSF script execution); infostealers; and SimpleHelp Remote Access Client.

Would you catch this as a malicious ad?
1️⃣ Google ad spoofing "dropbox.com"
2️⃣ Click & redirection involving l.hyros[.]com -> drcpbox[.]net
3️⃣ Fake Dropbox Download "Dropbox-x64.msix"
4️⃣ PowerShell execution of #LummaStealer

This campaign is also targeting:
🎯 Zoom (windows only)
🎯 Streamlabs (windows only)
🎯 Telegram (windows & mac)
🎯 TradingView (windows & mac)
🎯 Basecamp (windows only)

#IOCs:
🔗 https://www.virustotal.com/gui/file/60acae4c1ab23e506468ae1995868e8f76f9e7f25439fb154f987ea2e2a9b9cd
🔗 https://virustotal.com/gui/file/264b1e91bdc38110ee707a4fb7e772433d7a6a17c2ab2d552eb5c4abbe450147

Late last month we posted some early findings related to an initial-access campaign dubbed “Nitrogen,” which colleagues elsewhere in the industry have connected to certain BlackCat (aka ALPHV) infections. Our MDR protections kept those of our customers targeted by Nitrogen from crossing paths with that feral feline, so we’ve been digging into Nitrogen itself to better understand its construction and what it does to establish and entrench access. Turns out that for a BlackCat-adjacent infection, it’s a bit of a dog’s breakfast: https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/
Into the tank with Nitrogen

The element originally known as “foul air” stinks up computers as a new initial-access campaign exhibiting some uncommon techniques

Sophos News

It's copycat season with fake updates. (This was reported earlier).

Loaded via: itsdigitalshiva[.]com/cdn-js/wds.min.php

Payload is again NetSupport RAT after malicious JS execution.

Added regexes for detection in EKfiddle and calling it SmartApeSG (after the hosting company name).

#SocGholish

In mid-June, Sophos identified a previously unnoted initial-access campaign targeting IT users via malicious advertising (malvertising) – one that uses interesting export forwarding and DLL pre-loading techniques to mask malicious activity, hinder analysis, and generally support its foothold once on the target network. Our colleagues at Trend are watching this adversary too, and have some thoughts on what we’re tracking as “Nitrogen,” after we observed a string in the PDB path commonly used among the samples. As we continue our own research, we are sharing early findings with the community. (1/4)

#threatintel #sophosxops

Recently I spent about a week focusing on popular Google search terms and discovered that brand impersonation via malicious ads is still very much a problem.

I've documented my findings and some suggestions in this blog post: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/malvertising-its-a-jungle-out-there

#malvertising

Malvertising via brand impersonation is back again

Ads containing the official website of an impersonated brand are running again, allowing fraudsters to scam users.

Malwarebytes

Hi everyone. It's the X-Ops team with another research update.

We've been looking at the fallout of an advisory published by #PaperCut, a print-management software company.

The update to their initial posting about CVE-2023-27350 (https://www.papercut.com/kb/Main/PO-1216-and-PO-1219) reported that they're aware of attacks in the wild targeting their PaperCut MF and NG Application and Site Server software, version 8.0 and newer.

We're publishing some research today into attacks we've observed targeting this platform.

The company (and Sophos) recommend that anyone using this software patch immediately; the patch (https://www.papercut.com/kb/Main/Upgrading#application-server-upgrade) has been available since March 8th. We began to see attackers abusing the unpatched servers on April 13.

Here's a short version of our findings, with the rest published on our blog:

https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/

#malware #worms #malminers #exploit #ransomware

1/6

Sophos MDR has observed quite the uptick in #chromeloader infections. We found one instance where the infection stemmed from a fake Youtube Video Downloader site.

🔎 Google search: download youtube video
➡️ User lands on hxxps://10downloader[.]com/en/51
➡️ User attempts to download a specific video
➡️ Redirection to hxxps://heinndoorh[.]com
➡️ Redirection to hxxps://llyighaboveth[.]com
➡️ Redirection to hxxps://adtwobrightsa.info/12557074
⬇️ Downloads the sample Your File Is Ready To Download.exe

This often leads to the creation of a schtask such as \chrome display, \chrome disp, \chrome profile, and many more.

Encoded PowerShell is invoked to create a registry key under HKCU:\Software\ with various paths such as:

  • AudioConverterStudio
  • FoxitSoftware
  • KCSoftwares
  • DTSoft
  • BinaryFortressSoftware

#threatintel
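A defender-side hunt for the persistence artifacts this post lists, written as an added example (not code from the original post or from Sophos). The "\chrome ..." task-name prefix and the HKCU:\Software key names are taken from the post; the encoded-command check and the output shape are assumptions.

```powershell
# Added hunt script (not from the original post): checks a Windows host for the ChromeLoader
# persistence artifacts the post describes. Key names and the task-name prefix come from the post;
# the -EncodedCommand check and the report format are assumptions made for this example.
$keyNames = @('AudioConverterStudio', 'FoxitSoftware', 'KCSoftwares', 'DTSoft', 'BinaryFortressSoftware')
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Scheduled tasks in the root task folder whose name starts with "chrome " (\chrome display, \chrome disp, ...)
Get-ScheduledTask -TaskPath '\' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'chrome *' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            # The post says the keys are created by encoded PowerShell, so flag -e / -ec / -enc / -EncodedCommand
            # followed by a base64-looking blob in the task action (assumed heuristic, not from the post)
            $encoded = $cmd -match '(?i)\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
            $findings.Add([pscustomobject]@{
                Type    = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Detail  = $cmd
                Encoded = $encoded
            })
        }
    }

# 2. Registry keys under HKCU:\Software using the names observed in the campaign
foreach ($name in $keyNames) {
    $path = Join-Path 'HKCU:\Software' $name
    if (Test-Path -LiteralPath $path) {
        # Report value names only, so an analyst sees what the key holds without dumping payload data to the console
        $valueNames = (Get-Item -LiteralPath $path).GetValueNames() -join ', '
        $findings.Add([pscustomobject]@{
            Type    = 'RegistryKey'
            Name    = $path
            Detail  = "values: $valueNames"
            Encoded = $false
        })
    }
}

# Hits are leads, not verdicts: some of these key names resemble legitimate vendors, so review each before acting
if ($findings.Count -eq 0) {
    Write-Output 'No ChromeLoader-style artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session on a suspect host; the scheduled-task query needs the ScheduledTasks module that ships with Windows 8 / Server 2012 and later.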

Hey there. @threatresearch here again, taking over the X-Ops Mastodon to talk about some research we posted this week.

We stumbled upon a malicious tool earlier this year, while our EDR and incident response teams were called in to perform postmortem investigations of ransomware attacks.

While reviewing logs, we found that the threat actors had used a custom-designed #malware we're calling #AuKill as a way to terminate the #EDR agent and endpoint security software the target had installed.

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver

A short 🧵 begins here

‘AuKill’ EDR killer malware abuses Process Explorer driver

Driver-based attacks against security products are on the rise

Sophos News