digitalcourage.social

Brad<a href="https://infosec.exchange/tags/MalspamMonday" class="mention hashtag" rel="nofollow noopener" target="_blank">#MalspamMonday</a>Malspam Monday is when I check the inboxes of my honey pot accounts for anything interesting distributed through email.Today, I found an example of <a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> for <a href="https://infosec.exchange/tags/Remcos" class="mention hashtag" rel="nofollow noopener" target="_blank">#Remcos</a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> Details at <a href="https://github.com/malware-traffic/indicators/blob/main/2025-03-24-GuLoader-for-Remcos-RAT.txt" rel="nofollow noopener" translate="no" target="_blank">https://github.com/malware-traffic/indicators/blob/main/2025-03-24-GuLoader-for-Remcos-RAT.txt</a><a href="https://infosec.exchange/tags/RemcosRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RemcosRAT</a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener" target="_blank">#malspam</a>

Brad2025-02-07 (Friday): Today's boring example of <a href="https://infosec.exchange/tags/malpsam" class="mention hashtag" rel="nofollow noopener" target="_blank">#malpsam</a> pushing <a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> for <a href="https://infosec.exchange/tags/AgentTesla" class="mention hashtag" rel="nofollow noopener" target="_blank">#AgentTesla</a> style malware. EXE of this malware available at <a href="https://bazaar.abuse.ch/sample/833aae0bc34e211145371b619b7c542864e9f864e26de1690fd2f6be76fcb174" rel="nofollow noopener" translate="no" target="_blank">https://bazaar.abuse.ch/sample/833aae0bc34e211145371b619b7c542864e9f864e26de1690fd2f6be76fcb174</a>

Brad2025-01-09 (Thursday): <a href="https://infosec.exchange/tags/CVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#CVE</a>-2017-0199 Excel (<a href="https://infosec.exchange/tags/XLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#XLS</a>) file --> <a href="https://infosec.exchange/tags/HTA" class="mention hashtag" rel="nofollow noopener" target="_blank">#HTA</a> --> <a href="https://infosec.exchange/tags/VBS" class="mention hashtag" rel="nofollow noopener" target="_blank">#VBS</a> --> <a href="https://infosec.exchange/tags/steganography" class="mention hashtag" rel="nofollow noopener" target="_blank">#steganography</a> --> <a href="https://infosec.exchange/tags/DBatLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#DBatLoader</a> or <a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> style malware for <a href="https://infosec.exchange/tags/AgentTesla" class="mention hashtag" rel="nofollow noopener" target="_blank">#AgentTesla</a>. Data exfil over FTP. A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

Scripter :verified_flashing:Researchers Unveal GuLoader Malware's Latest Anti-Analysis Techniques <a href="https://thehackernews.com/2023/12/researchers-unveal-guloader-malwares.html" rel="nofollow noopener" translate="no" target="_blank">https://thehackernews.com/2023/12/researchers-unveal-guloader-malwares.html</a> <a href="https://social.tchncs.de/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybercrime</a> <a href="https://social.tchncs.de/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://social.tchncs.de/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a>

SANS Internet Storm Center - SANS.edu - Go Sentinels!ISC Diary: <a href="https://infosec.exchange/@malware_traffic" class="u-url mention" rel="nofollow noopener" target="_blank">@malware_traffic</a> saw <a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> or <a href="https://infosec.exchange/tags/ModiLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#ModiLoader</a>/#DBatLoader style traffic for <a href="https://infosec.exchange/tags/RemcosRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RemcosRAT</a> <a href="https://i5c.us/d29990" rel="nofollow noopener" target="_blank">https://i5c.us/d29990</a>

Andrew 🌻 Brandt 🐇<a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@GossiTheDog</a> <a href="https://infosec.exchange/@da_667" class="u-url mention" rel="nofollow noopener" target="_blank">@da_667</a> Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the <a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> <a href="https://infosec.exchange/tags/maltax" class="mention hashtag" rel="nofollow noopener" target="_blank">#maltax</a> story

