This Week's Read List - 25 APR 2021-08 MAY 2021

This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.

Malware, Campaigns and TTPs

Researchers Uncover Stealthy Linux Malware That Went Undetected for 3 Years - RotaJakiro is the name given to the malware discovered by Qihoo 360 NETLAB that targets Linux hosts. The backdoor is named as such because of the rotate encryption scheme it uses. Initial analysis of a sample indicates that it may have some overlap with a botnet names Torii.

Chinese Hackers Attacking Military Organizations With New Backdoor - Naikon APT, a Chinese-attributed group, has been targeting military organizations in Southeast Asia. Their activities include leveraging backdoors names Nebulae, Rainy Day, and Aria-Body.

UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat - FireEye examines a new ransomware group taking advantage of a 0-day in the SonicWall VPN. This blog post takes a look at the different components of the attack, tools used, and also breaks down of the IoCs.

PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector - Cybereason's Nocturnus Team analyzes the PortDoor backdoor which has been used to target a Russian-based defense contractor. Cybereason attributes this activity to a group operating on behalf of Chinese state-sponsored interests.

Bash Uploader Security Update - CodeCov release IoCs tied to their recent breach.

Pingback: Backdoor At The End Of The ICMP Tunnel - TrustWave's Spiderlabs details a recent encounter with malware dubbed Pingback because of its use of ICMP tunneling. IoCs included.

Researchers Uncover Iranian State-Sponsored Ransomware Operation - Ransomware is not just for criminals, it's for state-sponsored actors too. According to Flashpoint, Iran's Islamic Revolutionary Guard (IRGC) was operating a ransomware operation by using an intermediary/front company.

Blue Team Techniques

Quickpost: Decrypting Cobalt Strike Traffic - Didier Stevens takes a look at Cobalt Strike Beacon and how to decrypt traffic by extracting the encryption key from memory.

Government & Cybersecurity

Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders - CISA, the FBI, and DHS release a joint statement about the tools, targets, techniques, and capabilities of the Russian Foreign Intelligence Service (SVR) to assist entities conducting their own investigations and securing their own networks.

DevOps

gcip - Write your Gitlab CI pipelines in Python - The Gitlab CI Python Library (gcip) is a Library to create dynamic pipelines for Gitlab CI.

Tools

The Evil Crow Is Ready To Cause Some RF Mayhem - Evil Crow is an sofware-defined radio, similar to the HackRF, but smaller and cheaper. Evil Crow can cover the 300 and 928 MHz (with some gaps) spectrum, and with it's dual antenna setup can both transmit and receive.

Adobe Releases Open Source Anomaly Detection Tool "OSAS" - OSAS aka the One Stop Anomaly Shop is an interesting piece of software designed to detect anomalies in datasets. The tool probably requires quite a bit of configuration to get work with your own security dataset, but could be an interesting tool explore that might provide some previously hidden insights.

isodump.py - Another tool from Didier Stevens to analyze ISO files.

Synapse - Synapse is a platform designed for intelligence analysis using an underlying graph-like database. Synapse is built to fuse together disparate data sets across different disciplines and provides the underlying structures to link them together, the algorithms to analyze the relationships, and the flexibility for analysts to extract valuable insights from the data.

OpenCTI - Another threat intelligence management platform to help assist in conducting analysis. The platform can be integrated with other tools such TheHive and MISP.

Introducing Mystikal - Mystikal is a macOS payload generator for Apfell or Leviathan to help gain initial access.

ScareCrow - ScareCrow is a payload creation framework for generating loaders for the use of side loading into a legitimate Windows process. It is also capable of "unhooking" an EDR.

ProcMon for Linux - The preview of ProcMon for Linux from the Sysinternals tool quite is here. Taking inspiration from ProcMon for Windows, Procmon for Linux provides a convenient and efficient way for Linux developers to trace the syscall activity on the system.

Educational Resources

Threat Intelligence in the Homelab - This blog post takes a look at some of the free resources that can be used when conducting analysis. In particular it looks at Pulsedive, ANY.RUN, Malshare, URLHaus, and urlscan.io.

Attack Detection Fundamentals 2021: Azure - Lab #1 F-Secure Labs continues its Attack Detection Fundamentals series with a 3-part series on Azure. Part 1, Part 2, and Part 3 walk through an end-to-end killchain in Azure.

using qemu-user emulation to reverse engineer binaries - This blog post takes a look at using qemu to assist in reversing binaries from different architectures than the computer you happen to be working on.

Miscellaneous

What is Smishing? The 101 guide - Ever wondered what Smishing was? Malwarebytes has a quick and easy read to help you learn the basics of smishing.