snabelen.no is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Norwegian home for the decentralised microblogging platform.

#happyhunting

Just Another Blue Teamer<p>Good day everyone!</p><p>An APT group known as Angry Likho (a.k.a. Sticky Werewolf) is being monitored by Kaspersky's Securelist researchers and they have identified hundreds of victims of a recent attack in Russia, several in Belarus, and additional incidents in other countries. They used an age-old technique of spear-phishing to gain initial access that had various attachments that would contain the legitimate bait file as well as other files, in some cases malicious LNK files. Execution would lead to a newly discovered implant named FrameworkSurvivor.exe.</p><p>As usual, check out all the juicy details that I left out and enjoy the read! Happy Hunting!</p><p>Angry Likho: Old beasts in a new forest<br><a href="https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">securelist.com/angry-likho-apt</span><span class="invisible">-attacks-with-lumma-stealer/115663/</span></a></p><p>Intel 471 Cyborg Security, Now Part of Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a></p>
Just Another Blue Teamer<p>Good day everyone!</p><p>Fortinet's FortiGuard Labs discovered a new variant of the <a href="https://ioc.exchange/tags/Snake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Snake</span></a> keylogger, a.k.a. "404 Keylogger". According to the report, most of the detections from their "FortiSandbox" have come from China, Turkey, Indonesia, Taiwan, and Spain, but if you aren't from these countries, you still may be a target! </p><p>Behaviors (MITRE ATT&amp;CK):<br>Persistence - TA0003:<br>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - After the malware is executed, it drops a copy of itself in the %Local_AppData%\supergroup directory, then copies itself to the %Startup% folder. </p><p>Defense Evasion - TA0005:<br>Process Injection: Process Hollowing - T1055.012 - The malware injects itself into a legitimate .NET process; in this sample it was RegSvcs.exe. This allowed it to run within a trusted process to evade detection.</p><p>Command And Control - TA0011:<br>Application Layer Protocol: Web Protocols - T1071.001<br>Application Layer Protocol: Mail Protocols - T1071.003</p><p>The malware used multiple techniques to upload stolen credentials. The researchers observed SMTP, Telegram bots, and HTTP POST requests to transmit the data.</p><p>As usual, go check out the research for yourself to check out the details that I left out and support the good work! 
Enjoy and Happy Hunting!</p><p>FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant<br><a href="https://www.fortinet.com/blog/threat-research/fortisandbox-detects-evolving-snake-keylogger-variant" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">fortinet.com/blog/threat-resea</span><span class="invisible">rch/fortisandbox-detects-evolving-snake-keylogger-variant</span></a></p><p>Intel 471 Cyborg Security, Now Part of Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a></p>
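Added hunting example (not part of the post above or of Fortinet's research): a small rule set that walks Sysmon-style events and flags the three behaviours summarised in the post, the drop into %LOCALAPPDATA%\supergroup and the Startup folder, RegSvcs.exe launched by an unexpected parent, and RegSvcs.exe talking to mail ports or Telegram. Field names and every event value are constructed for the example.

```python
"""Heuristic hunt for the Snake keylogger behaviours: Startup-folder persistence,
RegSvcs.exe process hollowing, and SMTP/HTTP/Telegram exfiltration.
Events use Sysmon-like field names (assumed); all values are constructed."""
import re

REGSVCS = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
DROPPER = "C:\\Users\\u\\AppData\\Local\\supergroup\\invoice.exe"
STARTUP = ("C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
           "\\Programs\\Startup\\invoice.exe")

# Constructed sample telemetry: five malicious records and one benign one.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": "C:\\Users\\u\\Downloads\\invoice.exe",
     "target": DROPPER},
    {"event": "FileCreate", "image": DROPPER, "target": STARTUP},
    {"event": "ProcessCreate", "image": REGSVCS, "parent": DROPPER},
    {"event": "NetworkConnect", "image": REGSVCS,
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"event": "NetworkConnect", "image": REGSVCS,
     "dest_host": "smtp.example.invalid", "dest_port": 587},
    # Benign: RegSvcs.exe started by Visual Studio (assumed developer activity).
    {"event": "ProcessCreate", "image": REGSVCS,
     "parent": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe"},
]

# Paths the post names as persistence locations (Startup folder, supergroup dir).
PERSIST_DIRS = re.compile(
    r"\\AppData\\Local\\supergroup\\|\\Start Menu\\Programs\\Startup\\", re.I)
# Parents for which a RegSvcs.exe launch is expected (assumed allow-list).
DEV_PARENTS = re.compile(r"\\(devenv|msbuild|dotnet)\.exe$", re.I)
MAIL_PORTS = {25, 465, 587}


def is_regsvcs(path):
    return path.lower().endswith("\\regsvcs.exe")


def hunt(events):
    """Return (label, detail) tuples for events matching the post's behaviours."""
    alerts = []
    for e in events:
        img = e.get("image", "")
        if e["event"] == "FileCreate" and e["target"].lower().endswith(".exe") \
                and PERSIST_DIRS.search(e["target"]):
            alerts.append(("startup-folder persistence drop", e["target"]))
        elif e["event"] == "ProcessCreate" and is_regsvcs(img) \
                and not DEV_PARENTS.search(e["parent"]):
            alerts.append(("T1055.012 RegSvcs.exe hollowing candidate", e["parent"]))
        elif e["event"] == "NetworkConnect" and is_regsvcs(img):
            if e["dest_port"] in MAIL_PORTS:
                alerts.append(("T1071.003 mail exfil from RegSvcs.exe", e["dest_host"]))
            elif e["dest_host"].endswith("telegram.org") or e["dest_port"] in (80, 443):
                alerts.append(("T1071.001 web exfil from RegSvcs.exe", e["dest_host"]))
    return alerts
```

Running `hunt(SAMPLE_EVENTS)` yields five alerts and stays silent on the developer-launched RegSvcs.exe record.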
Just Another Blue Teamer<p>Good day everyone, new Blizzard has dropped!</p><p>Microsoft's Threat Intelligence shares their research on a Russian state actor dubbed <a href="https://ioc.exchange/tags/SeashellBlizzard" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SeashellBlizzard</span></a>! Part of the GRU, they specialize in operations from espionage to information operations and cyber-enabled disruptions, which have resulted in destructive attacks and manipulation of ICS. They have leveraged different types of malware, including <a href="https://ioc.exchange/tags/KillDisk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>KillDisk</span></a>, <a href="https://ioc.exchange/tags/FoxBlade" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FoxBlade</span></a>, and <a href="https://ioc.exchange/tags/NotPetya" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NotPetya</span></a>. </p><p>Behavior Summary (With MITRE ATT&amp;CK):<br>Initial Access - TA0001:<br>Exploit Public-Facing Application - T1190<br>Seashell Blizzard commonly exploited vulnerable public-facing infrastructure. </p><p>Persistence - TA0003:<br>Create or Modify System Process: Windows Service - T1543.003<br>Among other means of persistence, Seashell Blizzard created a system service.</p><p>Execution - TA0002:<br>Command and Scripting Interpreter: PowerShell - T1059.001<br>Command and Scripting Interpreter: Windows Command Shell - T1059.003<br>Seashell Blizzard abused both of these living-off-the-land binaries for multiple reasons and using multiple different parameters. </p><p>As always, there are WAAAAY too many technical details here, so go check it out yourself! 
Enjoy the read and Happy Hunting!</p><p>The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation<br><a href="https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">microsoft.com/en-us/security/b</span><span class="invisible">log/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/</span></a></p><p>Intel 471 Cyborg Security, Now Part of Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a></p>