Impostor certificate:
EV Code-signing certificate "Yurisk LLC", used to sign fake NordPass installer.
Abused and revoked within 1 week of issuance. Company registration says they transport freight.
Day 91 - Large EXE or MSI File Observed in User Downloads Folder
Featuring a shoutout to debloat by the awesome @squiblydoo! Go check it out (and also his certReport tool, #ImposeCost as they say)
Fake SCPToolkit uploaded to MB by aachum:
Signed EXE "jmutanen software Oy" loads an MSI and the real SCPToolkit as a decoy. Installs ScreenConnect: microsoftnet[.]ru
Files from signer: https://bazaar.abuse.ch/browse/tag/jmutanen%20software%20Oy/
Zip with parts:
https://www.virustotal.com/gui/file/1dff513d05c2d51b18ad7f4fda789347760fc84e02cb88edb5d974f32589cf40/details
Signed DLL, 2/70 hits on VT? https://virustotal.com/gui/file/2240ccae318ec18f421d7b539b610abcda114edcd60e4da96e8ca7e502d9f6bd/behavior
It's actually easy to see that it downloads from PasteBin and excludes C:
I created a course with KC7Cyber to showcase and educate: https://kc7cyber.com/modules/VT101
I like to promote it because I know details like these get looked over.
Dang. Black Basta spending $500 to run a campaign and $4,000 for the Extended Validation certificate. 🤯
Great to see the code-signing certificate abuse from the other side. Great use of Cert Central: tying certificates BB talked about back to the actual malware.
Signed malware "Webber Air Investments LLC"
First seen 23 days ago targeting YouTubers, rip.
Vidar C2: 95.217.30.53
https://bazaar.abuse.ch/browse/tag/Webber%20Air%20Investments%20LLC/
Y'all will start seeing more files signed by Microsoft.
Please report them to centralpki@microsoft[.]com or just tag me at a minimum, please.
Microsoft has been good at revoking them.
This week, I've seen:
Lumma Infostealer
QuasarRAT
CobaltStrike (C2: uuuqf[.]com)
example: 40183652b178bbb018185d714c0d023d81ce1943183eb7f563ad58fc2925cd88
www.malwr4n6.com/post/dealing... explains PE file padding and how to defeat one padding technique: manually and with tools (like my debloat tool https://github.com/Squiblydoo/debloat).
Understanding the technique is important. This technique accounts for essentially 78% of bloated files (out of 1000).
Debloat handles 91% of examples but only PE files.
When attackers use this technique with other file types, you'll be on your own until debloat adds support.
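The padding technique above, worked through as an added example (this is not the debloat tool's code, nor anything from the linked post): the script parses the PE headers, finds where the last section's raw data ends, and treats everything past that point (the overlay) as padding when it is a run of one byte value. The caveat a practitioner wants is the Authenticode certificate table: on a signed file it lives in the overlay too, so the script reads the security data directory and keeps that region instead of cutting it off. The sample PE built by `build_sample_pe` is a constructed, minimal stand-in (one section, fake signature blob), and the 95% single-byte threshold is an assumed heuristic, not a published figure. Padding stuffed inside the certificate table itself, or inside a .NET resource as in the fake Zoom/MagicApp installers, is not handled here.

```python
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory index of the Authenticode cert table


def parse_pe(data: bytes) -> dict:
    """Locate the COFF/optional headers and the section table of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)          # 0x10B = PE32, 0x20B = PE32+
    return {"num_sections": num_sections, "opt": opt, "magic": magic,
            "sec_table": opt + opt_size}


def sections_end(data: bytes, pe: dict) -> int:
    """File offset where the last section's raw data ends; anything after is overlay."""
    end = pe["sec_table"] + pe["num_sections"] * 40
    for i in range(pe["num_sections"]):
        off = pe["sec_table"] + i * 40
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def security_directory(data: bytes, pe: dict) -> tuple[int, int]:
    """(file offset, size) of the Authenticode certificate table, or (0, 0) if unsigned."""
    pe32 = pe["magic"] == 0x10B
    nrva, = struct.unpack_from("<I", data, pe["opt"] + (92 if pe32 else 108))
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    dd = pe["opt"] + (96 if pe32 else 112) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", data, dd)


def debloat(data: bytes, threshold: float = 0.95) -> tuple[bytes, dict]:
    """Strip a single-byte-run overlay, keeping the signature blob if there is one."""
    pe = parse_pe(data)
    sec_end = sections_end(data, pe)
    sig_off, sig_size = security_directory(data, pe)
    keep = sec_end
    if sig_off and sig_off + sig_size <= len(data):   # cert table sits in the overlay
        keep = max(keep, sig_off + sig_size)
    overlay = data[keep:]
    report = {"sections_end": sec_end, "signature": (sig_off, sig_size),
              "overlay_size": len(overlay), "trimmed": 0, "pad_byte": None}
    if not overlay:
        return data, report
    byte, count = Counter(overlay).most_common(1)[0]
    if count / len(overlay) >= threshold:               # assumed heuristic: one value dominates
        report.update(trimmed=len(overlay), pad_byte=byte)
        return data[:keep], report
    return data, report                                 # real overlay (installer payload etc.)


def build_sample_pe(padding: bytes, signed: bool = False) -> bytes:
    """Constructed minimal PE32: headers in the first 0x200 bytes, one 0x200-byte section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    sig = b""
    if signed:
        # fake WIN_CERTIFICATE: dwLength=16, wRevision=0x200, wCertificateType=2, 8 junk bytes
        sig = struct.pack("<IHH", 16, 0x200, 2) + b"X" * 8
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, len(sig))
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VAddr, RawSize, RawPtr
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + sig + padding


if __name__ == "__main__":
    bloated = build_sample_pe(b"\0" * 50_000_000, signed=True)
    slim, info = debloat(bloated)
    print(f"{len(bloated)} -> {len(slim)} bytes, report: {info}")
```

Run it against a real sample with `debloat(open(path, "rb").read())`; a legitimate installer whose overlay is an NSIS or Inno archive will come back untouched, because that data is not a single-byte run.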
Fake Zoom reaches out to Namecheap domain ZoomInstaller[.]com
Fake MagicApp also installs Zoom; reaches out to Github and Namecheap domain MagicVision[.]io
Both suspiciously over 100MB due to .NET resource.
https://tria.ge/250308-mqs4jswjv3/behavioral2
https://tria.ge/250308-mpm6xavzdw/behavioral2
Certificate reported.
Certificate signing DarkGate malware reported: "BLVS Tech Inc."
DarkGate gets signed with a code-signing certificate fairly often. CertCentral.org is tracking 23 instances, I'm sure it happens more than that though.