-
Looks like #TA505 is up early today, clean xls already served at de-cnd/en-cnd/es-cnd/fr-cnd.one-drive-ms.com/download.php. Their normal schedule of weaponizing at around 10:00 UTC will probably hold. https://twitter.com/abuse_ch/status/1224589159278563328 …
-
2020-02-06:

#TA505 Injector #Loader 'wsus.exe'
#TinyMet #Payload v0.2 'tinymet.exe' <Usage: tinymet.exe [transport] LHOST LPORT> h/t @malwrhunterteam
TinyMet as Precursor for TA505 Post-Exploitation Operation to #Clop #Ransomware MD5: b7fd25034019bc0b09242047d2c1d62a pic.twitter.com/YuhPSdLKas
-
Daily #TA505 download domain: /shared-cnd.com, playing around with subdomains today. C2 /mainten-ferrum.com https://app.any.run/tasks/1296b713-8852-46a2-807d-a0f4461d5a24 … @AdamTheAnalyst @JAMESWT_MHT @James_inthe_box @VK_Intel pic.twitter.com/WrfOBbGoK3
-
New #ta505 download URLs..? - hxxp://en-pld00238.cloud-store-cdn[.]com/download.php - hxxp://en-pld01904.cloud-store-cdn[.]com/download.php, but the file seems to have been known for quite some time. pic.twitter.com/ALprKVqAiv
-
The #TA505 domain /live-cnd.com did have an A record yesterday and several subdomains, but doesn't resolve today. Saving it for another day maybe? pic.twitter.com/jnGEZiJ542
-
Just so it's documented on Twitter too, yesterday's #TA505 download domain was en/de/fr/es.onedrive.live-msr.com and C2 was indeed /wpad-home.com as suspected. -
Your daily dose of #TA505 goodness: cdn-de-0691.clouds-share[.]com, cdn-en-0334.clouds-share[.]com - secure-53[.]com smells like the C2 as well but unconfirmed until the kit goes live. -
2020-01-31: [INTEL]

Please remember: #TA505 is not necessarily #EvilCorp (linked to #Dridex operation).
While there might be some distribution member overlap, these groups are not the same and cannot be equated.
I'm not sure why TA505 is again being AKA'ed as EvilCorp here. https://twitter.com/MsftSecIntel/status/1222995250911703041 … -
This report is a year-long journey
following the trail of TA505.
Especially: TTPs, malware, relevance with Carbanak
http://bit.ly/FSI_TA505
(Only published in Korean)
#TA505 #APT #Intelligence #FSI #금융보안원 pic.twitter.com/UHID9Bp61t
-
Another #TA505 for today is: wpad-home[.]com | 185.176.222.44 Live soon I guess! (cc @AdamTheAnalyst @ffforward) -
[INFO] #TA505 #phishing campaign uses #HTML redirectors to spread info #stealer. To read more visit: http://tinyurl.com/v86lnf6 #CyberSecurity #security #ThreatIntel -
-
#TA505 #APT Group Returns With New Techniques: Report https://www.bankinfosecurity.com/ta505-apt-group-returns-new-techniques-report-a-13678 … #TTP #cyberattack #Phishing #ransomware #cyberattack #cybersecurity #infosec -
Seems Microsoft's commentary may be forcing #TA505 to go back into doing spoof download pages instead of lazily doing attachment redirects to download.php pic.twitter.com/dnxvPsDQ2u
-
Seems today's #TA505 on one-drive-ms[.]com still hasn't been deployed - still dropping G-Payroll-spreadsheet it seems https://app.any.run/tasks/9cae4d24-bdf0-4353-8306-b1e64c819b6b/ … -
#TA505 is back for another round, this time uses HTML Redirectors to deliver #malware | #espionage https://twitter.com/StopMalvertisin/status/1224407381855166467 … -
#Microsoft warns #TA505 changed tactic in an ongoing #malware campaign https://securityaffairs.co/wordpress/97150/breaking-news/ta505-changes-tactics.html … #securityaffairs #hacking #Evilcorp #cybercrime -
Confirming today's #TA505 #Get2Downloader. Downloads from s/cloud-store-cdn.com/download.php, C2 /microsoft-sback-server.com as I thought. https://app.any.run/tasks/fc62d095-ec5d-4762-bed0-11dca2d99aa5 … @AdamTheAnalyst @malwrhunterteam @JAMESWT_MHT @James_inthe_box @kafeine @VK_Intel -
Today's #TA505 #Get2Downloader C2: /microsoft-sback-server.com? Resolves to same IP as last week's C2 IP, but new registrar. @AdamTheAnalyst @kafeine @malwrhunterteam @James_inthe_box @JAMESWT_MHT @VK_Intel