This Week's Read List - 31 JAN 2021-06 FEB 2021
This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.
Malware, Campaigns and TTPs
Cybersecurity Researchers Identifies an Updated Variant of 'Pro-Ocean' Malware - A new variant of the "Pro-Ocean" cryptojacking malware used by the Rocke Group has been identified. The malware targets cloud infrastructure, hijacking compute to mine cryptocurrency.
[PDF] Phantom Malware: Conceal Malicious Actions from Malware Detection Techniques by Imitating User Activity - An interesting white paper on how malware can evade traditional detection techniques by imitating user behavior (driving the UI the way a person would rather than calling APIs directly).
A tale of EDR bypass methods - A good summary/collection of EDR bypass techniques. The post also provides a great list of links to resources for further reading.
New Linux malware steals SSH credentials from supercomputers - Kobalos is a backdoor targeting high-performance computing clusters on academic and research networks; on compromised hosts it is paired with a trojanized OpenSSH client that steals SSH credentials. The malware has a few interesting features, including multiple connection options and the credential-theft capability.
New Method to Perform XS-Leak Side Channel Attacks Disclosed - XS-Leaks are a class of browser side-channel attacks; the newly disclosed method abuses redirect hops to create a cross-site leak condition.
CinaRAT Resurfaces With New Evasive Tactics and Techniques - An excellent walkthrough of the first, second, and third stages of CinaRAT. Includes a list of IoCs.
Tools
Malchive - A new repository of malware analysis tools released by MITRE.
Serial Studio: Easily Visualize and Log Serial Data - Serial Studio is an interesting tool if you are working with serial data and need to visualize what is happening.
What2Log - An interesting site that has a lot of good resources and tools about what to log, how to log it, and how to collect it.
Hunting in the Sysmon Call Trace - A great write-up on using Sysmon to hunt. The post provides the sample Sysmon config that was used, as well as some practical example walkthroughs.
Simple Trend and Anomaly Detection with SQL - An interesting write-up from Imperva on leveraging SQL to perform trend analysis and anomaly detection; always something useful to know and be able to do.
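To make the SQL approach concrete, here is an added example (my own, not code from the Imperva post) that scores each day's count against a trailing seven-day baseline entirely in SQL, using SQLite through Python's standard sqlite3 module. The table, the failed-login counts and the 3-sigma threshold are all constructed for the example; the self-join keeps the query portable to engines without window functions, and the variance is derived from E[x^2] - E[x]^2 because SQLite has no STDDEV.

```python
"""Trailing-window baseline and anomaly flagging in plain SQL (SQLite via sqlite3).

Added example, not code from the linked post. All data below is constructed.
"""
import math
import sqlite3

# Constructed sample: (day_index, failed_login_count). Days 1-12 are a noisy
# baseline, day 13 is a credential-stuffing style spike, day 14 returns to normal.
SAMPLE_COUNTS = [
    (1, 12), (2, 15), (3, 11), (4, 14), (5, 13), (6, 16),
    (7, 12), (8, 14), (9, 15), (10, 13), (11, 12), (12, 14),
    (13, 97), (14, 15),
]

# For each day, build the baseline from the previous seven days only, so the
# current day cannot pollute its own baseline. The square of the deviation is
# compared with k^2 * variance to avoid needing SQRT() in SQL; the MAX(.., 1.0)
# floor stops a perfectly flat baseline from turning a +1 blip into an alert.
ANOMALY_SQL = """
WITH baseline AS (
    SELECT cur.day                 AS day,
           cur.cnt                 AS cnt,
           AVG(prev.cnt)           AS mean,
           AVG(prev.cnt * prev.cnt) - AVG(prev.cnt) * AVG(prev.cnt) AS variance,
           COUNT(prev.cnt)         AS window_size
      FROM counts cur
      JOIN counts prev
        ON prev.day BETWEEN cur.day - 7 AND cur.day - 1
     GROUP BY cur.day, cur.cnt
)
SELECT day, cnt, mean, variance, window_size
  FROM baseline
 WHERE window_size >= 7                                  -- need a full window
   AND cnt > mean                                        -- only upward spikes
   AND (cnt - mean) * (cnt - mean) > ? * MAX(variance, 1.0)
 ORDER BY day;
"""


def find_anomalies(rows, threshold_sigma=3.0):
    """Load (day, count) rows into an in-memory table and return the flagged days.

    Each result carries the day, the observed count, the baseline mean and the
    z-score (computed in Python only because SQLite lacks SQRT by default).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE counts (day INTEGER PRIMARY KEY, cnt INTEGER NOT NULL)")
    conn.executemany("INSERT INTO counts VALUES (?, ?)", rows)
    flagged = []
    for day, cnt, mean, variance, _ in conn.execute(ANOMALY_SQL, (threshold_sigma ** 2,)):
        sigma = math.sqrt(max(variance, 1.0))
        flagged.append({
            "day": day,
            "count": cnt,
            "baseline": round(mean, 2),
            "z": round((cnt - mean) / sigma, 2),
        })
    conn.close()
    return flagged


if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_COUNTS):
        print(hit)
```

Only day 13 is flagged. Note what happens on day 14: the spike is now inside the trailing window, inflating both the mean and the variance, so a second, smaller spike the following day would be masked. A median-based baseline, or excluding already-flagged days from the window, is the usual fix in production queries.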
ScareCrow - ScareCrow is a payload creation framework that generates loaders designed to be side-loaded into a legitimate Windows process.
ProcDOT - ProcDOT is a visual tool for conducting malware analysis using additional data sources like PCAP, Sysmon and other logs to generate a graph.
OpenBullet - OpenBullet is a web-testing suite that sends requests to a target web app and offers a lot of tools for working with the results. Its plugin architecture makes it highly extensible. Worth knowing from the defensive side too: it is widely abused for credential stuffing, so its traffic patterns are something to detect, not just a tool to use.
DevOps
Docker Security - A short write-up highlighting some of the steps needed to secure a Docker container.
Miscellaneous
13,000 Regular Expressions Make An Editor’s Life Easier - An interesting application of regular expressions by The Guardian.
Tamper-evident Logs - An interesting take on how to cryptographically ensure that logs are not tampered with.