As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Irfan Shakeel at AT&T Cybersecurity
  Network traffic analysis using Wireshark
  
  
• Amina Zilic at Binalyze
  August 2021 Binalyze Product Updates
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  The Bayer Method
  
  
• Elcomsoft
  • How to Put an iOS Device with Broken Buttons in DFU Mode
  • Cloud Forensics: the New Reality
    
    
• Forensafe
  • Investigating Thunderbird Windows Application
  • Investigating RecentDocs MRU
    
    
• Inginformatico
  • Reto forense losprys II — writeup
  • Forensic challenge losprys II — writeup [ENG]
    
    
• James Lovato at CrowdStrike
  SuperMem: A Free CrowdStrike Incident Response Tool for Automating Memory Image Processing
  
  
• Mathias Stuhlmacher
  Awesome Event IDs
  
  
• N00b_H@ck3r
  Protected: Security Blue Team Labs: Phishing Analysis 2 (This will be unlocked once the challenge is retired)
  
  
• Oxygen Forensics
  Android App Downgrade
  
  
• Michael Zinn at Paraben Corporation
  Forensically Imaging Bitlocker
  
  
• Scott Koenig at ‘The Forensic Scooter’
  • iOS Location Services and System Services ON or OFF?
  • iPhone Device Speeds via Cache.sqlite > ZRTCLLOCATIONMO table
    
    
• Security Onion
  • Quick Malware Analysis: Qakbot and Cobalt Strike pcap from 2021-03-02
  • Quick Malware Analysis: SquirrelWaffle and Cobalt Strike pcap from 2021-09-20
  • Quick Malware Analysis: Resume Themed Malspam pcap from 2021-09-21
  • Quick Malware Analysis: SquirrelWaffle, Qakbot, and Cobalt Strike pcap from 2021-09-22
  • Quick Malware Analysis: Qakbot pcap from 2021-09-20
    
    
• Vikas Singh
  Create a Super Timeline with TACTICAL/IREC Triage Image
  

THREAT INTELLIGENCE/HUNTING

• Brad Duncan at Malware Traffic Analysis
  • 2021-09-20 – TA551 (Shathak) pushes BazarLoader
  • 2021-09-21 – Brazil – currículo (resume) themed malspam
  • 2021-09-20 – Squirrelwaffle Loader with Cobalt Strike
  • 2021-09-22 – Squirrelwaffle Loader with Qakbot and Cobalt Strike
  • 2021-09-21 – Squirrelwaffle Loader with Cobalt Strike
  • 2021-09-20 – Qakbot (Qbot) returns after 2 month absence
  • 2021-09-24 – Squirrelwaffle Loader with Qakbot and Cobalt Strike
  • 2021-09-23 – Squirrelwaffle Loader with Qakbot and Cobalt Strike
    
    
• Censys
  VMware CVE-2021-22005 Technical & Impact analysis
  
  
• Check Point Research
  20th September – Threat Intelligence Report
  
  
• Cisco’s Talos
  Threat Roundup for September 17 to September 24
  
  
• Max Gannon at Cofense
  Phishing as a Ransomware Precursor
  
  
• Countercraft
  Escaping Docker Privileged Containers for Mining Crypto Currencies
  
  
• Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 20 – Terminal Preferences
  
  
• Cybereason
  Threat Analysis Report: PrintNightmare and Magniber Ransomware
  
  
• Moshe Hayun at Deep Instinct
  LockBit 2.0 Ransomware Becomes LockFile Ransomware with a Never-Before-Seen Encryption Method
  
  
• Pasquale Stirparo at Dragos
  Cyber Threats to Global Electric Sector on the Rise
  
  
• Eclypsium
  Everyone Gets a Rootkit
  
  
• Neel Mehta at Google Threat Analysis Group
  Financially motivated actor breaks certificate parsing to avoid detection
  
  
• Drew Schmitt at GuidePoint Security
  A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
  
