The BlackBerry research team reports on a financially motivated threat actor that is targeting banks and cryptocurrency trading entities. The malware seen in these attacks is the #AllaKore RAT (remote access trojan) that contains a suite of capabilities and the targets were organizations that had a large revenue.
Through the analysis, the team was able to identify some PowerShell scripts, the user-agent used by the malware, and the ability to capture input text and screen captures. You can find more technical analysis in this report that I haven't mentioned! Enjoy and Happy Hunting!
Ending the mini-series that covers the Cisco Talos Intelligence Group's Year In Review report, we will be diving into the MITRE ATT&CK Technique T1068, Exploitation for Privilege Escalation. This technique falls under the Tactic of Privilege Escalation (TA0004) and has no sub-techniques. This technique can be seen when adversaries "exploit software vulnerabilities in an attempt to elevate privileges" (https://attack.mitre.org/techniques/T1068/) and has been used by groups like #ScatteredSpider and seen in the #Stuxnet malware.
IN another example, the #REvil ransomware-as-a-service group used this technique when they targeted the Microsoft Windows Malware Protection Engine and abused it by side-loading a DLL that executed the ransomware. Of course, I can't leave you empty handed, so here is the Community Hunt Package that you can use to hunt for that activity!
As we continue down the "Year in Review" from Cisco Talos Intelligence Group we move to the MITRE ATT&CK Technique, which is second on their list of top 20 most common seen, T1078, Valid Accounts.
T1078 or Valid Accounts is used when "adversaries obtain and abuse credentials of existing accounts as a means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion." Basically, the adversary is leveraging your own users against you! Of course, the more privileges the account has the better!
This technique also has 4 sub-techniques, which helps defenders get a little more specific with the technical details. These include the abuse of Default Accounts, Domain Accounts, Local Accounts, and Cloud accounts, all of which have their own little role to play in an adversaries attack!
The Cisco Talos Intelligence Group researchers discovered a new remote access trojan (#RAT) that they dubbed "SugarGh0st". The adversary was "targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korean".
In one of the attacks, the adversary used a shortcut file with a double extension, which is a technique adversaries use to abuse the default settings of Windows, which is to hide the extensions, so the user may not suspect anything. Some of the capabilities include video and screen capture as well as the ability to clear tracks by deleting event logs. Check out the rest of the technical details and the second infection chain in the article! Enjoy and Happy Hunting!
As planned (but a little later than I would have wanted) comes Part 2 of my posts related to the Palo Alto Networks Unit 42 article on #AgonizingSerpens. In my first installment, I covered the TTPs and behaviors of the APT that were presented by the team and in this post I am going to cover the TTPs and behaviors observed by the first wiper they discussed, the #MultiLayerWiper. Enjoy and Happy Hunting!
The NCC Group has created a series that I look forward to finishing, titled "Unveiling the Dark Side: A Deep Dive into Active Ransomware Families". The first installment covers the #BlackCat#ransomware (a.k.a. #ALPHV) and an incident that they observed that it was involved in that included new service and new accounts being created, and data being staged and believed to be exfiltrated. If you like technical reports like I do, this is one you don't want to miss! Enjoy and Happy Hunting!
With the recent activity reported by the CERT-UA researchers, we focus on the apt known as the #Sandworm Team, or (UAC-0165 as tracked by the Ukraine CERT). They recently targeted "at least 11 telecommunications providers" and conducted scans, installed backdoors, and cleared their tracks.
Normally I post something about a threat intel report but I have been reading the Microsoft Digital Defense Report for 2023 and there is just too much to post. That being said, I am going to share some of the numbers Microsoft presented and my thoughts on them. Let's start with ransomware:
📊 80-90% of all successful ransomware compromises originate from unmanaged devices.
📊 70% of organizations encountering human-operated ransomware had fewer than 500 employees.
📊 13% of human-operated ransomware attacks that moved into the ransom phase included some form of data exfiltration.
📈 Human-operated ransomware attacks are up more than 200%
The Kaspersky #Securelist researchers provide details on not one, not two, but THREE pieces of malware! They cover the #ASMCrypt (a crypto/loader), #Lumma (a stealer), and #Zanubis (an Android banking trojan) and provide insight on their TTPs and behaviors. Plus, you get the links to the reports they produced! Enjoy and Happy Hunting!
The ESET Research team discovered a sophisticated backdoor that contains multiple components and doesn't act like your normal malware with C2 communication. The backdoor consists of an Executor and Orchestrator. The Executor appears to act more like a middle man for the Orchestrator while the Orchestrator is responsible for actually running the commands from the C2 server. Enjoy this highly-technical article and Happy Hunting!
The Palo Alto Networks Unit 42 research team discovered some activity that they attributed to a very stealthy and rarely seen APT, #Gelsemium. They target a diverse group of industries but use tools like #CobaltStrike, #MetaSploit, and #ChinaChopper but also used the Potato Suite that was seen as JuicyPotato.exe (who can't appreciate that?!). This was a great weekend read and I hope you all enjoy it as much as I did! Happy Hunting!
