As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- David Spreadborough at Amped
  - Open-Box Acquisition Using the Internal Hard Disk Drive
- Kushalveer Singh Bachchas at AT&T Cybersecurity
  - Digital dumpster diving: Exploring the intricacies of recycle bin forensics
- blueteam0ps
  - det-eng-samples
- Elcomsoft
  - Open-Sourcing Raspberry Pi Software for Firewall Functionality: Secure Sideloading of Extraction Agent
- Forensafe
  - Investigating Default Web Browser on Windows
- Kevin Pagano at Stark 4N6
  - NahamCon CTF 2023 – Forensics
- Paritosh at InfoSec Write-ups
- Salvation DATA
  - How Database Forensics works on New Cybercrime Platforms?
- Marcus Hallberg at Spotify Engineering
  - Analyzing Volatile Memory on a Google Kubernetes Engine Node
- Terryn Valikodath at chocolatecoat4n6
  - Get Good at Documentation
- Thomas Millar at TrustedSec
  - Incident Response: Bring Out the Body File
THREAT INTELLIGENCE/HUNTING
- Adam Goss
  - Python Threat Hunting Tools: Part 8 — Parsing JSON
- Anomali
  - Anomali Cyber Watch: Cadet Blizzard – New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
- Jeremy Fuchs at Avanan
- Martin Zugec at Bitdefender
  - Unpacking RDStealer: An Exfiltration Malware Targeting RDP Workloads
- Brad Duncan at Malware Traffic Analysis
  - 2023-06-17 – 30 days of Formbook: Day 13, Saturday 2023-06-17 – “MR04”
  - 2023-06-18 – 30 days of Formbook: Day 14, Sunday 2023-06-18 – “JY05”
  - 2023-06-19 – 30 days of Formbook: Day 15, Monday 2023-06-19 – “CE18”
  - 2023-06-20 – 30 days of Formbook: Day 16, Tuesday 2023-06-20 – “F1W6”
  - 2023-06-21 – 30 days of Formbook: Day 17, Wednesday 2023-06-21 – ModiLoader for XLoader “NVP4”
  - 2023-06-22 – 30 days of Formbook: Day 18, Thursday 2023-06-22 – “K2L0”
  - Files for an ISC diary (obama271 Qakbot)
- CERT Ukraine
- CERT-AGID
  - Summary of malicious campaigns in the week of 17 – 23 June 2023
- Check Point
  - ‘Sign in to continue’ and suffer: Attackers abusing legitimate services for credential theft
  - 19th June – Threat Intelligence Report
  - Phishing Tools for Purchase: A Closer Look at Facebook Scamming Groups
  - Stealthy USB: New versions of Chinese espionage malware propagating through USB devices found by Check Point Research
  - Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives
- Cisco’s Talos
  - Threat Roundup for June 16 to June 23
- Cofense
- Cyberwarzone
- Cyble
- darkQuasar
  - AIMOD2
- Flashpoint
  - Unmasking Anonymous Sudan: Timeline of DDoS Attacks, Affiliations, and Motivations
- Matteo at Forensics Matters
  - urldna.io search function
- Intel471
- Invictus Incident Response
  - AWS CloudTrail cheat sheet
- Keisuke Shikano at JPCERT/CC
  - TSUBAME Report Overflow (Jan-Mar 2023)
- Jumpsec Labs
- KELA
  - Your Malware Has Been Generated: How Cybercriminals Exploit the Power of Generative AI and What Can Organizations Do About It?
