Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections. Especially considering she was at Hacker Summer Camp this past week!
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ has released a new script, ARTEMIS (Android Review Timeline Events Modular Integrated Solution), which “parses Android UsageStats XML files for automatic ingestion by APOLLO” and adds “pattern of life analysis in Android devices to APOLLO”. Alexis has also updated APOLLO to Python 3, which is very important since Python 2.7 will not be maintained past 2020.
ARTEMIS – Android support for APOLLO
- Cellebrite shared a couple of case studies
- Brian Carrier at Cyber Triage has a great article on the importance of examining user activity in an incident response case. Brian covers a variety of different program execution and file access artefacts that should be examined, as well as how to perform these tasks in Cyber Triage. Often in the Windows Forensics class, IR folks tend to want to get straight to the program execution artefacts and forget that knowing what files and folders an adversary accessed is equally important.
Intro to Incident Response Triage (Part 5): User Activity
- Hats Off Security has an interesting post about identifying the action that caused a part of a URL to appear in an Index.dat file.
When is Index.dat not Evidence of Browsing
- Marco Neumann at ‘Be-binary 4n6’ does some testing with WhatsApp on Android surrounding deleting messages, and sending/receiving pictures.
WhatsApp – Images and Messages – An overview
THREAT INTELLIGENCE/HUNTING
- There was a lot of news and research unveiled in Las Vegas last week at Black Hat and at Defcon, which concludes just after the release of this post. Some notable research in the DFIR world:
- Brian Donohue writes about the reverse shell attack discovered by Casey Smith from Red Canary and scoped by Ross Wolf at Endgame. Casey uses dbgsrv, which can allow a remote connection with detection evasion, similar to process hollowing, and Ross looks at threat hunting the attack. This research was presented last week at the researchers’ Black Hat briefing.
Black Hat: Detecting the unknown and disclosing a new attack technique
- Adam at Hexacorn discusses considerations when processing large corpora of files, malicious or not.
The quirks of Batch Processing
- Didier Stevens looks at traffic when “downloading Mimikatz via DNS-over-HTTPS with an Excel sheet.” You can learn more details at the upcoming BruCON this October.
Downloading Executables Over DNS: Capture Files
- Phil Roth, Hyrum Anderson, and Sven Cattell at Endgame release a new version of EMBER, with 1 million new samples through 2018.
Extending EMBER
- A large team at FireEye Threat Research (Nalani Fraser, Fred Plan, Jacqueline O’Leary, Vincent Cannon, Raymond Leong, Dan Perez, and Chi-en Shen) unveils research on China-based APT41. APT41 is financially motivated and has most recently targeted the education, travel, and news industries. Details can be found in a full report (68-page PDF) linked from the blog.
APT41: A Dual Espionage and Cyber Crime Operation
- Omar Sardar and Dimiter Andonov at FireEye Threat Research complete this series, which started with FLARE’s updates to Volatility and Rekall. These posts discuss compressed pages and undocumented structures and complement the authors’ talk at Black Hat last week.
- Audra Simons and Dalwinderjeet Kular share research from a project done in collaboration with The University of Texas at San Antonio.
Identifying Insider Threat Through Analysis of Data-at-Rest
- Recon Infosec have created a “consolidated place for incident response & threat hunting focused queries for osquery”
Check out @Recon_InfoSec’s Tweet!
- Julie Brown at Red Canary looks at three phases of IR using Emotet as an example.
Exploring the phases of incident response: visibility, containment, & response
- Eden Gal at Datorama (Salesforce) announces Timbermill, a context-aware logging service that helps with getting timeline and other relevant data out of verbose logging.
Timbermill — A better logging service
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
- SpecterOps shared two posts about Mordor this week:
- Roberto Rodriguez introduces Mordor, created with his brother Jose Rodriguez, which “provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption.”
Enter Mordor : Pre-recorded Security Events from Simulated Adversarial Techniques
- Jonathan Johnson builds on the work of the Rodriguez brothers with AWS.
AWS knocked and The Gates of Mordor have answered
UPCOMING WEBINARS/CONFERENCES
- Simon Woolley at Cellebrite will be hosting a webinar on their CAS service on August 22, 2019 at 11:00 AM AEST
Webinar: Advance Your Most Challenging Cases With Cellebrite
- Joseph Loomis at CyberSponse and Steve Sunday at AccessData will be hosting a webinar on August 22, 2019 at 2:00 P.M. ET
An AccessData Webinar: Accelerate Incident Response Through Automation
PRESENTATIONS/PODCASTS
- AccessData continued to share videos
- CQURE Academy shared their recent talk at Black Hat surrounding the release of their new tool, CQForensic.
