This article summarizes the malware families seen by Unit 42 and shared with the broader threat hunting community through our social channels.
We also included a number of posts about the cybercrime group TA577, which has distributed multiple malware families but in this period favored Pikabot.
In other cases, we posted about newer malware such as JinxLoader.
Sharing timely threat intelligence via social media lets us report on malware infections and other notable findings more quickly than a full article allows.
In 2023, our 93 timely threat intelligence posts in total generated 1.6 million-plus impressions, showing the value of getting IoCs out to the community quickly.
Summarizing these threat intelligence posts provides an opportunity to spot trends that are less visible in single posts.
We've included a table in the Indicators of Compromise section that lists all the posts in full by date posted, name, links to social media channels and IoCs on GitHub.
The IoCs shared in the social posts are all considered malicious by Palo Alto Networks products.
To see our timely threat intelligence posts as we publish them, follow Unit 42 on X and LinkedIn.
In addition to the in-depth articles published on this site, Unit 42 also shares timely threat intelligence - IoCs, TTPs and other observations about active campaigns - through our social channels.
Unit 42 shared the first public post about JinxLoader.
Besides recapping all social media posts published from October to December, we've included a table at the end of this review that includes links to the original posts as well as to all of the IoCs on our GitHub.
These original posts include the images from the threat intelligence shared, which range from screen captures of malware and artifacts to the associated traffic filtered in Wireshark.
The second instance saw the cybercrime threat actor TA577 pushing a Pikabot infection with HTTPS Cobalt Strike traffic on 45.155.249[.]171:443 using ponturded[.
We observed multiple attempts to exploit the critical WS_FTP Server vulnerability, where threat actors attempted to deliver a Meterpreter payload via the URL 103[.]163.187.12:8080/cz3eKnhcaD0Fik7Eexo66A. Figure 6 shows the infection chain along with the command line used.
Timely Threat Intelligence: November IcedID
Our first timely threat intelligence post in November saw an IcedID infection from an.
In our post about it, we note that JinxLoader is a relatively new malware service first posted to hackforums[.
Timely Threat Intelligence: December Loader EXE
We started off December by spotting an EXE loader leading to unidentified malware with C2 using encoded/encrypted TCP traffic on 91.92.120[.]119:62520.
In the last of our threat intelligence shares for the year, we see that, once more, TA577 is spreading a Pikabot infection.
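The network IoCs quoted in this recap are defanged in two different styles (the bracket sits after the third octet in 45.155.249[.]171 but after the first in 103[.]163.187.12), so a consumer has to normalize them before they are useful for matching. The following is an added example, not code from the original post or from Unit 42: it refangs the three host:port indicators from this page, parses them into host, port and optional path, and runs them against a few constructed Zeek conn.log-style lines (field order ts, uid, orig_h, orig_p, resp_h, resp_p, proto is an assumption of the example) and against a full URL as a proxy log would record it.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Indicators exactly as written in this recap (defanged, inconsistently).
PAGE_IOCS = [
    "45.155.249[.]171:443",                          # Pikabot -> Cobalt Strike over HTTPS
    "103[.]163.187.12:8080/cz3eKnhcaD0Fik7Eexo66A",  # WS_FTP exploitation -> Meterpreter
    "91.92.120[.]119:62520",                         # EXE loader C2, encoded TCP
]

_DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)
_DEFANG_SCHEME = re.compile(r"^hxxp(s?)(?:\[:\]|:)//", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the defanging conventions commonly used in public IoC posts."""
    s = _DEFANG_DOT.sub(".", ioc.strip())
    s = _DEFANG_SCHEME.sub(r"http\1://", s)
    return s.replace("[:]//", "://")


@dataclass(frozen=True)
class Endpoint:
    ioc: str             # indicator as published (kept for reporting)
    host: str
    port: int
    path: Optional[str]  # None for a bare host:port


_ENDPOINT = re.compile(r"^(?:https?://)?(?P<host>[^/:]+):(?P<port>\d{1,5})(?P<path>/\S*)?$")


def parse_endpoint(ioc: str) -> Endpoint:
    """Parse a (possibly defanged) host:port[/path] indicator; reject anything else."""
    m = _ENDPOINT.match(refang(ioc))
    if not m:
        raise ValueError(f"unsupported indicator form: {ioc!r}")
    port = int(m.group("port"))
    if not 0 < port < 65536:
        raise ValueError(f"bad port in indicator: {ioc!r}")
    return Endpoint(ioc, m.group("host"), port, m.group("path"))


INDICATORS = [parse_endpoint(i) for i in PAGE_IOCS]

# Constructed sample log (not real traffic), Zeek conn.log-style, tab separated:
# ts, uid, orig_h, orig_p, resp_h, resp_p, proto. Line C4 deliberately hits the
# Meterpreter host on the wrong port and must not match.
SAMPLE_CONN_LOG = "\n".join([
    "1703000000.1\tC1\t10.0.0.5\t51234\t45.155.249.171\t443\ttcp",
    "1703000001.2\tC2\t10.0.0.5\t51235\t142.250.74.46\t443\ttcp",
    "1703000002.3\tC3\t10.0.0.7\t51236\t91.92.120.119\t62520\ttcp",
    "1703000003.4\tC4\t10.0.0.7\t51237\t103.163.187.12\t80\ttcp",
])


def match_conn_log(text: str, indicators=INDICATORS) -> list:
    """Return (uid, published IoC) for every connection whose resp_h:resp_p is an indicator."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 7 or not f[5].isdigit():
            continue
        resp = (f[4], int(f[5]))
        hits.extend((f[1], ep.ioc) for ep in indicators if (ep.host, ep.port) == resp)
    return hits


def match_url(url: str, indicators=INDICATORS) -> Optional[str]:
    """Match a full URL (proxy/HTTP log) against indicators; path-bearing IoCs need an exact path."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    for ep in indicators:
        if (ep.host, ep.port) != (u.hostname, port):
            continue
        if ep.path is None or u.path == ep.path:
            return ep.ioc
    return None


if __name__ == "__main__":
    for uid, ioc in match_conn_log(SAMPLE_CONN_LOG):
        print(f"{uid}: connection to {ioc}")
    print(match_url("http://103.163.187.12:8080/cz3eKnhcaD0Fik7Eexo66A"))
```

Matching on host and port together, rather than on the IP alone, is what keeps line C4 out of the results: a shared or rotated host on a different port is a different lead, and the URL matcher applies the same rule one level down by requiring the exact path when the published indicator carries one.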
Much of our timely threat intelligence focuses on Windows malware, and we seek to post on malware families of current interest to the community.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Fri, 29 Dec 2023 14:43:05 +0000