Apr 18 2021 This Week's Read List - 04-17 APR 2021

Malware, Campaigns and TTPs

Sophos Uncovered Connection Between Mount Locker and Astro Locker Team - Sophos has published a report linking Mount Locker and Astro Locker Team ransomware groups together after following a link in a ransom note to a chat support site sharing similarities to the others site and tied to together by a TOR Onion site address.

(Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor - ESET researchers have discovered a previously undocumented Lazarus backdoor, which they have dubbed Vyveva, being used to attack a freight logistics company in South Africa. The backdoor consists of multiple components and communicates with its C&C server via the Tor network. A technical analysis and IoCs of the malware are included in this article.

Iran’s APT34 Returns with an Updated Arsenal - Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34 (aka OilRig), against what appears to be a Lebanese target, employing a new backdoor variant we dubbed SideTwist. CPR provides an analysis of the attack chain, capabilities and IoCs in this post.

Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware - TrendMicro updates their findings tied to the Iron Tiger threat actors and their SysUpdate malware. The new findings include a change in its infections routine, possible connections to other threat actors based on TTPs, and also the use of rootkits which has not been previously observed. IoCs are included in this article.

HTML Lego: Hidden Phishing at Free JavaScript Site - This post looks at an interesting technique leveraged during a phishing campaign where an e-mail attachment disguised as an Excel spreadsheet, was actually an HTML file with embedded Javascript. The Javascript used portions of the HTML to reassemble a webpage that appears to be Office365 and a sign out notification.

Investigating a unique “form” of email delivery for IcedID malware - Microsoft details its analysis of malicious activity surrounding contact forms being abused to deliver malicious links using emails containing fake legal threats. These emails contain a link to download IcedID.

Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild - This post details a zero-day exploit believed to be used by the BITTER APT group that takes advantage of CVE-2021-28310, an out-of-bounds write vulnerbaility in Microsoft's Desktop Windows Manager (dwmcore.dll).

Emotet Command and Control Case Study - Palo Alto's Unit 42 provides an in depth analysis of Emotet's encryption algorithms and command and control data exfiltration techniques.

A Technical Analysis of the Mirai Botnet Phenomenon:Mirai Botnet Attack and Infection Methodologies - Heimdal Security takes a look at the history of Mirai and the multiple facets surrounding one of the arguably most famous botnets.

Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020? - An interesting article from Brian Krebs about events tied to the SolarWinds breach that occurred months before it was disclosed and uncovered by FireEye.

Blue Team Techniques

Detecting Exposed Cobalt Strike DNS Redirectors - F-Secure Labs details a detection technique for identifying Cobalt Strike DNS redirectors.

Detecting the Next SolarWinds-Style Cyber Attack - Although written from the perspective of somewhat using Cymulate, this article has some great principles and examples of how to build detections using some standard formats.

Five Clear Steps to Enhance SecOps with MITRE ATT&CK - The 5-Step process outlined here is a great way to start incorporating Threat Emulation in your defensive plans.

Government & Cybersecurity

Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments - CISA details how to use Aviary, a dashboard to help visualize and analyze the outputs of it Sparrow tool.

Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities - The FBI releases details regarding the actions it took against webshells that were deployed as part of the campaigns to attack vulnerable Microsoft Exchange servers.

MAR-10330097-1.v1: DearCry Ransomware - CISA's Malware Analysis Report on DearCry ransomware.

MAR-10331466-1.v1: China Chopper Webshell - Another CISA Malware Analysis Report on China Chopper.

MAR-10327841-1.v1 – SUNSHUTTLE - CISA's Malware Analysis Report on SUNSHUTTLE.

CISA and CNMF Analysis of SolarWinds-related Malware - CISA and the Cyber National Mission Force (CNMF) release their analysis of SolarWinds-related malware.

NSA-CISA-FBI Joint Advisory on Russian SVRTargeting U.S. and Allied Networks - The NSA, CISA, and the FBI have released multiple advisories, malware reports, and other documentation related to the Russian aggression against the US and other Allied nations.

Tools

List Of Open Source Security Tools - A list of open source security tools covering: security monitoring/intrusion dection/prevent; threat intelligence; incident response; vulnerability assessment; firewalls; antivirus/endpoint protection; and email security.

HTTPX – A Tool to Fingerprint a Web Server - Httpx is a fast and multi-purpose HTTP toolkit that allows the user to run multiple probers using the retryablehttp library, it is designed to be reliable and fast with increased threads. Other than finding the HTTP server httpx has many silent features like finding a status code, discovering vhost’s, extracting domains from CSP, and many more.

Zircolite - Zircolite is a standalone tool written in Python 3 allowing to use SIGMA rules on Windows EVTX logs. It can be used directly on an endpoint (pseudo live-forensics) or in your forensic/detection workstation.

gau (GetAllUrls) Review – A Tool For Discovering URL’s - Getallurls (gau) fetches known URLs from AlienVault’s, the Wayback Machine, and Common Crawl for any given domain.

GreyNoise Community API - GreyNoise has launched a community API to query IPs within the GreyNoise database.

IntelMQ - IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs/CSIRTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.

efiSeek for Ghidra - efiSeek is a Ghidra plugin that automates the process of researching EFI files and helps discover and analysis well-known protocols, SMI handlers etc.

Educational Resources

From PowerShell to Payload: An Analysis of Weaponized Malware - Huntress security researcher, John Hammond, breaks down a Metasploit PowerShell stager

Attack Detection Fundamentals 2021: Windows - Lab #1 - F-Secure Labs presents a three part series on the fundaments of attack detection. Part 1 focuses on building an initial access payload to evade some of the most common endpoint protection mechanisms using an HTA file. Part 2 focuses on defense evasion techniques to unhook EDR-monitored API functions and ETW to prevent detection by security tools. During the third installment, Part 3 the focus is on API hooking. Part 4 wraps up with stealing browser cookies and extracting Chromes master password.

Attack Detection Fundamentals 2021: macOS - Lab #1 - The second install ment of F-Secure's Attack Detetion fundamentals focuses on macOS. Part 1 focuses on Initial access via Office macros. Part 2 focuses on persistence using LaunchAgents. And Part 3 focuses on bypassing security and privacy controls.

Using Kaitai Struct to Parse Cobalt Strike Beacon Configs - Ever wondered how a Cobalt Strike Beacon Config was structured? Justin Warner breaks down the entire structure with a detailed explanation, and demonstrates the value of using Kaitai Struct to assist in parsing the config.

Microsoft releases a cyberattack simulator - Shall we play a game? - CyberBattleSim is Python-based simulator from Microsoft that allows security researchers and data scientists to create simulated network environments and see how they fare against AI-controlled cyber agents.

Red Team Tooling: Writing Custom Shellcode - Praetorian walks through using Matryoshka to generate shellcode to run a second-stage payloaded embedded in a Microsoft Office document.

Free Python Books - A GitHub list of free books about Python.

Learn X in Y Minutes - Looking to learn a new programming language or dev tool? Why not checkout this site to see if they have a lesson on what you are interested it? Although I've yet to find a specified "Y" value of time, there are a lot of "X"es to choose from.