Lee Whitfield has opened the nominations for the Forensic 4cast awards for another week; get your last minute nominations in now!
Forensic 4:cast Awards – Update

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Didier Stevens
  Discovering A Forensic Artifact
  
  
• Digital Forensics Myanmar
  • How the Federal Government Buys Our Cell Phone Location Data By  BENNETT CYPHERS  (Myanmar Translation)
  • Solid State Drive (SSD) Structure & Forensics (Blog Post Collection PDF)
    
    
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  One Country, Two Systems
  
  
• Forensafe
  Investigating Windows Management Instrumentation (WMI)
  
  
• Joshua Hickman at ‘The Binary Hick’
  New msgstore – Who ‘Dis?  A Look At An Updated WhatsApp On Android
  
  
• Kibaffo33
  Even more MEGA
  
  
• Mike at ØSecurity
  VSS Carving – Pt. 2, Halfway There
  
  
• Oxygen Forensics
  New feature: Data Extraction via iOS Agent
  
  
• Chad Tilbury at SANS
  Power Up Memory Forensics with Memory Baseliner
  
  
• We are OSINTCurio.us
  Saving Facebook
  

THREAT INTELLIGENCE/HUNTING

• abuse.ch
  Introducing YARAify
  
  
• Anomali
  • Malware Intelligence Dashboards
  • Anomali Cyber Watch: Symbiote Linux Backdoor is Hard to Detect, Aoqin Dragon Comes through Fake Removable Devices, China-Sponsored Groups Proxy through Compromised Routers, and More
    
    
• Antiy CERT
  Dark Elephant’: A Decade of Cyber ​​Attacks
  
  
• AttackIQ
  Attack Graph Emulating the Conti Ransomware Team’s Behaviors
  
  
• David Álvarez and Jan Neduchal at Avast Threat Labs
  Linux Threat Hunting: ‘Syslogk’ a kernel rootkit found under development in the wild
  
  
• Avertium
  An In-Depth Look at the Data Extortion Group, Karakurt
  
  
• Matt Ehrnschwender at Binary Defense
  Detecting Follina Exploits Using a Remote Answer File 
  
  
• Blackberry
  • Threat Thursday: Unique Delivery Method for Snake Keylogger
  • BlackBerry Prevents LokiLocker
    
    
• Blumira
  • RSAC, DBIR 2022 Trends: Rise in Ransomware, Partner Attacks & Cyber Insurance
  • RSAC 22: 5 Most Dangerous New Attack Techniques
  • RSAC 2022: How XDR Simplifies Detection and Response
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2022-06-13 – TA578 thread-hijacked emails push Bumblebee or IcedID
  • 2022-06-13 – TA578 thread-hijacked email –>  Bumblebee –> Cobalt Strike
  • 2022-06-16 – Files for an ISC diary (Matanbuchus with Cobalt Strike)
  • 2022-06-17 – Matanbuchus with Cobalt Strike
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 11 – 17 giugno 2022
  
  
• Check Point Research
  • 13th June – Threat Intelligence Report
  • Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials
    
    
• Cisco’s Talos
  • Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live
  • Threat Roundup for June 10 to June 17
    
    
• Cofense
  Monkeypox Phishing: Outbreak Becomes Latest Lure
  
  
• Csaba Fitzl at ‘Theevilbit’
  AMFI Launch Constraints – First Quick Look
  
  
• Anthony M. Freed at Cybereason
  Defending Against the Five Stages of a Ransomware Attack
  
  
• Cyberknow
  Update 15. 2022 Russia-Ukraine war — Cyber group tracker. June 13.
  