[BlackHat USA 2019] CQForensic: The efficient Forensic Toolkit
- On this week’s Digital Forensic Survival Podcast, Michael talks about some Windows one-liners for downloading and executing a remote payload
DFSP # 181 – Remote Execution One-Liners
- “Tarah Melton [at Magnet Forensics] provides an overview of how Magnet.AI can help you in your insider threat investigations.”
AXIOM at Work: Magnet.AI in Insider Threat Investigations
- Richard Davis at 13Cubed has uploaded a video surrounding examining the NTFS Journal
NTFS Journal Forensics
- Ryan Benson at dfir.blog posted the next section of his “Deciphering Browser Hieroglyphics” presentation, covering LevelDB and the Chrome FileSystem
Deciphering Browser Hieroglyphics: FileSystem (Part 3)
- SANS shared Rachel Mullan and Jason Smart’s presentation from the 2019 CTI Summit
Untying the Anchor: Countering Unconscious Bias in Threat Intel Analysis – SANS CTI Summit 2019
MALWARE
- On the malware side, some notable news from Black Hat comes out of another cross-company collaboration:
- Dana Baril on the Microsoft Defender ATP Research Team collaborated with Eyal Itkin at Check Point on the Poisoned RDP vulnerability. Dana looks back on the collaboration as a case study, including how ETW events helped with analysis, and presented the material with Eyal at their Black Hat briefing.
A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response
- Hui Wang and Alex Turing at 360 Netlab examine the Emptiness botnet
Emptiness: A New Evolving Botnet
- Greg Foss and Marina Liang at Carbon Black dub a cryptomining + credential-stealing attack “Access Mining” and provide links to a full report (registration walled).
Carbon Black Threat Analysis Unit (TAU) Uncovers Significant Evolution of Popular Cryptomining Campaign Affecting More than 500,000 Computers
- Aaron Riley at Cofense discusses a “Cookie Grabber” module new to TrickBot, which targets the Chrome, Firefox, and IE browsers.
TrickBot Adds ‘Cookie Grabber’ Information Stealing Module
- Tom Fakterman from Cybereason dives deep into Sodinokibi ransomware, seen spiking in April, with analysis of the loaders and payload and an ATT&CK breakdown.
Sodinokibi: The Crown Prince of Ransomware
- Fortinet had two posts this week:
- Yueh-Ting Chen shares information about a trojan targeting Chinese-speaking users which exploits the WinRAR and RTF file vulnerabilities.
Tricky Chinese-Targeted Trojan Bypasses Authentication
- Xiaopeng Zhang reverses a new Ursnif sample.
New Ursnif Variant Spreading by Word Document
- Ransom Bleed at G DATA Security Lab gives an example of Ryuk ransomware signed using a valid Thawte certificate; then again, anyone can buy a certificate, which brings up the age-old security vs convenience debate.
What’s all the buzz about? Looking at the “Ryuk” ransomware as an example.
- Marco Ramilli looks at OilRig activity, with likely Iranian origins, over four different time periods spanning 2016 to 2019. While delivery remains constant with phishing, Marco shows how command and control evolves over time.
OilRig: the techniques evolution over time
- Mark Mo tests out the new build of ConfuserEx, which successfully protects (changes the code of) a .NET application while still allowing the app to run.
Quick Introduction to ConfuserEX
- McAfee Labs shared some research this week:
- Cedric Cochin and Leandro Costantino continue their series on case sensitivity in Windows paths.
The Twin Journey, Part 2: Evil Twins in a Case In-sensitive Land
- Chanung Pak and Yukihiro Okutomi look at fake Japanese and Korean security apps in the Google Play store.
MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play
- Arnold Osipov at Morphisec covers the GermanWiper ransomware (which appends a random 5-character extension) that wipes files rather than encrypting them. The delivery mechanism uses LNK and HTA files to deliver the payload.
Threat Alert: GermanWiper
- Rohit Chettiar at Rapid7 looks at credential stealing using PowerShell.
The Importance of Preventing and Detecting Malicious PowerShell Attacks
- Rajdeepsinh Dodia and Priyanka Bhati at Zscaler ThreatLabZ cover the .NET RAT Saefko (SaefkoAgent.exe).
Saefko: A new multi-layered RAT
- Jessica Bair at Cisco Blogs shows two examples of attacks seen while running the SOC at RSA Asia Pacific & Japan: malware delivered by JPG and a phishing attack.
