
TG Soft (@VirITeXplorer)
Followers 3K · Following 6K · Media 203 · Statuses 2K
Italian Software House active in antimalware research and antivirus development since 1992. VirIT eXplorer is the name of our antivirus suite.
Italy · Joined March 2011
The Excel macro drops a PDF decoy and runs a shellcode that downloads from s://92.243.66.]237:8464 a new shellcode containing the #Sliver framework with C2 rtxcore.]ru. The decoy is similar to the 19th Sept campaign, but the threat actor fixed the email address with the official one.
We have discovered a new campaign targeting Russia from an unknown #APT. The file 23.09.2024.7z was uploaded on VT from Russia yesterday. This is similar to the 19th Sept campaign. Infection chain: .7z -> MSC -> CertUtil -> CMD -> PowerShell -> Excel. @58_158_177_102
#apt On 19th September the MSC file 19_09_2024.msc was uploaded from Russia with low detection. MSC -> CertUtil -> PowerShell -> Excel:
- Decoy PDF
- Shellcode x64 -> #Sliver
MSC hash: 44c8565f05bc93f399c960dd44e66a9c. @58_158_177_102 @suyog41 @780thC
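The MSC -> CertUtil -> CMD -> PowerShell -> Excel chain described above lends itself to a process-lineage detection. The following is an added example, not TG Soft's code: it walks constructed process-creation events and flags any Excel process whose ancestry contains, in order, mmc.exe (the host process for .msc files), certutil.exe and powershell.exe, tolerating intermediate processes such as cmd.exe. The events, PIDs and image paths are constructed sample data.

```python
# Constructed process-creation events (sample data, not from the campaign):
# pid, parent pid, full image path. One malicious branch, one benign Excel launch.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mmc.exe"},      # opens the .msc
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\certutil.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 600, "ppid": 500,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 700, "ppid": 100,                                               # benign: user-launched Excel
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]

# Ordered chain from the campaign, root to leaf. Intermediate processes
# (cmd.exe, conhost.exe, ...) may sit between any two stages.
CHAIN = ["mmc.exe", "certutil.exe", "powershell.exe", "excel.exe"]


def ancestry(events, pid):
    """Return lower-cased image basenames from pid up to the root (leaf first)."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return names


def matches_chain(lineage, chain):
    """True if every step of chain appears in lineage in order (gaps allowed)."""
    it = iter(lineage)
    return all(any(step == name for name in it) for step in chain)


def find_suspicious(events, chain=CHAIN):
    """Return (pid, 'root -> ... -> leaf') for each leaf process matching chain."""
    hits = []
    for e in events:
        lineage = ancestry(events, e["pid"])[::-1]  # root -> leaf
        if lineage[-1] == chain[-1] and matches_chain(lineage, chain):
            hits.append((e["pid"], " -> ".join(lineage)))
    return hits


if __name__ == "__main__":
    for pid, path in find_suspicious(EVENTS):
        print(f"pid {pid}: {path}")
```

Only the Excel spawned under the mmc/certutil/powershell lineage is reported; the user-launched Excel under explorer.exe is not.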
The PDF isn't a simple decoy; instead it asks for some information that must be sent via email to min-trud.gov@mail[.]ru. The email address mimics an official address but is a generic email service. In this way the cyber actor can steal reserved information about some subjects.
The PowerShell script creates an Excel macro on the fly; the macro extracts the decoy PDF and executes the shellcode. As final stage the shellcode downloads from the IP s://213.183.54[.]123:8444 the #Sliver framework with C2: techitzone[.]ru. Below the translated decoy.
Interesting #CobaltStrike from "apt-99" with C2: pythongo[.]online. LNK -> Silverlight.exe (sideloading coreclr.dll) -> bin.dat -> CS. C:\Users\admin\Desktop\Project\cs4.5(apt-99)\cs4.5 2\external\beacon\Release\beacon.pdb @58_158_177_102 @StrikeReadyLabs
@58_158_177_102 The MSC file downloads and runs this MSI file:
LDeviceDetectionHelper is another good one for triggering on another one in this cluster. 6fae35.msi 34e915d93b541471a9f7e747303f456732cd48c52e91ef268e32119ea8c433c0
Possible #plugx. Hash: 00619a5312d6957248bac777c44c0e9dd871950c6785830695c51184217a1437. Pg 151 vv nghi le Quoc khanh 2.9.msc. https://kxmmcdmnb[.]online/eciwrnjnx. Probably geofenced, targeting Vietnam 🇻🇳. @58_158_177_102
@58_158_177_102 @JAMESWT_MHT Another MSC file 83457462d1885acce9f4e46ad4053d050d3b0c7f3935b61f378e52f0eed5a68b. Same campaign.
#Kimsuky MSC ef8947d291107256cb5883ac3bc163d0. MSC -> PEST.EXE (pest.exe.manifest) -> sim.sid -> sif.bat. 21ED2CAD9DC18E453DA40BC3BA5DD756. p://rem.zoom-meeting.kro.]kr/0829_pprb/d.php?na=view p://rem.zoom-meeting.kro.]kr/0829_pprb/d.php?na=myapp @58_158_177_102 @JAMESWT_MHT
TG Soft has been monitoring the abuse of MSC files by a Chinese APT that exploited a new diskless shellcode that downloads the Marte Beacon with Cobalt Strike. @58_158_177_102 @nao_sec @AhnLab_SecuInfo @elasticseclabs @StrikeReadyLabs @dez_
#PlugX campaign from 07-30 to 08-01 via MSC files:
3e6772aca8bb8e71956349f1ea9fecda5d9b9cfa00f8cdbf846c169ab468a370
6784b646378c650a86ba4fdd4baaaf608e5ecdf171c71bb7720f83965cc8c96f
ca0dfda9a329f5729b3ca07c6578b3b6560e7cfaeff8d988d1fe8c9ca6896da5
@58_158_177_102 @nao_sec
RT @780thC: A China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant…
#APT17 aka #DeputyDog strikes Italian government agencies and companies with sophisticated campaigns that use the #RAT9002 for cyber espionage operations. Read the full report on: @58_158_177_102 @sugimu_sec @JAMESWT_MHT
RT @Europol: 🚨 Largest ever operation against botnets hits dropper malware ecosystem. Operation Endgame, coordinated from Europol headquart…
#Italy Weekly malspam n.26 from 26 Jun to 2 Jul 2023. We have analyzed 51 campaigns, 15 in Italian. 🔥 #AgentTesla #FormBook #LokiBot #Rhadamanthys. New entry: RAT spread via PEC. Total families: 10. @58_158_177_102 @JAMESWT_MHT @sugimu_sec @rbreabin @zuinmichele
#Italy Weekly malspam n.25 from 19 to 25 Jun 2023. We have analyzed 51 campaigns, 6 in Italian. 🔥 #AgentTesla #FormBook #SnakeLogger #Ave_Maria. #Ursnif hits Italy again with theme Pagamenti. Total families: 8. @58_158_177_102 @sugimu_sec @JAMESWT_MHT @rbreabin