  
• EclecticIQ
  The Analyst Prompt #11: Exploitation of Atlassian and Microsoft’s Major Vulnerability
  
  
• Melissa Alvarez at Elastic
  Detect domain generation algorithm (DGA) activity with new Kibana integration
  
  
• Esentire
  Emotet Malware Detected Through a Phishing Campaign
  
  
• Google Workspace Updates
  VirusTotal integration with the security investigation tool provides deeper insight into Chrome events
  
  
• Group-IB
  Thousands of IDs exposed in yet another data breach in Brazil
  
  
• Ankit Sinha at Hacking Articles
  Caldera: Red Team Emulation (Part 1)
  
  
• Henri Hambartsumyan at Falcon Force
  FalconFriday — Detecting UnPACing and shadowed credentials— 0xFF1E
  
  
• Dray Agha at Huntress
  Triangulation
  
  
• InfoSec Write-ups
  • Learning More About YAML Deserialization
  • Phishing Domain Detection using Neural Networks
    
    
• Intel471
  Cybercriminals preying on travel surge with a host of different scams
  
  
• Elena Koldobsky at Kela
  How the Cybercrime Landscape has been Changed following the Russia-Ukraine War
  
  
• Malwarebytes Labs
  • Karakurt extortion group: Threat profile
  • ALPHV squeezes victim with dedicated leak site for employees and customers
    
    
• Microsoft Security
  The many lives of BlackCat ransomware
  
  
• Bintang Nafsul Mutmainnah at MII Cyber Security
  Sysmon Threat Hunting
  
  
• Nasreddine Bencherchali
  Persistence With “Fiddler Classic” Extensions
  
  
• Stuart Kututac at NCC Group
  Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough?
  
  
• Florian Roth at Nextron Systems
  Follina CVE-2022-30190 Detection with THOR and Aurora
  
  
• Palo Alto Networks
  • Palo Alto Networks and Coordinated Enforcement for Malware
  • Containers, Assemble: What Cloud Threat Actors Don’t Want You to Know
    
    
• Jason Kao at Praetorian
  Chaining MFA-Enabled IAM Users with IAM Roles for Potential Privilege Escalation in AWS
  
  
• Akshat Pradhan at Qualys
  New Qualys Research Report: Inside a Redline InfoStealer Campaign
  
  
• Rapid7
  • Defending Against Tomorrow’s Threats: Insights From RSAC 2022
  • New Report Shows What Data Is Most at Risk to (and Prized by) Ransomware Attackers
    
    
• Recorded Future
  Latin American Governments Targeted By Ransomware
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, April 2022 (ENG)
  
  
• Justin Palk at Red Siege Information Security
  Creating a Simple Windows Domain for Offensive Testing: Part 3
  
  
• Salvation DATA
  6 Types of Database Attacks Hackers Use to Obtain Unauthorized Access
  
  
• SANS Internet Storm Center
  • Quickie: Follina, RTF & Explorer Preview Pane, (Sun, Jun 12th)
  • Translating Saitama’s DNS tunneling messages, (Mon, Jun 13th)
  • Microsoft June 2022 Patch Tuesday, (Tue, Jun 14th)
  • Houdini is Back Delivered Through a JavaScript Dropper, (Thu, Jun 16th)
  • Terraforming Honeypots. Installing DShield Sensors in the Cloud, (Wed, Jun 15th)
  • Malspam pushes Matanbuchus malware, leads to Cobalt Strike, (Fri, Jun 17th)
  • Decoding Obfuscated BASE64 Statistically, (Sat, Jun 18th)
  • Critical vulnerability in Splunk Enterprise?s deployment server functionality, (Fri, Jun 17th)
  • Video: Decoding Obfuscated BASE64 Statistically, (Sun, Jun 19th)
  • Wireshark 3.6.6 Released, (Sun, Jun 19th)
    
    
• Security Investigation
  • Lyceum APT group new .NET-based DNS backdoor – Detection & Response
  • QBot returns with new TTPS – Detection & Response
  • Hunting for new GALLIUM APT Group in Network
  • FormBook Malware on The Rise – Detection & Response
  • Malspam with new Matanbuchus Loader – Detection & Response
    
    
• Giorgos Karantzas and Constantinos Patsakis at SentinelOne
  Research Paper | Emulating Phineas Phisher Attacks in Modern EDR Environments
  
  
• Sophos
  • Telerik UI exploitation leads to cryptominer, Cobalt Strike infections
  • Sophos uncovers how APT groups carried out highly targeted attack
  • Confluence exploits used to drop ransomware on vulnerable servers
    
