π’ UPDATE | We've had to make the difficult decision to reschedule tomorrow's YouTube Live with Roman and Carel Bitter, CEO at Spamhaus Technology, as one of our presenters is still unwell. π€§
We're sorry for any inconvenience caused, as we know how tricky it can be to juggle a busy schedule!
π The good news is that you won't have to wait too long - new date/time below:ππ
π February 12th
β° 10 AM EST | 3 PM GMT | 4 PM CET
Here's a reminder of the link to join ‡οΈ
https://www.youtube.com/live/dRmqWob3WSk
Hit "notify me" on YouTube to ensure you don't miss it. π
[#]NewDate #abusech #Spamhaus #StrengthInUnity #SharingIsCaring
=> More informations about this toot | View the thread
Apparently, this #Mirai threat actor was feeling creative when registering the #botnet C2 domain names! π€¦
Mirai sample:
π https://bazaar.abuse.ch/sample/2e82e8d271a19c6c2429c420b6a8d5d5c25bebf27e29d82c94ef0e85c9e904fe/
Botnet C2 domains:
π‘ https://threatfox.abuse.ch/browse/malware/elf.mirai/
=> More informations about this toot | View the thread
[#]opendir with lots of PowerShell fun (spreading #FormBook it seems) ‡οΈ
https://urlhaus.abuse.ch/host/87.120.120.56/
=> View attached media | View attached media
=> More informations about this toot | View the thread
Canada Revenue Agency (CRA) π¨π¦ themed #ClickFix campaign, using a fake captcha to spread #malware ‡οΈ
FakeCaptcha:
π±οΈ https://urlhaus.abuse.ch/url/3423002/
HTA download URL:
π https://urlhaus.abuse.ch/url/3418524/
Dropped HTA:
π https://bazaar.abuse.ch/sample/06e2adebb2b96be6cf7c2482c9948d9d21dcd1e16618800c71231951bed7b4d0/
=> More informations about this toot | View the thread
Next month, our platforms are evolving! π
Authenticated users can expect more threat-hunting features π with access to NEW capabilities, including false-positive lists, URLhaus hunting functionality, and more!
β° Reminder: API query limits for unauthenticated users start in February- to avoid disruptions, authenticate now.
You can find all the details here β‘οΈ https://abuse.ch/blog/community-first/
[#]PlatformUpdates #February2025 #AuthenticateNow
=> More informations about this toot | View the thread
π Our YouTube Live with Spamhaus has a new date! ππ
π February 5th
β° 10 AM EST | 3 PM GMT | 4 PM CET
Roman and Carel will be back, fully recharged, and ready to answer your questions! πͺ
Here's a reminder of the link to join ‡οΈ
https://www.youtube.com/live/dRmqWob3WSk
Hit "notify me" on YouTube to make sure you don't miss it π
[#]SeeYouThere #abusech #Spamhaus #StrengthInUnity
=> More informations about this toot | View the thread
π’ UPDATE | We're postponing tomorrow's YouTube Live. The lurgy has hit one of our presenters, and theyβre currently resting (drowning!) under a mountain of tissues. π€§
...and letβs face it: a snotty presenter is not a camera-friendly presenter!
We'll share a new date and time soon, so keep an eye out - thanks for your patience and understanding! π
[#]GetWellSoon #StrengthInUnity
=> More informations about this toot | View the thread
π₯ Join us Jan 23rd at 10am EST | 3pm GMT | 4pm CET on YouTube LIVE!
Roman HΓΌssy, will be joined by Carel Bitter, CEO at Spamhaus, to answer your questions. Want to know more about our alliance, history, or what the future holds? π€ Bring your questions and weβll do our best to answer them!
Hereβs the link to join (click βnotify meβ to mark it in your calendar ποΈ):
β‘οΈ https://youtube.com/live/dRmqWob3WSk?feature=share
PS. Weβve never done a live before so it should be fun!! π€©
[#]Spamhaus #abusech #StrengthInUnity #YouTubeLive
=> More informations about this toot | View the thread
abuse.ch and Spamhaus share a significant history together π€². Today, we are really excited to share this video where we talk about our alliance π€
We share the importance of putting community at the heart of everything we do, and the impact weβre making π₯ Take a look and see why this collaboration is so important for our community.
π₯ Watch now here: https://youtu.be/20qfQWgOQXQ
[#]SharingIsCaring #Spamhaus #abusech #StrengthInUnity
=> More informations about this toot | View the thread
π Only a few weeks left until our new features and authentication launch! Hereβs a reminder of what to expect. β¨
NEW capabilities, including:
β False-positive lists to refine your searches
β URLhaus hunting tools for deeper insights
β And so much more!
And donβt forget: API query limits for unauthenticated users start soon. If access to this data is important to you, please start to plan for authentication now.
π Discover all the benefits of authenticating here ‡οΈ
https://abuse.ch/blog/community-first/
[#]PlatformUpdates #February2025 #AuthenticateNow
=> More informations about this toot | View the thread
The year is about to end π So let's have a look which networks are hosting most active malware distribution sites π
Actually, it doesn't surprise that the networks leading the ranking, proton66 and ELITETEAM, are bulletproof hosters who refuse to react on abuse reports sent by URLhaus βοΈ Both get upstream connectivity from Russian network operators π·πΊ
If you want to do yourself something good, drop πconnections from/to these network at your perimeter!
