The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Today, we exposed "BendyBear," one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an APT, says the Unit 42 researcher who analyzed it.
🦈 Good news everyone! 🦈 @malware_traffic is back with another great #Wireshark tutorial - this one covers a recent infection with the information stealer Qakbot (aka Qbot).
2023-12-07 (Thursday) - PDF file found on VirusTotal led to #DarkGate infection - Windows shortcut retrieved DarkGate install script from DNS TXT record - activity may have started as early as 2023-11-27 - IOCs available at #TimelyThreatIntel #Wireshark
2023-10-12 (Thursday): The latest example of #DarkGate malware distributed through Microsoft Teams. Attacker poses as target organization's CEO and sends victim a Teams invite. Message contains password-protected zip archive. IOCs available at
2023-01-16 (Monday) - Google ad led to fake software site sending malware. Post-infection activity for #Gozi (#ISFB / #Ursnif) and #RedlineStealer. Seeing this for different software searches. Indicators for an infection from a fake 7-Zip page available at
2023-01-31 (Tuesday) - #Qakbot (#Qbot) returns after a one-month hiatus, now using OneNote (.one) files as initial lure. Saw #CobaltStrike on 104.237.219[.]36 using ciruvowuto[.]com as the domain. Also saw VNC traffic from this infection. IoCs available at
2023-02-07 (Tuesday): Among the wave of #Qakbot malspam, we found an email with a #OneNote attachment pushing probable #Matanbuchus malware. IoCs from an infection run available at
2022-11-28 (Monday) - Thanks to @pr0xylife for sharing a #Qakbot (#Qbot) sample from today. We generated a Qakbot infection that led to #CobaltStrike (#BEACON) on 108.177.235[.]29:443 using jesofidiwi[.]com as its domain. IoCs available at
2023-01-23 (Monday) - Google ad led to a fake AnyDesk page. Distributed malicious .msi package first reported to VirusTotal in December 2022. This malware contacts a domain associated with #TA505 infrastructure from 2020. Indicators available at
2023-10-03 (Tuesday) - #Pikabot infection led to #CobaltStrike HTTPS C2 traffic using zzerxc[.]com on 179.60.149[.]244:443. List of indicators available at . Thanks to the @Cryptolaemus1 crew for initially reporting today's Pikabot activity!
2022-10-04 (Tuesday) - #HTMLsmuggling used to distribute #IcedID (#Bokbot) which led to #CobaltStrike - Unusual traffic over TCP port 8080 included plain text instructions to retrieve and run Cobalt Strike - IOCs available at
2022-07-21 (Thursday) - password-protected zip archive --> ISO --> Windows shortcut runs hidden DLL for #IcedID (#Bokbot) - Led to #DarkVNC on 212.114.52[.]91:8080 and #CobaltStrike on 194.135.24[.]240:443 - Full list of IOCs available at:
2022-11-07 (Monday) - We saw #IcedID (#Bokbot) again from an #Emotet infection. We also saw #Bumblebee malware during the same infection. IOCs available at
2023-01-12 (Thursday) - #IcedID (#Bokbot) infection leads to #CobaltStrike using fepopeguc[.]com on 185.173.34[.]36:443 for its C2 traffic. List of indicators available at
Malicious activity tracked under the campaign #OperationMidnightEclipse is targeting CVE-2024-3400, which exploits a vulnerability in certain versions of PAN-OS software. This threat brief covers mitigations and product protections:
2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at
2024-03-19 (Tuesday): #DarkGate infection from malicious Excel file. Since last week, DarkGate started using AutoHotkey script instead of AutoIt script for its infection. Indicators from an infection available at #Unit42ThreatIntel #TimelyThreatIntel
2023-05-17 (Wednesday): Today, this week's BB28 #Qakbot-style distribution chain pushed #Pikabot instead of Qakbot. Followed up with #CobaltStrike using #DNSTunneling. We later saw additional Cobalt Strike traffic over HTTPS. List of IOCs available at
2023-04-03 (Monday) - IoC update: A consistently reliable indicator of #Qakbot (#Qbot) over the past few years has been C2 traffic using TCP port 65400. Since 2021-09-20, this has occurred on 23.111.114[.]52. However, today Qakbot TCP port 65400 traffic switched to 172.107.98[.]3
2023-03-07 (Tuesday) - Like @Cryptolaemus1 and many others, we've also seen new #Emotet #malspam and the associated malware (inflated Word docs and inflated Emotet DLL files) - Some IoCs from today's Emotet are available at
2022-02-02 (Wednesday) - Example of #CobaltStrike sent to an #Emotet-infected Windows client - Sample available at: - Cobalt Strike HTTPS C2 traffic on 66.42.65[.]229:443 at grizmit[.]com
The Unit 42 Managed Threat Hunting team observed #Mythic being delivered by #Blister and #Socgholish (Socgholish → Blister → Mythic). Mythic using makethumbmoney[.]com on 104.243.33[.]129:443 for its C2 traffic.
