Tag: INFOSEC

• A Quick Look at ELF Bifrose (Part 1)

  Bifrose or Bifrost is a backdoor initially targeting Windows systems with a long history. First identified in the early 2000’s, it is believed a hacking group (likely BlackTech), purchased the source code or gained access to it around 2010, and enhanced the malware for use in its own campaigns. BlackTech has long targeted both Windows […]

  Mike

  December 30, 2022

  INFOSEC

  APT, BlackTech, INFOSEC, Malware

• So Long (Go)Daddy | Tracking BlackTech Infrastructure

  Summary BlackTech has built a reputation relying on (much to the delight of defenders) tech-themed domains and predictable registration patterns. Recent reporting linking malicious domains to the actor suggests these patterns may be fading, at least for the time being signifying a departure from the previous infrastructure configuration. Items to Note Background BlackTech, a.k.a. Huapi, […]

  Mike

  September 24, 2022

  INFOSEC

  INFOSEC

• Analyzing Manjusaka Infrastructure

  21 August 2022 Recently, Avast tweeted a GitHub link of indicators of compromise (IOC) linked to the Manjusaka Framework. Cisco Talos released a blog earlier this month covering the framework in great detail, so I will not rehash their great work here. https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html Self-admittedly, I briefly glanced over the detection rules and scripts and immediately […]

  Mike

  August 21, 2022

  INFOSEC

  INFOSEC, Malware

• Overview of AppleSeed Dropper

  

  02 June 2022 Summary The Kimsuky APT Group has routinely utilized the AppleSeed Backdoor to target various entities within South Korea, mainly for the purposes of espionage. While phishing still remains the primary vector of delivering the backdoor, over the past year, Kimsuky has gone to great lengths to disguise its attacks, utilizing numerous types […]

  Mike

  June 5, 2022

  INFOSEC

  APT, INFOSEC, Malware, NorthKorea

• Analyzing the Royal Road to Space Pirates

  

  26 May 2022 While the actual blog post has been difficult to access for some, Positive Technologies released research on the Space Pirates APT group that has been spotted intruding on government, IT, and critical infrastructure networks in Russia, Georgia, and Mongolia. Believed to be operating since at least 2019, the Space Pirates group has […]

  Mike

  May 26, 2022

  INFOSEC

  APT, INFOSEC, Maldoc

• Shortcut to Windows Update

  

  Summary On January 27, 2022, Malwarebytes Labs shared an article covering new tactics including abusing the Windows Update Client for code executing believed to be the work of Lazarus. The purpose of this post will be to cover possible detection points for defenders to identify adversaries misusing the Windows Update Client. Please give the blog […]

  Mike

  February 4, 2022

  INFOSEC

  INFOSEC, Lazarus, lolbin, Malware

• Info-Stealing Tool Posing As Naver OTP

  

  Summary SHA256: 3275f42c85c9e2fcb80d1f8c1c6227c2bcde9c0e719905ddbd2ca7373c6a8ec6 Filename: UpHelpers.exe Size: 3.41MB Extension: EXE Compilation Timestamp: 2022-01-05 23:41:20 Sandbox analysis: https://tria.ge/220118-emrgjsgfb7 UpHelpers.exe is an information-stealing/reconnaissance tool disguised as a Naver One Time Password, (OTP) generator app. Naver is a South Korean web portal that first debuted in 1999 and offers a number of services. The tool collects drive and directory […]

  Mike

  January 18, 2022

  INFOSEC

  INFOSEC, Malware, NorthKorea

• A “GULP” of PlugX

  

  Often attributed to Chinese-speaking threat actors, PlugX a remote access trojan(RAT), was identified by security researchers in 2012. With several variants of the RAT identified by vendors over the year, many techniques used to compromise systems have remained the same. While perusing public malware sandboxes for interesting new samples, I stumbled upon a Windows executable […]

  Mike

  January 6, 2022

  INFOSEC

  APT, INFOSEC, PlugX