π https://www.spamhaus.org/blocklists/do-not-route-or-peer/
=> More informations about this toot | View the thread
MalwareBazaar will now parse shell scripts automatically and will try to identify any payload URLs present in it ππποΈ This will make your life easier when hunting for Linux/Unix malware such as #Mirai and #Gafgyt πͺ
Here's an example:
π https://bazaar.abuse.ch/sample/ec46f105b049d6674acbf45639883623f2f1cb3eed50eedb4b0e25a27a7b67e2/
=> More informations about this toot | View the thread
You can now manage your YARA rules for live hunting on #YARAify using the API π₯³π
Deploy a YARA rule through the API:
https://yaraify.abuse.ch/api/#deploy-yara
Sample script:
https://github.com/abusech/YARAify/blob/main/upload_yara_rule.py
Happy hunting! π―
=> More informations about this toot | View the thread
Can someone label this #Ransomware family? Spread through malspam with a VBS attachment ππ
Ransom note: Decryptfiles.txt π
Email: edfr789@tutanota.com / edfr789@tutamail.com π§
VBS:
π https://bazaar.abuse.ch/sample/f7cbe1d0926c6e0895951882ff430d624630cd14b4d3b1a4c837a3feac71dd48/
Payload (exe):
βοΈ https://bazaar.abuse.ch/sample/d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3/
Payload (dll):
π±οΈ https://bazaar.abuse.ch/sample/4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e/
Decoy PDF ‡οΈβ€΅οΈβ€΅οΈβ€΅οΈ
=> More informations about this toot | View the thread
ZLoader threat actor π·πΊ π
IP address: 45.138.74.40 (Aeza International LTD π¬π§ )
User Agent: PresidentPutin
=> More informations about this toot | View the thread
π Reminder: Updates are coming to all our platforms in Feb 2025! π π
Hereβs a quick recap: π
β‘οΈ Authenticated users will gain access to NEW features, including false-positive lists, URLhaus hunting functionality, and more!
β‘οΈ API query limits are coming for unauthenticated users to improve platform stability for all users.
Why wait? In addition to uploading contributions, API users should also authenticate now to retrieve data across all platforms.
Learn more about these updates and authentication benefits here ‡οΈ
https://abuse.ch/blog/community-first/
=> More informations about this toot | View the thread
On the 1st of December, the notorious Socks5Systemz payload server hosted at AS57678 (Cat Technologies ππ°) that is already active for several months started to serve a new version of Socks5Systemz ‡οΈ
π https://urlhaus.abuse.ch/url/3189430/
This is the first major change since 2023 in Socks5Systemz and includes:
π New RC4 key used during C2 communication: hi_few5i6ab&7#d3
π Direct IP communication through HTTP(s) for botnet command and control instead of the usage of a DGA and a custom DNS server
π Backconnect TCP port changed from 2023 to 2024
Current botnet C2 servers:
188.119.66.185:443 CHANGWAY ππ°
45.155.249.212:443 RACKPLACE π©πͺ
91.211.249.30:443 PODAON π±π»
Malware sample:π https://bazaar.abuse.ch/sample/528334ed9e4567a89f3cf4e4700946056499624dcfdd3b32a7800abc08eff9fe/
Socks5Systemz IOCs:π¦Β
https://threatfox.abuse.ch/browse/malware/win.socks5_systemz/
=> View attached media | View attached media
=> More informations about this toot | View the thread
We've observed a #BumbleBee malspam campaign using Cisco AnyConnect as a lure πͺπ
The malspam contains a PDF with a link to a fake AnyConnect installer. Once downloaded and executed, the payload will open Cisco AnyConnect on the Microsoft App Store to mask the BumbleBee infectionπ₯
The BumbleBee payload comes with a DGA of 300 .live domains. Active #botnet C2s ‡οΈ
45urhm0ldgxb .live (149.154.153.2 - EDIS-AS-EU, π¦πΉ)
gx6xly9rp6vl .live (45.155.37.158 - SHOCK-1, πΊπΈ)
bw59chpi635u .live (79.132.130.23 - SERVINGA, π©πͺ)
peck4grakjq3 .live (45.83.20.213 - STARK-INDUSTRIES, π¬π§)
7mhh5gky493r .live (46.249.38.179 - SERVERIUS-AS, π³π±)
Payload delivery URLs:
π https://urlhaus.abuse.ch/host/95.164.90.189/
BumbleBee payload:
π https://bazaar.abuse.ch/sample/b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8/
=> View attached media | View attached media
=> More informations about this toot | View the thread
More new stuff for our valued community! π π
A dedicated Slack channel, exclusively for our top contributors π€© This will be a space to connect, collaborate, and share CTI.
Hang tight, invites are coming! π
[#]TopContributors #CTI #SharingIsCaring
=> More informations about this toot | View the thread
Weβre seeing an increase in activity from Coper (Octo2) π Recent investigations into malware samples have identified approximately 30 distinct threat actors using the malware to target and infect Android devices πͺ² π
In the past few days, 10,000 IPs have connected to our sinkhole π£οΈ
The majority of these IPs are located in TΓΌrkiye πΉπ·, followed by Spain πͺπΈ
Coper IOCs are available on ThreatFox π¦
π https://threatfox.abuse.ch/browse.php?search=malware%3Aapk.coper
=> More informations about this toot | View the thread
=> This profile with reblog | Go to abuse_ch@ioc.exchange account This content has been proxied by September (3851b).Proxy Information
text/gemini
