Bluepurple Pulse: week ending July 3rd
Fiction and reality continue to blur in the world of cyber..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week the big thing was the cyber attack in Iran against the steelworks due to sanction busting. The quality of the operation's execution (i.e. they broke into the ICS systems) and then the subtle messaging (i.e. they point out how they kept the people safe) indicates this is likely a sophisticated threat actor doing some 💪. Interesting that a likely state-based actor wants to portray this as the capability of a group of unknown heritage. This is the same group that previously disrupted payments in Iran, among other operations.
In the high-level this week:
SSU prevents Russian special services from hacking Ukrainian TV channels participating in national telethon - good news story..
China lured graduate jobseekers into digital espionage - FT investigation reveals student translators were targeted by front company for Beijing-backed hacking group APT40
Deepfakes and Stolen PII Utilized to Apply for Remote Work Positions - warning from the FBI that threat actors are exploiting the remote working environment for hiring using techniques from every insider threat programme's previously ‘unlikely’ category.
What it Takes to Develop a Military Cyber Force - policy perspective from Swiss academics - it is a little lightweight and points to the obvious - people, military/intelligence integration and flexibility within processes.
EY valued NSO Group at $2.3bn months before emergency bailout - to be fair it likely was, if your due diligence doesn’t uncover the smouldering pool of pain due to who it was sold to/how it was used operationally you aren’t going to factor it in the pricing.
Appropriations Committee Releases Fiscal Year 2023 Homeland Security Funding Bill | Cybersecurity and Infrastructure Security Agency (CISA) – The bill includes $2.93 billion for CISA, an increase of $334.1 million above the FY 2022 enacted level and $417.1 million above the request - 🤑🤤 goes every other government department tasked with national cyber defence around the globe.
Project Nemesis, Doxxing and the New Frontier of Informational Warfare - from the Institute of Strategic Dialogue looking at a recent doxing campaign in the Russia/Ukraine conflict.
Supplier hack had “scope to impact entire telco industry" - "We assess with a high degree of confidence that [the supplier] is Syniverse, which in September 2021 reported a breach that had gone undetected by the supplier for five years." - big telecommunications supply chain breach discussed.
Overseas hacker group attacks email system of Chinese university; case filed for further investigations - China doing its own disclosures on allegedly foreign state activity.
The U.S. Needs Controls on Data Brokerage - we know data is being traded and various senators don’t appear happy about the fact, despite US big tech making buckets of cash from the data of people globally.
Cybersecurity review on CNKI underway - China reporting that the top national cyberspace regulator is conducting a security review of the China National Knowledge Infrastructure, the country's largest online academic database, in a bid to prevent risks to national data security and protect public interests - it appears they have woken up to the threat of open source and don’t like it that the world can infer what they are up to through academic publications.
So big news this week is I got an IMDB entry for supporting (by writing the code / advising on what the tools should look like) a new cyber TV docu-drama being shown in the UK (this week on Channel 4) and USA (next month on Peacock) called the Undeclared War. The project started for me in 2019 and has been one of my more novel philanthropic project experiences.
People in the UK / with a UK VPN exit can watch it here - https://www.channel4.com/programmes/the-undeclared-war
Finally in the UK we have some activity around reform of the Computer Misuse Act..

Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022
An analysis of open source reporting on GRU and SVR campaigns resulting in some graphics which will no doubt be used everywhere.
https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html
Hackers attack Ukrainian telecom operators and service providers
Reporting of a really clumsy operation against their telcos and service providers. It doesn’t look overly targeted and appears to try and play the numbers.
The Computer Emergency Response Team of Ukraine (CERT-UA) under the SSSCIP informs of dangerous bulk mail titled “Free legal assistance.” The mails come from an (apparently compromised) address in the gov.ua domain and contain a password-protected attachment “Алгоритм дій членів сім’ї безвісти відсутнього військовослужбовця (Algorithm for family members of MIA soldiers) LegalAid.rar.”
https://cip.gov.ua/en/news/khakeri-atakuyut-ukrayinskikh-operatoriv-i-provaideriv-telekomunikacii
Further reporting on this event is under the article titled Cyberattack against Ukrainian telecommunications operators using DarkCrystal RAT malware, which shows some maldoc tradecraft was also used.
https://cert.gov.ua/article/405538
Killnet, Kaliningrad, and Lithuania's Standoff
Interesting potential link between denial of service operations and some staff members from Conti.
Notably, in a post from June 26, 2022, Killnet labeled Lithuania a “testing ground for our new skills” and additionally said that their “friends from Conti” are eager to fight, likely pointing to a connection between Killnet and Conti, a ransomware collective that also expressed their allegiance to Russia at the beginning of the Russia’s invasion of Ukraine.
https://flashpoint.io/blog/killnet-kaliningrad-and-lithuanias-transport-standoff-with-russia/
GlowSand
Isabelle Quinn provides an analysis of some conflict related maldocs. Interestingly some of these had low detection rates on VT.
https://inquest.net/blog/2022/06/27/glowsand
Russian group claims hack of Lithuanian sites in retaliation for transit ban
Further high-level reporting on the Lithuanian denial of service attacks.
"The main targets are state institutions, transport institutions, media websites," deputy Defence Minister Margiris Abukevicius said, in another sign of deteriorating relations between Baltic NATO country Lithuania and neighbouring Russia because of Moscow's invasion of Ukraine in February.
https://www.reuters.com/technology/lithuania-hit-by-cyber-attack-government-agency-2022-06-27/
Attacks on industrial control systems using ShadowPad
Terrifying reporting if you are the Pakistani and Afghanistan governments. Also shows the slow evolution of tradecraft and the value if you codify it into detections. Attacks have been attributed to a Chinese-speaking threat actor, which will not come as a surprise due to the use of ShadowPad.
In mid-October 2021 Kaspersky ICS CERT researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan. Infected machines included engineering computers in building automation systems that are part of the infrastructure of a telecommunications company.
During the investigation researchers uncovered larger-scale activity by the threat actor in the network of the telecommunications company and also identified other victims of the campaign. We found malicious artifacts in organizations in the industrial and telecommunications sectors in both Pakistan and Afghanistan. Moreover, another attack was uncovered, using an earlier, but with very similar set of tactics, techniques and procedures (TTPs), against a logistics and transport organization (a port) in Malaysia
https://ics-cert.kaspersky.com/publications/attacks-on-industrial-control-systems-using-shadowpad/
ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks
Breaching the edge to pivot into networks is nothing new. Danny Adam and Steve Rudd evidence that someone is doing it to SOHO devices at scale. Now one would lean towards Chinese attribution here, but that link isn’t made explicitly in the reporting - although a regional link is shown.
We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold. While we currently have a narrow view of the full extent of the actor’s capabilities due to the limited state of SOHO device monitoring in general we have enumerated some of the command-and-control (C2) infrastructure associated with this activity and identified some of the targets. We assess with high confidence the elements we are tracking are part of a broader campaign.
There was a second set of actor-controlled C2 infrastructure used to interact with the Windows RATs that was hosted on internet services from China-based organizations, namely Alibaba’s Yuque and Tencent.
https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/
Pro-PRC DRAGONBRIDGE Influence Campaign
Interestingly information operations are being deployed against companies around some critical materials used in electronics. It is interesting that China appears to want to dissuade or slow up some activities designed to ensure no dependence on them for supply.
Recently, we identified and investigated a subset of information operations activity we attribute to the DRAGONBRIDGE campaign across social media that targeted the Australian rare earths mining company, Lynas Rare Earths Ltd, with content criticizing its alleged environmental record and calling for protests of its planned construction of a rare earths processing facility in Texas. Subsequently in June, we observed additional DRAGONBRIDGE activity begin to target the Canadian rare earths mining company Appia Rare Earths & Uranium Corp and the American rare earths manufacturing company USA Rare Earth with negative messaging in response to potential or planned rare earths production activities involving those companies.
https://www.mandiant.com/resources/dragonbridge-targets-rare-earths-mining-companies
Evilnum APT returns with updated TTPs and New Targets
Sahil Antil and Sudeep Singh continue their spate of useful reporting on this unattributed APT group who has been known to conduct information theft and espionage operations. Reporting on this group first emerged in mid-2020.
[We have] been closely monitoring the activities of the Evilnum APT group. We identified several instances of their low-volume targeted attack campaigns launched against our customers in the UK and Europe region.
The key targets of the Evilnum APT group have predominantly been in the FinTech (Financial services) sector, specifically companies dealing with trading and compliance in the UK and Europe.
In March 2022, we observed a significant update in the choice of targets of Evilnum APT group. They targeted an Intergovernmental organization which deals with international migration services.
The timeline of the attack and the nature of the chosen target coincided with Russia-Ukraine conflict.
https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets
Typod Python Packages
Ax Sharma documents some malicious packages designed to look related to some other well used packages. The fact that the threat actor had such sloppy opsec to allow anyone to then access the stolen information is the standout.
Last week, [we] discovered multiple Python packages that not only exfiltrate your secrets—AWS credentials and environment variables but rather upload these to a publicly exposed endpoint.
https://blog.sonatype.com/python-packages-upload-your-aws-keys-env-vars-secrets-to-web
Avos ransomware group expands with new attack arsenal
Flavio Costa, Chris Neal and Guilherme Venere show the reality of cyber i.e. the tools did their thing, but no one reviewed the events. Also note the varied implant frameworks used by the threat actor (likely to evade increasing CobaltStrike detections).
In a recent customer engagement, we observed a month-long AvosLocker campaign.
The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners.
The initial ingress point in this incident was a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell. While Cisco products were deployed on the network, the appliances were never configured, allowing the attacker to gain access to internal servers and maintain a foothold.
During the time the attacker was active in the network, several security events were detected by the security products but were not reviewed by the security team, which could have prevented the ransomware activity.
http://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html
Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
Vishal Kamble and team document that Bumblebee is being used by various organised crime groups to gain their initial access.
By analysis of three other tools used in recent attacks involving Bumblebee, [we have] linked this tool to a number of ransomware operations including Conti, Quantum, and Mountlocker.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
There Is More Than One Way to Sleep
A unique sandbox evasion technique with a limited lifetime of execution to ensure they look busy and boring before they do their thing. Neat trick for sure and the fact that organised crime found it and used it in the wild is of note.
[We] have discovered Zloader and BazarLoader samples that had interesting implementations of a sandbox evasion technique. This blog post will go into details of the unique implementations of API Hammering in these types of malware. API Hammering involves the use of a massive number of calls to Windows APIs as a form of extended sleep to evade detection in sandbox environments.
https://unit42.paloaltonetworks.com/api-hammering-malware-families/
Discovery
How we find and understand the latent compromises within our environments.
KQL for Microsoft Intune - First of 50 days of queries
Ugur Koc is intending to provide 50 days of Intune related KQL queries. Help get those mobile devices under robust management.
The goal of this repository is to share awesome KQL Queries that will help every Intune Administrator to filter for relevant information and also present the data visually to interested parties in the form of an Azure Workbook.
https://github.com/ugurkocde/KQL_Intune
De-anonymizing ransomware domains on the dark web
Paul Eubanks provides some excellent tradecraft (which we can expect some actors to now defend against) and also raises an interesting point in the context of UK Computer Misuse Act reform because of this line:
Double dot slash has been shown to be illegal under the UK’s 30 year old CMA law as shown in R v Cuthbert in 2005. As such no researchers based in the UK could conduct this type of research nor apply it for the good shown in this article.
We have developed three techniques to identify ransomware operators' dark websites hosted on public IP addresses, allowing us to uncover previously unknown infrastructure for the DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups.
The methods we used to identify the public internet IPs involved matching threat actors’ TLS certificate serial numbers and page elements with those indexed on the public internet, as well as taking advantage of ransomware operators’ security failures.
In de-anonymizing the dark web infrastructure used by ransomware actors, we can enable hosting providers to reduce illegal activity on their networks, enhance threat actor tracking, assist in possible law enforcement investigations, and/or slow ransomware operations as they make operational changes.
http://blog.talosintelligence.com/2022/06/de-anonymizing-ransomware-domains-on.html
Velociraptor Version 0.6.5: Table Transformations and More
Carlos Canto details a new release of this wonderful forensics tool, including:
Velociraptor collections or hunts are usually post-processed or filtered in Notebooks. This allows users to refine and post-process the data in complex ways. For example, to view only the Velociraptor service from a hunt collecting all services (Windows.System.Services), one would click on the Notebook tab and modify the query by adding a WHERE statement.
French CERT launch MISP feed of IoCs
Much 💖 for the 🇫🇷 government here. They have released a free MISP feed of IoCs from their technical reporting. This will save teams globally lots of effort copying and pasting from PDFs, blog posts and similar. 👏 All governments should follow in their footsteps.
https://misp.cert.ssi.gouv.fr/feed-misp/
Defence
How we proactively defend our environments.
A Beginners All Inclusive Guide to ETW (Windows)
Blake from Microsoft’s DART team provides a wonderful overview of ETW (Event Tracing for Windows). Anyone protecting a Windows estate should make the time to read this.
http://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw
krabsetw
KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions
https://github.com/microsoft/krabsetw
Dealing with large BloodHound datasets
Arris Huijgen provides a great read and useful tooling for dealing with very large BloodHound datasets. Scaling is what we are all going to have to do and this is a good practical set of steps of how it starts.
In this article I describe some of my experiences using BloodHound, including the challenges I ran into when trying to import large datasets. I also provide alternative ways to query the BloodHound database so depending on the scenario, different types of data can be extracted for further analysis and reporting. I hope this post provides some new insights that you can use to your advantage.
https://blog.bitsadmin.com/blog/dealing-with-large-bloodhound-datasets
The code for this can be found here:
https://github.com/bitsadmin/chophound
Announcing Windows 11 Insider Preview Build 25145
The legacy Local Administrator Password Solution product (aka “LAPS”) is now a native part of Windows and includes many new features and is AAD compatible as well.
Offense
Attack capability, techniques and tradecraft.
LAPSDumper: Dumping LAPS from Python
Does what it says on the tin..
https://github.com/n00py/LAPSDumper
The Phantom Credentials of SCCM: Why the NAA Won’t Die
Duane Michael provides some robust resilience advice for those who are heavily invested in the on-premises Microsoft ecosystem. Make sure all the loose ends are tidied.
If a Windows machine has ever been an SCCM client, there may be credential blobs for the network access account (NAA) on disk.
If an Active Directory account has ever been configured as an NAA, there may be credential blobs for that account on Windows hosts in the environment.
Stop using NAAs and transition to Enhanced HTTP. That’s not enough! The credentials may persist on former clients. The NAA accounts should be disabled/removed from Active Directory!
https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9
Spoofing Call Stacks To Confuse EDRs
William Burgess drops some offensive tradecraft that if adopted is going to degrade some detection capabilities.
Call stacks are an understated yet often important source of telemetry for EDR products. They can provide vital context to an event and be an extremely powerful tool in determining false positives from true positives (especially for credential theft events such as handle access to lsass). An example of this is that attackers will typically reside in-memory via injected code. This unbacked, or floating memory, will show up in call stacks when making API calls and appear highly anomalous.
https://labs.withsecure.com/blog/spoofing-call-stacks-to-confuse-edrs/
Disabling Security Event Log on Microsoft Windows
Through the addition of one registry key you can turn Windows into WinPE (Windows Preinstallation Environment) and thus disable logging. The host needs to be rebooted to recover.
A strong IoC to watch for is on the registry key
CurrentControlSet\Control\MiniNt
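One way to watch for the IoC above, added here as an example and not taken from the linked research: it scans Sysmon-style registry events (IDs 12, 13 and 14) for activity on the MiniNt key. The events are constructed samples, the field names assume logs exported with Sysmon's registry event fields, and the full path is taken to be under HKLM\SYSTEM, where CurrentControlSet resolves to ControlSet00N.

```python
import re

# Sysmon registry event IDs: 12 = key/value create or delete,
# 13 = value set, 14 = key/value rename.
REGISTRY_EVENT_IDS = {12, 13, 14}

# Match the MiniNt key (or anything beneath it) in the machine hive only.
# CurrentControlSet is a link to ControlSet00N, so accept both spellings,
# plus the raw kernel form \REGISTRY\MACHINE\... some collectors emit.
MININT_RE = re.compile(
    r"^(?:hklm|hkey_local_machine|\\registry\\machine)"
    r"\\system\\(?:currentcontrolset|controlset\d{3})"
    r"\\control\\minint(?:\\.*)?$",
    re.IGNORECASE,
)


def touches_minint(path):
    """True if a registry path is the MiniNt key or a child of it."""
    if not path:
        return False
    return MININT_RE.match(path.strip().rstrip("\\")) is not None


def find_minint_events(events):
    """Return one finding per registry event that touches the MiniNt key."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_EVENT_IDS:
            continue
        # Rename events (ID 14) carry the destination path in NewName,
        # so a key renamed *into* MiniNt must be caught as well.
        hits = [p for p in (ev.get("TargetObject"), ev.get("NewName"))
                if touches_minint(p)]
        if not hits:
            continue
        event_type = ev.get("EventType", "")
        findings.append({
            "time": ev.get("UtcTime"),
            "host": ev.get("Computer"),
            "image": ev.get("Image"),
            "event_type": event_type,
            "path": hits[0],
            # Deleting the key is the clean-up half of the story: still worth
            # recording, but it is the creation that precedes the log gap.
            "severity": "info" if event_type.startswith("Delete") else "high",
        })
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "Computer": "WS01",
     "UtcTime": "2022-07-01 09:14:02.101", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\MiniNt"},
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS01",
     "UtcTime": "2022-07-01 09:15:40.554", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\Example"},
    # Lookalike name: must not match.
    {"EventID": 12, "EventType": "CreateKey", "Computer": "WS02",
     "UtcTime": "2022-07-01 10:02:11.000", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\MiniNtBackup"},
    # Key created under another name, then renamed into place.
    {"EventID": 14, "EventType": "RenameKey", "Computer": "WS03",
     "UtcTime": "2022-07-01 11:30:45.300", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\ControlSet001\Control\Temp1",
     "NewName": r"HKLM\System\ControlSet001\Control\MiniNt"},
    # Same relative path in a user hive: not the machine-wide key.
    {"EventID": 12, "EventType": "CreateKey", "Computer": "WS03",
     "UtcTime": "2022-07-01 11:31:00.000", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\System\CurrentControlSet\Control\MiniNt"},
    {"EventID": 12, "EventType": "DeleteKey", "Computer": "WS01",
     "UtcTime": "2022-07-01 12:00:00.000", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\MiniNt"},
    # Non-registry event: ignored.
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in find_minint_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['host']} "
              f"{f['event_type']} {f['path']} by {f['image']}")
```

Sysmon only emits these events if its configuration includes the Control key in its registry rules, so confirm that before relying on the absence of hits.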
Embedding Payloads and Bypassing Controls in Microsoft InfoPath
Eugene Lim provides an interesting technique for prompt-less resource loading which will have value for some recon purposes.
While browsing a SharePoint instance recently, I came across an interesting URL in the form https://<server>/_layouts/FormServer.aspx?XsnLocation=https://<server>/resource/Forms/template.xsn. The page itself displayed a web form that submitted data to SharePoint. Intrigued by the .xsn extension, I downloaded the file and started investigating what turned out to be Microsoft InfoPath’s template format. Along the way, I discovered parts of the specification that enabled loading remote payloads, bypassing warning dialogs, and other interesting behaviour.
https://spaceraccoon.dev/embedding-payloads-bypassing-controls-microsoft-infopath/
The hidden side of Seclogon part 3: Racing for LSASS dumps
Covers how to get LSASS dumps (i.e. the password hashes) using various novel techniques which may not be detected.
"Unfortunately, even if the seclogon process opens a new process handle to lsass to create a child process, we cannot duplicate that handle from seclogon because it's closed shortly after. I didn't want to deal with race conditions, so I started to explore some alternative way to get my hands on a lsass process handle... (Well, technically it's possible to steal that lsass handle in a reliable way."
https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
Extracting Whitelisted Paths from Windows Defender ASR Rules
Get the paths that mean payloads will go undetected for those second and third stages.
https://adamsvoboda.net/extracting-asr-rules/
Mangle
The fragile payload detection ecosystem just got more fragile. This is why detection of post-compromise actions becomes critical.
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
FabricScape: Escaping Service Fabric and Taking Over the Cluster
A cloud scale vulnerability..
[We] identified FabricScape (CVE-2022-30137), a vulnerability of important severity in Microsoft’s Service Fabric – commonly used with Azure – that allows Linux containers to escalate their privileges in order to gain root privileges on the node, and then compromise all of the nodes in the cluster. The vulnerability could be exploited on containers that are configured to have runtime access, which is granted by default to every container.
https://unit42.paloaltonetworks.com/fabricscape-cve-2022-30137/
Empire 4.6.0/4.6.1 post compromise framework released
Various further C# obfuscations added to this post compromise framework to frustrate detections.
https://github.com/BC-SECURITY/Empire/releases/tag/v4.6.1?s=09
Vulnerability
Our attack surface.
CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus
This product was the root cause of various nation state intrusions previously. New vulnerability means more sobbing.
CVE-2022-28219 is an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory. The vulnerability comprises several issues: untrusted Java deserialization, path traversal, and a blind XML External Entities (XXE) injection.
If you’re running ADAudit Plus in your enterprise, we strongly recommend upgrading to build 7060 or later to fix this vulnerability.
https://www.horizon3.ai/red-team-blog-cve-2022-28219/
CookieMonsteRCE: Stored XSS to RCE in ASG Zena
James Barnett and Jeff Green provide details of vulnerabilities that will likely be scanned for and exploited due to environment access they will provide.
Zeke and Zena are two enterprise IT orchestration tools by ASG Technologies (a Rocket Software Company)
[We show] how even a simple vulnerability like stored XSS, can lead to a worst-case scenario such as RCE (Remote Code Execution) on the hosting server and lateral movement through the network.
https://phoenix-sec.io/2022/06/17/Zena-CookieMonsteRCE.html
Bug: Cisco IOS SNMPv3 ACL Issues
Gerry Gosselin shows that even large western network equipment OEMs struggle to get the basics right too. Scanning in 3..2..
We discovered on our Cisco IOS router, SNMPv3 was listening on an interface’s network and broadcast addresses. We also discovered evidence that SNMPv3 may be exposed to the public Internet despite typical ACL configurations.
https://medium.com/@gerrygosselin/cisco-ios-snmpv3-acl-issues-66dbab0bd138
Commonly existing PLC Supply Chain Threats: Multiple critical vulnerabilities in Codesys Runtime
Large number of ICS vulnerabilities from 🇨🇳 with 💙
We conducted an in-depth research on CODESYS V2 runtime and PLCs using this kernel (ABB AC500 PLCs)
We found 11 vulnerabilities in CODESYS V2 runtime;
2 of all accepted vulnerabilities graded as critical, 7 as high risk, and 2 as medium risk.
https://github.com/ic3sw0rd/Codesys_V2_Vulnerability
Unrar Path Traversal Vulnerability affects Zimbra Mail
More sobbing for e-mail servers, this payload can be emailed so could be sprayed around the Internet with ease.
We discovered a 0-day vulnerability in the unrar utility, a 3rd party tool used in Zimbra. The vulnerability ultimately allows a remote attacker to execute arbitrary code on a vulnerable Zimbra instance without requiring any prior authentication or knowledge about it.
https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/
Exploitation
What is being exploited.
Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
US Government reporting around the ongoing exploitation of Log4Shell in the VMware ecosystem. They have released a whole host of IoCs in this post.
Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.
https://www.cisa.gov/uscert/ncas/alerts/aa22-174a
further reporting:
Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)
Mayank Deshmukh provides a writeup of the exploitation of this vulnerability and the class more generally. Useful for those looking to discover this class of vulnerability at scale.
Tooling and Techniques
Low level tooling for attack and defence researchers.
The Matrix
A process inspection tool aimed at easing the malware analysis task
In this post I'll describe a project that I created to ease the malware analysis process. The goal of the project is to run a target binary in a controlled environment and log the Win32 function calls. I wanted to create something that is easy to extend and robust.
http://antonioparata.blogspot.com/2022/06/thematrix-process-inspection-tool-aimed.html
Footnotes
Some other small bits and bobs which might be of interest.
Ziring Keynote at Cybersecurity Automation Workshop - Keynote for Cybersecurity Automation Workshop from Ziring who is NSA and who has been involved in security automation since 2005. Worth a listen on why we should care..
Conti vs. LockBit: A Comparative Analysis of Ransomware Groups - When we rank the top 10 ransomware groups in terms of the number of organizations that had their data leaked (from November 2019 to March 2022), we see two clear leaders - useful data.
Why Cyber Dogs Have Yet to Bark Loudly in Russia’s Invasion of Ukraine - analysis piece on why cyber hasn’t been the conflict slam dunk we expected.
How Threat Actors Hijack Attention: The 2022 Social Engineering Report - some useful analysis and quantification of technologies / techniques used.
Societal Risks and Potential Humanitarian Impact of Cyber Operations - from the Geneva Academy of International Humanitarian Law and Human Rights. Designed to provide an up-to-date assessment of existing risks and protection needs in light of contemporary and future military cyber capabilities.
That’s all folks.. until next week..