Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Eric Zimmerman has released an Event Log parsing utility, EvtxECmd
Introducing EvtxECmd!!
- Damian Pfammatter at Compass Security explains the various event log entries that are useful to track removable media
Investigating Data Leakage via External Storage Devices
- The papers from DFRWS EU were released
Volume 28, Supplement
- Mark Lohrum at ‘Free Android Forensics’ gives a Marvel-themed overview of Magnet’s recently released App Simulator
Magnet Forensics App Simulator
- H-11 Digital Forensics demonstrates how to identify and examine Apple Live Photos using Blacklight
How to Confirm Apple Live Photos with BlackBag
- Howard Oakley at ‘The Eclectic Light Company’ describes the quarantine extended attribute (xattr) on macOS, which can be useful in DFIR investigations
🎗 Quarantine: Documents
- Jack Farley describes the components for building your own electronics lab
Building your own JTAG, ISP, & Chip Off Lab
- Maxim Suhanov has identified that in the latest beta of Win10, users can create drives with very large cluster sizes. According to Maxim, many tools are currently unable to deal with this.
NTFS: large clusters
- Mike Williamson shares his research into location tracking via LG’s MPT database
MPT – LG’s incognito version of KnowledgeC
THREAT INTELLIGENCE/HUNTING
- John Strand at Active Countermeasures posted a couple of times this week
- He posted about what you may want to log, using the ATT&CK framework and JPCERT as resources for deciding what you should be detecting.
Log Analysis Part 1 – Enterprise Logging Approaches
- John then posts about DeepBlueCLI and how to use the tool to parse event logs to detect password spraying, remote authentication attacks, and Mimikatz.
Log Analysis Part 2 – Detecting Host Attacks: Or, How I Found and Fell in Love with DeepBlueCLI
- Adam at Hexacorn posted a few times this week:
- Adam pulls on research from Mitja Kolsek about cmd.exe being able to run any executable, no matter what it’s named.
cmd.exe running any file no matter what extension
- Adam shares a tricky way to execute code in a remote process.
WordWarper – new code injection trick
- He also shares a tricky way to use callback overwrites in tree-view controls.
Treepoline – new code injection technique
- If you can’t get enough of code injection tricks, Adam writes more about WordWarping, Hyphentension, AutoCourgette, Streamception, and Oleum.
3 (4) new code injection tricks
- Wrapping up the series, Adam covers list-view controls.
Listplanting – yet another code injection trick
- Adam also revisits a post from 2016, expanding on API cold calling.
Returning the call – ‘moshi moshi’, the API way (a.k.a. API cold calling), Part 2
- And more on code injection and LOLBins, this time using Notepad.
Poisoning MUI files
- Itay Cohen at Check Point Research uses Cutter and Radare2 to examine the Ocean Lotus backdoor.
Deobfuscating APT32 Flow Graphs with Cutter and Radare2
- Mor Levi at Cybereason looks at how to threat hunt using different techniques including IOCs, research reports, Google dork queries, Mitre ATT&CK, and intelligence from previous incidents.
How to Generate a Hypothesis for a Threat Hunt
- Shannon Vavra at CyberScoop looks at Russian hackers sending out emails purportedly from the US State Department, with Excel attachments which eventually enable remote control of victim computers via TeamViewer.
Embassies targeted in ongoing spearphishing campaign that weaponized Microsoft Excel files
- Chen Erlich at Ensilo looks at threat hunting with YETI, helping answer the question “where have I seen this artifact before?”
Threat Hunting using YETI and Elastic Stack
- Mark Simos, Kristina Laidler (Senior Director), and John Dellinger look at how the Microsoft SOC is set up, including the division between threat intel, IR, and analysts.
Lessons learned from the Microsoft SOC—Part 2: Organizing people
- Brian Donohue at Red Canary looks at scripting, the second most common attacker technique behind PowerShell.
Adversaries use scripting more than any ATT&CK technique except PowerShell
- Richie Cyrus at SpecterOps releases Venator, a Python tool for hunting on macOS environments.
Introducing Venator: A macOS tool for proactive detection
- Matt Suiche at Comae Technologies looks beyond ETW events using EXTRAPULSAR PoC as an example of evading EDR detection.
How to Solve the Blindspots of Event-Driven Detection
UPCOMING WEBINARS/CONFERENCES
- Jim Walter and Jamie French at Cylance will be presenting a webinar on fileless attacks on Tuesday April 30, 2019.
