Notices by Brad (malware_traffic@infosec.exchange)

From social media posts I wrote for my employer at https://www.linkedin.com/posts/unit42_kongtuke-boinc-activity-7284986403476717568-InKv/ and https://x.com/Unit42_Intel/status/1879220778173870556

2025-01-13 (Monday): Legitimate websites infected with #KongTuke script present "verify you are human" pages that ask victims to paste PowerShell script into a Run window. Lately, this has led to infections abusing the #BOINC platform. More info at: https://bit.ly/3DU2H2R

A #pcap from an example of the infection traffic and the associated files/artifacts are available at https://www.malware-traffic-analysis.net/2025/01/13/index.html

Another #Ivanti CVE announced today (2024-02-08): https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways-282024

Some info tweeted by my fellow Palo Alto Networks colleagues on the birdsite!

2023-03-30 (Thursday): Kudos to my Palo Alto Networks colleagues who found and reported a new ransomware calling itself "Cylance Ransomware"

These #CylanceRansomware samples are available at Malware Bazaar.

Linux ELF: https://bazaar.abuse.ch/sample/d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c/

Windows EXE: https://bazaar.abuse.ch/sample/7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f/

I saw the following HTTP POST requests from my test of #CylanceRansomware EXE for Windows:

- hxxp://139.99.233[.]175/r1.php
- hxxp://139.99.233[.]175/r2.php

The HTTP POST traffic sent a base64 string with info on victim & encrypted files.

No traffic when I ran the #CylanceRansomware ELF in Linux

And as some of you may know, Cylance is the name Blackberry uses for it's enterprise cybersecurity products.