  
• Herjavec Group
  Herjavec Group BlackMatter Ransomware Profile
  
  
• Huntress
  The Top Four CVEs Attackers Exploit
  
  
• Intrusion Truth
  Hello Lionel Richie
  
  
• Malwarebytes Labs
  MSHTML attack targets Russian state rocket centre and interior ministry
  
  
• Michael Koczwara
  Monitoring Threat Actors C2 Infrastructure with Shodan
  
  
• Microsoft Security
  • A guide to combatting human-operated ransomware: Part 1
  • Catching the big fish: Analyzing a large-scale phishing-as-a-service operation
    
    
• Michael Gough at NCC Group Research
  Detecting and Hunting for the PetitPotam NTLM Relay Attack
  
  
• Carol Hildebrand at Netscout
  The Long Tail of Attacker Innovation
  
  
• Pete Cowman at Hatching
  SquirrelWaffle and Other Detection Updates
  
  
• ReaQta
  Remote code execution vulnerability CVE-2021-40444 could become the next prolific cyber crime tool. Here’s how to stay ahead of such exploits.
  
  
• Recorded Future
  • China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware
  • The Cozy Relationship Between Russian State and Criminal Actors
    
    
• Red Canary
  Intelligence Insights: September 2021
  
  
• RiskIQ
  “Bom” Skimmer is Magecart Group 7’s Latest Model
  
  
• SANS Internet Storm Center
  • Video: Simple Analysis Of A CVE-2021-40444 .docx Document, (Sun, Sep 19th)
  • An XML-Obfuscated Office Document (CVE-2021-40444), (Wed, Sep 22nd)
  • Excel Recipe: Some VBA Code with a Touch of Excel4 Macro, (Thu, Sep 23rd)
  • Keep an Eye on Your Users Mobile Devices (Simple Inventory), (Fri, Sep 24th)
  • Strings Analysis: VBA & Excel4 Maldoc, (Sat, Sep 25th)
  • Video: Strings Analysis: VBA & Excel4 Maldoc, (Sat, Sep 25th)
    
    
• Alexander Rodchenko at Securelist
  Detection evasion in CLR and tips on how to detect such attacks
  
  
• Security Investigation
  • Cooking Malicious Morse Code with CyberChef
  • Important Windows processes for Threat Hunting
  • Threat Hunting with Windows Event IDs 4625 & 4624
    
    
• Sky Blueteam
  Scanning VirusTotal’s firehose
  
  
• Sophos
  • Cring ransomware group exploits ancient ColdFusion server
  • IOC hunting: Expanding reach with Sophos Central XDR API
  • Phishing and malware actors abuse Google Forms for credentials, data exfiltration
    
    
• Trend Micro
  • Cryptominer z0Miner Uses Newly Discovered Vulnerability CVE-2021-26084 to Its Advantage
  • Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
  • Examining the Cring Ransomware Techniques
    

UPCOMING EVENTS

• Emmy Gamble at Cellebrite
  Cellebrite Digital Collector: Collecting Data from Live Macs
  
  
• Cybereason
  Webinar: Inside the REvil Ransomware – Pick Your Path
  

PRESENTATIONS/PODCASTS

• Belkasoft
  Preserving Evidence
  
  
• Black Hat
  • Noname Security Executive Spotlight Interview
  • Self-Learning AI: Minimize Cyber Disruption
    
    
• Black Hills Information Security
  • BHIS | The Quest for the Kill Chain Killer Continues – Kent & Jordan – 1-Hour
  • BHIS – Talkin’ Bout [infosec] News 2021-09-20
  • Webcast: The Quest for the Kill Chain Killer Continues
  • Talkin’ About Infosec News – 9/23/2021
    
    
• Breaking Badness
  97. The Skies Are All Kinds of Blue
  
  
• Cellebrite
  • Processing data methods in Cellebrite Inspector
  • Take control of your investigation with Filtering and Sorting in Cellebrite Inspector
    
