Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Marco Neumann has started a blog, ‘Be-binary 4n6’, and documents his research into the Skype application
- The first post shows the differences between the desktop and Metro-style Skype apps, as well as how Skype stores data differently across versions
Skype Analysis – From the old one to the newest one – A First Overview
- Marco also shares a process and script to allow an examiner to “tell if a picture in the folder media_messaging/media_cache_v3 was sent or received and also by whom” on the Win10 Skype app (v12.7+)
Analysis of Skype – Windows 10 App Version 12.7 and higher
- Manuel Guerra at Glider examines the Tinder Android app
Tinder, cuando haces Match, no hay STOP.
- Magnet Forensics released a new whitepaper on cloud-based collection and analysis
White Paper: Cloud-Based Data Collection & Analysis: A NW3C Best Practices Guide
THREAT INTELLIGENCE/HUNTING
- Some of the most interesting threat hunting news this week wasn’t in artfully finding a needle in a haystack but in putting the pieces of a big campaign together to tell a story.
- Krebs on Security zooms out to look at the “end” of GandCrab activity and the money, targeted nations, and URLs that seem to imply a relationship with REvil and Sodinokibi.
Is ‘REvil’ the New GandCrab Ransomware?
- John Fokker and Thomas Roccia at McAfee Labs share how they were able to help the Dutch National High-Tech Crime Unit take down the suspected person behind the Rubella (Office) Macro Builder.
McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect
- Matt Bromiley, Noah Klapprodt, Nick Schroeder, and Jessica Rocchio with Delyan Vasilev and Alex Lanstein at FireEye Threat Research share an Iranian campaign which employs LinkedIn, social engineering, and new malware variants (VALUEVAULT, LONGWATCH, and PICKPOCKET).
Hard Pass: Declining APT34’s Invite to Join Their Professional Network
- Adam at Hexacorn releases 1.6M sandbox reports and also explains their origin.
Logs from 1.6M sandboxed samples – release
- Black Hills Information Security shares a YouTube video (55 minutes) on testing and tuning logs for detection.
Attack Tactics 7: The logs you are looking for.
- Maarten Goet shares Azure Sentinel tips which allow less experienced analysts to perform hunting.
Azure Sentinel: helping your SOC with investigation and hunting
- Matt at ‘Bit_of_Hex’ reminds investigators that malicious LNK files contain information about the attacker’s machine, and shows how to pivot on that information during analysis.
Deriving intelligence from LNK files
- Blake Strom, Tim Schulz, and Katie Nickels at MITRE ATT&CK write about using ATT&CK for adversary emulation, including where to start with Atomic Red Team.
Getting Started with MITRE ATT&CK: Adversary Emulation and Red Teaming
- Katie Nickels was on Paul’s Security Weekly to talk about MITRE ATT&CK
MITRE ATT&CK: Katie Nickels, MITRE – Paul’s Security Weekly #612
- Paola Miranda at Security Intelligence discusses using threat intel to protect against DNS attacks.
Threat Intelligence Is the SOC’s Road Map to DNS Security
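As an added worked example (my own code, not from the ‘Bit_of_Hex’ post or any tool it names), here is a Python parser for the part of a .lnk file that gives away the creating machine: the TrackerDataBlock, whose “droid” file GUIDs are version-1 UUIDs and therefore embed the originating host’s MAC address and a 100ns creation timestamp next to its NetBIOS name. Field offsets follow the MS-SHLLINK layout; the sample .lnk bytes are constructed inside the block with a hypothetical machine name, MAC and volume id, not taken from a real capture.

```python
"""Pull attacker-machine artefacts out of a Windows .lnk (MS-SHLLINK) file.

The TrackerDataBlock carries the creator's NetBIOS name plus two "droid"
GUID pairs; the file GUIDs are version-1 UUIDs, so they embed the MAC address
and a 100ns timestamp of the host that created the shortcut.
"""
import calendar
import struct
import uuid
from datetime import datetime, timedelta

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIG = 0xA0000003
UUID_EPOCH_OFFSET = 0x01B21DD213814000  # 100ns ticks from 1582-10-15 to 1970-01-01 (UTC)

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation


def decode_v1_uuid(guid_le: bytes):
    """Return (mac, naive UTC datetime) for a version-1 UUID in Windows GUID byte order."""
    u = uuid.UUID(bytes_le=guid_le)
    if u.version != 1:
        return None, None
    mac = ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))
    created = datetime(1582, 10, 15) + timedelta(microseconds=u.time // 10)
    return mac, created


def parse_tracker_block(blk: bytes) -> dict:
    """Decode one TrackerDataBlock (BlockSize 0x60, signature 0xA0000003)."""
    length, version = struct.unpack_from("<II", blk, 8)
    if length != 0x58 or version != 0:
        raise ValueError("unexpected TrackerDataBlock length/version")
    machine_id = blk[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
    mac, created = decode_v1_uuid(blk[48:64])          # Droid file GUID
    birth_mac, birth_created = decode_v1_uuid(blk[80:96])  # DroidBirth file GUID
    return {
        "machine_id": machine_id,
        "volume_id": str(uuid.UUID(bytes_le=blk[32:48])),
        "mac": mac,
        "created_utc": created,
        "birth_mac": birth_mac,
        "birth_created_utc": birth_created,
    }


def parse_lnk_tracker(data: bytes) -> dict:
    """Skip the variable-length .lnk sections to ExtraData; return tracker fields or {}."""
    size, clsid_le, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid_le) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:
        off += struct.unpack_from("<I", data, off)[0]
    char_size = 2 if flags & IS_UNICODE else 1
    for bit in STRING_FLAGS:  # each StringData item is a CountCharacters-prefixed string
        if flags & bit:
            off += 2 + struct.unpack_from("<H", data, off)[0] * char_size
    while off + 8 <= len(data):  # ExtraData ends with a TerminalBlock (size < 4)
        blk_size, sig = struct.unpack_from("<II", data, off)
        if blk_size < 4:
            break
        if sig == TRACKER_SIG and blk_size == 0x60:
            return parse_tracker_block(data[off:off + blk_size])
        off += blk_size
    return {}


def build_sample_lnk(machine: str, mac: str, when: datetime) -> bytes:
    """Construct a minimal hypothetical .lnk: header with no LinkFlags, one
    TrackerDataBlock, then the 4-byte TerminalBlock. Constructed test data."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, 0).ljust(0x4C, b"\x00")
    ticks = calendar.timegm(when.timetuple()) * 10_000_000 + UUID_EPOCH_OFFSET
    node = int(mac.replace(":", ""), 16)
    file_uuid = uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                                  ((ticks >> 48) & 0x0FFF) | 0x1000, 0x80, 0x42, node))
    vol_uuid = uuid.UUID("7b0d2a9e-1c4f-4b6a-9d3e-5f2a1c8b7e60")  # arbitrary volume id
    block = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
             + machine.encode("ascii").ljust(16, b"\x00")
             + vol_uuid.bytes_le + file_uuid.bytes_le
             + vol_uuid.bytes_le + file_uuid.bytes_le)
    return header + block + b"\x00\x00\x00\x00"


# Hypothetical creator: name, MAC (VMware OUI) and creation time are made up.
SAMPLE_LNK = build_sample_lnk("DESKTOP-LAB01", "00:0c:29:ab:cd:ef",
                              datetime(2019, 7, 20, 12, 0, 0))

if __name__ == "__main__":
    for key, value in parse_lnk_tracker(SAMPLE_LNK).items():
        print(f"{key:18} {value}")
```

The MAC and volume id are the pivot points: the same droid volume GUID or node across several LNK samples ties them to one build machine even when the target paths differ, and a mismatch between the Droid and DroidBirth GUIDs indicates the shortcut was copied between volumes after creation. Run the file directly to print the decoded fields for the constructed sample.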
UPCOMING WEBINARS/CONFERENCES
- Lee Reiber at Oxygen Forensics will be hosting a webinar on the Oxygen Forensic Jet Engine’s facial recognition capabilities on July 23rd, 2019 at 10 am EDT, 3 pm BST
Register For Webinar: Oxygen Forensic Jet Engine With Facial Recognition
PRESENTATIONS/PODCASTS
- The Forensic Lunch has returned! Dave, Matthew and Alex discussed what they’re up to, as well as parsing tools, event logs, and Matt’s Mario-like moustache
Forensic Lunch 7/19/19 with Alex Levinson
- On this week’s Digital Forensic Survival Podcast, Michael discusses the various Windows commands attackers will abuse
DFSP # 178 – Attacker Recon Commands
- Trey Amick at Magnet Forensics examines USB connection history on macOS
AXIOM at Work: Mac USB Investigations
- Paraben Corporation have uploaded a few videos on mobile acquisition and Win10 artefacts
- SANS shared Marika Chauvin and Toni Gidwani’s presentation from the 2019 CTI Summit
How to Get Promoted: Developing Metrics to Show How Threat Intel Works – SANS CTI Summit 2019
MALWARE
- Tom Hegel at AlienVault Labs identifies a recent campaign from “StrongPity” using supposedly legitimate software that is really spyware.
Newly identified StrongPity operations
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shared some of their favourite tools this week
- Edmund Brumaghin summarizes research from Cisco Talos about threat actor “SWEED” and the related infostealers and RATs seen since 2017.
SWEED: Exposing years of Agent Tesla campaigns
- Cylance looks back at characteristics previously seen in Virlock ransomware.
Threat Spotlight: Virlock Polymorphic Ransomware
- Chen Erlich at enSilo found a Brazilian banking trojan (Metamorfo) that hides behind a digitally signed Avast executable.
The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable
- Jason Reaves and Joshua Platt at Flashpoint uncover a fraudulent Google AdSense campaign concentrated in Russia, Ukraine, and Kazakhstan.
Newly Discovered Malware Framework Cashing in on Ad Fraud
- Kai Lu at Fortinet breaks down the IcedID banking trojan’s parent process and C2 communication.
A Deep Dive Into IcedID Malware: Part II – Analysis of the Core IcedID Payload (Parent Process)
- G Data Security describes a backdoor written in PowerShell and delivered by a VBS email attachment.
Server-side polymorphism & PowerShell backdoors
- Dr. Andreas Dewald at Insinuator.net shares how a pre-XML Word document kicked off an Emotet infection.
Emotet at Heise, Emotet there, Emotet everywhere – Dissection of an Incident
- Paul Litvak at Intezer discusses a Linux backdoor with similarities to Gamaredon Group and shares technical details.
EvilGnome: Rare Malware Spying on Linux Desktop Users
- Malwarebytes Labs had a few posts this week
- Marco Ramilli looks at challenges and statistics related to scraping TOR sites.
Scraping the TOR for rare contents
- Arnold Osipov at Morphisec examines BitPaymer ransomware (the encrypted-file extension depends on the victim company’s name).
BitPaymer Ransomware Leveraging New Custom Packer Framework Against Targets Across the U.S.
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Securelist looks at a fileless trojan with a couple of RE Easter eggs hidden inside.
Turla renews its arsenal with Topinambour
- Gabor Szappanos at Sophos News follows up on research initially from Anomali Labs about Equation Editor.
A new Equation Editor exploit goes commercial, as maldoc attacks using it spike
- Symantec examines the rise in targeted ransomware attacks including GoGalocker, MegaCortex, Robbinhood, Ryuk, and SamSam variants.
Targeted Ransomware: Proliferating Menace Threatens Organizations
- Trend Micro had a few posts
- Zuzana Hromcová at WeLiveSecurity tracks Ke3chang group activity including the Ketrican, Okrum, and RoyalDNS backdoors.
Okrum: Ke3chang group targets diplomatic missions
- Luigi Martire, Antonio Pirozzi, and Luca Mella at Cybaze-Yoroi Z-LAB look at the Hawkeye keylogger delivered as an ISO file.
Anti-Debugging Techniques from a Complex Visual Basic Packer
MISCELLANEOUS
- Rich Frawley “demonstrates ADF’s image classification capabilities.”
ADF Digital Forensic Image Recognition and Classification
- There were a few posts on Forensic Focus this week
- Joakim Kävrestad has written an article on examining data relating to the Windows Firewall
Finding And Interpreting Windows Firewall Rules
- MD5 announced the release of VFC5.
MD5 Are Excited To Announce The Launch Of VFC5 On The 15th July 2019
- They shared part of Stuart Wilson’s thesis on Steganography, VR, and digital forensics
Unreal Steganography: Using A VR Application As A Steganography Carrier
- They have opened a dedicated Jobs board
New Forensic Focus Job Board
- They also continued their ‘What’s Happening In Forensics’ series
- Koen Van Impe demonstrates the utility of his Python module for generating reports from MISP data
Generating MISP data statistical reports
- Mission Darkness demonstrate how to use their Blocker Locker faraday bag system
Blocker Locker System
- A good Android mobile reverse engineering example.
Solving Flaggy Bird (Google CTF 2019)
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — July 14 to July 20
- Dr Graeme Horsman and Dr Amber Collings at Teesside University have started a blog to share their insights on “academic, research, teaching and student activities across our Teesside University Forensic Team (TUFT)”
Welcome!
SOFTWARE UPDATES
- Arsenal have released an update to their Backstage parser
Check out @ArsenalRecon’s Tweet
- Adam at Hexacorn updated his DeXRAY script to v2.15 to add support for Windows Defender files
DeXRAY 2.15 update
- Plaso 20190708 was released with various bug fixes and refactoring
Plaso 20190708 released
- Amped released Authenticate update 13901
Amped Authenticate Update 13901: Introducing Projects and Report, PRNU with Multiple Reference Cameras, Improved Social Media Identification, and More
- Cellebrite updated UFED and UFED PA to v7.21.
Supporting new Samsung devices, data sources, and encrypted drones
- Didier Stevens updated his format-bytes script to v0.0.9
Update: format-bytes.py Version 0.0.9
- Eric Zimmerman updated PECmd
ChangeLog
- ExifTool 11.57 was released with new tags and bug fixes
ExifTool 11.57
- Foxton Forensics released a database viewer for SQLite
SQLite viewer software
- Maxim Suhanov released v1.0.0-beta18 of his dfir_ntfs file system parser
1.0.0-beta18
- “A new version of MISP (2.4.111) has been released with an improved proposal sync, minor improvements and bugs fixed.”
MISP 2.4.111 released (aka improved proposal sync)
- Velocidex Velociraptor v0.3.1 was released
Release 0.3.1
- An update to the X-Ways viewer component has been released
Viewer Component
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!