Important Message to All my Followers & Readers.
Please keep in mind that:
I am absolutely not connected with cybersecurity or IT; it is not my profession, because I do not have a profession.
And I do not have an education. Do not trust what I do.
Thank you for reading.
#Ramnit
It's an old trick, but it still works. Hiding a file as hex bytes in the HTML code and a simple VBScript dropper on the same page. An example of searching for such pages using
#Shodan
(approx.; this is just an example, the query may be different😉)
IPs list->
Dear all! Before you search for something in [Shodan, Censys, ZoomEye, etc.], try to find something that will help you search. You can start with TweetDeck. Just a tip.
From time to time people ask me about news aggregator services / RSS feeds that I use
The truth is, I'm just a #Tweetdeck power user
+ keyword based columns
+ filters on engagements
+ notifications on rarely updated columns
Some tips:
Trojan for Linux in Golang spotted ITW / low detection
url: hxxp://45.32.132.166 <- You're welcome to visit!)
Sample 'ltmp' on VT & bazaar ->
70f58625baf28f632fcee71c709078a8
Version for windows ->
e96e2bbe4db122abc73bcd5b149488f4 (VT 6/69)
#opendir
MedusaLocker 📸
ip: 185.232.164.6
url: hxxp://85.217.170.156 /repeater.php
Sample 'scpvss.exe' on VT ->
See also sample on bazaar ->
fd9b18f720c9c48d0088a00afa6bb87f
#opendir
ChinaChopper & CVE-2021-21985
An interesting combination of links to GitHub, isn't it? What would we do without these wonderful comments?!
cdk on VT ->
Go #ransomware on Go... OR Not?
Samples on VT & bazaar ->
0e3dc5ad55829e35e8b0b668fffd2658 goransom_linux64\.elf
bd12b3601bd72416d9520e41963125ea goransom_windows64\.exe
Cc: @Arkbird_SOLG
🚮FYI
FUD ELF Go1ang
Very suspicious files on a web server.
155fbe012e0a9069c1254786a3da20e9 <- mpuyg(?)
36bdca61fe21f96a1729ca0cdb2ad8fb <- wmrqc [Client]
e00f9d212e7fc83b7d11586f85f42450 <- frpc
Another Winnti panel😇
C2:
ip: 114.132.246.103 :520
#1
Sample 'server.exe' on VT & bazaar ->
6db6ec5bae1438faf87e2ad4378e083c
#2
See also already known sample '1.exe' on VT ->
url: wuxi.tanxinyu\.cn
ip: 82.156.28.253
Just an example, of course😎
#opendir
#ransomware
hacktool
ip: 95.213.145.101 :8000 🇷🇺
fe2491d1fed2f1029052207bb75a61b2 main\.exe
I couldn't see the source code, but judging by the strings, this is a script generation tool for 'lock' and 'still'😎
Ref[1]:
My writeup on OP Red Deer is up!
Uncovering #Aggah campaign towards Israel. 🇮🇱
What’s included in the writeup?
➡️ Impersonation of “Israel Post” (Israel's biggest postal company)
➡️ execution chain summary
➡️ SSL certificate hunting
➡️ Opendir hunting
➡️ Bunch of IOCs