    
• Chewing the FAT
  Episode 5
  
  
• Cisco’s Talos
  Talos Takes Ep. #69: Our armadillo in shining armor
  
  
• DEFCON
  DEF CON 29 ICS Village
  
  
• Detection: Challenging Paradigms
  S2 – Episode 3: Jared, Jonathan, and Luke
  
  
• DFIR Science
  • Amazon AWS EC2 Forensic Memory Acquisition – LiME
  • Are you multi-threaded? #dfir #shorts
    
    
• Didier Stevens
  Simple Analysis Of A CVE-2021-40444 .docx Document
  
  
• Digital Forensic Survival Podcast
  • DFSP # 291 – Lateral MM Fast Triage 3
  • DFSP # 292 – Top Cloud Threats with Blumira
    
    
• Esentire
  Ep. 4: Evidence & Building a Case
  
  
• Gerald Auger at Simply Cyber
  • Find YOUR Cybersecurity Job (Go Beyond Googling For It)
  • I Want to Be a SOC Analyst, What Do I Do?
    
    
• LetsDefend
  Demo of Endpoint Analysis with Incident Responder Module
  
  
• LimaCharlie
  Running Detection & Response Rules Against Historical Telemetry
  
  
• Magnet Forensics
  • Magnet REVIEW | Collaborate on Evidence Review from Anywhere
  • Introducing the New Agent Status Dashboard
  • Examining Vehicle Data with AXIOM
  • New in AXIOM Cyber 5.5: Deploy One Agent to Multiple Endpoints
  • New in Magnet AXIOM 5.5: Support for Vehicle Data and Third-Party Map Servers
    
    
• NTCore
  Emotet MS Office Malware 150-Seconds Analysis
  
  
• Paraben Corporation
  • Sent with Siri Metadata iOS
  • Adding AD Image Format Data in E3
    
    
• Brad Stowers at ADF
  Learn Digital Forensics Online | ADF Best Practices Webinars of 2021
  
  
• SANS
  • SANS Threat Analysis Rundown | September 2021
  • Help Wanted: Cracking the Code of Cybersecurity Job Postings
  • Intro to Social Engineering
  • What Keeps You Up At Night?
  • Introducing the Newly Updated SANS Training ICS515: ICS Visibility, Detection, and Response
  • SANS Cybersecurity Leadership Summit 2021
    
    
• Security Weekly
  Velociraptor – Digging Deeper – Mike Cohen, Wes Lambert – PSW #711
  
  
• Uriel Kosayev
  Malware Analysis – Unpacking ASPack Manually
  

MALWARE

• Ali Aqeel
  dissecting binaries from unknown threat actor
  
  
• Anh Ho at Avast Threat Labs
  BluStealer: from SpyEx to ThunderFox
  
  
• Blackberry
  Threat Thursday: BlackMatter RaaS – Darker Than DarkSide?
  
  
• Cerbero
  Video: Emotet MS Office Malware 150-Seconds Analysis
  
  
• CERT-AGID
  Campagna Ursnif veicolata tramite falsa mail BRT
  
  
• Cisco’s Talos
  • TinyTurla – Turla deploys new malware to keep a secret backdoor on victim machines
  • Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
    
    
• DiabloHorn
  CSAW 2021, binary ninja & a haystack
  
  
• Eli Salem
  The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
  
  
• HashDB
  Check out @herrcore’s tweet
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #58: Keyboard modifiers
  
  
• John Hammond
  Snip3 Crypter/RAT Loader – DcRat MALWARE ANALYSIS
  
  
• Jared Stroud and Tom Hegel at Lacework
  HCRootkit / Sutersu Linux Rootkit Analysis
  
  
• Mahmoud Morsy
  Phishing Attacks 25_9_2021
  
  
• Thomas Reed at Malwarebytes Labs
  New Mac malware masquerades as iTerm2, Remote Desktop and other apps
  
  
• Anuradha M at McAfee Labs
  Malicious PowerPoint Documents on the Rise
  
  
• Nadav Lorber at Morphisec
  New Jupyter Evasive Delivery through MSI Installer
  
  
• Ghanashyam Satpathy and Gustavo Palazolo Eiras at Netskope
  BazarLoader: Using LoLBins through Office Documents to Deliver Payloads
  
