Last chance to enter your votes for the 2019 Forensic 4Cast Awards, held at the SANS DFIR Summit in Austin, Texas.
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ converts VMware disks with an SFS dynamic extended partition marker using TestDisk.
  How to convert a Windows SFS (Dynamic Disks) partition to regular partition for forensic analysis
- Bryan Ambrose at Data Digitally shares a short summary regarding last access times from Harlan Carvey’s Investigating Windows Systems book.
  Enable “Last Access” Time Updates
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’ finds a video appended to a JPEG file, which has been seen with Microsoft’s “Living Image”, Apple’s “Live Photo”, and Google’s “Motion Photos”.
  Video Thumbnails
- Gary at Salt Forensics provides some guidance on identifying password spraying attacks in the Security event log.
  4625 Events – Know your enemy
- Almost a year after it was identified by the forensics community, Microsoft confirms RegBack is no longer a thing from 1803 onwards. So it’s not really news, just confirmation.
  The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn posted a number of times
  - Adam covers tracking down weird tasks in the Tasks folder.
    taskhost.exe $(Arg0) & its other arguments
  - And a malformed IDA plugin lolbin test.
    …and the most 1337 #lolbin is…
  - A slight command line difference between the 32 and 64-bit versions of IDA/Hex-Rays.
    Batch decompilation with IDA / Hex-Rays Decompiler
  - More on reusing signed binaries.
    Bring your own lolbas?
  - The madness of threat hunting on company names.
    Sign your name across my heart; vendor… use one name only…
- Check Point Research shares a campaign using the Facebook page for “Khalifa Haftar” to spread malware targeting Libya.
  Operation Tripoli
- Cylance examines multiple Ratsnif trojans deployed by OceanLotus (APT32).
  Threat Spotlight: Ratsnif – New Network Vermin from OceanLotus
- Mike at ‘CyberSec & Ramen’ found a PowerShell script on Pastebin bearing similarities to Metasploit reverse shell scripts.
  PowerShell Reverse Meterpreter Script Analysis
- Nader Shalabi at nosecurecode updates Sysmon View with a process hierarchy view and the ability to parse network packet captures.
  Sysmon in a Box
- Dwight Hohnstein at SpecterOps examines the priorities around asynchronous procedure calls.
  The Curious Case of QueueUserAPC
- Threat Recon presents a look back at threat actors seen in May 2019.
  Monthly Threat Actor Group Intelligence Report, May 2019
- Hara Hiroaki and Loseway Lu with Kawabata Kohei at TrendMicro look at a recent TA505 campaign delivering what they call the Gelup loader. Additional details about the FlowerPippi backdoor, C&C, and more can be found in the technical brief or appendix PDFs linked to in the article.
  Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
UPCOMING WEBINARS/CONFERENCES
- Dave Kennedy at Binary Defense is hosting a threat hunting webinar on Thursday, July 18th.
  Proactive Analysis Through Threat Hunting Exercises
PRESENTATIONS/PODCASTS
- On this week’s Digital Forensic Survival Podcast, Michael talks about IR in container deployments.
  DFSP # 176 – Cloud Incident Response
- Matt Green shared his presentation on endpoint hunting, titled “Endpoint Hunting in an AntiEDR World”.
  Endpoint Hunting in an AntiEDR World
- Richard Davis at 13Cubed shows the new Windows Terminal available in the Windows App Store. Richard shows that there’s a new console host process that manages the terminal; however, there’s no Volatility profile available to examine a memory dump. It would be interesting to dump the process specifically and run strings over it to see what’s stored.
  First Look at Windows Terminal
- I recorded my ‘This Month In 4n6’ podcast for the month of June.
  This Month In 4n6 – June – 2019
MALWARE
- There were a few writeups about Sodinokibi this week. While both samples blogged about this week were first submitted to VT mid-June 2019, one of the samples had a compilation timestamp of November 2018.
  - Cylance shares a Sodinokibi ransomware sample seen frequently delivered through MSSPs and spam campaigns.
    Threat Spotlight: Sodinokibi Ransomware
  - Orkhan Mamedov, Artur Pakulov, and Fedor Sinitsyn at Securelist share a Sodinokibi sample particularly targeting Taiwan, Hong Kong, and South Korea.
    Sodin ransomware exploits Windows vulnerability and processor architecture
- Brian Laskowski looks at two Lokibot samples, one using the command line to run an MSI and the other using certutil to download a payload from bit.ly.
  Lokibot, a trickster bot indeed
- Holger Unterbrink and Edmund Brumaghin at Cisco Talos share detection evasion techniques seen in the HawkEye Reborn keylogger.
  RATs and stealers rush through “Heaven’s Gate” with new loader
- Vlad Ogranovich at Cybereason looks at the rise in exploit kits, including Fallout EK installing AZORult.
  Watch Where You Browse – The Fallout Exploit Kit Stays Active
- Dario Durando at FortiGuard performs static and dynamic analysis on an Android dropper targeting Turkish banking apps.
  BianLian: A New Wave Emerges
- There were a couple of posts on the G Data Security blog this week
  - Ransom Bleed examines the Silentbruter trojan and its C2 structure.
    A further look at the “Silentbruter” malware – Internal folder structures revealed
  - Hauke Gierow also shares that, halfway through 2019, over 33,000 variants of the Emotet banking trojan have been observed so far this year.
