As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
If you’re a fan of Volatility, you’ll love CrowdStrike’s SuperMem
- Atomic Matryoshka
AutoRun Malware: Why your computer is summoning dark lords after you plugged in that parking lot USB
- Dr. Brian Carrier at Cyber Triage
Cyber Triage on Google Cloud: DFIR in the Cloud
- Forensafe
- Ian Whiffin at DoubleBlak
iOS GeoFences
- Christopher Peacock at Scythe
SCYTHE Presents: Threat Thursday – NetWire RAT
- Kevin Pagano at Stark 4N6
Restore Log – Tracking iOS Update History
- Joachim Metz at Open Source DFIR
Pearls and pitfalls of timeline analysis
- Junhyeong Lee at Plainbit
[TIP#8] UserAssist
- Recorded Future
How To Assess a Potential Phishing Email
- Matt Graeber at Red Canary
Better know a data source: Process command line
- John Dwyer at Security Intelligence
Detections That Can Help You Identify Ransomware
- Security Onion
- Quick Malware Analysis: Remcos RAT pcap from 2021-01-06
- Quick Malware Analysis: AngryPoutine exercise pcap from 2021-09-10
- Quick Malware Analysis: Qakbot spambot pcap from 2021-10-01
- Quick Malware Analysis: Stolen Images Evidence and Sliver pcap from 2021-10-20
- Quick Malware Analysis: TA551/SHATHAK and Sliver pcap from 2021-10-20
- Bill Marczak, John Scott-Railton, Siena Anstis, Bahr Abdul Razzak, and Ron Deibert at ‘The Citizen Lab’
Breaking the News: New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts
- The DFIR Report
IcedID to XingLocker Ransomware in 24 hours
- TheHexNinja
- Williams Kosasi
THREAT INTELLIGENCE/HUNTING
- 360 Netlab
Seven Years of Honing One Sword: the 360 DNS Threat Analysis Platform
- 360 Core Security Technology Blog
Warning: Beware of Hackers Profiting from the “Coin Withdrawal Wave”
- Anomali
Anomali Cyber Watch: FIN12 Ramps-Up in Europe, Interactsh Being Used For Malicious Purposes, New Yanluowang Ransomware and More
- Anton Chuvakin
Do You Trust Your SIEM?
- Azure Sentinel
- Brad Duncan at Malware Traffic Analysis
- 2021-10-01 – TR Qakbot (Qbot) infection with spambot activity
- 2021-10-04 – MirrorBlast/Kixtart, ReflectiveGnome, and FlawedGrace infection
- 2021-10-05 – MirrorBlast/Kixtart infection
- 2021-10-06 – Stolen Images Evidence campaign pushes Gozi/ISFB/Ursnif
- 2021-10-12 – Stolen Images Evidence campaign pushes IcedID (Bokbot)
- 2021-10-13 – Malspam-based Dridex activity
- 2021-10-14 – Stolen Images Evidence campaign pushes BazarLoader
- 2021-10-22 – Files for an ISC diary (October 2021 Forensic Contest)
- 2021-10-20 – TA551 (Shathak) pushes Sliver-based malware
- 2021-10-20 – Files for an ISC diary (Stolen Images Evidence –> Sliver)
- BushidoToken
Ransomware Decryption Intelligence
- CERT-AGID
New Dike-themed AteraAgent malspam campaign
- Check Point
18th October – Threat Intelligence Report
- CISA
Alert (AA21-291A) BlackMatter Ransomware
- Cisco’s Talos
- CrowdStrike
- Curated Intelligence
Initial Access Broker Landscape
- Brianna Leddy at Darktrace
Recycling ransomware: The return of Ryuk
- Didier Stevens
“Public” Private Cobalt Strike Keys
- Elliptic
