mstdn.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A general-purpose Mastodon server with a 500 character limit. All languages are welcome.


#Malware

177 posts · 95 participants · 37 posts today

🚨 New #Stegocampaign abuses obfuscated registry to execute payload
The attack is carried out through users following instructions, such as downloading a REG file that adds a #malicious script to Autorun. While Autorun abuse has rarely been seen recently, we found a sample actively using this method.

🔗 Execution chain:
PDF ➡️ Phish link ➡️ REG file adds a script to Autorun ➡️ OS reboot ➡️ CMD ➡️ PowerShell ➡️ #Wscript ➡️ Stegocampaign payload (DLL) extraction ➡️ Malware extraction and injection into AddInProcess32 ➡️ XWorm

⚠️ Victims receive a phishing PDF containing a link to download a .REG file. By opening it, users unknowingly modify the registry with a #script that fetches a VBS file from the web and adds it to Autorun.

Upon system reboot, the #VBS file launches #PowerShell, triggering an execution chain that ultimately infects the operating system with #malware.

👾 Then, #ReverseLoader downloads #XWorm, initiating its execution. The payload contains a DLL file embedded in an image, which then extracts XWorm from its resources and injects it into the AddInProcess32 system process.

❗️ This chain of actions abuses legitimate system tools and relies on user actions, making it difficult for automated security solutions to detect.
This puts organizations at risk by allowing attackers to evade detection, potentially leading to data breaches and access to sensitive data. #ANYRUN Sandbox offers full control over the VM, which allows you to interact with malware and manipulate its behavior.

👨‍💻 See analysis with a reboot:
app.any.run/tasks/068db7e4-6ff

🚀 #ANYRUN's interactive VMs let users manually execute each step of the entire attack chain, even without a system reboot:
app.any.run/tasks/f9f07ae8-343

🔍 Use this TI Lookup search query to find similar samples to enrich your company's detection systems:
intelligence.any.run/analysis/

Analyze and investigate the latest malware and phishing threats with #ANYRUN 🛡️
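As an added example (this is not part of the ANY.RUN post above and not their tooling): a small Python triage script for the first link in that chain, the .REG file that plants the Autorun entry. It parses .reg text, decodes quoted strings, `dword:` and `hex(n):` data (including the wrapped multi-line hex form), and flags values under the Run/RunOnce keys whose data launch a script host or PowerShell, point at a script file, or fetch something over HTTP. The .reg content embedded as `SAMPLE_REG` is constructed for this example; every value name and path in it is made up.

```python
"""Triage a Windows .reg file for Run-key persistence.

Added example, not ANY.RUN code. SAMPLE_REG is constructed for this
example; the value names and paths in it are made up.
"""
import re

# Autorun keys written by "REG file -> Autorun" style persistence.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$",
    re.IGNORECASE,
)
# Launchers and artefacts worth a second look in a Run value's data.
SUSPICIOUS_RE = re.compile(
    r"\b(wscript|cscript|mshta|powershell|pwsh|cmd|regsvr32|rundll32)(\.exe)?\b"
    r"|\.(vbs|vbe|js|jse|ps1|hta|bat|cmd)\b"
    r"|https?://",
    re.IGNORECASE,
)
# "Name"=data or @=data (default value); the name may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash; undo both in one pass.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(raw):
    """Decode the right-hand side of a value line into str, int or bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if m:
        kind = m.group(1) or "3"            # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in ("1", "2", "7"):         # SZ / EXPAND_SZ / MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le", "replace").replace("\x00", " ").strip()
        return data
    return raw


def parse_reg(text):
    """Return (key, value_name, data) for every value assignment in a .reg text."""
    entries, key = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        # Long hex data is wrapped with a trailing backslash; glue the pieces.
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(2) else _unescape(m.group(1))
            entries.append((key, name, _decode_data(m.group(3))))
    return entries


def triage(text):
    """Return (key, name, data, matched) for suspicious Run/RunOnce values."""
    findings = []
    for key, name, data in parse_reg(text):
        # [-KEY] deletes the key, so nothing is persisted there.
        if key.startswith("-") or not RUN_KEY_RE.search(key):
            continue
        if not isinstance(data, str):
            continue
        hit = SUSPICIOUS_RE.search(data)
        if hit:
            findings.append((key, name, data, hit.group(0)))
    return findings


# Constructed sample: one script-host Autorun entry, one benign entry, one
# REG_EXPAND_SZ "powershell" written as wrapped hex(2), one value outside Run.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="wscript.exe //B \"C:\\Users\\Public\\update.vbs\""
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"=hex(2):70,00,6f,00,77,00,65,00,72,00,73,00,68,00,65,00,6c,00,\
  6c,00,00,00

[HKEY_CURRENT_USER\Software\Example]
"Path"="C:\\tools\\run.vbs"
'''

if __name__ == "__main__":
    for key, name, data, hit in triage(SAMPLE_REG):
        print(f"[{key}] {name!r} -> {data!r}  (matched: {hit})")
```

Against a real export use `triage(open(path, encoding="utf-16").read())`: regedit writes .reg files as UTF-16LE with a BOM, which that codec consumes. The pattern list is deliberately broad, so treat hits as triage leads rather than verdicts; a legitimate installer can also register a Run value that calls a script.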

🔥 Next week | New features coming to ALL platforms on Tues, 25th Feb!

Here’s a reminder of what’s new for "authenticated" users:

✅ False Positive List – for all platforms, accessible via GUI and API
✅ URLhaus Hunting Functionality – respond faster to new malware URLs and payloads.
✅ YARAify File Auto-Deletion – Live now!
... and much more!

👀 Stay tuned for another hunting game-changer… but we’re keeping this one under wraps until Tuesday!

Points theft in the supermarket: cybercriminals steal Rewe bonus points

Using a feature for collecting points together, crooks are currently stealing credit in a bonus app and cashing it in at the store. What is behind the scam.

heise.de/news/Punkteklau-im-Su

heise online · Points theft in the supermarket: cybercriminals steal Rewe bonus points
More from Dr. Christopher Kunz

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple stages, including initial contact, downloader execution, persistence establishment, reconnaissance, credential theft, and data exfiltration. The malware uses various tactics such as disabling event logging, modifying registry keys, harvesting credentials, scheduling tasks, and communicating via non-standard ports. It exfiltrates stolen data to a command-and-control server in Hong Kong. Organizations are advised to train support teams, restrict file execution, monitor network traffic, and use real-time analysis tools to protect against this threat.

Pulse ID: 67b50f00d0d71213b3bbc065
Pulse Link: otx.alienvault.com/pulse/67b50
Pulse Author: AlienVault
Created: 2025-02-18 22:51:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange · Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Malicious Signal, Line, and Gmail Installers Target Chinese-Speaking Users with Backdoors

A malicious campaign is targeting Chinese-speaking users by distributing backdoored executables through fake download pages for popular apps like Signal, Line, and Gmail. The attackers use seemingly unrelated domain names and rely on search engine manipulation to lure victims. The malware follows a consistent execution pattern, involving temporary file extraction, process injection, security modifications, and network communications. It exhibits infostealer-like functionality and has been identified as 'MicroClip'. The campaign uses centralized infrastructure hosted on Alibaba servers in Hong Kong. Users are advised to be cautious of unofficial download sites and verify software sources to protect against such threats.

Pulse ID: 67b50f055ec9320f1c0ce50c
Pulse Link: otx.alienvault.com/pulse/67b50
Pulse Author: AlienVault
Created: 2025-02-18 22:51:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.