  
• Secureworks
  REvil Ransomware Reemerges After Shutdown; Universal Decryptor Released
  
  
• Nir Somech at Security Intelligence
  New ZE Loader Targets Online Banking Users
  
  
• SentinelOne
  • Defeating macOS Malware Anti-Analysis Tricks with Radare2
  • Peeking into CVE-2021-40444 | MS Office Zero-Day Vulnerability Exploited in the Wild
    
    
• Syed Hasan
  Reversing with IDA: Cross-references
  
  
• Telsy
  REMCOS and Agent Tesla loaded into memory with Rezer0 loader
  
  
• Tahseen Bin Taj and Matthieu Faou at WeLiveSecurity
  FamousSparrow: A suspicious hotel guest
  
  
• Yoroi
  Hunting the LockBit Gang’s Exfiltration Infrastructures
  

MISCELLANEOUS

• Cassie Doemel at AboutDFIR
  AboutDFIR Content Update 9/25/2021
  
  
• Any.Run
  How to Protect Banks from Cyberattacks
  
  
• Doug Metz at Baker Street Forensics
  Forensic Imaging Station – Steampunk Edition
  
  
• Errata Security
  That Alfa-Trump Sussman indictment
  
  
• Forensic Focus
  • New in Binalyze AIR v1.8.0: Multi-organization support
  • Android App Downgrade in Oxygen Forensic Detective
  • Grayshift Co-Founders David Miles, Chief Executive Officer & Braden Thomas, Chief Product Officer
  • Grayshift Accelerates Forensic Access And Extends GrayKey To LG Mobile Devices And MediaTek Chipsets
  • Register For Webinar: Photo Analysis And Tampering Detection With Amped Authenticate
  • Register For Webinar: Binalyze AIR-DRONE Integration
  • AIR From Binalyze
    
    
• Jesse Spangenberger at ‘Cyber Fenix DFIR & Technology’
  • BHIS Wild West Hackin Fest Toolshed: iLEAPP
  • Disabling Windows Defender Antivirus
    
    
• Joe at Stranded on Pylos
  Critical Commentary Considering the Zero Day
  
  
• Marco Fontani at Amped
  How Can I Redact (Blur or Pixelate) a Video With Amped Replay?
  
  
• NVISO Labs
  Building an ICS Firing Range – Part 2 (Defcon 29 ICS Village)
  
  
• Junhyeong Lee at Plainbit
  [TIP#6] NLBrute with Event Logs
  
  
• Derya Yavuz at Praetorian
  Incident Response Best Practices: Building an Evidence Wiki
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — September 19 to September 25
  
  
• SANS
  • Introducing the New Version of SANS ICS515 – ICS Visibility, Detection, and Response
  • What You Need to Know about CVE-2021-30860 aka FORCEDENTRY
  • Why a Strong Security Culture?
  • The ABCs of Cybersecurity
    
    
• Secureworks
  Integrating Your Cyber Insurance Into Your Incident Response Efforts
  
  
• Alya Gomaa at Stratosphere IPS
  Create and Test Your Own TAXII Server
  
  
• Lesley Carhart
  Ask Lesley: How Much Should SOC Work Suck?
  
  
• Pieces0310
  Better late than never~ Oxygen Forensic Detective supports APK Downgrade Extraction now~ – Pieces0310
  

SOFTWARE UPDATES

• Belkasoft
  What’s new in Belkasoft X v.1.10
  
  
• Costas K
  MFTBrowser.exe (x64)
  
  
• Didier Stevens
  Update: re-search.py Version 0.0.18
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.31
  
  
• Griffeye
  Release of Analyze 21.2
  
  
• Harel Segev
  INDXRipper
  
  
• Magnet Forensics
  New in AXIOM Cyber 5.5: Deploy One Agent to Multiple Endpoints
  
  
• Mihari
  v3.9.0
  
  
• radare2
  5.4.2
  
  
• Xways
  X-Ways Forensics 20.4 Beta 1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!