As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- Cado Security
  Spinning YARN – A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence
- Django Faiola at ‘Appunti di Informatica Forense’
- Forensic Science International: Digital Investigation
  Volume 48
- Invictus Incident Response
  The mystery of the EnrichedOffice365AuditLogs solved
- Nik Alleyne at ‘Security Nik’
  **TOTAL RECALL 2024** – Memory Forensics Self-Paced Learning/Challenge/CTF
- Lee Jun Hyeong at Plainbit
  [TIP#9] ETL File analysis in live
- Terryn at chocolatecoat4n6
  Chaos to Clarity: Why Triage is Not Optional
- The DFIR Report
  Threat Brief: WordPress Plugin Exploit Leads to Godzilla Web Shell, Discovery & New CVE
THREAT INTELLIGENCE/HUNTING
- Agari
  Social Media Attacks Focus on Financials, Executives in Q4
- Kyle Lefton & Larry Cashdollar at Akamai
  NetKiller.Condi Botnet Exploits CVE-2024-0778 One Week After Disclosure
- Anton Chuvakin
  WhatDR or What Detection Domain Needs Its Own Tools?
- AttackIQ
  Response to CISA Advisory (AA24-060B): Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
  Emulating the Sabotage-Focused Russian Adversary Sandworm
  Response to the Revised CISA Advisory (AA23-353A): #StopRansomware: ALPHV BlackCat
  Response to ScreenConnect’s Recent Zero-day Vulnerability Exploitation
- Patterson Cake at Black Hills Information Security
  OSINT for Incident Response (Part 2)
- BushidoToken
  Tracking Adversaries: UAC-0050, Cracking The DaVinci Code
- CERT-AGID
- Check Point
- Yehuda Gelb at Checkmarx Security
  GitHub Repos used for Distributing Malware
- Cisco’s Talos
- Cleafy
  On-Device Fraud on the rise: exposing a recent Copybara fraud campaign
- Andi Ahmeti at Permiso
  Introducing CloudGrappler: A Powerful Open-Source Threat Detection Tool for Cloud Environments
- Himanshu Anand and Juan Miguel Cejuela at Cloudflare
  Navigating the maze of Magecart: a cautionary tale of a Magecart impacted website
- Cyble
- Cyborg Security
- Cyfirma
  Weekly Intelligence Report – 08 Mar 2024
- Roman Faithfull at Cyjax
  Initial Access Brokers Explained
- Delivr.to
  WebAssembly Smuggling: It WASM’t me
- Arda Büyükkaya at EclecticIQ
  WikiLoader Delivery Spikes in February 2024
- Esentire
- Flare
  Threat Spotlight: Data Extortion Ransomware Threats
- g0njxa
  Profiling Трафферы: KZ Team Reborn
- Shane Huntley at Google Threat Analysis Group
  TAG Bulletin: Q1 2024
- GreyNoise
- GuidePoint Security
  BianLian GOs for PowerShell After TeamCity Exploitation
- Huntress
- Darren Spruell at InQuest
  Around We Go: Planet Stealer Emerges
- Intel-Ops
  Phobos Ransomware: Analysing associated infrastructure used by 8Base
- Jacob Baines at VulnCheck
  Does Confluence Dream of Shells?
- KELA Cyber Threat Intelligence
  I-Soon leak: KELA’s insights
- Konrads Klints
  Using CryptnetUrlCache to identify malware callbacks
- Keith Wojcieszek, George Glass, and Dave Truman at Kroll
  TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
- Ugur Koc and Bert-jan Pals at Kusto Insights
  Kusto Insights – February Update
- Anish Bogati at Logpoint
  Inside DarkGate: Exploring the infection chain and capabilities
- Microsoft Security Response Center
  Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard
- Mike Cunningham at MITRE-Engenuity
  Insider Threat Knowledge Base 2.0: More Techniques, New Mitigations, and the Human Touch
- MITRE-Engenuity – Medium
  Tales Of Valhalla – March 2024
- Penetration Testing Lab
- Prodaft
  How to Use Threat Intelligence Efficiently?
- Proofpoint
- Jason Killam and Tess Mishoe at Red Canary
  Better know a data source: Files
- Alex Reid at Red Siege Information Security
  Dumping LSASS Like it’s 2019
- ReliaQuest
- SANS Internet Storm Center
- Securelist
  Spam and phishing in 2023
- Tal Langus at Security Intelligence
  New Fakext malware targets Latin American banks
- Sekoia
- Ryan Fetterman at Splunk
  Add To Chrome? – Part 4: Threat Hunting in 3-Dimensions: M-ATH in the Chrome Web Store
- Stephan Berger
  Two in a row – You mitigated wrong (Kentico CMS RCE)
- Sucuri
- Symantec Enterprise
  Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers
- Team Cymru
  Coper / Octo – A Conductor for Mobile Mayhem… With Eight Limbs?