    
• Matt Hand at SpecterOps
  Hang Fire: Challenging our Mental Model of Initial Access
  
  
• Ben Martin at Sucuri
  WooCommerce Credit Card Skimmer Uses Telegram Bot to Exfiltrate Stolen Data
  
  
• Claudio Di Giuseppe at Telsy
  The Turla malware
  
  
• Varonis
  • Rogue Shortcuts: LNK’ing to Badness
  • Anatomy of a Ransomware Attack
    
    
• Steven Adair and Thomas Lancaster at Volexity
  DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
  
  
• Rene Holt at WeLiveSecurity
  How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security
  
  
• ZScaler
  • Technical Analysis of PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information Stealers
  • Resurgence of Voicemail-themed Phishing Attacks Targeting Key Industry Verticals in US
    

UPCOMING EVENTS

• Black Hills Information Security
  AASLR: Antisyphon Address Space Layout Randomization
  
  
• Heather Mahalik and Ryan Parthemore at Cellebrite
  Fundamentals Matter: Cellebrite Review Fundamentals – Tips from the Pros
  
  
• Magnet Forensics
  • Tesla Forensics – The Wheels Are There So the Computers Don’t Drag On the Ground
  • Forensic Readiness: A Panacea to Successful Incident Response
    

PRESENTATIONS/PODCASTS

• Acelab
  A Video on the PC-3000 Software Version 7.1.x Main New Features
  
  
• Adrian Crenshaw
  BSides Cleveland
  
  
• Archan Choudhury at BlackPerl
  Threat Hunting Course Free- Day 9, Hunt on Cloud, AWS
  
  
• ArcPoint Forensics
  UNALLOCATED SPACE S1: EP08 Jamie Levy
  
  
• Belkasoft
  Tutorial: Belkasoft X for Tableau TX1 device acquisition
  
  
• Black Hills Information Security
  • Phishing with Microsoft 365 and Microsoft Device Codes | Steve Borosh
  • Configuring SSH Tunnels and VPNs | Ralph May
  • BHIS – Talkin’ Bout [infosec] News 2022-06-13
    
    
• BlueMonkey 4n6
  Magnet Virtual Summit Capture The Flag 2022 – Android. Featuring an intro to ALEAPP
  
  
• Brakeing Down Security Podcast
  jon-dimaggio-part2-threat intel-hacking back-analyzing malware
  
  
• Breaking Badness
  124. Patch Me If You Can
  
  
• Cloud Security Podcast by Google
  EP69 Cloud Threats and How to Observe Them
  
  
• Cybereason
  • Malicious Life Podcast: Hackers vs. Spies – The Stratfor Leaks Part 1
  • Malicious Life Podcast: Hackers vs. Spies – The Stratfor Leaks Part 2
    
    
• Day Cyberwox
  Exploiting AWS – Defender’s Perspective (Flaws2.Cloud)
  
  
• DFIR.Training
  June 14, ,2022 Updates!
  
  
• DFIRScience
  • Linux LVM Ext4 Support in Windows with Arsenal Image Mounter
  • Fast password cracking – Hashcat wordlists from RAM
    
    
• Didier Stevens
  Decoding Obfuscated BASE64 Statistically
  
  
• Digital Forensic Survival Podcast
  DFSP # 330 – Certifications
  
  
• Gerald Auger at Simply Cyber
  🔴 Active Ransomware Incident Response Day in the Life
  
  
• Hacker Valley Blue
  Threat Intelligence: Fiction, Fluff, or Foundational?
  
  
• InfoSec_Bret
  SA – SOC166-116 – Javascript Code Detected in Requested URL
  
  
• John Hammond
  • Automating DOMAIN USERS (AD #02)
  • POWERSHELL: Random Users & Weak Passwords (Active Directory #03)
    
    
• Justin Tolman at AccessData
  CISA Cybersecurity Incident Response Playbooks – Episode 7 – Coordination
  
  
• Magnet Forensics
  • Digital Forensics’s role in e-Discovery
  • Vehicle Forensics: The Road to Success!
    