Our telemetry revealed an interesting case of #BoggySerpens (#MuddyWater) against a Middle East target: Persistence through scheduled task that runs PowerShell to abuse AutodialDLL registry key. AutodialDLL loads DLL for C2 framework. Details at
2022-11-03 (Thursday) - #Emotet once again pushing massive amounts of malspam. Researchers are now seeing #IcedID (#Bokbot) as follow-up activity. We've seen IcedID from Emotet before, especially in 2018 & 2019. IOCs for this new infection are available at
2022-05-03 (Tuesday) - #ContactForms campaign pushes #Bumblebee malware, leads to #CobaltStrike - Cobalt Strike traffic seen from 4 different IP addresses using 3 different domains - IOCs from the infection are available at:
New #Linux #ransomware #Monti targets #ESXi. Similar to #Conti, but Monti uses extension .puuuk
IoCs: monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid[.]onion/chat/c7c5b8b0703950c40e6614bf957f94c1/
Hash: edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1
2023-10-17 (Tuesday): #TA577 #Pikabot infection with HTTPS #CobaltStrike traffic on 45.155.249[.]171:443 using ponturded[.]com. Thanks to the @Cryptolaemus1 group for their initial post on today's Pikabot activity! IOCs from our infection run available at
2022-09-29 (Thursday) - #Qakbot (#Qbot) infection led to HTTP #CobaltStrike traffic on 194.165.16[.]64:80 using onefile[.]icu as its domain. IOCs available at - Of note, Qakbot HTTPS C2 traffic during this infection used TLSv1.3 instead of TLSv1.2.
2022-01-12 (Wednesday) - Malspam campaign using links to download Excel Add-in files (.xll file extension) delivered #IcedID (#Bokbot) which led to #CobaltStrike and #DarkVNC activity. IOCs available at:
2021-11-15 (Monday) - #Matanbuchus Loader delivered #Qakbot (#Qbot) distribution tag obama128b - Led to spambot activity and #CobaltStrike - IOCs available at: - Unit42 originally reviewed Matanbuchus in June 2021 at:
Increased visibility into the TTPs of Chinese hackers is one of the outcomes of the data leaks affecting Chinese IT company i-Soon (aka Auxun). Our observations link leaked texts to two Chinese-affiliated APTs.
2022-04-05 (Monday) - From a #Bumblebee malware infection, we saw #CobaltStrike traffic from 23.108.57[.]23 using cuhitiro[.]com as its domain. More info available at:
2022-04-14 (Thursday) - Ongoing activity using URL --> zip --> .msi --> #Qakbot --> #CobaltStrike. Researchers started seeing this infection method as early as Monday (2022-04-11). IOCs for today's activity available at:
A new method for delivering #RedLineStealer via #OneNote attachments was observed (e03d1dc90b981455ff453c996a919848074c6e735719148eeb8e1185935c28b3). Extracted C2 configuration: {"C2 url": ["172.245.45.213:3235"], "Bot Id": "Skijay2"}
2022-08-03 (Wednesday) - #IcedID (#Bokbot) from emails with zip attachments containing ISO images - Led to #CobaltStrike stager from hxxp://voxepimid[.]com/Lssaas.dll - CobaltStrike C2 on 185.173.34[.]75:443 muwokok[.]com - IOCs at:
2022-06-28 (Tuesday) - #TA578 thread-hijacked email pushed #IcedID (#Bokbot) - Led to #DarkVNC on 91.238.50[.]80:8080, then #CobaltStrike on 217.79.243[.]147:8080 using bcnupdate[.]com and on 194.37.97[.]139:8080 using solvesalesoft[.]com - IOCs at:
2022-03-01 (Tuesday) - #Emotet epoch4 infection with #CobaltStrike as follow-up malware - Cobalt Strike HTTP C2 traffic on 139.60.161[.]225 over port 80 using klycnmik[.]com as the domain - IOCs available at:
We're observing that ROMCOM RAT is now being packaged as an installer for Veeam Backup and Recovery software. This is in addition to the KeePass Password Manager and SolarWinds Orion installers identified by BlackBerry yesterday.
