This Week's Read List - 24-30 JAN 2021
This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.
SolarWinds
Malware Analysis Report (AR21-027A) - SUPERNOVA - CISA has released their report on the SUPERNOVA backdoor originally reported by FireEye as part of their reporting on the SolarWinds breach.
Deep into the SunBurst Attack - CheckPoint Research details their analysis of the second-phase of the SolarWinds breach, movement to the cloud.
Malware, Campaigns and TTPs
Tool-Less Extraction of IOCs from an Emotet Maldoc - A technical write-up on how to manually extract an Emotet payload from a malicious document.
Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication - FireEye releases the details of a phishing campaign leveraging Web Open Font Format (WOFF) inside of CSS to execute some Javascript, and the use e-mail and Telegram channels to exfiltrate data.
Windows finger command abused to download MineBridge backdoor
- The `finger command has a long rich history. This is just another page in
the books.
Government & Cybersecurity
CISA Shares Specs for Threat-Hunting Solution - CISA is questioning whether or not industry can provide sufficient performance and security features to support a threat hunting system. The system must have redundancy, failover, load balancing, rate limiting, the option to scale to the cloud, a meet a specified minimum level of encryption.
Here's how law enforcement's Emotet malware module works - As part of the Emotet takedown, European law enforcement created a new Emotet module to uninstall Emotet from the infected devices. This module is an "update" to Emotet that points infected devices to law enforcement controlled servers. According to them, this allows the new Emotet module to collect all the information necessary to uninstall itself.
Tools
Introducing APT-Hunter : Threat Hunting Tool via Windows Event Log - APT-Hunter is a Python based tool designed to help defenders parse through Windows-related logs and identify suspicious behaviors. APT-Hunter claims to analyze Sysmon , Security , System , Powershell , Powershell Operational , Scheduled Task , WinRM , TerminalServices, and Windows Defender logs.
String Encoding and YARA... Oh My - A look at how InQuest extracted some strings from a malicious document flagged as Dridex and turned them into a Yara rule using a Python script Yara rule generator.
LogoKit Can Manipulate Phishing Pages in Real Time - The phishing kit LogoKit makes it easier for attackers to mimic real login pages by helping to incorporate company logos into the falsified pages.
ThreatConnect and ANY.RUN - Better Malware Analysis - ThreatConnect and ANY.RUN announce a partnership and the release of a Playbook App to allow ThreatConnect customers to submit items to ANY.RUN for automated analysis and retrieve the results.
PacketSifter as Network Parsing and Telemetry Tool - PacketSifter parses through PCAP and bins outputs for statistics and extracted information and objects into different files for analysis.