- Jambul Tologonov and John Fokker at Trellix
  The Dark Side of Innovation: Cybercriminals and Their Adoption of GenAI
- Trend Micro
- Reegun Jayapaul at Trustwave SpiderLabs
  Resurgence of BlackCat Ransomware
- Andre Rall at Uptycs
  EC2-Instance-Connect Lateral Movement Strategy for Data Exfiltration
- Joseliyo Sánchez at VirusTotal
  COM Objects Hijacking
- Merav Bar and Gili Tikochinski at Wiz
  Authentication bypass vulnerabilities in TeamCity: everything you need to know
- Himanshu Sharma, Arkaprava Tripathi and Meghraj Nandanwar at ZScaler
  Android and Windows RATs Distributed Via Online Meeting Lures
UPCOMING EVENTS
- Black Hills Information Security
- Cellebrite
  Maximizing Data Collection with SaaS Innovations
- Stairwell
PRESENTATIONS/PODCASTS
- A Conference for Defense
- Black Hat
- Breaking Badness
  Breaking Badness Cybersecurity Podcast – 181. Say My CNAME, Say My CNAME
- Chainalysis
  2024 Chainalysis Crypto Crime Report Preview – Ep. 97
- Cyber from the Frontlines
  E5 Intrusion Analysis | The DFIR Report
- CYBERWOX
  Splunk Processing Language For Cybersecurity Investigations – TryHackMe Exploring SPL
- Digital Forensic Survival Podcast
  DFSP # 420 – Failing, Stopping and Crashing
- Hardly Adequate
- InfoSec_Bret
  Challenge – Malicious Chrome Extension
- Insane Forensics
  Volt Typhoon: When Firewalls Fail and What To Do About Them
- Intel471
  Cybercrime Exposed Podcast Crypto Heist
- Jai Minton
  This SVCHOST MALWARE recruits you into a botnet – BlackNET RAT deep dive malware analysis
- John Hammond
- MSAB
  Importing the E01 Format in XRY
- MyDFIR
- Off By One Security
  Scripting with IDA pro – IDA Pro and Hex-Rays Giveaway!
- Paraben Corporation
- SANS
  FOR589: Cybercrime Intelligence Overview
- Semantics 21
  S21 LASERi-X v2.5 highlights
- SentinelOne
  PinnacleOne ExecBrief | Malicious Insider Threat to Strategic Enterprises
- The X-Terminator (X-Ways Clips Channel)
MALWARE
- ASEC
- Nathaniel Raymond at Cofense
  Car Insurance Emails Drives for NetSupport RAT Infection
- CTF导航
- Amr Ashraf at Cyber 5W
  Setup a Pro Malware Analysis VM
- Cybereason
  Unboxing Snake – Python Infostealer Lurking Through Messaging Services
- DD
  Breaking down Atomic MacOS Stealer (AMOS)
- Digital Daniela
  Basic Dynamic Malware Analysis Through API Calls
- Dr Josh Stroschein – The Cyber Yeti
  Customizing FakeNet-NG for Malicious Document Analysis! How to modify the web root
- Cara Lin at Fortinet
  New Banking Trojan “CHAVECLOAK” Targets Brazil
- Aseel Kayal at Mandiant
  Delving into Dalvik: A Look Into DEX Files
- OALABS Research
  GitHub Bug Used to Infect Game Hackers With Lua Malware
- PetiKVX
- Andreas Klopsch and Matt Wixey at Sophos
  It’ll be back: Attackers still abusing Terminator tool and variants
- Tony Lambert
  Dissecting a Java Pikabot Dropper
- VMRay
  i-Soon or Later: Exposing the sandbox secrets of cyber espionage
- Jason Reaves and Joshua Platt at Walmart
  Unknown Nim Loader using PSBypassCLM
- Anh Ho, Facundo Muñoz, and Marc-Etienne M.Léveillé at WeLiveSecurity
  Evasive Panda leverages Monlam Festival to target Tibetans
MISCELLANEOUS
- Any.Run
  How We Built Threat Intelligence Lookup
- Atola Technologies
  RAID Reassembly and Image Acquisition
- BI Zone
  We launched BI.ZONE Cyber Polygon Platform for individual training
- Bishop Fox
  Further Adventures in Fortinet Decryption
- Blumira
  Getting Started with Sysmon: Configuration and Best Practices
- Decrypting a Defense
  ShotSpotter’s Bad Month, Messaging Discovery, Significant Locations, Emerging Surveillance Technologies & More
- Digital Forensics Myanmar
  What Forensic Vendors Don’t Like To Tell Their Customers
- Security Onion
  1-month End Of Life (EOL) reminder for Security Onion 2.3
- Forensic Focus
- HackTheBox
  Our top 5 DFIR labs for beginner analysts (to get good fast)
- InfoSec Write-ups
  Mastering Wireshark: A Beginner’s Guide for Networks Analysis
- SANS
- Sleuth Kit Labs
  Formation of the Open Source Digital Forensics Developer’s Council
- SOC Fortress
  Monitor Your SIEM Stack with InfluxDB
SOFTWARE UPDATES
- Digital Sleuth
  winfor-salt v2024.3.7
- Eric Zimmerman
  ChangeLog
- ExifTool
  ExifTool 12.78 – “Geolocation”
- FalconForce
  v1.3.0 – SO-CON edition
- MISP
  MISP 2.4.186 released with analyst data feature including analyst notes, opinions and relationships.
- OpenCTI
  6.0.5
- Oxygen Forensics
  Oxygen Analytic Center v.1 Updates
- Passmark Software
  OSForensics – V11.0 build 1006 4th March 2024
- Regipy
  4.1.1
- Rizin Organization
  cutter v2.3.4
- Ulf Frisk
  MemProcFS Version 5.9
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!