2022-06-17 (Friday) - Today we saw #Matanbuchus activity - This activity led to #CobaltStrike using gudugil[.]com on 23.82.141[.]136:443 - IOCs available at:
2023-05-02 (Tuesday): obama259 #Qakbot (#Qbot) infection led to #BackConnect activity on 46.151.30[.]109:443. Approximately 12 hours later, #DarkCatVNC traffic appeared using the same IP address. IOCs available at
When writing signatures to detect RDP vulnerabilities and prevent attacks, it's sometimes necessary to decrypt RDP traffic. Learn how in our latest Wireshark tutorial.
2024-03-27 (Wednesday): With the recent rise in malicious Google ads impersonating legitimate software, today we found one leading to a fake Cisco AnyConnect page pushing #NetSupportRAT. Indicators available at #Unit42ThreatIntel #RemoteAccessTrojan
2022-07-25 (Monday) - More #IcedID (#Bokbot) from emails with password-protected zip files containing ISO image - Led to #CobaltStrike binary from hxxp://209.222.98[.]13/download/msb.exe - CobaltStrike C2 on 172.93.193[.]21:443 sezijiru[.]com - IOCs at:
When reviewing suspicious network activity, we often run across encrypted traffic. This tutorial describes how to decrypt HTTPS traffic from a pcap in Wireshark.
2023-04-05 (Wednesday): OneNote file has embedded .vbe file to distribute Java-based #STRAAT malware. The .vbe will install Java if the victim doesn't have it. We saw an attacker open files from the infected Windows host's Documents folder. More info at
2022-06-09 (Thursday) - #TA578 #Bumblebee malware infection led to #CobaltStrike activity on 23.82.141[.]226:443 using zupeyico[.]com - IOCs available at:
Unit 42 Managed Services spotted active exploitations of the new FortiClient EMS vulnerability CVE-2023-48788 since Sunday 2024-03-24. This led to unauthorized installations of #Atera Agent, #ScreenConnect and #Meterpreter. List of indicators available at
2023-03-16 (Thursday): #Emotet now also using #OneNote files, but we're still seeing zip attachments with inflated Word docs. IoCs from our latest infection and info on the malware (OneNote files, zip archives, inflated Word docs, etc.) available at
2024-04-04 (Thursday): We generated an infection in a lab environment based on the latest round of #KoiLoader / #KoiStealer activity. Initial bank-themed lures started earlier this week on 2024-04-02. Some indicators available at #Unit42ThreatIntel
New #Buhti #Ransomware written in #Golang targets the #Linux platform.
Go build-id: 8yZfeORaUS9t0VEvm/6XZH_UamxCKSLaG5ICV9/o5iSux6xbO8HBoNLibae/0NSWg12Yrs4I1IE91H9o
MD5: 6dc27523eb048bb7197bfdf39d6d15dd
We urge everyone to share what they know about the supply-chain attack on SolarWinds Orion software so that we as a cybersecurity community get a complete picture. We’ve put together a timeline.
Here's @malware_traffic's tutorial on how to identify a notorious piece of malware that's been around since 2016. #Unit42WiresharkWeek Part 5: Examining Trickbot Infections
2023-03-06 (Monday): Malspam targeting Italy leads to #Gozi (#ISFB / #Ursnif) infection - URL and server hosting malicious files from our test run still active today (Thursday 2023-03-09) - IoCs from our infection run available at
2021-04-26 (Monday) - #IcedID (#Bokbot) with #CobaltStrike from StolenImages_Evidence.zip - List of indicators available at: - includes download links for malware samples, artifacts, and #pcap of infection traffic
2022-08-08 (Monday) #IcedID (#Bokbot) infection led to #CobaltStrike. Possible Cobalt Strike C2 on 23.106.223[.]135:443 rehazosipa[.]com. Saw stager on 104.238.220[.]131/download/sys.exe & Cobalt Strike C2 on 172.93.179[.]196:443 waafefuvuko[.]com. IOCs at
We observed multiple infections of #ApolloRAT using fake installers, creating persistence in the user's startup folder with a binary called MicrosofOffice.exe (imphash: 5bd3497bfd913b30bbdb13331f9ba919)