Discover and read the best of Twitter Threads about #APT32

Most recents (6)

Facebook’s @ngleicher was right about linking #APT32 to CyberOne and here is why:
As per Group-IB #ThreatIntelligence & #Attribution the domain cbo[.]group had an IP 45[.]61[.]136[.]214 in the A-record. On this IP address, we detected a unique SSH 4b390f0b7125c0d01fe938eb57d24051 Image
According to Group-IB Graph Network Analysis, this fingerprint was also seen on 30 other hosts including on 45[.]61[.]136[.]166 and 45[.]61[.]136[.]65. Both were used to deploy a uniquely configured #CobaltStrike framework, used exclusively by #APT32 aka #OceanLotus Image
All the listed IPs belong to the autonomous network - AS53667 within the range of 45.61[.]128[.]0 to 45[.]61[.]191[.]255. We've also seen #APT32 hosting #CobaltStrike on the 45[.]61[.]139[.]211, which was indicated in the A-record of feeder[.]blogdns[.]com
Read 3 tweets
Pokéregex Challenge:
How many of the 719 Pokémon can you capture in a single regular expression that fits in a tweet?

Here's what to match: gist.githubusercontent.com/itsreallynick/…

Here are awesome regex resources: raw.githubusercontent.com/aloisdg/awesom… [this same text blob will also be used to measure FPs😊]
If you haven't done something like this before, here's a [crappy] bash one-liner to start:

sh -c 'pattern="your|regex"; echo 🎯 Pokémon:; curl -s gist.githubusercontent.com/itsreallynick/… | grep -ioE $pattern | wc -l; echo 🚯 Noise:; curl -s github.com/aloisdg/awesom… | grep -ioE $pattern | wc -l'
Oh, if it wasn't clear ... you put your regular expression in where it says "your|regex"

Because, as written, the results are pretty terrible 😄 [pictured]

This is similar to an interview question @TekDefense & I would ask @ Mandiant.
It's also an #APT32 hunting tweet. 😉🌶️ This is probably a terrible...
Read 7 tweets
OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-re…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
Read 9 tweets
We've all received emails with no attachment and assume it's "safe" to open in a mail client (as long as we don't explicitly click on any URLs). Right?

Not so much...
Let's talk about email tracking pixels for a minute and how sales/marketing (as well as real threat actor's) can use them to evaluate the success of an email marketing (or phishing) campaign...or for information gathering before sending a follow-up payload.

#DFIR #APT32
Let's start with the basics of tracking pixels.

I'm not attending @RSAConference - but I get marketing emails like this one. If you use the Outlook client - have you ever noticed the "to help protect your privacy; Outlook prevented automatic download of some pictures."?
Read 11 tweets
Stopped using PowerShell for attacks?
Seems to be working just fine for #APT32 🇻🇳

lang.ps1 uploaded yesterday (3/56): virustotal.com/gui/file/f5e74…
I appreciate their signature obfuscation style (pictured)

The underlying backdoor here is very creative... [1/2] Image
...MD5: 82990e2c0432e579a00ab1f75da0dd65
Uploaded to:
- @anyrun_app: app.any.run/tasks/0b459c37…
- @virusbay_io: beta.virusbay.io/sample/browse/…

Connects to attributed C2 over... protocols 😉:
background.ristians[.]com
plan.evillese[.]com
worker.baraeme[.]com
enum.arkoorr[.]com
[2/2]
@anyrun_app @virusbay_io 3 unique Hanoi, VN submitters in the past 24 hours 🇻🇳🔍
Read 3 tweets
Fresh APT loader technique for today's #DailyScriptlet:

cs=Array(#,#,#,#,...): cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd)

This is remotely loaded into memory from source phishing doc that uses renamed wscript & pubprn.vbs to load COM Scriptlet.
@bwithnell and I shared an earlier version of this #APT32 phish technique:
Relevant slide screenshots attached.

They are continually improving each phase of their dynamic, multi-stage infection chain.
@bwithnell SPOILER: the VBScript *still* doesn't properly convert temperatures as promised, but it *will* load good tidings of great Cobalt Strike 🎅🏽
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!