    
• Nextron Systems
  Aurora Lite Follina Response Sets Demo
  
  
• NTCore
  Blitz 19 Seconds Excel Malware Analysis
  
  
• Paraben Corporation
  • Activating Your E3 Trial
  • Capturing Data through LinkedIn Compliance Archives
  • Analysis of the Windows 10 Timeline
  • Capture Instagram social media data in compliance archives
    
    
• Recon InfoSec
  • Analyzing Timestomping with Velociraptor
  • Live Incident Response with Velociraptor
    
    
• Richard Davis at 13Cubed
  Anatomy of an NTFS FILE Record – Windows File System Forensics
  
  
• SANS Institute
  • ICS Fireside Chat-   Making Use of All Those SBOMS
  • ICS Fireside Chat- NERC CIP
  • ICS Fireside Chat- Mitigating OT Security Risks Using Threat-Informed Failure Scenarios
  • ICS Fireside Chat- Defining Security Functions to Gain Visibility from PLCs
  • ICS Fireside Chat- Sharon Brizinov
  • Prevent, Detect, Respond An Intro to Google Workspace Security and Incident Response
    
    
• The Defender’s Advantage Podcast
  Threat Trends: Tracking Threat Actor Usage of Cryptocurrencies with Chainalysis
  
  
• The DFIR Report
  SANS Ransomware Summit 2022, Can You Detect This?
  

MALWARE

• Stiv Kupchik at Akamai
  Panchan?s Mining Rig: New Golang Peer-to-Peer Botnet Says ?Hi!?
  
  
• ASEC
  • ASEC Weekly Malware Statistics (May 30th, 2022 – June 5th, 2022)
  • CHM Malware Types with Anti-Sandbox Technique and Targeting Companies
  • Follina Vulnerability (CVE-2022-30190) Attack Using ‘Antimicrobial Film Request’ File
  • Malicious HWP Files with BAT Scripts Being Distributed Actively (North Korea/National Defense/Broadcasting)
  • ASEC Weekly Malware Statistics (June 6th, 2022 – June 12th, 2022)
    
    
• Confiant
  • How SeaFlower 藏海花 installs backdoors in iOS/Android web3 wallets to steal your seed phrase
  • How One “Crypto Drainer” Template Facilitates Tens Of Millions Of Dollars In Theft
    
    
• Cyble
  • Hydra Android Malware Distributed Via Play Store
  • Cerber2021 Ransomware Back in Action
    
    
• Doug Burks at Security Onion
  • Quick Malware Analysis: Emotet Epoch 5 infection with spambot traffic pcap from 2022-04-04
  • Quick Malware Analysis: TA578 Contact Forms Campaign Bumblebee Infection with Cobalt Strike pcap from 2022-06-09
  • Quick Malware Analysis: TA578 Thread-hijacked email, Bumblebee, and Cobalt Strike pcap from 2022-06-14
  • Quick Malware Analysis: Malware infection from Brazil malspam pcap from 2022-04-19
  • Quick Malware Analysis: Matanbuchus with Cobalt Strike pcap from 2022-06-16
    
    
• Dor Nizar, Malcolm Heath, Sander Vinberg, and David Warburton at F5
  F5 Labs Investigates MaliBot
  
  
• Joie Salvio and Roy Tay at Fortinet
  New IceXLoader 3.0 – Developers Warm Up to Nim
  
  
• Hex Rays
  • What is QScripts?
  • Igor’s tip of the week #94: Variable-sized structures
    
    
• Lina Lau at Inversecos
  Guide to Reversing and Exploiting iOS binaries Part 2: ARM64 ROP Chains
  
  
• Marco Ramilli
  Running Shellcode Through Windows Callbacks
  
  
• OALABS Research
  • Malware Downloader Triage Notes
  • Diceloader Triage Notes
    
    
• Palo Alto Networks
  GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool
  
  
• Pete Cowman at Hatching
  New Family Additions
  
  
• petikvx
  • Walrus Ransomware
  • Kawaiianime Ransomware
  • Eternity Stealer Ransomware
  • HelloXD Ransomware
  • Wsir Ransomware
  • PAY2DECRYPT Ransomware
  • ZZZlocker Ransomware
  • Janelle Ransomware
    
