For incident responders investigating Shadowpad cases, remember to retrieve the volume serial number where #Shadowpad was deployed. The first time the malware is run, it will delete the encoded payload file (<random name>.tmp), and encrypt it in the Windows registry using the volume serial number. Those can also be found in LNK and Prefetch files in case you don't have live access to the host anymore.
You can then use the VolumeID tool from Sysinternals to change the volume serial number of your virtual machine.
https://learn.microsoft.com/en-us/sysinternals/downloads/volumeid
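The volume serial number can be pulled straight out of a .lnk file's LinkInfo/VolumeID structure (MS-SHLLINK layout). The parser below is an added example, not code from the original post; the `build_sample_lnk` helper constructs a minimal shell link in memory purely so the parser can be exercised offline.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FLAG_HAS_ID_LIST = 0x01          # LinkFlags bit 0: a LinkTargetIDList precedes LinkInfo
FLAG_HAS_LINK_INFO = 0x02        # LinkFlags bit 1: LinkInfo structure present
LI_VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit 0: VolumeID present


def lnk_volume_serial(data: bytes):
    """Return the DriveSerialNumber of a shell link as 'XXXX-XXXX', or None if the link carries no VolumeID."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & FLAG_HAS_LINK_INFO:
        return None
    pos = 0x4C                                   # fixed 76-byte ShellLinkHeader
    if flags & FLAG_HAS_ID_LIST:                 # skip LinkTargetIDList: 2-byte IDListSize + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    li_size, li_hdr_size, li_flags, vol_off = struct.unpack_from("<IIII", data, pos)
    if not li_flags & LI_VOLUME_ID_AND_LOCAL_BASE_PATH or vol_off >= li_size:
        return None                              # network-only target, no local VolumeID
    # VolumeID: VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset, ...
    _vol_size, _drive_type, serial = struct.unpack_from("<III", data, pos + vol_off)
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def build_sample_lnk(serial: int, label: bytes = b"OS") -> bytes:
    """Constructed minimal .lnk (local file on a fixed drive) used only to test the parser."""
    base_path = b"C:\\Windows\\Temp\\payload.tmp\x00"
    # VolumeIDSize covers the four DWORD fields plus the NUL-terminated label; DriveType 3 = DRIVE_FIXED
    volume_id = struct.pack("<IIII", 16 + len(label) + 1, 3, serial, 16) + label + b"\x00"
    hdr_size = 0x1C                              # LinkInfoHeaderSize without the optional Unicode offsets
    vol_off = hdr_size
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    body = volume_id + base_path + b"\x00"       # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", hdr_size + len(body), hdr_size,
                            LI_VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off) + body
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", FLAG_HAS_LINK_INFO)
    header += b"\x00" * (0x4C - len(header))    # zero the remaining header fields
    return header + link_info


if __name__ == "__main__":
    print(lnk_volume_serial(build_sample_lnk(0x1A2B3C4D)))
```

Run it on a real .lnk with `lnk_volume_serial(open(path, "rb").read())`; the same value appears as the volume serial in the Prefetch file's volume information block.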
We released a report on an updated version of #Shadowpad including anti-debugging features and a new configuration structure, that in some cases deploys a custom ransomware family. We have mainly seen the manufacturing industry being targeted in Europe and Asia https://www.trendmicro.com/fr_fr/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html
#APT
Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker" https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor
Intelligence Online links the MOONSHINE framework that we discussed in our Earth Minotaur report (https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html) to a Chinese company https://www.intelligenceonline.com/surveillance--interception/2025/01/29/chinese-firm-behind-hacking-operations-against-uyghurs-and-tibetans-unveiled,110368855-evg (article is free but needs registration to access it). Happy new year UPSEC ! 😘
29.1.2025 10:11
Our latest report on a CN #APT targeting tens of government entities worldwide has been published 🥳 After monitoring it for a long time we realized it is likely related to the recent I-Soon company leaks. It discusses their TTPs and provides lots of IOCs https://trendmicro.com/en_us/research/24/c/earth-krahang.html
Targets are spread among 5 continents, although some countries are targeted more heavily: one country had 11 of its government entities compromised. Previous victims are used to compromise new ones by abusing their infrastructure to send spear-phishing emails or host malware.
Their favorite malware toolkits are Reshell, a basic .NET backdoor, and Xdealer, also named Dinodas RAT, two custom malware families. They also use the infamous #CobaltStrike, #PlugX and #Shadowpad. Many of their offensive and post-exploitation tools are retrieved from public sources.
Virus Bulletin released my talk on a #Shadowpad sample delivered by a Pakistan governmental application named eOffice. It contains an analysis of the modified MSI installer, some tricks to pivot on old and new Shadowpad samples, an overview of the #APT campaign, and attribution discussion https://www.youtube.com/watch?v=i52MH-YFEeo
The slides https://virusbulletin.com/uploads/pdf/conference/vb2023/slides/Slides-Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf and paper https://virusbulletin.com/uploads/pdf/conference/vb2023/papers/Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf are also available. In addition to what we published in July in our blog, the paper details our failed attempts to attribute this attack based on custom malware families and their links to other advanced threat actors #threatintel
We found a possible supply chain attack on eOffice application developed by Pakistan government. It delivers #Shadowpad with an updated obfuscation and encryption scheme. The threat actor carefully chose the C&C to blend in legitimate network traffic https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html
It is possible that the MSI installer could have been modified and then redistributed. However, as it was not publicly available at the time of the incident (September 2022), that would imply that the threat actor retrieved it from a PK gov entity before weaponizing it. #APT
The slides https://botconf.eu/wp-content/uploads/2023/04/2023_5856_LUNGHI.pdf and video https://youtube.com/watch?v=713CsmcNE3o of my #Botconf talk about #IronTiger TTPs are online. I discuss recent infection vectors (including a supply chain attack), the evolution of their malware toolkit and targeting, and explain how we attributed these campaigns to #IronTiger #APT27 #APT threat actor
2.5.2023 12:40
My latest #APT research on #IronTiger (#APT27/#EmissaryPanda/#LuckyMouse) is out ! It includes analysis of a new version of SysUpdate ported to Linux, a new communication protocol through DNS TXT requests, a VMProtect certificate compromise, and probable infection vector https://trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
1.3.2023 09:35
Here we go again, someone uploading old APT samples to VT with different submitter IDs, changing the entry point with garbage content, thus generating a new hash. The files embed MS certificates, yet the signature is invalid. A quick script to filter these https://gist.github.com/thehellu/f4f7e70f47848ad0159e0ced9590ded8
I have seen two certificates being used (again, thousands of files as you can see): https://virustotal.com/gui/search/signature%253A%252233%252000%252000%252003%25206C%2520E5%25207E%2520EB%25205D%25201C%2520C2%2520BE%252017%252000%252000%252000%252000%252003%25206C%2522%2520fs%253A2022-12-05%252B/files https://virustotal.com/gui/search/signature%253A%252233%252000%252000%252002%252052%25208B%252033%2520AA%2520F8%252095%2520F3%252039%2520DB%252000%252000%252000%252000%252002%252052%2522%2520fs%253A2022-12-05%252B/files
The script defines a time interval, and ignores the files that are signed by those certificates and that are valid, such as https://virustotal.com/gui/search/signature%253A%252233%252000%252000%252002%252052%25208B%252033%2520AA%2520F8%252095%2520F3%252039%2520DB%252000%252000%252000%252000%252002%252052%2522%2520fs%253A2022-12-05%252B%2520tag%253Asigned%2520NOT%2520tag%253Ainvalid-signature/files
Third time this year I see this kind of behavior... Probably the same person behind this "experiment", files being uploaded from US through the web GUI, with no name (appears as "file" in the Telemetry tab). If you want to see yourself, this is a threat actor's hash https://www.virustotal.com/gui/file/ef51b08234488b6cb51eb949dff5b7421e9a040f73c10a40d5320dac561d944f/details, and this is a modified hash https://www.virustotal.com/gui/file/a3db5bf1e64e28a4ee58f2ff450ed8e46a4bbbd1236dab5b765493fe6fb8a6aa/details
I created a quick n' dirty python3 script using vt-py (https://virustotal.github.io/vt-py/howtoinstall.html) that takes a hash and VT API key as input, and checks whether the file has been uploaded between 2022-11-21 and 2022-11-25 and contains the calc.exe icon or the .benignb section https://gist.github.com/thehellu/f2fe4b563693fded8ed142fdf48f82a2
Feel free to use it to triage your samples
For 2 days, someone has been uploading known #APT samples in PE format to #VirusTotal, with minor changes inside them. The VT submitter changes frequently, the file hash is different, but most of the metadata is similar, leading to hundreds of Livehunt notifications 😢
I did a quick analysis, and found some info you might use to quickly triage those useless files and not waste time analyzing them:
Most of those executables have the legitimate Calc.exe icon, which means they all embed the same resource ! The following VT search query returns almost 10K files embedding that resource: https://virustotal.com/gui/search/resource%253Aa2160d96a1fc0c94875844e0cefeb502a7afef890ce4c5b0fadeb2768d8d039e%2520and%2520fs%253A2022-11-21%252B/files
The same can be achieved using the main_icon_md5 VT modifier https://virustotal.com/gui/search/main_icon_md5%253A80890f0a8ed6b8f7644ae58033396698%2520and%2520fs%253A2022-11-21%252B/files
Some of the uploaded files did not embed this resource. I noticed they had a section named ".benignb", you can find them here: https://virustotal.com/gui/search/section%253A.benignb%2520and%2520fs%253A2022-11-21%252B/files
Note that all of the files (with the icon or with the section) are uploaded with the name "file" in the Telemetry tab
I did not check the differences between former and modified files, but if this is the work of some researcher, I wish he/she will publish the results, in order to justify the wasted time for all the others 😅 I bet it is the same person that appended a Microsoft certificate to thousands of samples in September 🤓
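The triage rule described in the two posts above (first submission inside the 2022-11-21 to 2022-11-25 window, and either the calc.exe icon MD5 or a `.benignb` section) can be applied offline to the attributes of a VirusTotal file object. This is an added example, not the author's gist; it assumes the v3 file-object field names `first_submission_date`, `main_icon.raw_md5` and `pe_info.sections[].name`, and the sample dicts are constructed, not real VT data.

```python
from datetime import datetime, timezone

# Indicators quoted in the thread: icon MD5 of the legitimate calc.exe icon, and the odd section name
CALC_ICON_MD5 = "80890f0a8ed6b8f7644ae58033396698"
NOISE_SECTION = ".benignb"
WINDOW_START = datetime(2022, 11, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 11, 25, 23, 59, 59, tzinfo=timezone.utc)


def is_recycled_upload(attrs: dict) -> bool:
    """True when a VT file object's attributes match the mass-reupload pattern (assumed v3 field names)."""
    ts = attrs.get("first_submission_date")          # Unix epoch seconds in the VT API
    if ts is None:
        return False
    first_seen = datetime.fromtimestamp(ts, tz=timezone.utc)
    if not WINDOW_START <= first_seen <= WINDOW_END:
        return False                                 # outside the burst: analyse normally
    icon_md5 = ((attrs.get("main_icon") or {}).get("raw_md5") or "").lower()
    sections = (attrs.get("pe_info") or {}).get("sections") or []
    has_noise_section = any(s.get("name") == NOISE_SECTION for s in sections)
    return icon_md5 == CALC_ICON_MD5 or has_noise_section


def triage(samples: dict) -> dict:
    """Map each sample label to its verdict so a batch of Livehunt hits can be bucketed."""
    return {name: is_recycled_upload(a) for name, a in samples.items()}


# Constructed attribute dicts for testing only (not real VirusTotal records)
T_IN = int(datetime(2022, 11, 23, 12, 0, tzinfo=timezone.utc).timestamp())
T_OUT = int(datetime(2022, 10, 1, tzinfo=timezone.utc).timestamp())
SAMPLES = {
    "calc_icon_in_window": {"first_submission_date": T_IN, "main_icon": {"raw_md5": CALC_ICON_MD5},
                            "pe_info": {"sections": [{"name": ".text"}]}},
    "benignb_in_window": {"first_submission_date": T_IN, "main_icon": {"raw_md5": "0" * 32},
                          "pe_info": {"sections": [{"name": ".text"}, {"name": ".benignb"}]}},
    "calc_icon_old": {"first_submission_date": T_OUT, "main_icon": {"raw_md5": CALC_ICON_MD5},
                      "pe_info": {"sections": [{"name": ".text"}]}},
    "plain_in_window": {"first_submission_date": T_IN, "main_icon": {"raw_md5": "0" * 32},
                        "pe_info": {"sections": [{"name": ".text"}]}},
}

if __name__ == "__main__":
    for name, noisy in triage(SAMPLES).items():
        print(f"{name}: {'skip' if noisy else 'analyse'}")
```

With vt-py, `attrs` is `client.get_object(f"/files/{sha256}").to_dict()["attributes"]`.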
If you are like me and used Twitter to monitor specific keywords with Tweetdeck, just to find out there is no such thing as general keyword search in here, don't /ragequit yet.
AFAIK, you cannot search for a keyword in random users' toots unless you favorited/boosted them or have been mentioned in them. Which means you already read them and know about their existence in the first place, which is good for bookmarking, but useless for discovering relevant toots from random users.
However, there is a nice feature in the web advanced view (which you can enable in the "Appearance" preferences):
You get a 3-column view, one for notifications, one for your regular timeline, and the last one with the content of your choice: either the federated timeline, the local timeline, your DMs, etc.
That's a nice first step, but there is still a lot of space wasted if you have a big screen and resolution.
Here comes the trick I just learned: if you search for a hashtag (let's say, #apt), you get some hashtags results. By clicking on the one you're interested in, it becomes the content of the 3rd column we mentioned before.
Then, if you click on the top-right icon, a "Pin" feature appears. A final click, and tadaaaa, now you have a 4th and permanent column with a hashtag you are interested in !
You can reproduce the same for any hashtag you want and finally have a reason to buy one of those giant screens :)
It does not match the Twitter keyword feature, but it's still nice. It also means that, as a toot writer, it is important to use relevant hashtags.
10.11.2022 16:33
#introduction I have been working on targeted attacks for a long time now, first as an incident responder, and now doing threat intelligence at Trend Micro.
I usually focus for a while on a threat actor, and when I feel I know enough, publish something about it. The fun part is that very often, while investigating a threat actor, you end up finding stuff on another one, which you can add to your TODO list once the current investigation is completed :)
BTW, this is a good reason to be careful with the attribution out there, infrastructure overlap and tool sharing are common stuff nowadays.
Some of my previous work on #APT groups:
#Patchwork:
https://www.trendmicro.com/en_us/research/17/l/untangling-the-patchwork-cyberespionage-group.html
#Confucius:
https://www.trendmicro.com/fr_fr/research/18/b/deciphering-confucius-cyberespionage-operations.html
https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html
#UrPage/#Bahamut:
https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html
A bit of all previous actors:
https://www.first.org/resources/papers/tallinn2019/Linking_South_Asian_cyber_espionnage_groups-to-publish.pdf
#MuddyWater:
https://www.trendmicro.com/en_us/research/18/k/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools.html
https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf
Maybe APT37 (unconfirmed):
https://www.trendmicro.com/en_us/research/19/c/new-slub-backdoor-uses-github-communicates-via-slack.html
#EarthAkhlut/#Tonto:
https://vb2020.vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf
Operation DRBControl:
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
#EarthBerberoka:
https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exposing-earth-berberoka-a-multiplatform-apt-campaign-targeting-online-gambling-sites
#IronTiger/#EarthSmilodon:
https://www.trendmicro.com/en_no/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html
https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html