abuse.ch

Some (Chinese? ) proxy pac changer. The variable "HiJackList" made my day Malware sample (MD5): b7dbc5ccb3ac5dec80b4344a5f2dc060 Proxy PAC (Auto config) URL: hXXp://47.96.84.138:17450/520.pac Proxies: 47.96.84.138:14578 (ALISOFT ) 159.138.42.77:65535 (Huawei )pic.twitter.com/SgsrDLcEdm

Malspam targeting German internet users, pretending to come from the Police of Brandenburg hXXp://it7e.polizei-brandenburg.com/liste/liste/zentrale-bussgeldstelle-und-ordnungswidrig/ VT: https://www.virustotal.com/gui/url/94ae2ad14ff63c6184db175f7e31936bf6e3a20f25f7f86d8b973abd8ce3ada4/detection … /cc @PolizeiBB @PolizeiBB_E @certbundpic.twitter.com/vfKxYpL6Su

How to use URLhaus as a DNS Response Policy Zone (RPZ): https://abuse.ch/blog/using-urlhaus-as-response-policy-zone-rpz/ …pic.twitter.com/wmtoedeTo5

Top Gozi ISFB / Ursnif infected countries based on sinkhole datapic.twitter.com/HRb5xx1AdU

I've started to push active TrickBot C&Cs into Feodo Tracker. If you are already consuming feeds from Feodo Tracker, no action is required from your side. https://feodotracker.abuse.ch/browse/ pic.twitter.com/0aUJN6V42k

EUROPOL dismantles cybercriminal network associated with GozNym / Nymain malware: https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation …pic.twitter.com/vm9cxICeMO

Fake emails pretending to come from the government of Canada are distributing AgentTesla: Sending IP address: 37.49.224.232 Payload MD5 (GOC_PSC-0015.PDF.exe): 20f8319e72ede616c568e59fc4b7f39e SMTP data exfiltration via: mail.parmanand[.]in /cc @cybercentre_capic.twitter.com/JXS8zM2FRI

I've just published some additional statistics on URLhaus that compares the different blacklist providers. 90% Spamhaus DBL 59% SURBL 2% Google Safe Browsing https://urlhaus.abuse.ch/statistics/#blacklists … /cc @spamhaus @Google @googlechromepic.twitter.com/FhkLKl8VDg

APNIC is apparently discussing validating "abuse-mailbox" and other IRT emails addresse. I hope that this will solve the Chinanet abuse problems once and for all. Proposal 125: https://www.apnic.net/community/policy/proposals/prop-125 … URLhaus statistics: https://urlhaus.abuse.ch/statistics/  /cc @apnicpic.twitter.com/tnTKCcjWMw

Another Gozi ISFB campaign targeting the US: https://urlhaus.abuse.ch/host/txgskarleyx.info/ …pic.twitter.com/4UVRDmDrQi

Amadey distributed via XLS, beaconing to rayshash[.]com which is hosted on a fastflux botnet Malicious XLS: https://www.virustotal.com/en/file/dd2b4e71cda845cdbef1b05a840b19acd23aadacf1d401551d1dc6e7c2a982bb/analysis/1556685501/ … Payload domain: https://www.virustotal.com/#/url-analysis/u-68e886b79255134b601ce3ebdaa863570ab4e8a44993cbb5f1d71328dbf46e44-1556702959 … Amadey botnet C2: https://www.virustotal.com/#/url/7830daa3bb35de878ffcefe99db9d705e3daed12ecfc96e25c204e372ee58d80/detection …pic.twitter.com/aPbdcFiOlV

Looks like someone was sending a large amount of (spoofed) packets from the IP address 1.3.3.7. Not sure what the purpose of this is?! Does anyone know from which ASN these packets where originating from? https://isc.sans.edu/ipinfo.html?ip=1.3.3.7 …pic.twitter.com/D9KKyt0g9E

I wish that all big online platforms would have such a reactive anti abuse team as @Dropbox has: https://urlhaus.abuse.ch/url/179597/  /cc @googlecloud @Azurepic.twitter.com/a1iZWIycP2

If you try to response to a abuse ticket from @webdotcom .... pic.twitter.com/HVhuFDHXUT

I've put together some recommendations on how to mitigate Emotet: https://feodotracker.abuse.ch/mitigate/  In addition, I've released @clamav signatures that are getting updated every minute, helping you to combat the sheer amount of Emotet spam: https://urlhaus.abuse.ch/api/#clamav pic.twitter.com/b7ZP3o0Gjg

Every time someone finds an open directory containing malwarepic.twitter.com/hHwz2Pe7wM