Webinar: Fileless Attacks and How You Can Stop Them
- The CFP for OSDFCon is open and closes May 31. The event will be held October 16th
Check out @carrier4n6’s Tweet
- The SECURE 2019 call for speakers is open for the conference in Warsaw, Poland October 22-23, 2019.
SECURE 2019 – Call for Speakers
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the presentations from BSidesCharm 2019
- Presentations from Blackhat Asia 2019 were uploaded to YouTube
- Josh Douglas’s presentation from Blackhat USA on threat intelligence was uploaded
Your Guide to An Integrated Threat Intelligence Strategy
- Blackbag Technologies have uploaded a short video on where the “Last Executed” tab in Blacklight gets some of its data
LastExecuted
- On this week’s Digital Forensic Survival Podcast, Michael talks about the svchost process, which is commonly targeted by malicious actors
DFSP # 166 – SVCHOST Abuse
- Mark Scanlon shared the presentation that he gave with Taj Atwal and Nhien-An Le-Khac at DFRWS EU on MacOS Spotlight
Check out @mrkscn’s Tweet
- Richard Davis at 13Cubed has uploaded a video on building his DFIR home lab
DFIR Home Labs
- SANS uploaded Juan Andres Guerrero-Saade’s talk from the 2019 CTI Summit
Unsolved Mysteries – Revisiting the APT Cold Case Files – SANS CTI Summit 2019
- SANS also shared a presentation by Eric Zimmerman on some of his tools
A Guide to Eric Zimmerman’s command line tools (EZ Tools)
- SecIC shared Matt Brenton’s presentation on Threat Intel from their March briefing
SecIC March 2019: “Threat Intelligence 101” – Matt Brenton / @chupath1ngee
- The presentations from Troopers19 were released
MALWARE
- Alexander Adamov at ‘Malware Research Academy’ continued reversing LockerGoga
- He discusses the encryption algorithms (12mins).
Reversing LockerGoga – Part2
- Alexander continues with LockerGoga file decryption (14mins).
Reversing LockerGoga – Part 3
- Carbon Black shared a couple of threat intel notifications
- Jared Myers writes about HopLight, linked to DPRK/Lazarus Group.
CB TAU Threat Intelligence Notification: HopLight Campaign (Linked to North Korea) is Reusing Substantial Amount of Code
- Swee Lai Lee looks at a password-protected .zip file containing a document that launches WMI, related to Emotet.
CB TAU Threat Intelligence Notification: Emotet Utilizing WMI to Launch PowerShell Encoded Code
- Check Point Research looks at an Excel file allowing remote access via TeamViewer.
FINTEAM: Trojanized TeamViewer Against Government Targets
- Max Gannon at Cofense looks at a remote access trojan disguised as a Fidelity Life claim for life insurance.
When You Unsubscribe to these Emails, You ‘Subscribe’ to the Loda RAT
- Eli Salem at Cybereason looks at a TA505 targeted phishing campaign delivering the ServHelper Backdoor via Excel.
Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware
- FireEye published a series on CARBANAK by Michael Bailey and James T. Bennett this week:
- Starting with an introduction to the CARBANAK backdoor, the FireEye researchers look for vulnerabilities in the source code.
CARBANAK Week Part One: A Rare Occurrence
- CARBANAK analysis continues with looking at AV evasion.
CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis
- They revisit some of the analysis previously published in prior years.
CARBANAK Week Part Three: Behind the CARBANAK Backdoor
- They conclude the CARBANAK series by looking at the malware’s capability to record video of the victim’s desktop.
CARBANAK Week Part Four: The CARBANAK Desktop Video Player
- Kai Lu at Fortinet looks at vulnerabilities fixed in the recent Apple security updates.
Detailed Analysis of macOS Vulnerability CVE-2019-8507
- Miriam Cihodariu at Heimdal Security Blog examines Karkoff, .NET malware related to the DNSpionage malware campaign.
New .NET-based Malware Karkoff Intelligently Adapts to Security Settings
- Intezer looks at how financial services investigations can be aided by breaking malware down into pieces for classification.
Genetic Malware Analysis Use Cases: Financial Services
- Kaspersky shares more details about their still in progress investigation of ShadowHammer.
ShadowHammer: New details
- Andreas Pafitis at Lastline examines LockerGoga, including the changes seen in different versions of the ransomware.
LockerGoga: When Ransomware Strikes Back
- LangTuBongDem looks at a Word document targeting Vietnam and delivering a malicious .hta file.
New campaign using Cobalt Strike to attack Vietnam
- Malwarebytes Labs published a few times this week
- Wendy Zamora looks at an increase in attacks on corporations led by trojans like Emotet, and introduces their Q1 report (21-page PDF).
