Ján Trenčanský

177 Followers
276 Following
780 Posts
EDR R&D team lead at ESET. Opinions are my own.
I regret to inform you that Cyber Satan is in play.
GitHub: https://github.com/j91321
Bluesky: https://bsky.app/profile/j91321.bsky.social

RE: https://mastodon.social/@cisakevtracker/116438818135438196

Oh no, we're doing TeamCity again? 

Cybersecurity marketing after a big breach or an easily exploitable vulnerability begins ravaging the internet, in a nutshell.
Recent news about Ghost Murmur reminded me what a delightful read Ben R. Rich's memoir Skunk Works is. One story that particularly stuck with me is how the RS-71 designation had to be changed to SR-71. Lyndon B. Johnson misspoke at a press conference, and thirty thousand blueprints had to be changed. Something that any engineer who has had their product renamed by marketing can relate to.
Opened YouTube and saw a recommended video with the title: Going to prison: What awaits you and how to prepare?
YouTube algorithm, WHAT DO YOU KNOW?

Cisco Talos recently published an analysis of an EDR killer used by the #Qilin #ransomware gang. #ESETresearch tracks this threat as #CardSpaceKiller and we recently provided additional insights in our blog https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
While we didn’t obtain direct evidence, we strongly believe that CardSpaceKiller is offered as a product on the darknet for reasons covered in the blog. We’ve detected it used by #Akira, #Medusa, and #MedusaLocker affiliates too.
The packer (identified as VX Crypt by Sophos) is not unique to this killer; it’s a PaaS used with other malware like #BumbleBee. But it is the single choice for the killer’s developer; unprotected samples were used only in 2025-02 https://www.sophos.com/en-us/blog/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/
Beyond msimg32.dll mentioned in the Talos blog, VX Crypt also names the payloads rtworkq.dll and version.dll, all abusing DLL side-loading for evasion. We've also observed an EXE variant in the wild, named 0th3r_av5.exe https://blog.talosintelligence.com/qilin-edr-killer/
Additional IoCs:
127B50C8185986A52AE66BF6E7E67A6FD787C4FC (version.dll)
22640D48F2E2A56C7A0708356B2B6990676B58B3 (version.dll)
3030DF03F36EC4C96B36B2E328FE3D7D9082811A (0th3r_av5.exe)
52D0358FF84295D231BC180CEDFDAF96631D67B4 (rtworkq.dll)
5D3CF785A440133A899412B800742716287D0B06 (msimg32.dll)
A3BDB419703A70157F2B7BD1DC2E4C9227DD9FE8 (0th3r_av5.exe)

The cybersecurity industry is in its nuclear scare era. Everyone is hype-cycle focused on the newest biggest bomb while losing to poor rice farmers with wooden guns.

#threatintel #threatintelligence #cybersecurity

#ESETresearch has identified an Akira lookalike ransomware campaign targeting South America. The threat actor is using a Babuk-based encryptor that appends the .akira extension and drops a ransom note that mimics Akira both in Tor URLs and the overall content.
The ransom note is almost identical to Akira's with some parts omitted. The crucial difference is the planted Tor link that is not under Akira's control. The ransom note is also named ___________akira_readme.txt (the leading underscores are another difference from real Akira).
The ransom note also references the official Akira leak sites (Dedicated Leak Sites - DLSs), but plants a custom Tor link for the ransom payment negotiation. The link is currently not working. Notably, Akira itself warns about potential copycats on their DLS.
Aside from the encryptor, the threat actor utilized Mimikatz and exfiltrated sensitive data using rclone. Copycat attempts like this one are rare, but not unheard of. Victims should never trust threat actors based solely on their claims.
IoCs: 9B484760D563B3768EAA93802AFD4EA9C3F92780 (win.exe)
https://akirad2pbdhjlczfbunj4jbbv7ox4ixdti3xq35mqxsl3yzjqhg3lmqd[.]onion

Complete list of indicators:

Windows

Antivirus indicator:

  • JS/Agent.UHP

EDR indicators:

  • Suspicious script interpreter started - cscript [F0447b]
  • Script started from %TEMP% [F0443a]
  • Script interpreter saved default script file [A0317]
  • Curl uploaded file [A0521]
  • Renamed PowerShell Execution [D0411]
  • PowerShell Suspicious Activity Executed [D0413]
  • PowerShell Engine Loaded in Non-PowerShell Process [D1206]

Linux

Antivirus indicator:

  • Python/Agent.CMH

EDR indicators:

  • Script Dropped to Temporary Directory [L0331]
  • File Dropped by Network Transfer Utility / Service [L0316]

macOS

Antivirus indicator:

  • OSX/Agent.GN

EDR indicators:

  • Suspicious File Dropped by Network Utility [G0305]
  • Executable Dropped by Network Utility via Applescript Ancestor [G0314]
  • Process Discovery [G1102]
Detection on Mac and Linux was also solid.
ESET Inspect killed the Axios compromise execution chain on Windows straight out-of-the-box. Renaming PowerShell is a terrible tradecraft if it was intended as EDR evasion.
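Why renaming PowerShell buys an attacker nothing against the two indicators listed above ("Renamed PowerShell Execution" and "PowerShell Engine Loaded in Non-PowerShell Process"): the on-disk file name is attacker-controlled, but the OriginalFileName in the PE version resource and the engine DLL a host process loads are not. The following is an added illustration, not ESET Inspect's rule logic and not code from the thread. It runs two such checks over constructed Sysmon-style records (Event ID 1 process-create with OriginalFileName, Event ID 7 image-load); the field names follow Sysmon, the sample events, PIDs and paths are made up, and the host/engine name sets are assumptions a real rule would tune.

```python
"""Toy detector for two indicators from the Axios-compromise thread:
renamed PowerShell execution and the PowerShell engine loaded in a
non-PowerShell host. Added example; not ESET Inspect's implementation."""
import ntpath

# Assumed allowlists. Legitimate processes whose on-disk name is a
# PowerShell host, and the OriginalFileName values Sysmon reports for them
# (Windows PowerShell 5.1 reports PowerShell.EXE, PowerShell 7 reports pwsh.dll).
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll", "pwsh.exe", "powershell_ise.exe"}
# The PowerShell engine assembly (managed and native-image variants).
POWERSHELL_ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}

# Constructed sample telemetry (not real logs). Two benign events for the
# real powershell.exe, one renamed copy, one foreign host loading the engine.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"EventID": 1, "ProcessId": 4212,
     "Image": r"C:\Users\Public\svchost.exe",          # renamed powershell.exe
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "svchost.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 7, "ProcessId": 5120,
     "Image": r"C:\Users\Public\updater.exe",          # unmanaged host pulling in the engine
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                    r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                    r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
]


def _basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the platform the detector runs on.
    return ntpath.basename(path).lower()


def renamed_powershell(event: dict):
    """Process-create check: version resource says PowerShell, file name does not."""
    if event.get("EventID") != 1:
        return None
    original = event.get("OriginalFileName", "").lower()
    image = _basename(event["Image"])
    if original in POWERSHELL_ORIGINAL_NAMES and image not in POWERSHELL_HOSTS:
        return {"rule": "renamed_powershell", "pid": event["ProcessId"],
                "image": event["Image"], "original_name": event["OriginalFileName"]}
    return None


def engine_in_foreign_host(event: dict):
    """Image-load check: System.Management.Automation loaded by a non-PowerShell host."""
    if event.get("EventID") != 7:
        return None
    loaded = _basename(event["ImageLoaded"])
    host = _basename(event["Image"])
    if loaded in POWERSHELL_ENGINE_DLLS and host not in POWERSHELL_HOSTS:
        return {"rule": "powershell_engine_foreign_host", "pid": event["ProcessId"],
                "image": event["Image"], "loaded": event["ImageLoaded"]}
    return None


def scan(events):
    """Run every rule over every event and collect the alerts."""
    alerts = []
    for event in events:
        for rule in (renamed_powershell, engine_in_foreign_host):
            hit = rule(event)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The two benign powershell.exe events produce nothing; the renamed copy and the foreign host each raise one alert. Real rules add an allowlist of legitimate non-PowerShell hosts of the engine (management tooling that embeds the runspace) and pair the image-load check with the process-create one, but neither check depends on the attacker's chosen file name, which is the point of the thread's comment about tradecraft.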