Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/malware_traffic/statuses/110115124188571965">Brad (malware_traffic@infosec.exchange)'s status on Friday, 31-Mar-2023 09:54:36 JST</a><a href="https://infosec.exchange/@malware_traffic" title="malware_traffic@infosec.exchange"><img src="https://gnusocial.jp/avatar/110394-48-20230331005436.webp" width="48" height="48" alt="Brad" style="position: absolute; left: 0; top: 0;">Brad</a></section><article><p>Some info tweeted by my fellow Palo Alto Networks colleagues on the birdsite!</p><p>2023-03-30 (Thursday): Kudos to my Palo Alto Networks colleagues who found and reported a new ransomware calling itself "Cylance Ransomware"</p><p>These <a href="https://infosec.exchange/tags/CylanceRansomware" rel="tag">#CylanceRansomware</a> samples are available at Malware Bazaar. </p><p>Linux ELF: <a href="https://bazaar.abuse.ch/sample/d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c/" rel="nofollow noreferrer">https://bazaar.abuse.ch/sample/d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c/</a></p><p>Windows EXE: <a href="https://bazaar.abuse.ch/sample/7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f/" rel="nofollow noreferrer">https://bazaar.abuse.ch/sample/7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f/</a></p><p>I saw the following HTTP POST requests from my test of <a href="https://infosec.exchange/tags/CylanceRansomware" rel="tag">#CylanceRansomware</a> EXE for Windows:</p><p>- hxxp://139.99.233[.]175/r1.php<br>- hxxp://139.99.233[.]175/r2.php</p><p>The HTTP POST traffic sent a base64 string with info on victim &amp; encrypted files.</p><p>No traffic when I ran the <a href="https://infosec.exchange/tags/CylanceRansomware" rel="tag">#CylanceRansomware</a> ELF in Linux</p><p>And as some of you may know, Cylance is the name Blackberry uses for it's enterprise cybersecurity products.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1361997#notice-2815444">In conversation</a><time datetime="2023-03-31T09:54:36+09:00" title="Friday, 31-Mar-2023 09:54:36 JST">Friday, 31-Mar-2023 09:54:36 JST</time> <span>from <span><a href="https://infosec.exchange/@malware_traffic/110115124188571965" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@malware_traffic/110115124188571965">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/842558">Untitled attachment</a></label><br><a href="https://media.infosec.exchange/infosecmedia/media_attachments/files/110/115/113/078/669/540/original/2cb19d0ac41a9df5.png" rel="external">https://media.infosec.exchange/infosecmedia/media_attachments/files/110/115/113/078/669/540/original/2cb19d0ac41a9df5.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/842559">Untitled attachment</a></label><br><a href="https://media.infosec.exchange/infosecmedia/media_attachments/files/110/115/114/525/380/555/original/6382a8f57e6b29a4.png" rel="external">https://media.infosec.exchange/infosecmedia/media_attachments/files/110/115/114/525/380/555/original/6382a8f57e6b29a4.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/842560">Untitled attachment</a></label><br><a href="https://media.infosec.exchange/infosecmedia/media_attachments/files/110/115/115/035/162/000/original/1308469922c6d116.png" rel="external">https://media.infosec.exchange/infosecmedia/media_attachments/files/110/115/115/035/162/000/original/1308469922c6d116.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/842561">Untitled attachment</a></label><br></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/842562">Untitled attachment</a></label><br></li><li><article><header><div>Domain not in remote thumbnail source whitelist: files.No</div><h5><a href="http://files.No/">files.no in parked</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Brad (malware_traffic@infosec.exchange)'s status on Friday, 31-Mar-2023 09:54:36 JST Brad
Some info tweeted by my fellow Palo Alto Networks colleagues on the birdsite!
2023-03-30 (Thursday): Kudos to my Palo Alto Networks colleagues who found and reported a new ransomware calling itself "Cylance Ransomware"
These #CylanceRansomware samples are available at Malware Bazaar.
Linux ELF: https://bazaar.abuse.ch/sample/d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c/
Windows EXE: https://bazaar.abuse.ch/sample/7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f/
I saw the following HTTP POST requests from my test of #CylanceRansomware EXE for Windows:
- hxxp://139.99.233[.]175/r1.php
- hxxp://139.99.233[.]175/r2.php
The HTTP POST traffic sent a base64 string with info on victim & encrypted files.
No traffic when I ran the #CylanceRansomware ELF in Linux
And as some of you may know, Cylance is the name Blackberry uses for it's enterprise cybersecurity products.
In conversationFriday, 31-Mar-2023 09:54:36 JST from infosec.exchangepermalink
Attachments

Public

Embed Notice

HTML Code

Corresponding Notice