Labs Cybercrime Tactics and Techniques report finds businesses hit with 235 percent more threats in Q1
- Christopher Boyd reviews the IC3 online crime report highlighting BEC including payroll diversion, and tech support fraud.
A look inside the FBI’s 2018 IC3 online crime report
- Jérôme Segura looks at the Magecart skimmer uploaded to GitHub in the last week of April 2019.
GitHub hosted Magecart skimmer used against hundreds of e-commerce sites
- Marco Ramilli examines leaked APT34 source code and potential targets.
APT34: webmask project
- Paul Ducklin at Naked Security looks at an open source Windows PoC backdoor dubbed ExtraPulsar (based on the NSA’s DOUBLEPULSAR).
ExtraPulsar backdoor based on leaked NSA code – what you need to know
- On Objective-See’s Blog, Patrick Wardle looks at Mac adware that may be related to Pirrit.
Mac Adware, à la Python
- Mark Lim at Palo Alto Networks follows up on the BabyShark spear phishing campaign which involves possible nuclear security espionage on the Korean peninsula.
BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
- ReaQta examines the AVE_MARIA phishing campaign where a Word document exploits Microsoft Equation Editor (eqnedt32.exe) to initiate RDP connections.
Ave_Maria Malware: there’s more than meets the eye
- Didier Stevens examined a number of files on the SANS Internet Storm Center Handler Diaries
- He examines a rar file that could contain an ACE exploit
.rar Files and ACE Exploit CVE-2018-20250, (Mon, Apr 22nd)
- Didier also demonstrates how to analyze “a malicious Word document found in-the-wild that was hard to analyze”
Malicious VBA Office Document Without Source Code, (Tue, Apr 23rd)
- Lastly, Didier uses his tool format-bytes.py “to dissect the exploit [from a previous diary] using a long string of format specifiers”
Quick Tip for Dissecting CVE-2017-11882 Exploits, (Sat, Apr 27th)
- Following on discussions at the recent SAS conference, Securelist shares more information about ShadowHammer.
Operation ShadowHammer: a high-profile supply chain attack
- Symantec looks at Beapy, a cryptojacking worm that spreads using the EternalBlue exploit.
Beapy: Cryptojacking Worm Hits Enterprises in China
- There were a couple of posts on Cisco’s Talos blog this week
- Nick Biasini and Edmund Brumaghin, with Andrew Williams, look at JasperLoader, which is distributed primarily in Europe via spam campaigns.
JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan
- Warren Mercer and Paul Rascagneres share a DNSpionage campaign and possible links to Karkoff malware and the Oilrig leak.
DNSpionage brings out the Karkoff
- TrendMicro posted on a couple topics this week
- Mohamad Mokbel looks at code injection techniques in compiler runtime libraries.
Analyzing C/C++ Runtime Library Code Tampering in Software Supply Chain Attacks
- Llallum Victoria with Henry Alarcon Jr., John Rey Cañon, and Jay Nebre look at malicious MSI packages.
Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts
- Santosh Subramanya and Raghvendra Mishra examine the recent RCE vulnerability published by Nightwatch Cybersecurity earlier this month.
Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat
- Marco Dela Vega, Jeanne Jocson, and Mark Manahan with Jakub Urbanec look at recent changes to Emotet including use of a proxy command and control.
Emotet Adds New Evasion Technique and Uses Connected Devices as Proxy C&C Servers
- Augusto II Remillano examines a vulnerability targeting the Widget Connector macro in Atlassian Confluence Server.
AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining
- There were a couple of posts on the Yoroi blog this week
- They share information about Excel documents delivering the Ursnif data stealer.
Ursnif “FATTURA/DOC” attack wave
- They also cover Pteranodon from the Gamaredon APT targeting Eastern Europe.
The Russian Shadow in Eastern Europe: Ukrainian MOD Campaign.
MISCELLANEOUS
- AccessData announced an API for their products
AccessData Rolls Out New API That Supports Automation of Digital Investigations
- Richard Frawley at ADF demonstrates performing targeted scans and captures in DEI
Collecting Files by Targeted Folders to Speed a Forensic Investigation
- “A new forum for Autopsy and The Sleuth Kit was setup”
Check out @sleuthkit’s Tweet
- Brett Shavers wants us to be more positive!
Game of Thrones, DFIR Style
- The guys at Cyber Forensicator shared their picks for the Forensic 4Cast Awards. Thanks for the nomination! You can nominate your picks here.