    Emotet now has over 30.000 variants and counting
- Alex Turing and Yegenshen at 360 Netlab name the Lua-based backdoor “Godlua”.
  An Analysis of Godlua Backdoor
- Csaba Fitzl, guest posting at Objective-See’s blog, looks at how to find macOS apps vulnerable to privilege escalation. Fitzl also covers how to monitor macOS apps, including with FireEye’s Monitor.app and Objective-See’s ProcInfo library.
  Getting Root with Benign AppStore Apps
- Josh Grunzweig at Palo Alto Networks dives into GoLang malware, aggregating over half a million samples across different OSes, most of which were pentest related.
  The Gopher in the Room: Analysis of GoLang Malware in the Wild
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens shows how optional streams like user forms can contain payloads, then follows up with a post on a hidden user form in the wild. Didier continues with this post on the contents of the maldoc.
    Maldoc: Payloads in User Forms, (Mon, Jul 1st)
  - Xavier Mertens looks at obfuscated Pastebin code using mshta to eventually deliver a RAT.
    Malicious Script With Multiple Payloads, (Tue, Jul 2nd)
  - Rob VandenBrink shares a great IR script that will look for a known hash across a domain and kill it.
    Using Powershell in Basic Incident Response – A Domain Wide “Kill-Switch”, (Tue, Jul 2nd)
  - Didier Stevens also posts a teaser on deciphering machine code.
    Machine Code?, (Thu, Jul 4th)
- Jessie Huang at TrendMicro shares malicious Android adware seen in Google Play and third-party app stores connecting out to the server anncute[.]com.
  Adware Campaign Identified From 182 Game and Camera Apps on Google Play and Third-Party Stores Like 9Apps
- Fernando Mercês at TrendMicro shows how to use GDB to look at Linux ELF malware.
  A Quick and Efficient Method For Locating the main() function of Linux ELF Malware Variants
- VMRay recaps the SANS webinar Rohan Viegas hosted with Tamas Boczan and Jake Williams on banking trojans like Trickbot and Ursnif.
  SANS Webcast Recap: Hitting the Silent Alarm on Banking Trojans
- Antonio Farina, Antonio Pirozzi, and Luca Mella at Cybaze-Yoroi describe LooCipher ransomware (.lcphr extension), which uses Tor.
  LooCipher: The New Infernal Ransomware
MISCELLANEOUS
- Robert M. Lee shares a tribute to Mike Assante and the huge impact Mike left; please take a moment to read.
  Goodbye Mike Assante, Thank you For Literally Everything
- Brett Shavers shares some updates on the happenings at DFIR.Training.
  Upcoming additions to DFIR Training, news from the DFIR Training Patreon page, and a few other things
- Cyan Forensics introduce Cyan Core, which “is designed to build Contraband Filters from national and international sized datasets, which can be incrementally updated with new material.”
  Cyan Core Launches on G – Cloud 11
- There were a few posts on Forensic Focus this week
  - Nikola Novak shares a case study on using Oxygen Forensic Detective to examine a mobile device.
    Case Study: Extracting Messenger Data With Oxygen Forensic Detective
  - Nuix describe how the UK’s National Crime Agency has implemented a “centralised evidence processing lab on a completely virtualised infrastructure”.
    Case Study: National Crime Agency Chooses Nuix To Fight Cybercrime
  - Jade James reviews the latest release of Belkasoft Evidence Centre.
    Review: Belkasoft Evidence Center From Belkasoft
  - They shared the presentation and transcript from BlackBag’s insider threat webinar.
    Webinar: Finding Insider Threats – Digging Deeper
  - As well as the presentation by Rich Frawley at ADF on the recently released Mobile Device Investigator product.
    Webinar: Mobile Device Investigator For Android & iOS
  - They also continued their ‘What’s Happening In Forensics’ series.
- Johann Hofmann at Griffeye shares some more details about the new Griffeye Intelligence Database.
  GID – A Big Step for Intelligence Sharing and Collaboration
- Jesse Spangenberger at Cyber Fēnix Tech gives an overview of the Tsurugi forensic distros.
  DFIR OS Tsurugi
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week.
  Weekly News Roundup — June 30 to July 7
- Andrew Case at Volatility Labs gives an update on some of the good work that the Volatility Foundation has been doing.
  Helping to Build the Next Generation of Memory Forensics Researchers and Practitioners
SOFTWARE UPDATES
- Atola Technologies have released an update to their Insight Forensic product, v2019.4.
  Atola Insight Forensic 2019.4 release with NVMe support
- Belkasoft Evidence Centre v.9.6 was released.
  What’s new in BEC v.9.6
- DVR Examiner 2.7 was released.
  Download DVR Examiner 2.7
- KAPE v0.8.5.1 was released.
  0.8.5.1 2019-07-01
- Eric Zimmerman updated Get-ZimmermanTools, Timeline Explorer, and MFTECmd.
  ChangeLog
- ExifTool 11.54 was released with new tags and bug fixes.
  ExifTool 11.54
- GetData updated Forensic Explorer to v4.8.2.8668.
  06 July 2019 – 4.8.2.8668
- Griffeye released Analyze 19.1.
  Release of Analyze 19.1
- Sandfly Security’s latest update, v2.0, now allows you to write your own Sandflies.
  Sandfly 2.0 Released – Write Your Own Sandflies
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!