DarkSide bitcoins on the move following government cyberattack against REvil ransomware group
- Erik Hjelmvik at Netresec
How the SolarWinds Hack (almost) went Undetected
- Flashpoint
REvil Disappears Again: ‘Something Is Rotten in the State of Ransomware’
- Gemini Advisory
- Ashley Shen at Google Threat Analysis Group
Phishing campaign targets YouTube creators with cookie theft malware
- Patrick Schläpfer at HP Wolf Security
MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures
- Caleb Stewart at Huntress
Threat Advisory: Hackers Are Exploiting a Vulnerability in Popular Billing Software to Deploy Ransomware
- Dusty Miller at Hurricane Labs
GreyNoise: Alert Tuning for the SOC Analyst’s Soul
- Pratinav Chandra at InfoSec Write-ups
Windows Threat Hunting: Processes of Interest
- Dmitry Melikov at InQuest
Advanced Qbot Downloader
- Karlo Licudine at AccidentalRebel
New Tool Preview: vATT&CK
- Malwarebytes Labs
- Microsoft Security
- Amy L. Robertson, Alexia Crumpton, and Chris Ante at MITRE ATT&CK
Introducing ATT&CK v10: More Objects, Parity and Features
- NCC Group Research
- Nik Alleyne at ‘Security Nik’
Pivoting / Relaying SSH communication through ncat, iptables, netsh, SSH and getting internet access via SSH “dynamic” application port forwarding
- Brad Duncan at Palo Alto Networks
Case Study: From BazarLoader to Network Reconnaissance
- Penetration Testing Lab
Lateral Movement – WebClient
- Pete Cowman at Hatching
One-man tweak plus AtomSilo and STRRAT detections
- Proofpoint
- RiskIQ
- V3ded
Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses
- SANS Internet Storm Center
- Malicious PowerShell Using Client Certificate Authentication, (Mon, Oct 18th)
- Can you make the Great Chinese Firewall work for you?, (Tue, Oct 19th)
- “Stolen Images Evidence” campaign pushes Sliver-based malware, (Thu, Oct 21st)
- October 2021 Contest: Forensic Challenge, (Fri, Oct 22nd)
- YARA Release v4.1.3, (Sat, Oct 23rd)
- Reader Malware: ZIP/HTML Phish, (Sat, Oct 23rd)
- Phishing ZIP With Malformed Filename, (Sun, Oct 24th)
- Securelist
- Security Investigation
- Bradley Collis at Sophos
- Matt Hand and Emily Leidy at SpecterOps
Life is Pane: Persistence via Preview Handlers
- Symantec Enterprise
- Taha Karim at Confiant
Profiling hackers using the Malvertising Attack Matrix by Confiant
UPCOMING EVENTS
- Belkasoft
[webinar] Forensic Analysis Of LNK Files
- Magnet Forensics
- Semantics 21
LASERi-X v2.2 Demonstration
- Skyler Curtis and Richard Chitamitre at Cyborg Security
The callback is coming from inside the house!
PRESENTATIONS/PODCASTS
- Alexis Brignoni on the Forensic Focus podcast
Alexis Brignoni on Teaching and Learning Python: Why It’s Important and What’s Involved
- Belkasoft
Qualcomm Acquisition – 9th episode of BelkaTalk on DFIR
- Black Hat
- Black Hills Information Security
Talkin’ About Infosec News – 10/19/2021
- Cellebrite
Ask the Expert: Live Q and A at the Cellebrite Envisioning Center
- CIRCL Luxembourg
Virtual MISP Summit 0x06
- Cisco’s Talos
Beers with Talos, Ep. #110: The 10 most-exploited vulnerabilities this year (You won’t believe No. 6!)
