#malspam

Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

This article discusses a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in seemingly benign 32-bit .NET applications. The malware employs a multi-stage process to extract, deobfuscate, load, and execute secondary payloads, ultimately leading to the detonation of the final payload. The analysis focuses on malware samples from recent malspam campaigns targeting financial organizations in Turkey and the logistics sector in Asia. The article provides a detailed technical breakdown of the four stages involved in the malware's execution, from the initial payload to the final Agent Tesla variant. It also offers insights into effective analysis approaches and protection measures against this steganography-based threat.

Pulse ID: 681e6c6a0815759abdfae05d
Pulse Link: otx.alienvault.com/pulse/681e6
Pulse Author: AlienVault
Created: 2025-05-09 20:58:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

This article explores a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in benign 32-bit .NET applications. The malware executes through a multi-stage process of extracting, deobfuscating, loading, and executing secondary payloads. The analysis focuses on a sample from recent malspam campaigns targeting financial organizations in Turkey and logistics sectors in Asia. The malware uses steganography to hide its payloads, making it challenging to detect. The article details the technical analysis of each stage, from the initial payload to the final execution of malware families like Agent Tesla, XLoader, and Remcos RAT. It also provides guidance on how to overcome this obfuscation technique using debugging methods.

Pulse ID: 681e0c16eca08864c8cd9614
Pulse Link: otx.alienvault.com/pulse/681e0
Pulse Author: AlienVault
Created: 2025-05-09 14:07:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Last week I posted a thread about a #spam campaign delivering a #ConnectWise client as its payload. As of this morning, the threat actors have changed the payload (virustotal.com/gui/file/30e1d0) and it appears to try to connect to the address "relay.noscreener[.]info" which resolves to 104.194.145.66.

Embedded in the installer .msi file is a file called system.config, which contains this domain name and a base64-encoded string.

The fake Social Security website is still being hosted on a compromised site that belongs to a temp agency based on the east coast of the US.

Previous thread:

infosec.exchange/@threatresear

However, because this attack has been going on for two weeks, some endpoint protection tools (well, about a third of them) are catching on that this particular file is bad, and should feel bad.

virustotal.com/gui/file/13d71b

The most important lesson here is that attackers always come up with new ways to evade detection. Using a commercially available, normally legitimate remote access tool with a valid cryptographic signature lets the attacker bypass some kinds of endpoint detection.

Remember to check the From: address in emails, and the destination of any links they point to. You can do this by hovering your mouse over the link without clicking, and waiting a second. If it says it's from the SSA, but it isn't pointing to SSA.gov, then it's a lie.

If you find content like this useful, please follow me here, or on LinkedIn: linkedin.com/in/andrew-brandt-

9/fin

When clicked, the button delivers malware, but it's an unexpected payload: A client installer for the commercial remote-access tool ConnectWise.

Every time I clicked the download link, it gave me the same file with six different random digits appended to the filename. Note that it is not, as the website implies, a PDF document, but a Windows executable file, with a .exe extension.

8/

This is where I tell you: don't do this! I am a trained professional. I click all the bad links so you don't have to. I am going to show you what happens next.

A button appears on this page, labeled "Access Your Statement." The site serving up this payload delivers a file named "Social Security Statement Documents [six digit random number].exe".

7/

Finally the target lands on a page on the InMotion site that closely resembles the look-and-feel of the content in the email message.

The page tells the visitor, in part "Download your statement as a PDF file" and "For security reasons, we recommend accessing your statement through your secure device."

Spoiler alert: It was not a PDF file.

(Edit: A reader informs me that this appears to be the hosting space used by the temp agency website, and that for whatever reason, the URL appears differently here.)

6/

The target's browser then lands on another website, hosted by a large hosting service, InMotion Hosting. As with the temp agency website, the attackers have set up multiple URLs on this site, where the first URL performs a 302 redirect to go to the second URL, for no apparent reason other than to create the URL equivalent of a Rube Goldberg contraption.

5/

That link then immediately 302 redirects the target's browser to a link on a second website, one that belongs to a temp agency based in the US state of Maryland.

The attackers have created two URLs on this company's site for this purpose. The first one redirects to the second one.

Again, the site appears to have been compromised and used specifically for the purpose of obfuscating the redirection chain.

4/

In this attack, the spammers have been sending emails that look like this official-appearing notification from the Social Security Administration.

The message says "Your Social Security Statement is ready to review" and includes a button at the bottom labeled "Download Statement."

The button links to a shortened URL that uses the link-shortening service t.ly to lead the target to a chain of 302 redirects. Malware spammers often do this to fool web reputation services and obfuscate the final destination of the link.

2/
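A small triage script in the spirit of the thread's advice, added here as an example (not code from the thread's author): it parses a constructed lure e-mail, extracts every link, and flags links that go through a shortener or that point to a domain other than the one the From: header claims. The shortener list beyond t.ly and the "last two labels" domain rule are simplifying assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shortener hosts (t.ly is named in the thread; the others are illustrative assumptions).
SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com"}

class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def org_domain(host):
    """Crude registrable domain: last two labels (simplification, no public suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def triage(raw_message):
    """Return (url, reason) for each link that points away from the From: domain
    or hides its destination behind a shortener; a clean message yields []."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = org_domain(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    findings = []
    for url in extractor.links:
        host = urlsplit(url).hostname or ""
        if host in SHORTENERS:
            findings.append((url, "link shortener hides final destination"))
        elif org_domain(host) != sender:
            findings.append((url, f"points to {host}, not {sender}"))
    return findings

# Constructed sample lure modelled on the thread: the From: header claims SSA,
# but the "Download Statement" button goes through t.ly and another link leaves ssa.gov.
SAMPLE_EMAIL = """From: Social Security Administration <statements@ssa.gov>
Subject: Your Social Security Statement is ready to review
Content-Type: text/html; charset=us-ascii

<html><body>
<a href="https://t.ly/abc123">Download Statement</a>
<a href="https://www.ssa.gov/myaccount/">Sign in to my Social Security</a>
<a href="https://temp-agency.example/statement/">Access Your Statement</a>
</body></html>"""
```

Running `triage(SAMPLE_EMAIL)` reports the t.ly link and the temp-agency link while leaving the genuine ssa.gov link alone.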

⚠️ Beware of e-mails from law firms

Letters in which scammers impersonate various well-known law firms are once again landing in Poles' inboxes. The messages report a copyright infringement and look professional. They also contain a link to a scan of a letter with “evidence of copyright infringements”.

It is precisely clicking that link, then downloading and running the linked files, that can infect the computer with malware and, as a consequence, lead to data theft and the loss of social media accounts. Facebook account holders in particular should watch out for this attack.
How to recognise that it is a scam? The e-mails are sent from various addresses in the GMail domain. The link to the letter with evidence, contrary to its description, does not lead to a PDF. And as an aside: although receiving a notice of copyright infringement can be stressful, it is worth knowing that serious correspondence from law firms, if it is to be binding, should reach us on paper.
I received such a message, what should I do now?

If you received such a message, you do not need to do anything. You can ignore it. None of your data has leaked, and none of the content you have published infringed other companies' copyrights.
If you only downloaded the attachment, you have not been infected.

If you downloaded the attachment, unpacked it and ran the application from it, have your computer checked for malware as soon as possible; from another device, log in to all important accounts and change their passwords, and, where possible, also log out “other sessions/devices”.

We also sent this warning as an alert to users of our free CyberAlerty app. If you too want to be informed about attacks, [...]

#Cyberalert #Malspam #PrawaAutorskie #SpearPhishing

niebezpiecznik.pl/post/uwaga-n