MalwareLab.pl (@malwarelabpl) 's Twitter Profile
MalwareLab.pl

@malwarelabpl

Malware Research. Threat Intelligence. Trainings - [email protected]

ID: 1227190787244515328

Website: https://malwarelab.pl | Joined: 11-02-2020 11:21:42

19 Tweets

593 Followers

3 Following

/ˈziːf-kɒn/ (@x33fcon) 's Twitter Profile Photo

mak at #x33fcon 2020! Fishing Elephant, or How To Build Cloud Based APT x33fcon.com/#!s/mak.md Register: x33fcon.com/#!conference.m…

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

We put some effort into analyzing #RoyalRoad (aka 8t) rtf weaponizer. Take a look blog.malwarelab.pl/posts/on_the_r… /cc nao_sec #APT #malware #ThreatIntel

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

New #aggah campaign, #GuLoader added to chain Doc: 7418b898c989e3fb0d13b5db2c9773478e23150c590acad5832ccc3c14b80a26 remote payloads: hxxp://office-updates-index[.]com/{Report.rtf,Attack.jpg,File.vbs, track.jpg,max.bin} #AgentTesla c2: fxp://ftp.centredebeautenellycettier[.]fr/

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

Second part (and last;) of our #Nazar's #APT tool is live. blog.malwarelab.pl/posts/nazar_ey… . With some experimental #snort/#suricata rule for your amusement #Malware #ThreatIntel #sig37 /cc J. A. Guerrero-Saade

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

Couple of #Lazarus #APT samples, with decoy documents referencing Lockheed Martin, BAE Systems, The Boeing Company. Downloads remote templates and drops double-base64 encoded patched sqlite3 dlls, iocs: gist.github.com/mak/81f6161f85… patched/added exports: sqlite3_stmt_all,sqlite3_stepsW

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

We wrote up our analysis of a validator dropped by documents used by #Lazarus; this validator was used in a campaign described by telsy as well as the ones recently conducted against LockheedMartin, BAESystemsplc, Boeing. blog.malwarelab.pl/posts/lazarus_… cc: Emanuele De Lucia Arkbird

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

#APT #Konni 6973fa7aed812980f0539302d64e618f Name: North Korea-South Korea Relations.doc Downloads: hxxp://footballs.sportsontheweb.net/{2,3}.dat c2:hxxp://footballs.sportsontheweb.net custom alphabet for base64 used to conceal strings
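
Two of the posts above mention string-obfuscation tricks that come up constantly when triaging droppers: the Lazarus documents drop DLLs that are base64-encoded twice, and the Konni document hides its strings behind base64 with a custom alphabet. The following is an added example, written for this page and not code from MalwareLab.pl or from either malware family. It shows how to decode both patterns in one generic routine, plus the reversing step that usually precedes it: scanning a binary for the 64-character string constant that holds the custom alphabet. The alphabet used below is a rotation of the standard one chosen for the demo, not the alphabet the Konni sample uses, and the "binary" and the encoded string are constructed here so the block runs offline.

```python
import base64
import string

# The RFC 4648 alphabet, used as the reference ordering for all translations.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def _check_alphabet(alphabet: str, pad: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or pad in alphabet:
        raise ValueError("alphabet must be 64 distinct characters and must not contain the pad symbol")


def b64encode_custom(raw: bytes, alphabet: str, pad: str = "=") -> str:
    """Base64-encode with a non-standard alphabet. Used here only to build test data."""
    _check_alphabet(alphabet, pad)
    table = str.maketrans(STD_ALPHABET + "=", alphabet + pad)
    return base64.b64encode(raw).decode("ascii").translate(table)


def b64decode_custom(data: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode base64 that uses a non-standard alphabet.

    Each custom symbol is mapped back to its standard counterpart, padding the
    sample may have stripped is restored, and the stdlib does the bit-packing.
    validate=True makes stray bytes raise instead of decoding to garbage.
    """
    _check_alphabet(alphabet, pad)
    table = str.maketrans(alphabet + pad, STD_ALPHABET + "=")
    translated = data.translate(table).rstrip("=")
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated, validate=True)


def decode_layers(data: str, alphabets) -> bytes:
    """Peel nested base64 layers, outermost first; each layer has its own alphabet."""
    blob = data.encode("ascii")
    for alphabet in alphabets:
        blob = b64decode_custom(blob.decode("ascii"), alphabet)
    return blob


def find_alphabet_candidates(blob: bytes, length: int = 64):
    """Scan a binary for runs of `length` distinct printable bytes.

    Custom base64 alphabets are almost always stored as a single string
    constant, so a window of 64 distinct printable characters is a strong
    candidate. After a hit the scan skips past it so one run yields one result.
    """
    printable = set(string.printable.encode()) - set(b" \t\r\n\x0b\x0c")
    found = []
    i = 0
    while i + length <= len(blob):
        window = blob[i:i + length]
        if len(set(window)) == length and set(window) <= printable:
            found.append(window.decode("ascii"))
            i += length
        else:
            i += 1
    return found


# Hypothetical demo alphabet: the standard one rotated by 13. This is NOT the
# alphabet used by the Konni sample referenced in the post above.
DEMO_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

# Constructed stand-in for a dropped binary with the alphabet embedded as a constant.
FAKE_BINARY = b"MZ" + b"\x90" * 14 + DEMO_ALPHABET.encode("ascii") + b"\x00" * 16

# Constructed "double base64" blob: inner layer custom alphabet, outer layer standard.
SAMPLE_PLAINTEXT = b"hxxp://example.invalid/2.dat"
SAMPLE_BLOB = base64.b64encode(
    b64encode_custom(SAMPLE_PLAINTEXT, DEMO_ALPHABET).encode("ascii")
).decode("ascii")


def recover_sample() -> bytes:
    """Recover the alphabet from the fake binary, then strip both layers."""
    alphabet = find_alphabet_candidates(FAKE_BINARY)[0]
    return decode_layers(SAMPLE_BLOB, [STD_ALPHABET, alphabet])


if __name__ == "__main__":
    print("alphabet candidates:", find_alphabet_candidates(FAKE_BINARY))
    print("outer blob:", SAMPLE_BLOB)
    print("recovered:", recover_sample())
```

Feeding a custom-alphabet string to a plain `base64.b64decode` does not fail; it returns wrong bytes, which is why the scan-for-64-distinct-printables step matters more than the decoder itself. Real samples sometimes also stash the alphabet across several constants or build it at runtime, in which case the candidate scan finds nothing and the alphabet has to be pulled from the decode loop in a debugger.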

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

Interesting clue about operation timeline of #Higaisa based on samples from Malwarebytes's article - before jumping to shellcode loader checks if current year is in [2018,2021] time frame (it also makes quite a good #yara ) #APT #Malware #ThreatHunting #threatintel

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

bunch of #TA505 docs with name: Human Resources Annual Report.docx (list: github.com/MalwareLab-pl/…) mimics real vba code, will drop a dll with typical packer and #get2 with c2: shr-links[.]com probable lure email: virustotal.com/gui/file/91459… #ThreatIntel #Malware #APT #ThreatHunting

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

document (virustotal.com/gui/file/ab541… - Bubar Parlimen.docx) dropping #DADSTACHE, download urls: hxxps://armybar.hopto[.]org/{RemoteLoad.dotm,LogiMailApp.exe,LogiMail.dll,Encrypted} c2: tomema.myddns[.]me #Leviathan/#APT40 cc: Brian Bartholomew

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

This time we write about #Skidware - blog.malwarelab.pl/posts/venom/ | We found new #hackforums grade rat based on #Quasar - it's hilarious, check it out #Malware //cc JAMESWT_MHT James Casperinous

CSIS Security Group (@csis_cyber) 's Twitter Profile Photo

mak is our next speaker at #CCCC2020. He worked before as Senior Security Researcher in Kaspersky GReAT or Principal Botnet owner at CERT.pl. He'll talk about #Fishing Elephant, or How to Build a Cloud-Based #APT. bit.ly/3dSx8E0 #Conference

MalwareLab.pl (@malwarelabpl) 's Twitter Profile Photo

Last month, for Amnesty Tech, we analyzed an OSX sample of #FinFisher and provided other insights we gathered along the way, including some scripts aiding further analysis. If you need any help with any #malware related problems, don't hesitate to drop us an email, we are happy to help!