Updated 2024-01-23-IOCs-from-UltraVNC-infection.txt
brad-duncan authored Jan 24, 2024
1 parent 2d19f98 commit 9335eca
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions 2024-01-23-IOCs-from-UltraVNC-infection.txt
@@ -1,9 +1,14 @@
2024-01-23 (TUESDAY): ULTRAVNC INFECTION

REFERENCE:
ORIGINAL REFERENCE:

- https://twitter.com/Tac_Mangusta/status/1749763630847987861

REFERENCES:

- https://www.linkedin.com/posts/unit42_ultravnc-timelythreatintel-indicatorsofcompromise-activity-7156060867678150657-ktbL
- https://twitter.com/Unit42_Intel/status/1750295249174372862

NOTES:

- On 2024-01-23, @Tac_Mangusta posted on X (Twitter) information about an Italian malspam campaign with a link to malware.
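Review bot: the commit message ("Updated 2024-01-23-IOCs-from-UltraVNC-infection.txt") does not say what changed in this hunk; since the REFERENCE: heading is renamed to ORIGINAL REFERENCE: and a new REFERENCES: block with two Unit 42 links (LinkedIn and X) is added, state that in the message so readers of the history can see that the additions are follow-up reporting rather than new indicators.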
@@ -70,4 +75,4 @@ TRAFFIC FROM AN INFECTED WINDOWS HOST:
- port 443 - hxxps://www.dropbox[.]com/scl/fi/kcs0pwroc060awep6wrtr/Preventivo24.01.11.exe?rlkey=whqooo60ufh3ht7epj0nf6ii4&dl=1
- port 443 - ucf65c7f79fea35f25bf1c95597d.dl.dropboxusercontent[.]com - HTTPS traffic for EXE
- port 80 - hxxp://www.example[.]com/download/updates.txt <-- connectivity check, not inherently malicious
- 140.228.29[.]110 port 5500 - vnvariant2024.ddnsfree[.]com:5500 - VNC traffic
- 140.228.29[.]110 port 5500 - vnvariant2024.ddnsfree[.]com:5500 - VNC traffic
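Review bot: the removed and added lines at the end of this hunk render identically ("- 140.228.29[.]110 port 5500 - vnvariant2024.ddnsfree[.]com:5500 - VNC traffic"); if the change is only trailing whitespace or line endings, say so in the commit message, and if a character of the indicator actually changed (IP, port or hostname), the difference is not visible here and should be called out explicitly so consumers of the IOC list know which value to use.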