    
• S2W Lab
  Raccoon Stealer is Back with a New Version
  
  
• Thomas Roccia at SecurityBreak
  [Reverse Engineering Tips] — IDA Pro Shortcut Cheat Sheet
  
  
• Sonatype
  • npm package disables Windows Defender before dropping trojan
  • This Week in Malware: killing Windows Defender with an npm package
    
    
• Joseph C Chen and Jaromir Horejsi at Trend Micro
  Websites Hosting Fake Cracks Spread Updated CopperStealer Malware
  

MISCELLANEOUS

• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 6/18/22
  
  
• Gina Scaldaferri at Cellebrite
  Cellebrite Training Capstone Certification: Your Path To Digital Expert
  
  
• Max Julian Hofmann at CrowdStrike
  Capture the Flag: CrowdStrike Intelligence Adversary Quest 2022
  
  
• Digital Forensic Forest
  Cyber Security Interview Questions
  
  
• Joe St Sauver at DomainTools
  Efficiently Accessing a Moderately-Large Sorted and Uniquely-Keyed CSV File in Python3 with MTBL
  
  
• Lesley Carhart at Dragos
  How Incident Response (IR) Tabletop Exercises Strengthen OT Security Posture
  
  
• EclecticIQ
  5 Questions to ask About Your EDR – Integration
  
  
• Forensic Focus
  • Preparing for an Advanced Cyber Battlefield: The Digital Forensics for National Security Symposium
  • Global Incident Response: DFRWS-EU Keynote, 2022
  • Granular Reporting in Oxygen Forensic Detective
  • Enterprise Forensics: Traditions vs Reality in Modern DFIR
  • University College Dublin Launches MSc in Cybersecurity
    
    
• Group-IB
  “We find many things that others do not even see”
  
  
• Magnet Forensics
  Announcing the Winners of the 2022 Magnet Forensics CTF
  
  
• Poncho
  CyberChef CheatSheet
  
  
• Dave Bogle at Red Canary
  Everything’s a file: Securing the Linux VFS
  
  
• Salvation DATA
  What is Facial Recognition in Video Forensics?
  
  
• SANS
  • Another Major Update to SEC540: Cloud Security and DevSecOps Automation
  • Instructor Spotlight: Josh Johnson
  • Selling the SANS #SecAwareSummit to Your Boss
  • FOR589: Dark Web Threat Hunting & Blockchain Forensics – NEW SANS DFIR Course
    
    
• John Patzakis at X1
  Industry Experts: Proportionality Principles Apply to ESI Preservation and Collection
  

SOFTWARE UPDATES

• Apache
  Release 2.4.1 – 06/14/2022
  
  
• Brian Maloney
  OneDriveExplorer v2022.06.17
  
  
• Csaba Barta
  Memory Baseliner
  
  
• Didier Stevens
  • Update: oledump.py Version 0.0.68
  • Update: python-per-line.py Version 0.0.8
  • New Tool: dns-query-async.py
  • Update: base64dump.py Version 0.0.22
  • New Tool: sortcanon.py
    
    
• Eric Zimmerman
  ChangeLog
  
  
• Erik Hjelmvik at Netresec
  CapLoader 1.9.4 Released
  
  
• Harel Segev
  Prefetch Hash Cracker
  
  
• Jarosław Oparka
  EvtxHussar v1.4
  
  
• Yogesh Khatri
  mac_apt 20220614
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 3.75.1.12
  
  
• Ninoseki
  Mihari v4.7.1
  
  
• Smart Projects
  IsoBuster 5.0 beta released
  
  
• Christopher Maddalena at SpecterOps
  Introducing Ghostwriter v3.0
  
  
• threathunters-io
  Laurel
  
  
• Ulf Frisk
  MemProcFS Version 4.9
  
  
• Xways
  X-Ways Forensics 20.6 Preview 6
  
  
• Yamato Security
  Hayabusa v1.3.2 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!