INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Python Infostealer Targeting Gamers
Published: 2023-03-01
Last Updated: 2023-03-01 09:15:08 UTC
by Xavier Mertens (Version: 1)
There are a lot of “gamers” on the Internet, and they generate a lot of business around games. Many games can be downloaded for free, but they have online shops selling options like extra lives, weapons, suits, packages, etc. Therefore, the business of gaming is very lucrative today[1].
I spotted a malicious Python script that acts as an info stealer focusing on gamers! Based on strings found in the code, the attribution goes to Russia (“????????? ??????” can be translated as “a new connection has been established”).
Today, most malicious Python scripts use Discord as a C2, but this one uses Telegram...
Read the full entry: https://isc.sans.edu/diary/Python+Infostealer+Targeting+Gamers/29596/
URL files and WebDAV used for IcedID (Bokbot) infection
Published: 2023-02-24
Last Updated: 2023-02-24 01:37:45 UTC
by Brad Duncan (Version: 1)
IcedID (also known as Bokbot) is an information stealer/backdoor malware that can lead to other activity like Cobalt Strike and Virtual Network Computing (VNC) traffic. IcedID is often distributed through email, and we've also seen it delivered by fake software sites from Google ad traffic.
For email-based distribution, we've seen OneNote files as an initial lure this month (here's one example). But these distribution patterns occasionally change. For example, on Tuesday 2023-02-21, we found a distribution pattern using .url files and WebDAV traffic for an IcedID infection.
Today's diary reviews an infection from Thursday 2023-02-23 generated by one of those .url files.
Read the full entry: https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578/