- Cloud Security Podcast by Google
EP39 From False Positives to Karl Popper: Rationalizing Cloud Threat Detection
- Cybereason
Malicious Life Podcast: Operation GhostShell – An Iranian Espionage Campaign
- Day Cyberwox
Wireshark Course for Cybersecurity Beginners
- DFIR Science
- Digital Detectives
The SANS Institute and Cybersecurity Careers
- Digital Forensic Survival Podcast
DFSP # 296 – Case Study Turla-Comrat
- Jess Garcia
[BLOG] SANS Threat Hunting Summit & Training 2021 – “Hunting through anomaly detection with Machine Learning and DAISY” – Wrap-Up & Community Resources Announced, by Jess Garcia
- Florian Roth
Sigma Hall of Fame – EU ATT&CK User Workshop, October 2021
- InfoSec_Bret
Malware Analysis – MSHTML
- Karsten Hahn at Malware Analysis For Hedgehogs
Reversing – Writing an EXE4J Configuration Extractor
- Magnet Forensics
- Paraben Corporation
- Ryan Chapman
Much Ado About Ransomware
- SANS
- Sumuri
SUMURI Podcast Episode 010 – TALINO Chassis Redesign and Other News
MALWARE
- 0xdf hacks stuff
- Ali Aqeel
Zloader Reversing
- Blackberry
Threat Thursday: STRRat Malware
- Erik Pistelli at Cerbero
- Idan Shechter & Omer Ventura at Check Point
Using Discord infrastructure for malicious intent
- hasherezade’s 1001 nights
- Igor Skochinsky at Hex Rays
Igor’s tip of the week #61: Status bars
- Jérôme Segura at Malwarebytes Labs
q-logger skimmer keeps Magecart attacks going
- Muthamil Mudhalvan
Some Common API’s In Malware
- Gustavo Palazolo at Netskope
DBatLoader: Abusing Discord to Deliver Warzone RAT
- Nikhil Rathor at 0xthreatintel
Static Analysis of Bluelight Malware
- Didier Stevens at NVISO Labs
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
- Jessica Ellis at PhishLabs
Multi-Stage Vishing Attacks Skyrocket
- Oleg Kupreev at Securelist
Trickbot module descriptions
- SentinelOne
- Squibydoo.blog
Solarmarker: by any other name
- Abdelrhman Sharshar, Jay Yaneza, and Sherif Magdy at Trend Micro
PurpleFox Adds New Backdoor That Uses WebSockets
- Vicente Díaz at VirusTotal
VirusTotal Multisandbox += Microsoft Sysinternals
- Yoroi
Spectre v4.0: the speed of malware threats after the pandemics
- Stuti Chaturvedi and Amandeep Kumar at ZScaler
New MultiloginBot Phishing Campaign
MISCELLANEOUS
- Jessica Hyde at Magnet Forensics
- Cassie Doemel at AboutDFIR
AboutDFIR Content Update 10/23/21
- Marco Fontani at Amped
How Can I Export a Processed Video in Amped Replay?
- Anastasios Pingios
Offensive Security Private Companies Inventory
- Any.Run
Ransomware: Explanation and Examples
- Yulia Samoteykina at Atola
RAID 10 configuration autodetection and imaging
- Amina Zilic at Binalyze
The Ninth Step to Forensic Readiness: Incident response documents and reporting
- Carlos Canto at Velocidex
And The Winners Are…
- CrowdStrike
Many Paths, One Goal: Forging a Career in Cybersecurity
- Forensic Focus
- Luke Wilson at Countercraft
Defend Forward, Part Three: Taking It Operational
- ph0llux
Zff
- Richard Frawley at ADF
Search Profiles
- Ryan Campbell at ‘Security Soup’
Weekly News Roundup – October 10 to October 16
- Ulf Frisk
Modifying the Acorn CLE-215+ FPGA into a PCILeech DMA attack device
SOFTWARE UPDATES
- Andrew Rathbun
KAPE-EZToolsAncillaryUpdater 2.0
- ANSSI DFIR-ORC
v10.1.0-rc7
- Cellebrite
Now Available: Cellebrite UFED, Cellebrite Responder, Cellebrite Physical Analyzer and Cellebrite UFED Cloud v7.49
- Costas K
MFTBrowser.exe (x64)
- DeTTECT
v1.4.4
- Didier Stevens
New Tool: cs-decrypt-metadata.py
- Eric Zimmerman
ChangeLog
- Kroll
Kape 1.1.0.0
- Magnet Forensics
- Malwoverview
Malwoverview 4.4.2
- Passware
Passware Kit 2021 v4 Now Available
- YARA
v4.1.3
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!