Joshua Penny (@josh_penny)'s Twitter Profile
Joshua Penny

@josh_penny

Senior Threat Intelligence Analyst @Bridewellsec

ID:469613879

Link: http://bridewell.com · Joined: 20-01-2012 19:57:21

539 Tweets

1.8K Followers

886 Following

Yashraj Solanki (@RustyNoob619)

Today we delivered a session on Adversary Infrastructure Tracking that we conducted in 2023; here are some of the key stats🐧

=> USA and China hosted 50% of total C2 servers

=> Top 🇺🇸 ASNs: Amazon & Digital Ocean

=> Top 🇨🇳 ASNs: Tencent, Alibaba & Huawei

More on Infostealers ⬇️

Yashraj Solanki (@RustyNoob619)

STIX 2.1 supports YARA as an Indicator pattern type. This allows intel providers to distribute YARA rules in an automated fashion🐧

I wrote a Python script to convert an input YARA rule file into a STIX 2.1 JSON Bundle and also create a relationship with a Malware object

github.com/RustyNoob-619/…

Yashraj Solanki (@RustyNoob619)
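The post above describes a YARA-to-STIX converter without showing it. The script below is an added example written for this page, not the author's script from the linked repository; it builds the same three pieces a consumer would expect (a Malware SDO, one Indicator per rule with `pattern_type` set to `yara`, and an `indicates` Relationship from each Indicator to the Malware) using only the standard library, and adds the consumer-side check a TIP operator would want before ingesting such a bundle. The sample rules, strings and malware name are constructed for the example.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample YARA file standing in for the "input YARA rule file";
# the rules, strings and names are made up for this example.
SAMPLE_YARA = r'''
rule Example_Stealer_Strings
{
    meta:
        description = "Constructed example rule, not a real detection"
    strings:
        $a = "example_marker_string"
    condition:
        $a
}

rule Example_Stealer_Header : stealer
{
    strings:
        $mz = { 4D 5A 90 00 }
    condition:
        $mz at 0
}
'''

_RULE_HEADER = re.compile(r'\b(?:(?:private|global)\s+)*rule\s+([A-Za-z0-9_]+)')


def split_yara_rules(text):
    """Return (rule_name, rule_source) pairs from a YARA file.

    Minimal brace-matching splitter: braces inside double-quoted strings are
    ignored, and hex strings such as { 4D 5A } open and close their own braces.
    Comments are not handled; a real converter would use the yara-python parser.
    """
    rules, pos = [], 0
    while True:
        m = _RULE_HEADER.search(text, pos)
        if not m:
            return rules
        open_brace = text.find('{', m.end())
        if open_brace == -1:
            return rules
        depth, in_string, i = 0, False, open_brace
        while i < len(text):
            c = text[i]
            if in_string:
                if c == '\\':
                    i += 1          # skip the escaped character
                elif c == '"':
                    in_string = False
            elif c == '"':
                in_string = True
            elif c == '{':
                depth += 1
            elif c == '}':
                depth -= 1
                if depth == 0:
                    break
            i += 1
        rules.append((m.group(1), text[m.start():i + 1].strip()))
        pos = i + 1


def _stix_timestamp():
    # STIX 2.1 timestamps are RFC 3339 in UTC with a trailing "Z".
    return datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.000Z')


def _common(obj_type, ts):
    # Properties every STIX 2.1 domain/relationship object must carry.
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}


def yara_to_stix_bundle(yara_text, malware_name, timestamp=None):
    """Build a STIX 2.1 bundle: one Malware SDO, one Indicator per rule
    (pattern_type "yara"), and an "indicates" Relationship for each."""
    ts = timestamp or _stix_timestamp()
    malware = {**_common("malware", ts), "name": malware_name, "is_family": True}
    objects = [malware]
    for name, source in split_yara_rules(yara_text):
        indicator = {**_common("indicator", ts), "name": name,
                     "pattern": source, "pattern_type": "yara", "valid_from": ts}
        relationship = {**_common("relationship", ts),
                        "relationship_type": "indicates",
                        "source_ref": indicator["id"], "target_ref": malware["id"]}
        objects += [indicator, relationship]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def check_bundle(bundle):
    """Consumer-side sanity checks before loading a bundle into a TIP.
    Returns a list of problems (empty when the bundle looks sound)."""
    problems = []
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not o["id"].startswith(o["type"] + "--"):
            problems.append(f"{o['id']}: id prefix does not match type")
        if o["type"] == "indicator":
            looks_like_yara = o["pattern"].lstrip().startswith(("rule", "private", "global"))
            if o.get("pattern_type") != "yara" or not looks_like_yara:
                problems.append(f"{o['id']}: not a YARA pattern")
        if o["type"] == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o[ref] not in ids:
                    problems.append(f"{o['id']}: dangling {ref}")
    return problems


if __name__ == "__main__":
    bundle = yara_to_stix_bundle(SAMPLE_YARA, "ExampleStealer")
    print(json.dumps(bundle, indent=2))
    print("problems:", check_bundle(bundle))
```

Each rule becomes its own Indicator rather than one Indicator carrying the whole file, so a consumer can accept, expire or revoke rules individually; the `check_bundle` pass rejects bundles whose relationships point at objects that are not in the bundle, which is the most common breakage when feeds are stitched together from several sources.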

YARA rule for Python #UPSTYLE Backdoor used in #0Day against Palo Alto Networks (@PaloAltoNtwks) GlobalProtect VPNs

github.com/RustyNoob-619/…

Thanks to Germán Fernández (@1ZRR4H) for uploading the sample to MalwareBazaar, which enabled rule creation 🐧

Also, check out YARA rules by Volexity (@Volexity) here:
github.com/volexity/threa…

Yashraj Solanki (@RustyNoob619)

#100DaysofYARA Day85: Detecting Strela Stealer

github.com/RustyNoob-619/…

While I covered StrelaStealer in my previous YARA rule, this variant has a different import hash along with a couple of other properties.

Link to previous rule: github.com/RustyNoob-619/…

ULTRAFRAUD (@ULTRAFRAUD)

"Your browser version is too old, please upgrade your browser version"
Signed #AsyncRAT stealer dressed as Chrome (@googlechrome) targeting Chinese users 💀 Low detection rate 🦠
/download-updata.com
C2 /s2.download-updata.com
tria.ge/240323-vjw6mac…

Bloodshot_CTI (@Bloodshot_CTI)

Russian threat actor COLDRIVER/Callisto has recently been identified employing a new backdoor family.

Here's some KQL for conducting proactive hunting for SPICA malware.

github.com/BloodshotCTI/K…

@bridewellsec @josh_penny @RustyNoob619 #SPICA #malware #threathunting

Yashraj Solanki (@RustyNoob619)

#100DaysofYARA Day79: An Interesting Rust Backdoor/Stealer

YARA rule matches on 39 files, with one being the Spica backdoor used by Russian APT COLDRIVER aka Callisto

Currently only one sample surfacing on VT🐧

@bridewellsec @josh_penny @Bloodshot_CTI

github.com/RustyNoob-619/…

Valéry Rieß-Marchive | @valerymarchive.bsky.social (@ValeryMarchive)

This 👇 is interesting and suggests that we can no longer consider only the possibility of a common initial access broker when one victim is claimed under more than one brand.
I've counted 88 cases of cross-claims since Jan. 1st, 2023. Let's take a look...

crep1x (@crep1x)

For those unfamiliar with the 'crypter' threat and its use by cybercriminals, I invite you to read our analysis on the subject!

Crypters are essential for malware distribution.

Excellent and comprehensive paper by Livia!

⬇️

twitter.com/sekoia_io/stat…

ULTRAFRAUD (@ULTRAFRAUD)

Interesting loader disguised as CreateStudio Pro, dropping an obfuscated Python payload via PythonAnywhere (@pythonanywhere) 🐳
/download-createstudioo.com
/kingkh.pythonanywhere.com
↪️/kingkh.pythonanywhere.com/SRC/test.zip

Karol Paciorek (@karol_paciorek)

Thrilled to share our latest CSIRT KNF (@CSIRT_KNF) report on #HookBot & #HookBuilder, where I contributed as a co-author!

📊 Diving deeper into the infrastructure and tools behind this Android malware.

📖 A must-read for #cybersecurity enthusiasts: cebrf.knf.gov.pl/images/Hookbot…

Germán Fernández (@1ZRR4H)

🎯 Hunting #Grandoreiro Infrastructure (1st stage):

▪ Shodan: http.html_hash:1528083672 port:443 org:"Microsoft Corporation"
▪ Censys: services.http.response.body_hash='sha1:b6306fe94c164053882259f3d3105e6c4519bf81' and services.port=`443` and…

Michael Koczwara (@MichalKoczwara)

In February, we'll release modules/lessons on👇

A comprehensive guide about tracking Sliver C2 🔥
Hunting Cobalt Strike redirectors ⚡️ (APT29 style)
Using the Diamond Model of Intrusion Analysis 💎
Hunting APT38 and APT43 part 2 🇰🇵
Magecart 🧙‍♂️
Tips for open directories 🕵️
and…

Yashraj Solanki (@RustyNoob619)

#100DaysofYARA Day34: Suspicious AnyDesk-impersonating software

Downloaded the latest AnyDesk software, which has the latest code signing certificate. The loose rule detects software with any other cert thumbprint.

github.com/RustyNoob-619/…

Inspired by Florian Roth's (@cyb3rops) YARA rule 🐧