Sophos X-OpsWhat's up with that <a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> URL?The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.It turns out that this is a variation of the so-called <a href="https://infosec.exchange/tags/dotless" class="mention hashtag" rel="nofollow noopener" target="_blank">#dotless</a> IP address format. Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1087" rel="nofollow noopener" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1087</a>) describes this bug and the strange formatting of the URL. Back then, <a href="https://infosec.exchange/@threatresearch" class="u-url mention" rel="nofollow noopener" target="_blank">@threatresearch</a> created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the <a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.Just another weirdness and we haven't even gotten to the malware, itself.<a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> <a href="https://infosec.exchange/tags/Remcos" class="mention hashtag" rel="nofollow noopener" target="_blank">#Remcos</a> <a href="https://infosec.exchange/tags/maltax" class="mention hashtag" rel="nofollow noopener" target="_blank">#maltax</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/dotlessIP" class="mention hashtag" rel="nofollow noopener" target="_blank">#dotlessIP</a> <a href="https://infosec.exchange/tags/retroCVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#retroCVE</a>6/

Sophos X-OpsThe Windows <a href="https://infosec.exchange/tags/shortcut" class="mention hashtag" rel="nofollow noopener" target="_blank">#shortcut</a> pointed to a <a href="https://infosec.exchange/tags/PowerShell" class="mention hashtag" rel="nofollow noopener" target="_blank">#PowerShell</a> command. Obviously, because that's totally normal, right? 🙄But the shortcut had been modified so that the Target field in its Properties sheet appeared blank.Apparently there's a little bug in Windows. Microsoft already knows about it, because it was revealed in a blog post by researcher @x86matthew@twitter.com a year ago. If you mess around with a shortcut and prepend a big chunk of "space" characters, the Target field still works but the command will be hidden from the end user. <a href="https://www.x86matthew.com/view_post?id=embed_exe_lnk" rel="nofollow noopener" target="_blank">https://www.x86matthew.com/view_post?id=embed_exe_lnk</a>The threat actor used this exact technique.The command executed by the Windows shortcut is a PowerShell "Invoke-WebRequest" download of a VBS.<a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> <a href="https://infosec.exchange/tags/Remcos" class="mention hashtag" rel="nofollow noopener" target="_blank">#Remcos</a> <a href="https://infosec.exchange/tags/maltax" class="mention hashtag" rel="nofollow noopener" target="_blank">#maltax</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> 5/

Sophos X-OpsWe did get a copy of the original Zip archive from the <a href="https://infosec.exchange/tags/MDR" class="mention hashtag" rel="nofollow noopener" target="_blank">#MDR</a> investigation. The attacker (or the cloud provider) had already pulled down the file by the time we got to it but the customer still had a copy. We then began looking for similar files on OSINT sources and found a bunch more.The Zip files contained two files, each. One is a Windows <a href="https://infosec.exchange/tags/shortcut" class="mention hashtag" rel="nofollow noopener" target="_blank">#shortcut</a> file, and the other was a benign file. The benign file was an MP3 recording of a live music performance - a file that sounds like someone playing an Oud, the stringed instrument similar to a lute used widely in the middle east. (If any musical aficionados can confirm the instrument or identify the song, reach out to <a href="https://infosec.exchange/@threatresearch" class="u-url mention" rel="nofollow noopener" target="_blank">@threatresearch</a> and let him know.)We've uploaded the recording here: <a href="http://sndup.net/dh43" rel="nofollow noopener" target="_blank">http://sndup.net/dh43</a>But although the file was legitimately an MP3, you can see they were named with the wrong file suffix. If you double-click the benign file, Windows says it can't open it. So it encourages the recipient to double-click the other icon, the one that looks like it's supposed to be a PDF document. It wasn't a PDF document.<a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> <a href="https://infosec.exchange/tags/Remcos" class="mention hashtag" rel="nofollow noopener" target="_blank">#Remcos</a> <a href="https://infosec.exchange/tags/maltax" class="mention hashtag" rel="nofollow noopener" target="_blank">#maltax</a> 4/

Sophos X-OpsIn the case of this infection, the attacker didn't send anything malicious until the person they contacted replied to this benign "introduction"/solicitation email. It was smart because it kept them off the radar for our <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#spam</a> traps.The link pointed to a file hosted in a large cloud storage provider. The file was a password-protected Zip archive, and all the archives we came across used the same password: Fresh@123The Zip's contents were pretty weird, and then it got weirder.<a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> <a href="https://infosec.exchange/tags/Remcos" class="mention hashtag" rel="nofollow noopener" target="_blank">#Remcos</a> <a href="https://infosec.exchange/tags/maltax" class="mention hashtag" rel="nofollow noopener" target="_blank">#maltax</a>3/

