Handler on Duty: Xavier Mertens
Threat Level: green
Podcast Detail
DHS Suggests Checking DNS; Azure Domain Abuse; Twitter Tech Support Scam
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://chrt.fm/track/2748D7/https://traffic.libsyn.com/securitypodcast/6342.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Network Monitoring and Threat Detection In-Depth | Baltimore | Mar 3rd - Mar 8th 2025 |
Interested in Internet Storm Center stickers? Check here if there are still some available for today.
DHS Emergency Directive Regarding DNS Tampering
https://cyber.dhs.gov/ed/19-01/
Abuse of Trusted Microsoft Azure Domains
https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/issues/233
Tech Support Scammers Unmasked
https://www.fidusinfosec.com/turning-the-tables-on-virgin-media-twitter-scammers/
https://cyber.dhs.gov/ed/19-01/
Abuse of Trusted Microsoft Azure Domains
https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/issues/233
Tech Support Scammers Unmasked
https://www.fidusinfosec.com/turning-the-tables-on-virgin-media-twitter-scammers/
Discussion
New Discussions closed for all Podcasts older than two(2) weeks
Please send your comments to our Contact Form
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Network Monitoring and Threat Detection In-Depth | Baltimore | Mar 3rd - Mar 8th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Apr 13th - Apr 18th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 5th - May 10th 2025 |
Network Monitoring and Threat Detection In-Depth | Baltimore | Jun 2nd - Jun 7th 2025 |
107.161.23.204 ,192.161.187.200,209.141.38.71, 199.59.242.151.
198.133.158.0/23 -> where the email for the domain (googleg.com) goes which distributed malicious files: ec40ccaad63f8855d8de31a42b7c67ac.exe according to multiple analyzers on virustotal from month ago.
Sample of file names: hcjgfcyz.exe, idkhgdza.exe, xtntzbtk.exe, qqpvgube.exe. although the last file name was from month ago, the first file is NEW file used in this communication.
Analysis: .exe files that will create new exe file (random.exe) under Temp\, create new folder under windows under system32 (random-name) which will use it later to move the exe file in Temp to this place under “random-name”, then create service (using sc.exe utility) for “random-name.exe” with name “WIFI Support” that will auto-start to pretend as internet WIFI connection support service and you can know the following that could happen using this service specially with C2 server domain (107.161.23.204) and other communicated identities: 43.231.4.7, 5.9.32.166, 144.76.199.43, 144.76.199.2, 85.25.119.25, 46.4.52.109, 176.111.49.43, 216.58.215.68 on different ports (80, 425, 481, 443).
So, Kindly check the following additional indicators as you can find more indicators according to file you was infected with it.
URLs:
http://www.googleg.com
http://www.googloe.com
IPs:
43.231.4.7
5.9.32.166
144.76.199.43
144.76.199.2
85.25.119.25
46.4.52.109
176.111.49.43
216.58.215.68
107.161.23.204
192.161.187.200
209.141.38.71
199.59.242.151
Domains:
mail.b-io.co
googleg.com
googloe.com
mail.h-email.net
mail.hope-mail.com
Hashes:
92fddf9680451d18f660aafba7539d0ce1c4545ce83b5965284594b98cb0989d
2233343df3089f59a7553daf6de80648665d636327f79afc84bd91481aa3710d
7cf061675910e5c55127db45adfadd079e64a86ac7662892526cdbb91b53fb8a
9fda4a79fee8033f66e63dfe41c24ff7675232997bb8afa57261d2d354777b48
4cab79eaad6d89bb7de672fc794fb0f40b130d4fa849b3cef6f5c121c37e96be
Reference:
- https://www.virustotal.com/#/file/92fddf9680451d18f660aafba7539d0ce1c4545ce83b5965284594b98cb0989d/detection
- https://www.virustotal.com/#/file/2233343df3089f59a7553daf6de80648665d636327f79afc84bd91481aa3710d/detection
-----------------
Author: MoNour