stoerchl (@stoerchl)'s Twitter Profile

Malware Analyst @HPSecurity | cycling enthusiast and blue jays fan!

ID: 831061763462463488
Link: https://threatresearch.ext.hp.com/blog/?author-filter=46
Joined: 13-02-2017 08:45:39

379 Tweets
1.1K Followers
102 Following

abuse.ch (@abuse_ch):

We are excited to announce the launch of our most recent platform: YARAify 🥳

Blog post:
👉 abuse.ch/blog/introduci…

YARAify platform:
👉 yaraify.abuse.ch

Top features:
- Live hunt over a large file set
- Deploy & share your YARA rules in a structured way
- Extensive API
stoerchl (@stoerchl):

Will there be another #cutwail Tuesday tomorrow? If so, this might be the next domain:
- investprides[.]com

History:
2022-06-14: moneyinconsalt[.]com
2022-06-07: consaltins[.]com
2022-05-31: moneyinvestator[.]com
2022-05-25: inmanagment[.]com
2022-05-17: managmentoria[.]com

stoerchl (@stoerchl):

The latest #cutwail campaigns were using payload domains registered on 30 June. In this registration batch, I found three different domains. Two of them were already used in the last two weeks. Therefore I'd guess the next one is:
- dokpio[.]com
HP Wolf Security (@hpsecurity):

Global postal services are often used as bait for #malware, but recently local postal companies have also been popping up in such campaigns.

Here, an HTML Smuggling campaign delivering #AsyncRAT uses the Israel Post service as lure 1/6
stoerchl (@stoerchl):

#IcedID seems to register their payload download domains in triples. This timeline shows confirmed and potential domains from May until end of July. Looks like they're ramping up their campaigns since then.
stoerchl (@stoerchl):

Fake Windows update. Domain registered 3 days ago.
- microsoft-security-updates[.]com

Downloads password protected ZIP file "Windows.zip" (8d93256c7383542996d533cfa1de4696) containing the executable "Windows Update.exe". Unfortunately don't know the password.
HP Wolf Security (@hpsecurity):

Once again #GootLoader has changed, so that our decoder no longer works. See below for a brief analysis of how to decode GootLoader 👇 1/7

HP Wolf Security (@hpsecurity):

To simplify and automate this process, we customized our script. You can find it in our GitHub repository: github.com/hpthreatresear… 7/7

stoerchl (@stoerchl):

We published an article about the Magniber ransomware. The malware runs mostly fileless and consistently only uses direct system calls. I find it quite interesting that a ransomware targeting home users has implemented such techniques to bypass detection. threatresearch.ext.hp.com/magniber-ranso…

ThreatDown (@threat_down):

ℹ️ Following the great research by stoerchl, here's a live #Magniber ransomware infection

Magnigate:
goscale[.]uno

Magniber download:
sopush[.]email

In this case the payload was an MSI:
SYSTEM.Antivirus.Hotfix.a6a905ec1f8a.msi

virustotal.com/gui/file/34d40…
stoerchl (@stoerchl):

CaliDog Security's certstream is a great service to monitor new certificates. Unfortunately the service has been offline since yesterday. If you decide to run your own certstream-server, have a look at my pull request, as Google took one of the used URLs offline. github.com/CaliDog/certst…

HP Wolf Security (@hpsecurity):

See what the vulnerability looks like in action below, and find out more details on the campaign itself in our threat blog: threatresearch.ext.hp.com/magniber-ranso… 2/2

HP Wolf Security (@hpsecurity):

⚠️We’ve spotted a new #phishing campaign using QR codes to steal bank card details. This Chinese-language campaign tries to force victims to move to mobile devices to steal sensitive data. Find out more in our latest blog: ow.ly/yOIp50MaBJL

Virus Bulletin (@virusbtn):

After noticing an uptick in campaigns using malvertising to deliver malware to unsuspecting victims, HP researchers summarize current malvertising campaigns used to spread Vidar Stealer, IcedID, Rhadamanthys Stealer and BatLoader. threatresearch.ext.hp.com/adverts-mimick…
BSides Zurich (@bsideszurich):

TICKETS, SAVE THE DATE: we will have two batches of ticket sales for #BSidesZH opening soon
- Wednesday, July 12th 15:00 (UTC+2/CEST)
- Thursday, August 3rd 16:00 (UTC+2/CEST)
Price as usual, 10 CHF
#PleaseRT #InfoSec #DFIR #ThreatIntel
Cc Security BSides
bsideszh.ch/registration/

BSides Zurich (@bsideszurich):

📢📢📢 Accepted Talks and Speakers' Bios published 📢📢📢
Thanks to all who applied to our #CfP and to our reviewers, the list of accepted talks is now on our website. Detailed agenda will follow.
bsideszh.ch/talks-bios/
REMEMBER: Ticket sales start tomorrow 3pm Zurich time 🥳