Sophos X-Ops<a href="https://infosec.exchange/@SophosXOps" class="u-url mention" rel="nofollow noopener" target="_blank">@SophosXOps</a> First found out about the campaign when one of the affected companies reached out to us about alerts they were seeing on their dashboard. The <a href="https://infosec.exchange/tags/Sophos" class="mention hashtag" rel="nofollow noopener" target="_blank">#Sophos</a> <a href="https://infosec.exchange/tags/MDR" class="mention hashtag" rel="nofollow noopener" target="_blank">#MDR</a> team began to investigate, found the <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> immediately, collected evidence, and removed it. It would have been a fairly boring, mundane story of <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> cleanup but then we found out about the way the target was initially infected.The threat actor sent a moderately generic, entirely benign email to the tax preparation firm asking them if they're taking on new clients. There was no malicious attachment or link, just a conversational, chatty email from the kind of person who might, actually, be a prospective client to a tax preparer.<a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> <a href="https://infosec.exchange/tags/Remcos" class="mention hashtag" rel="nofollow noopener" target="_blank">#Remcos</a> <a href="https://infosec.exchange/tags/maltax" class="mention hashtag" rel="nofollow noopener" target="_blank">#maltax</a>2/

Sophos X-OpsHey everybody, it's <a href="https://infosec.exchange/@threatresearch" class="u-url mention" rel="nofollow noopener" target="_blank">@threatresearch</a> taking control of the Sophos X-Ops Mastodon feed with an update about the <a href="https://infosec.exchange/tags/research" class="mention hashtag" rel="nofollow noopener" target="_blank">#research</a> I've been working on for several weeks with my Labs and <a href="https://infosec.exchange/tags/MDR" class="mention hashtag" rel="nofollow noopener" target="_blank">#MDR</a> colleagues, just published this morning.In February, a <a href="https://infosec.exchange/tags/tax" class="mention hashtag" rel="nofollow noopener" target="_blank">#tax</a> <a href="https://infosec.exchange/tags/accounting" class="mention hashtag" rel="nofollow noopener" target="_blank">#accounting</a> firm reached out to us about a strange email exchange they had (and the aftermath), and the more we started digging, the more we found.The big takeaway is that an unknown threat actor group appears to have been targeting the kinds of small- to medium-sized businesses that perform tax preparation services in the United States with a social engineering method that kept their activities under the radar...until it delivered <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> to those targets. The campaign seemed to start in late January and has ramped up significantly in the past few weeks. There are thousands of CPA and accounting businesses in the US and this is their busiest time of the year, and they handle a lot of financially sensitive documents.The delivery method was a type of malware called <a href="https://infosec.exchange/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a>, and the payload was a commodity <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> malware called <a href="https://infosec.exchange/tags/remcos" class="mention hashtag" rel="nofollow noopener" target="_blank">#remcos</a> A short thread begins here:<a href="https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/" rel="nofollow noopener" target="_blank">https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/</a>

Scripter :verified_flashing:GuLoader Malware Utilizing New Techniques to Evade Security Software <a href="https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html" rel="nofollow noopener" target="_blank">https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html</a> <a href="https://social.tchncs.de/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybercrime</a> <a href="https://social.tchncs.de/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://social.tchncs.de/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a>

Tarnkappe.info📬Phishing-Mails: Vermeintlicher „Jens Spahn“ verschickt Schadsoftware📬 <a href="https://tarnkappe.info/phishing-mails-vermeintlicher-jens-spahn-verschickt-schadsoftware/" rel="nofollow noopener" target="_blank">https://tarnkappe.info/phishing-mails-vermeintlicher-jens-spahn-verschickt-schadsoftware/</a> <a href="https://social.tchncs.de/tags/Trojan" class="mention hashtag" rel="nofollow noopener" target="_blank">#Trojan</a>.GuLoader <a href="https://social.tchncs.de/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a>-Mails <a href="https://social.tchncs.de/tags/G%C3%BCntherEnnen" class="mention hashtag" rel="nofollow noopener" target="_blank">#GüntherEnnen</a> <a href="https://social.tchncs.de/tags/JensSpahn" class="mention hashtag" rel="nofollow noopener" target="_blank">#JensSpahn</a> <a href="https://social.tchncs.de/tags/GuLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#GuLoader</a> <a href="https://social.tchncs.de/tags/Hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#Hacking</a> <a href="https://social.tchncs.de/tags/CERT" class="mention hashtag" rel="nofollow noopener" target="_blank">#CERT</a>

Recent searches

Search options

Administered by:

Server stats:

#GuLoader