- Raúl Redondo at Lares Labs
  - The Phantom Menace: Exposing hidden risks through ACLs in Active Directory (Part 1)
- Rabindra Dev Bhatta at Logpoint
  - BianLian Ransomware’s Shapeshift to Encryption-less Extortion
- Matt Suiche at Magnet Forensics
  - CL0P: Hunting a New Kind of Ransomware
- Bill Cozens at Malwarebytes Labs
  - 5 facts to know about the Royal ransomware gang
- Marco Ramilli
  - 2023 Breaches and Incidents: Personal Notes
- Microsoft Security
  - IoT devices and Linux-based systems targeted by OpenSSH trojan campaign
- Takashi Koide at NTT Security Japan
  - Detecting Phishing Sites Using ChatGPT
- Palo Alto Networks
- Phylum
  - Phylum Discovers Sophisticated Ongoing Attack on NPM
- Proofpoint
  - Cybercrime Targeting Italy
- Mohammad Amr Khan at Pulsedive
  - Akira Ransomware
- Recorded Future
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, April 2023 (ENG)
- Caroline Fenstermacher at ReliaQuest
  - Goot to Loot—How a Gootloader Infection Led to Credential Access
- root@V3dedBlog:~#
  - Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 2)
- Miles Arkwright and James Tytler at S-RM Insights
  - Cyber Intelligence Briefing: 23 June 2023
- SANS Internet Storm Center
  - Malware Delivered Through .inf File, (Mon, Jun 19th)
  - Malicious Code Can Be Anywhere, (Tue, Jun 20th)
  - Analyzing a YouTube Sponsorship Phishing Mail and Malware Targeting Content Creators, (Wed, Jun 21st)
  - Qakbot (Qbot) activity, obama271 distribution tag, (Thu, Jun 22nd)
  - Word Document with an Online Attached Template, (Fri, Jun 23rd)
  - Email Spam with Attachment Modiloader, (Sat, Jun 24th)
- Security Intelligence
- Securonix
  - Securonix Threat Labs Security Advisory: Detecting New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities to Drop Multiple RAT Payloads With Security Analytics
- SentinelOne
  - Terminator EDR Killer (Spyboy) | Detecting and Preventing a Windows BYOVD Attack
- Simone Kraus
- Puja Mahendru at Sophos
  - The State of Ransomware in Manufacturing and Production 2023
- Symantec Enterprise
  - Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries
- System Weakness
  - Windows RDP Event Logs: Part-2
  - Incident Detection and Response
  - Using Responder to Capture Credentials
  - Dissecting the Phish: Intro to Phishing Investigations — Useful Online Resources
  - enhancing my knowledge for fileless malware alerts. here’s how
  - Investigating a Fake KDDI Smishing Campaign that abuses Duck DNS
- The Sleuth Sheet
- Threatmon
  - Technical Analysis of RDPCredentialStealer: Uncovering Malware Targeting RDP Credentials with API Hooking
- Todyl
  - Threat Advisory: XWorm, Part 2 – Breaking Down the .NET Loader and v4.0
- Trellix
  - Trellix Detects China-Affiliated APT Groups Behind Most Nation-State Threat Activity
- Trend Micro
- Radoslaw Zdonczyk and Mariusz Siedlecki at Trustwave SpiderLabs
  - Honeypot Recon: MSSQL Server – Database Threat Overview ’22/’23
- VirusTotal
UPCOMING EVENTS
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2023-06-26
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Ali Hadi
- Black Hills Information Security
- Breaking Badness
  - 158. Zero Days of Our Lives
- Cellebrite
- Cisco’s Talos
  - Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
- cloudyforensics
  - Lambda Forensics & Incident Response
- CySecK
- Digital Forensic Survival Podcast
  - DFSP # 383 – WMI Exploitation
- InfoSec_Bret
  - SA – SOC202-153 – FakeGPT Malicious Chrome Extension
- James Spiteri at ‘Oh My Malware!’
  - Oh My Malware – Episode 8 – AMOS
- John Hammond
- John Hubbard at ‘The Blueprint podcast’
- Magnet Forensics
- MSAB
- OALabs
  - Tips to Learn Reverse Engineering: Avoid These Common Pitfalls!
