CyberRaiju
@jaiminton.com
An Aussie who does cyber things | Manager @Huntress.com | Former Principal @CrowdStrike.com and HuntressLabs | https://jaiminton.com | https://www.youtube.com/@cyberraiju/featured
An Adobe printer driver sideloads tbb.dll; tbb.dll loads app-2.3.dll, which gets its stego from blood.wav and uses zxing.presentation.dll and Xceed.Wpf.AvalonDock.Themes.Aero.dll.

MSI:
www.virustotal.com/gui/file/f5c...

All components have 0 VT detections. The DLLs are legitimate ones that were modified.
June 24, 2025 at 3:11 AM
A new Octowave Loader sample has been leading to Amatera Stealer deployment over the past week.

0 VT detections on any component of the malware loader.
Proofpoint rules detect the outbound C2 traffic.
My Yara rule detects the installer.
June 24, 2025 at 3:11 AM
Their latest version, 52, fixes the issue, but you need to have 50 installed to install 52; this is not a standalone installer, just an update, and the old versions are still the default download on their website.

eu.community.samsung.com/t5/samsung-s...
May 10, 2025 at 3:05 AM
Now in open beta: simply upload an executable and the DLL it insecurely loads, fill in some extra fields, and generate a rule.

With a code editor and validation, this should make submitting to the project much easier!

Link: www.jaiminton.com/tools/hijack...
Direct: hijacklibs-assistant.streamlit.app
May 9, 2025 at 8:18 AM
HijackLibs.net details hundreds of publicly disclosed DLL Hijacking opportunities. With over 700 stars on GitHub and a growing list, @wietzebeukema.nl does an amazing job maintaining it.

Despite this, contributing can be time-consuming. That's why I've created HijackLibs Helper! 👇
May 9, 2025 at 8:18 AM
The version offered on their website via the download button is currently not even the latest, so even if it were patched (it isn't; the vulnerable class has not changed at all), anyone downloading the software is getting an outdated version! No updates here:

security.samsungtv.com/securityUpda...
May 7, 2025 at 7:08 AM
I've confirmed Samsung's MagicINFO 21.1050 is VULNERABLE to the publicly reported PoC in the blog below.

ssd-disclosure.com/ssd-advisory...

The media is reporting this as CVE-2024-7399, but if it is, then the patch is incomplete. There is currently NO PATCH AVAILABLE!
May 7, 2025 at 7:08 AM
The DLLs and everything, currently undetected once again:
DLL1: www.virustotal.com/gui/file/888...
DLL2: www.virustotal.com/gui/file/ea3...
DLL3: www.virustotal.com/gui/file/0c6...
Malicious WAV Stego: www.virustotal.com/gui/file/93c...
April 22, 2025 at 10:56 PM
It keeps going, new sample: www.virustotal.com/gui/file/d70...
At the time of scanning, 1 vendor detected it; still only 3 at the moment. Deploying LummaC2, unsurprisingly.
This time a binary signed by 'ONE UP LTD' from the Nuclear Coffee VideoGet application is used to load it into memory. 👇
April 22, 2025 at 10:56 PM
Likely from a fake Cloudflare challenge. It has 4 malicious DLLs, a Progress.pak supporting file, and shellcode inside Presentations\Application.wav.

Deploys LummaC2 into memory, which is now using both Telegram channel and Steam Community names for C2 fallback.

👇
April 22, 2025 at 9:21 PM
Another notable Octowave Loader sample, with its installer MSI showing low VT hits and the malicious DLLs being completely undetected. Sideloads into the legitimate Audacity.

Installs itself as 'Directory Converter' in the user LocalAppData 'Programs' directory.

👇
April 22, 2025 at 9:21 PM
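The Octowave posts above say the loader keeps its shellcode inside a .wav (Presentations\Application.wav, blood.wav) but do not say how it is embedded. What follows is an added example, not code from the original posts or from the loader's author: a stdlib-only structural triage of a WAV that parses the RIFF chunk layout and flags what a responder can check without knowing the embedding scheme, namely chunks that are not part of a normal PCM WAV, a data chunk whose entropy is too high for plain audio, and bytes appended past the declared RIFF size. The 7.0 bits/byte threshold and the two suspect files are assumptions constructed here for the demonstration.

```python
"""Structural triage of a WAV file suspected of carrying a hidden payload.

Added example, not the original posts' code and not a decoder for any real
loader: the posts do not describe the embedding scheme, so this only reports
structural oddities a responder would check first.  Sample files are
constructed inline; the entropy threshold (7.0 bits/byte) is an assumption.
"""
import hashlib
import io
import math
import struct
import wave
from collections import Counter

# Chunk IDs a plain PCM WAV written by common tools is expected to contain.
EXPECTED_CHUNKS = (b"fmt ", b"data", b"LIST", b"fact")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or packed data, far lower for PCM audio."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_riff(blob: bytes):
    """Walk the RIFF chunk list. Returns (chunks, trailing_bytes) where each
    chunk is (fourcc, payload_offset, payload_size) and trailing_bytes counts
    data after the end declared in the RIFF header."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    riff_end = min(8 + riff_size, len(blob))
    chunks, pos = [], 12
    while pos + 8 <= riff_end:
        fourcc = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        chunks.append((fourcc, pos + 8, size))
        pos += 8 + size + (size & 1)  # chunk payloads are word-aligned
    return chunks, len(blob) - riff_end


def triage_wav(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Return chunk summary plus human-readable findings for a WAV blob."""
    findings = []
    chunks, trailing = parse_riff(blob)
    for fourcc, off, size in chunks:
        ent = shannon_entropy(blob[off:off + size])
        if fourcc not in EXPECTED_CHUNKS:
            findings.append(f"unexpected chunk {fourcc!r}: {size} bytes, entropy {ent:.2f}")
        if fourcc == b"data" and ent > entropy_threshold:
            findings.append(f"data chunk entropy {ent:.2f} is too high for plain PCM")
    if trailing:
        findings.append(f"{trailing} bytes appended after the declared RIFF size")
    return {"chunks": [(c[0].decode("latin-1"), c[2]) for c in chunks],
            "trailing": trailing, "findings": findings}


# ---- constructed samples (not real malware artefacts) ----------------------

def make_pcm_wav(seconds: int = 1, rate: int = 8000) -> bytes:
    """Clean 8-bit mono tone; few distinct sample values, so low entropy."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(rate)
        w.writeframes(bytes(int(128 + 30 * math.sin(2 * math.pi * 440 * i / rate))
                            for i in range(seconds * rate)))
    return buf.getvalue()


def fake_payload() -> bytes:
    """2 KiB of hash output standing in for an encrypted blob (entropy ~8)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))


def make_appended_wav() -> bytes:
    """Payload simply glued on after the RIFF end; players ignore it."""
    return make_pcm_wav() + fake_payload()


def make_extra_chunk_wav() -> bytes:
    """Payload carried in a non-standard 'junk' chunk with the RIFF size patched."""
    wav, payload = make_pcm_wav(), fake_payload()
    extra = b"junk" + struct.pack("<I", len(payload)) + payload
    new_size = struct.unpack_from("<I", wav, 4)[0] + len(extra)
    return wav[:4] + struct.pack("<I", new_size) + wav[8:] + extra


if __name__ == "__main__":
    for name, blob in (("clean", make_pcm_wav()), ("appended", make_appended_wav()),
                       ("extra chunk", make_extra_chunk_wav())):
        print(name, triage_wav(blob))
```

Run it against a real sample with `triage_wav(open(path, "rb").read())`; a clean file yields no findings, while a payload hidden by either of the two constructed methods is reported. Note that a scheme which spreads the payload across the low bits of genuine audio would raise the data chunk's entropy only modestly, so a silent result is not a clean bill of health.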
Termite had access to Genea for 2 weeks through their Citrix environment before exfiltrating 900 GB+ of patient records to Digital Ocean.

This is an org that helps couples have a family.

🤬😡

www.genea.com.au/pages/import...

www.genea.com.au/sfsites/c/cm...
February 27, 2025 at 4:08 AM
This threat actor has started using @github.com to host the PowerShell downloaders, making it fairly trivial to find accounts hosting a copy of Vidar Stealer. Some have low VT hits and some have high.

www.virustotal.com/gui/file/f9d...

www.virustotal.com/gui/file/847...
December 30, 2024 at 4:48 AM
👀 The domain saaadnesss[.]shop, registered a month ago and used to track infected victims in a fake CAPTCHA/ClickFix/ClearFake campaign, is now already being seen as one of the top 1 million domains as a result of being served from compromised websites.

urlscan.io/search/#saaa...
December 23, 2024 at 2:07 AM
How do you submit a pull request to a malware author?🤔

Celestial Stealer is checking for my name or online handle, and it won't execute if it's found, but my RE machine is using the name Barry, so this check will fail.

Who do I reach out to about this? 😅

www.trellix.com/blogs/resear...
December 8, 2024 at 8:30 PM