bencrypted@localhost:~$|

258 Followers
168 Following
81 Posts

@debacle Agreed there! It would certainly be nice to have the freedom of say the matrix protocol to run in the web browser.

Since writing this, I've also been reached out to regarding the lack of reproducible builds wrt clients. I still need to do more research; however, it seems the safest bet for Android users in particular would be a pivot to the Molly derivative.

@lippard Great point! I have used Threema, and it's a very clean interface.

Downside is that it is still centralized where you can't stand up your own instance(s). If that were a possibility, it would be a perfect contender.

Simplex and some other P2P messengers like Briar are candidates, but they don't quite fit the bill wrt user experience (yet, at least).

@lippard Will give this a look and adjust accordingly. Please let me know if there are any other issues you see!

We have just posted our latest research with our observations and analysis into ConnectWise ScreenConnect attacks.

We’ve observed multiple attacks in the past 48 hours. This has included malware that was built using the LockBit 3 ransomware builder tool leaked in 2022: this may not have originated with the actual LockBit developers.

But we’re also seeing RATs, infostealers, password stealers and other ransomware. All of this shows that many different attackers are targeting ScreenConnect.

Anyone using ScreenConnect should take steps to immediately isolate vulnerable servers and clients, patch them and check for any signs of compromise.

We have extensive guidance and threat hunting material from our teams to help.

We’ll provide updates to our blog with more information as appropriate.

#Sophosxops #threatintel

https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/

ConnectWise ScreenConnect attacks deliver malware

Multiple attacks exploit vulnerabilities in an IT remote access tool to deliver a variety of different payloads into business environments

Sophos News

We’ve also seen other ScreenConnect abuse in our telemetry, some delivering AsyncRAT (via WSF script execution); infostealers; and SimpleHelp Remote Access Client

Would you catch this as a malicious ad?
1️⃣ Google ad spoofing "dropbox.com"
2️⃣ Click & redirection involving l.hyros[.]com -> drcpbox[.]net
3️⃣ Fake Dropbox Download "Dropbox-x64.msix"
4️⃣ Powershell execution of #LummaStealer

This campaign is also targeting:
🎯 Zoom (windows only)
🎯 Streamlabs (windows only)
🎯 Telegram (windows & mac)
🎯 TradingView (windows & mac)
🎯 Basecamp (windows only)

#IOCs:
🔗 https://www.virustotal.com/gui/file/60acae4c1ab23e506468ae1995868e8f76f9e7f25439fb154f987ea2e2a9b9cd
🔗 https://virustotal.com/gui/file/264b1e91bdc38110ee707a4fb7e772433d7a6a17c2ab2d552eb5c4abbe450147

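The post above lists its indicators in defanged form (`l.hyros[.]com`, `drcpbox[.]net`) plus two VirusTotal links whose path component is the SHA-256 of the sample. The following is an added example, not code from the post's author, showing how a defender can turn such a post into a small IOC sweep: refang the domains, pull the hashes out of the VirusTotal URLs, and match them against proxy/EDR-style log lines. The log lines and their `key=value` layout are constructed for the example; only the domains, file name and hashes come from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators exactly as quoted in the post, in the defanged form the poster used.
DEFANGED_DOMAINS = ["l.hyros[.]com", "drcpbox[.]net"]
FILE_NAMES = ["Dropbox-x64.msix"]
VT_LINKS = [
    "https://www.virustotal.com/gui/file/60acae4c1ab23e506468ae1995868e8f76f9e7f25439fb154f987ea2e2a9b9cd",
    "https://virustotal.com/gui/file/264b1e91bdc38110ee707a4fb7e772433d7a6a17c2ab2d552eb5c4abbe450147",
]


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the indicator can be matched."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def sha256_from_vt_url(url: str) -> Optional[str]:
    """Extract the 64-hex-digit SHA-256 from a VirusTotal /gui/file/<hash> link."""
    m = re.search(r"/gui/file/([0-9a-fA-F]{64})", url)
    return m.group(1).lower() if m else None


DOMAIN_SET = {refang(d).lower() for d in DEFANGED_DOMAINS}
SHA256_SET = {h for h in (sha256_from_vt_url(u) for u in VT_LINKS) if h}
FILE_SET = {f.lower() for f in FILE_NAMES}

# Constructed log lines (assumed key=value format, not real telemetry).
SAMPLE_LOGS = [
    "ts=2024-03-01T10:00:01Z host=www.google.com path=/search sha256=-",
    "ts=2024-03-01T10:00:02Z host=l.hyros.com path=/click sha256=-",
    "ts=2024-03-01T10:00:03Z host=cdn.drcpbox.net path=/dl/Dropbox-x64.msix "
    "sha256=60acae4c1ab23e506468ae1995868e8f76f9e7f25439fb154f987ea2e2a9b9cd",
    "ts=2024-03-01T10:00:04Z host=www.dropbox.com path=/download sha256=-",
    "ts=2024-03-01T10:00:05Z host=updates.example.com path=/setup.msi "
    "sha256=264b1e91bdc38110ee707a4fb7e772433d7a6a17c2ab2d552eb5c4abbe450147",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def host_matches(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DOMAIN_SET)


def match_line(line: str) -> List[Tuple[str, str]]:
    """Return (ioc_type, value) hits for a single log line."""
    fields = parse_line(line)
    hits: List[Tuple[str, str]] = []
    host = fields.get("host", "")
    if host and host_matches(host):
        hits.append(("domain", host.lower()))
    digest = fields.get("sha256", "").lower()
    if digest in SHA256_SET:
        hits.append(("sha256", digest))
    base = fields.get("path", "").rsplit("/", 1)[-1].lower()
    if base in FILE_SET:
        hits.append(("filename", base))
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (1-based line number, hits) for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```

Note that the legitimate `www.dropbox.com` line produces no hit: the match is anchored on the whole host label or a dotted suffix, so the look-alike `drcpbox.net` and the real brand are never confused, and a file name alone (`Dropbox-x64.msix`) is a weak indicator that should be read together with the host and hash hits on the same line.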

@malware_traffic The irony is their overall negligence with PPC advertising and malware distribution via Firebase and AMP :)

Late last month we posted some early findings related to an initial-access campaign dubbed “Nitrogen,” which colleagues elsewhere in the industry have connected to certain BlackCat (aka ALPHV) infections. Our MDR protections kept those of our customers targeted by Nitrogen from crossing paths with that feral feline, so we’ve been digging into Nitrogen itself to better understand its construction and what it does to establish and entrench access. Turns out that for a BlackCat-adjacent infection, it’s a bit of a dog’s breakfast: https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/

Into the tank with Nitrogen

The element originally known as “foul air” stinks up computers as a new initial-access campaign exhibiting some uncommon techniques

Sophos News

It's copycat season with fake updates. (This was reported earlier).

Loaded via: itsdigitalshiva[.]com/cdn-js/wds.min.php

Payload is again NetSupport RAT after malicious JS execution.

Added regexes for detection in EKfiddle and calling it SmartApeSG (after the hosting company name).

#SocGholish

In mid-June, Sophos identified a previously unnoted initial-access campaign targeting IT users via malicious advertising (malvertising) – one that uses interesting export forwarding and DLL pre-loading techniques to mask malicious activity, hinder analysis, and generally support its foothold once on the target network. Our colleagues at Trend are watching this adversary too, and have some thoughts on what we’re tracking as “Nitrogen,” after we observed a string in the PDB path commonly used among the samples. As we continue our own research, we are sharing early findings with the community. (1/4)

#threatintel #sophosxops