2019 Forensic 4cast Awards: Cyber Forensicator’s Nominations
- Brian Carrier at Cyber Triage describes various methods of artefact collection on live systems
How to Speed Up Incident Response: Collect Artifacts Faster
- The submissions for the DFRWS 2018 Challenge were uploaded to Github
dfrws2018-challenge
- DME Forensics announced a partnership with Cellebrite to integrate into Cellebrite’s Digital Intelligence platform
Video Evidence to Digital Intelligence with DME Forensics and Cellebrite
- Rob Graham at ‘Errata Security’ shares his thoughts on the programming languages infosec professionals should look into learning
Programming languages infosec professionals should learn
- Griffeye explain some of the changes to v19.0 of their Analyze DI Core product
Upcoming changes in Analyze DI Core
- H-11 Digital Forensics repost an article from Forensic Mag by Gillware’s Cindy Murphy on the role of digital forensics in IP theft
The Critical Role of Digital Forensics in IP Theft Litigation
- Jean-Philippe shares a repository to “archive associations between Apple Team Identifiers, Bundle Identifiers and domain names”
Check out @Jipe_’s Tweet
- Kenneth Hartman has updated his “forensicate.cloud/ws1 workshop with step-by-step videos”
Check out @KennethGHartman’s Tweet
- Tarah Melton at Magnet Forensics shared her picks for the Forensic 4Cast Awards
Who We’re Nominating for This Year’s Forensic 4:cast Awards: Part 3
- Matthew Green describes the “practical new features implemented in a recent refactor of Invoke-LiveResponse”
Live Response Script Builder
- Ryan Benson at dfir.blog walks through answering the ‘Basic – Desktop’ questions from the MUS 2019 CTF using Plaso, Timesketch, and Colab
Solving Magnet Forensics CTF with Plaso, Timesketch, and Colab
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — April 21 to 27
- Seth Enoka adds a Windows 7 machine to his personal forensics lab network
Create a Personal Forensics Lab Part 5: The Windows 7 Workstations
- Sumuri show their contributions to “The Future is Female: Girls in STEM” program
Girl Power and Forensics!
- The Elcomsoft Tool Evaluation team added some more tools to their testing and shared their results
Elcomsoft Tool Evaluation Blog 3
- Yulia Samoteykina at Atola describes the multi-pass imaging functionality of the Atola products. The demonstration is of the TaskForce, however this works on the Insight as well.
Multi-pass imaging of damaged drives
SOFTWARE UPDATES
- AceLab released a number of updates to their products
The new versions of PC-3000 Express/UDMA-E/Portable Ver. 6.6.29, Data Extractor Ver. 5.9.15, Data Extractor RAID Edition Ver. 5.9.15, PC-3000 SSD Ver. 2.7.8, PC-3000 SAS Ver. 6.6.29 are available now!
- AChoir Version 3.4 was released
AChoir Version 3.4
- Autopsy 4.11.0 was released with a variety of new features and bug fixes
Autopsy 4.11.0
- Binalyze IREC version 1.8.0 was released with a number of new features and bug fixes
Version 1.8.0
- Blacklight 2019 R1 was released and Ashley Hernandez describes some of the new features
Top 3 Features To Try In Blacklight 2019 R1
- CDQR 5.0.0 was released
CDQR 5.0.0
- Didier Stevens updated a few of his Python scripts
- DVR Examiner version 2.6.1 was released
- Elcomsoft updated their Elcomsoft System Recovery to version 6.0, and Oleg Afonin has a post demonstrating its use
Elcomsoft System Recovery 6.0 Extracts Hibernation Files and Data to Break Full Disk Encryption Passwords
- Eric Zimmerman updated KAPE to v0.8.3.1
- ExifTool 11.38 was released with new tags and bug fixes
ExifTool 11.38
- GetData released Forensic Explorer v4.6.8.8464 with some bug fixes and additional improvements
23 Apr 2019 – v4.6.8.8464
- Griffeye released Analyze 18.6
Release of Analyze 18.6 – Small change, big impact
- “A new version of MISP (2.4.106) has been released with a host of improvements, including new features such as a feed cache search, CLI tools to manage your MISP instance along with improved diagnostics.”
MISP 2.4.106 released (aka Too many improvements)
- Paraben released E3 2.2 Bronze Edition with new features and bug fixes
E3 2.2 Bronze Edition is now available!
- TZWorks released their April 2019 build, updating a number of tools
Apr 2019 build (package)
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
One thought on “Week 17 – 2019”