- SANS
  - A Visual Summary of SANS Ransomware Summit 2023
- SANS Cloud Security
  - Building Better Cloud Detection By Hacking | Azure Edition
- Sumuri
  - SUMURI Podcast Episode 019 – Fast, Accurate, and Compassionate
- Snigdha Basu at The Citizen Lab
  - Citizen Lab on Jamal Khashoggi widow suing spyware firm NSO Group: CBC Radio – As It Happens with Nil Köksal, Chris Howden
- Uriel Kosayev
  - Debugging DLL Files with IDA Disassembler
MALWARE
- Any.Run
  - Gh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery
- ASEC
  - Warning: Malware Disguised as a Security Update Installer Being Distributed
  - Damages to Multiple Korean Websites Created by a Certain Website Development Company
  - ASEC Weekly Phishing Email Threat Trends (June 4th 2023 – June 10th, 2023)
  - RecordBreaker Infostealer Disguised as a .NET Installer
  - Tsunami DDoS Malware Distributed to Linux SSH Servers
  - RedEyes Group Wiretapping Individuals (APT37)
  - Kimsuky Distributing CHM Malware Under Various Subjects
  - Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox)
- Avertium
  - Analyzing Embedded Files in Malicious OneNote Documents
- CISA Analysis Reports
- Cryptax
  - Inside KangaPack: the Kangaroo packer with native decryption
- Shaul Vilkomir-Preisman and Mark Vaitzman at Deep Instinct
  - PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID
- Matthew at Embee Research
  - SmokeLoader – Malware Analysis and Decoding With Procmon
- Fortinet
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #145: HTML export
- Aaron Hoffmann at ReversingLabs
  - How to Investigate Security Incidents with Threat Intelligence in Microsoft Sentinel
- Securelist
- SentinelOne
  - Automating String Decryption and Other Reverse Engineering Tasks in radare2 With r2pipe
- Ax Sharma at Sonatype
  - PyPI Attackers Still At It: Malicious Packages Drop Trojans and Info-stealers
- Ben Martin at Sucuri
  - Remote Code Execution Backdoor Uses Unicode Obfuscation & Non-Standard File Extensions
- Zhassulan Zhussupov
  - Malware AV/VM evasion – part 17: bypass UAC via fodhelper.exe. Simple C++ example.
- Shatak Jain and Gurkirat Singh at ZScaler
  - Ransomware Redefined: RedEnergy Stealer-as-a-Ransomware attacks
MISCELLANEOUS
- Adam at Hexacorn
  - The myth of “knowing your org” -> know_your_org.docx
- ADF Solutions
  - How to View Encrypted Messages with ADF
- Belkasoft
  - DIY YARA vs. YARA with Belkasoft X
- Ben Heater
  - Upgrading Wazuh Components
- Doug Burks at Security Onion
  - Red Hat, Rocky Linux, and Security Onion
- Forensic Focus
- Monica Harris at Cellebrite
- Tess Mishoe at Red Canary
  - Responders assemble: Unboxing Red Canary’s Backdoors & Breaches expansion deck
- SANS
  - Cybersecurity Jobs: Vulnerability Researcher & Exploit Developer (Japanese)
SOFTWARE UPDATES
- Andrew Rathbun
- AbdulRhman Alfaifi
  - Fennec v0.3.5
- Acelab
  - New version of the PC-3000 Mobile 2.4x is available now
- Corelight
  - Extending Visibility Through Our New ICS/OT Collection | Corelight
- Digital Sleuth
  - WIN-FOR v7.1.0-rc1
- Doug Burks at Security Onion
  - Security Onion 2.3.260 now available including Suricata 6.0.13, Grafana 9.2.19, CyberChef 10.4.0, and more!
- Elcomsoft
  - checkm8 extraction for iOS 15.7.6 and 16.5
- Foxton Forensics
  - Browser History Examiner — Version History – Version 1.19.1
- IsoBuster
  - IsoBuster 5.2 released
- Malwoverview
  - Malwoverview 5.2
- Mandiant
  - flare-floss QUANTUMSTRAND preview 7
- Metaspike
  - Forensic Email Intelligence 2.1.9 Release Notes
- Florian Roth at Nextron Systems
  - New THOR 10.7.8 TechPreview Features
- Ninoseki
  - Azuma v0.2.0
- OpenCTI
  - 5.8.3
- Passware
  - Passware Kit Mobile 2023 v4 Now Available
- DFIR-HBG
  - v1.2.1 – Major improvements
- Xways
  - X-Ways Forensics 20.9 Beta 3b
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!