DMV.Community

2 posts2 participants0 posts today

OTX BotRemcos RAT Malware Disguised as Major Carrier's WaybillA sophisticated malware campaign has been discovered, utilizing the Remcos RAT disguised as a shipping company waybill. The attack begins with an email containing an HTML script, which when executed, downloads a JavaScript file. This file creates and downloads several components, including a configuration file, an encoded Remcos binary, a legitimate AutoIt loader, and a malicious AutoIt script. The AutoIt script employs evasion techniques, establishes persistence, decrypts the Remcos binary, and executes shellcode. The shellcode injects Remcos into a legitimate process (RegSvcs.exe) using various API calls. The Remcos RAT, once active, can steal information and execute remote commands based on C2 instructions. The campaign demonstrates the evolving tactics of cybercriminals, emphasizing the need for caution when handling emails from unknown sources.Pulse ID: 67ebfc9f824c09e5b3ce991b Pulse Link: <a href="https://otx.alienvault.com/pulse/67ebfc9f824c09e5b3ce991b" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67ebfc9f824c09e5b3ce991b</a> Pulse Author: AlienVault Created: 2025-04-01 14:47:59Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/Autoit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Autoit</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Email</a> <a href="https://social.raytec.co/tags/HTML" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HTML</a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ICS</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Java" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Java</a> <a href="https://social.raytec.co/tags/JavaScript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#JavaScript</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RCE</a> <a href="https://social.raytec.co/tags/Remcos" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Remcos</a> <a href="https://social.raytec.co/tags/RemcosRAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RemcosRAT</a> <a href="https://social.raytec.co/tags/ShellCode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ShellCode</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

OTX BotOperation HollowQuill: Russian R&D Networks Targeted via Decoy PDFsOperation HollowQuill targets Russian research and defense networks, particularly the Baltic State Technical University, using weaponized decoy documents disguised as research invitations. The attack chain involves a malicious RAR file containing a .NET dropper, which deploys a Golang-based shellcode loader and a legitimate OneDrive application. The final payload is a Cobalt Strike beacon. The campaign focuses on academic institutions, military and defense industries, aerospace and missile technology, and government-oriented research entities within the Russian Federation. The threat actor employs sophisticated techniques, including anti-analysis measures, APC injection, and infrastructure rotation across multiple ASNs.Pulse ID: 67ea888fa30c32d310f46b3c Pulse Link: <a href="https://otx.alienvault.com/pulse/67ea888fa30c32d310f46b3c" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67ea888fa30c32d310f46b3c</a> Pulse Author: AlienVault Created: 2025-03-31 12:20:31Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CobaltStrike</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/EDR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDR</a> <a href="https://social.raytec.co/tags/Golang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Golang</a> <a href="https://social.raytec.co/tags/Government" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Government</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Military" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Military</a> <a href="https://social.raytec.co/tags/NET" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NET</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/PDF" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PDF</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Russia</a> <a href="https://social.raytec.co/tags/ShellCode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ShellCode</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

OTX BotCoffeeLoader: A Brew of Stealthy TechniquesCoffeeLoader is a sophisticated malware family discovered in September 2024, designed to download and execute second-stage payloads while evading detection. It employs numerous techniques to bypass security solutions, including a GPU-utilizing packer, call stack spoofing, sleep obfuscation, and Windows fibers. The malware uses HTTPS for command-and-control communications with certificate pinning to prevent man-in-the-middle attacks. It supports various commands for injecting and running shellcode, executables, and DLLs. CoffeeLoader shares similarities with SmokeLoader, which has been observed distributing it. The loader implements advanced features beneficial for evading detection by antivirus, EDRs, and malware sandboxes, making it a formidable threat in the crowded market of malware loaders.Pulse ID: 67e5309946530b6bf94aabf8 Pulse Link: <a href="https://otx.alienvault.com/pulse/67e5309946530b6bf94aabf8" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67e5309946530b6bf94aabf8</a> Pulse Author: AlienVault Created: 2025-03-27 11:03:53Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/EDR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDR</a> <a href="https://social.raytec.co/tags/HTTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HTTP</a> <a href="https://social.raytec.co/tags/HTTPS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HTTPS</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/ShellCode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ShellCode</a> <a href="https://social.raytec.co/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Windows</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