The Intel 471 team provides their findings of the #BumbleBee loader as it makes its comeback after a two month break. Taking the place of the #BazarLoader (the source code was leaked when the #Conti leak occurred). The BumbleBee loader has been associated with distributing ransomware and is currently being used by multiple threat actors. My favorite part of this article though (and not surprising) is all the MITRE ATT&CK mappings that provide all the #ThreatHunters a place to start looking, so thank you for that team! I hope you all enjoy and Happy Hunting!
Follow the Check Point Software Technologies Ltd research team as they take a deep dive into the #phishing campaign they observed that targeted over 40 companies in Colombia. What started with a phishing email led to the #Remcos RAT which provides the adversaries with full control over the infected computer. Enjoy and Happy Hunting!
Researchers from Kaspersky's #SecureList team takes a deep-dive into an "Evil Telegram" doppelgänger that is targeting Chinese users. At first the app looks benign and non-malicious until they started digging into the code. They found some functions that were designed to gather information of the contacts and access to the phone of the victim but also contains a function to gather messages and upload them to a command and control server that the adversary runs! Enjoy and Happy Hunting!
Among the stealers that Cisco Talos Intelligence Group has observed, the #SapphireStealer is a new one that appears to focus on browser credential theft with its straightforward techniques. It is capable of gathering host information, screenshots, cached browser credentials, and files stored on the system. It then creates its own directory and stores credentials in a passwords.txt file and screenshots then zips all the data up and exfiltrates it using Simple Mail Transfer Protocol (SMTP). PLUS, as an added bonus, the research team observed some operational security (OPSEC) failures by the adversary which led to some personal accounts that could be associated with the threat actor! Enjoy and Happy Hunting!
Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as #FlaxTyphoon. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like #ChinaChopper, #MetaSploit, and #Mimikatz, they also rely on abusing #LOLBINS, or Living-off-the-land binaries and scripts (tools that exist and come with the native operating system). Some of their TTPs include using registry key modification for persistence, using #powershell, #certutil, or #bitsadmin to download tools, and accessing #LSASS process memory and Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but it provides a starting point for any organization to start threat hunting by using the technical details provided! Enjoy your weekend and #HappyHunting!
Good day all! If you have been looking for technical and behavioral artifacts regarding CVE-2023-2868, look no further! Mandiant (now part of Google Cloud) takes a deep-dive into #UNC4841, a Chinese-nexus threat group, activity that shows how the group is growing in maturity and sophistication. There is a lot to learn about TTPs from this article and I hope you enjoy it as much as I did! Happy Hunting everyone!
Follow the Trend Micro researchers as they dissect the Big Head Ransomware variants. What I look for in these types of reports are the behaviors that are uncovered through the analysis and how I can apply these artifacts to a hunt in my environment. For example, one artifact they discovered how the malware was designed to delete the backups on the compromised machine. Recognizing and learning these behaviors is crucial to conducting a successful threat hunt! Enjoy and Happy Hunting!
The next installment of the SentinelOne and #VXUnderground blog series features Millie Nym as they demonstrate their unique reverse engineering techniques as they analyze a sample of ArechClient2. Enjoy and Happy Hunting!
As usual, for this #miniCTF, I am going to leave out a piece of information and it is your job to find it! DM me with the answer or leave a comment!
Hint: Check the links in the article!
Notable MITRE ATT&CK TTPs:
TA0005 - Defense Evasion
T1055.? - Process Injection: [fill in this blank]
T1562 - Impair Defenses: Disable or Modify Tools
T1112 - Modify Registry
TA0009 - Collection
T1005 - Data from Local System
#HappyMonday everyone! I am back from a weeklong "vacation" with an article from the SentinelOne blog but the research was conducted by Pol Thill. There was a challenge thrown down by #VXUnderground and SentinelOne looking for research that was conducted but not previously published, which I think is a really interesting concept and needs to happen more often!
Anyways, here is Pol's research on Neo_Net, the Kingpin of Spanish eCrime! Enjoy and Happy Hunting!
Link in the comments!
Notable MITRE ATT&CK TTPs and Behaviors:
Mobile Matrix:
TA0035 - Collection
T1636.004 - Protected User Data: SMS Messages
TA0037 - Command and Control
T1437.001 - Application Layer Protocol: Web Protocols
T1481.003 - Web Service: One-Way Communication
Happy Tuesday everyone! #APT37 is the topic of today's #readoftheday, specifically ThreatMon takes a deep-dive into the #RokRat malware, which is a remote access trojan (RAT). Enjoy and Happy Hunting!
Link to article in the comments!
AS usual I am going to leave one of the MITRE ATT&CK blank. I would like to see if any of you that see this can help FILL in that blank! If so, leave your thoughts in the comments OR send me a DM!
Notable MITRE ATT&CK TTPs:
TA0007 - Discovery
T1087 - Account Discovery
T1083 - File and Directory Discovery
T1018 - Remote System Discovery
T1082 - System Information Discovery
TA0009 - Collection
T[What technique covers the threat actor capturing information under the TEMP folder?] - Good luck!
TA0011 - Command And Control
T1071.001 - Application Layer Protocol: Web Protocols
TA0002 - Execution
T1059.003 - Command and Scripting Interpreter: Windows Command Shell