When you request a .jpg and get ransomware
- Ofir Ozer from IBM writes at Security Intelligence about fileless TrickBot infections.
The Curious Case of a Fileless TrickBot Infection
- Albert Zsigovits at Sophos summarizes the Baldr info stealer report from SophosLabs (72-page PDF).
Baldr vs The World: A SophosLabs report
- TrendMicro had two posts this week:
- Noel Anthony Llimos and Michael Jhon Ofiaza cover the Word-to-JS TrickBot delivery infection vector.
Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
- Miguel Ang, Erika Mendoza, and Jay Yaneza discuss LokiBot registry persistence pointing to a VBS script.
LokiBot Gains New Persistence Mechanism, Uses Steganography to Hide Its Tracks
- Martijn Grooten at Virus Bulletin notes the existence of the Lord exploit kit. The Lord EK, which uses the ngrok service, appears to still be in development.
Virus Bulletin researcher discovers new Lord exploit kit
- Rohan Viegas at VMRay shares a quick (4 min) video on setup and config for VMRay and MISP Connector.
How to Automate IOC Generation with MISP & VMRay
- WeLiveSecurity covers the French spambot/infostealer Varenyky.
Varenyky: Spambot à la Française
- ZLAB-YOROI correlates Unit 42 intel with activity possibly related to the Gorgon Group, which delivers the RevengeRAT.
The Evolution of Aggah: From Roma225 to the RG Campaign
MISCELLANEOUS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ shares the CTF details for the 2019 Unofficial DEFCON DFIR CTF, which was put together by Champlain College’s Digital Forensic Association
2019 Unofficial Defcon DFIR CTF
- There were a couple of posts on the ADF blog this week
- Richard Frawley demonstrates how to backup an Android device with DEI Pro
Create a Forensic Backup of an Android Device with Digital Evidence Investigator PRO
- Brett Peters announced that ADF has partnered with Rosoka for text analytics and translation
ADF Solutions Adds New Digital Forensic Analysis Capabilities with Rosoka
- Brett Shavers at DFIR.Training reviews Belkasoft Evidence Centre
I took Belkasoft Evidence Center for a spin around the block
- Or Begam at Cellebrite describes how to use Python in UFED PA
Customize and automate your data analysis with Python code
- Chris Sanders comments on the difference between Condensed and Spaced learning and how InfoSec could benefit from more Spaced learning
Learning to Forget: Infosec’s Unfortunate Departure from Spaced Learning
- Michelle Oh at HancomGMD has a post on Forensic Focus demonstrating how to acquire a mobile device using their MD-NEXT product
How To Acquire Mobile Data With MD-NEXT From HancomGMD
- Forensic Focus also continued their ‘What’s Happening In Forensics’ series
- Hacker Hurricane released an updated Windows Registry cheat sheet that can be used for monitoring for malicious activity
The Windows Registry Auditing Cheat Sheet update! Aug 2019, v2.5
- MantaRay Forensics released their Q3 hashset update
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — August 4 to August 10
SOFTWARE UPDATES
- Winpmem v3.3 RC2 was released
Release 3.3 RC2
- CDQR 5.1.0 was released
CDQR 5.1.0
- Cellebrite released UFED Physical Analyzer v7.22
Access new data sources and file formats with UFED Physical Analyzer 7.22
- Cyan Forensics announced the release of Cyan Examiner 2.0
Cyan Examiner 2.0 is Here
- Didier Stevens updated his pdf-parser script
Update: pdf-parser.py Version 0.7.3
- NetAnalysis v2.10 and HstEx v4.10 were released
NetAnalysis® v2.10 and HstEx® v4.10 Released
- Elcomsoft updated their Cloud Explorer tool to v2.20
Elcomsoft Cloud Explorer 2.20 Fixes Google Photos Support, Downloads More Historical Data
- Eric Zimmerman updated PECmd, Registry Explorer and MFT Explorer. Eric also updated KAPE to 0.8.6.1
ChangeLog
- ExifTool 11.61 was released with new tags and bug fixes
ExifTool 11.61
- MOBILedit Forensic Express 7.0 was released
MOBILedit Forensic Express 7.0 Released!
- Sandfly Security released v2.1 of their Sandfly product
Sandfly 2.1 Released
- USB Detective was updated to version 1.5.2
Version 1.5.2 (08/07/2019)
- X-Ways Forensics 19.9 Preview 2 is now available.
X-Ways Forensics 19.9 Preview 2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!