Information stealers (infostealers) continue to be the tool of choice fueling an ever growing cybercriminal economy. Harvested credentials are a hot commodity, from account takeover and financial fraud, to underground markets, and hand offs to… Tracking DigitStealer: How Operator Patterns Exposed C2 Infrastructure
There are plenty of options when it comes to automating Python scripts. You can use cronjobs if your using *nix, scheduled tasks on Windows, and native libraries like schedule and apschedule. Tracking newly registered domains… Serverless Domain Hunting: Track Newly Registered Domains With Ease
Bifrose or Bifrost is a backdoor initially targeting Windows systems with a long history. First identified in the early 2000’s, it is believed a hacking group (likely BlackTech), purchased the source code or gained access… A Quick Look at ELF Bifrose (Part 1)
Summary BlackTech has built a reputation relying on (much to the delight of defenders) tech-themed domains and predictable registration patterns. Recent reporting linking malicious domains to the actor suggests these patterns may be fading, at… So Long (Go)Daddy | Tracking BlackTech Infrastructure
21 August 2022 Recently, Avast tweeted a GitHub link of indicators of compromise (IOC) linked to the Manjusaka Framework. Cisco Talos released a blog earlier this month covering the framework in great detail, so I… Analyzing Manjusaka Infrastructure
02 June 2022
The Kimsuky APT Group has routinely utilized the AppleSeed Backdoor to target various entities within South Korea, mainly for the purposes of espionage.
While phishing still remains the primary vector of delivering the backdoor, over the past year, Kimsuky has gone to great lengths to disguise its attacks, utilizing numerous types of decoy files, packers, and encoding schemes.
Overview of AppleSeed Dropper
26 May 2022 While the actual blog post has been difficult to access for some, Positive Technologies released research on the Space Pirates APT group that has been spotted intruding on government, IT, and critical… Analyzing the Royal Road to Space Pirates
15 May 2022 RTF SHA256: ac64adbfa128fd5f31bd922957942a1b80c56ee119791a29b939be04e1d7e2ba Filename: PO#JEL180409TH IR & JEL180409TH IRB.doc VirusTotal Score: 30/59 as of 12 May 2022 What’s An RTF? First released some 35 years ago, the Rich Text Format (RTF) file… Analysis of an Obfuscated RTF File
Background Adversaries frequently utilize scheduled tasks, a legitimate Windows operating system utility to establish/maintain persistence and even execute code in a victim network. Scheduled tasks allow for persistence on a victim network between reboots as… Detecting COM Object Tasks Used by DarkHotel
Although not utilized in attacks for initial access, web shells remain a go-to for all sorts of attackers, from cyber criminals to APT’s when it comes to post-exploitation. The server-side component of a web shell… A Tale of Two Shells