h o ʍ l e t t→ <a href="https://mamot.fr/tags/Speedrunners" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Speedrunners</a> are <a href="https://mamot.fr/tags/vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#vulnerability</a> researchers, they just don't know it yet <a href="https://zetier.com/speedrunners-are-vulnerability-researchers/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://zetier.com/speedrunners-are-vulnerability-researchers/</a>“Super Mario World runners will place items in extremely precise locations so that the X,Y coordinates form <a href="https://mamot.fr/tags/shellcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#shellcode</a> they can jump to with a dangling reference. Legend of <a href="https://mamot.fr/tags/Zelda" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Zelda</a>: Ocarina of Time players will do heap grooming and write a <a href="https://mamot.fr/tags/function" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#function</a> pointer […] so the game “wrong warps” directly to the <a href="https://mamot.fr/tags/end" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#end</a> <a href="https://mamot.fr/tags/credit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#credit</a> sequence… with nothing more than a <a href="https://mamot.fr/tags/game" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#game</a> <a href="https://mamot.fr/tags/controller" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#controller</a> and a steady <a href="https://mamot.fr/tags/hand" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hand</a>”<a href="https://mamot.fr/tags/Mario" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Mario</a>

OTX BotSouth Korean Organizations Targeted by Cobalt Strike 'Cat' Delivered by a Rust BeaconAn exposed web server containing tools for an intrusion campaign targeting South Korean organizations was identified. The server hosted a Rust-compiled Windows executable delivering Cobalt Strike Cat, along with SQLMap, Web-SurvivalScan, and dirsearch. The threat actor used these tools to identify and exploit vulnerable web applications, targeting government and commercial entities. The campaign utilized a Rust-compiled loader with a modified version of Cobalt Strike, providing insight into the actor's malware delivery and post-exploitation techniques. Analysis revealed reconnaissance tools, SQL injection exploitation, and malware delivery components, with logs confirming beacon activity from compromised hosts. The attackers used MinGW- and Rust-compiled loaders to deploy Cobalt Strike Cat and Marte shellcode.Pulse ID: 67d9dea6c8851b91e47b9b5e Pulse Link: <a href="https://otx.alienvault.com/pulse/67d9dea6c8851b91e47b9b5e" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67d9dea6c8851b91e47b9b5e</a> Pulse Author: AlienVault Created: 2025-03-18 20:59:18Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CobaltStrike</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/Government" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Government</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Korea" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Korea</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/Rust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Rust</a> <a href="https://social.raytec.co/tags/SQL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SQL</a> <a href="https://social.raytec.co/tags/ShellCode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ShellCode</a> <a href="https://social.raytec.co/tags/SouthKorea" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SouthKorea</a> <a href="https://social.raytec.co/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Windows</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

Alexandre BorgesThe nineth article (38 pages) of the Malware Analysis Series (MAS) is available on:<a href="https://exploitreversing.com/2025/01/08/malware-analysis-series-mas-article-09/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://exploitreversing.com/2025/01/08/malware-analysis-series-mas-article-09/</a>I would like to thank Ilfak Guilfanov @ilfak and <a href="https://infosec.exchange/@HexRaysSA" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@HexRaysSA</a> (on X) for their constant and uninterrupted support, which have helped me write these articles.Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).Have a great day.<a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#windows</a> <a href="https://infosec.exchange/tags/shellcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#shellcode</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#reverseengineering</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/idapro" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#idapro</a> <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malwareanalysis</a>

postmodernIs there an example of shellcode or other malware needing to use Floating Point assembly instructions?<a href="https://infosec.exchange/tags/shellcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#shellcode</a> <a href="https://infosec.exchange/tags/asm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#asm</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a>

Recent searches

Search options

Administered by:

Server stats:

#shellcode