Discover and read the best of Twitter Threads about #APT32

Most recents (7)

In 2019, a mysterious account called @m4lwatch started dumping extremely relevant information on #Sandworm. Shortly thereafter, they mentioned a company: NTC Vulcan. Fast-forward three years and that company is in the spotlights #VulkanFiles
spiegel.de/netzwelt/web/v…

Short thread
Almost every researcher tracking Russian APTs was following @m4lwatch. This screenshot tells you why: m4lwatch is talking about infrastructure related to #Sandworm almost six months before it showed up in an advisory sent out by the NSA (PDF).

media.defense.gov/2020/May/28/20…
(h/t to @jfslowik who alerted us to this piece of information and helped us understand big chunks of the files.) Anyway, m4lwatch started publishing information on "NTC Vulkan". He even posted diagrams on a supposed exploitation framework called "Znatok"
Read 9 tweets
Facebook’s @ngleicher was right about linking #APT32 to CyberOne and here is why:
As per Group-IB #ThreatIntelligence & #Attribution the domain cbo[.]group had an IP 45[.]61[.]136[.]214 in the A-record. On this IP address, we detected a unique SSH 4b390f0b7125c0d01fe938eb57d24051 Image
According to Group-IB Graph Network Analysis, this fingerprint was also seen on 30 other hosts including on 45[.]61[.]136[.]166 and 45[.]61[.]136[.]65. Both were used to deploy a uniquely configured #CobaltStrike framework, used exclusively by #APT32 aka #OceanLotus Image
All the listed IPs belong to the autonomous network - AS53667 within the range of 45.61[.]128[.]0 to 45[.]61[.]191[.]255. We've also seen #APT32 hosting #CobaltStrike on the 45[.]61[.]139[.]211, which was indicated in the A-record of feeder[.]blogdns[.]com
Read 3 tweets
Pokéregex Challenge:
How many of the 719 Pokémon can you capture in a single regular expression that fits in a tweet?

Here's what to match: gist.githubusercontent.com/itsreallynick/…

Here are awesome regex resources: raw.githubusercontent.com/aloisdg/awesom… [this same text blob will also be used to measure FPs😊]
If you haven't done something like this before, here's a [crappy] bash one-liner to start:

sh -c 'pattern="your|regex"; echo 🎯 Pokémon:; curl -s gist.githubusercontent.com/itsreallynick/… | grep -ioE $pattern | wc -l; echo 🚯 Noise:; curl -s github.com/aloisdg/awesom… | grep -ioE $pattern | wc -l'
Oh, if it wasn't clear ... you put your regular expression in where it says "your|regex"

Because, as written, the results are pretty terrible 😄 [pictured]

This is similar to an interview question @TekDefense & I would ask @ Mandiant.
It's also an #APT32 hunting tweet. 😉🌶️ This is probably a terrible...
Read 7 tweets
OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-re…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
Read 9 tweets
We've all received emails with no attachment and assume it's "safe" to open in a mail client (as long as we don't explicitly click on any URLs). Right?

Not so much...
Let's talk about email tracking pixels for a minute and how sales/marketing (as well as real threat actor's) can use them to evaluate the success of an email marketing (or phishing) campaign...or for information gathering before sending a follow-up payload.

#DFIR #APT32
Let's start with the basics of tracking pixels.

I'm not attending @RSAConference - but I get marketing emails like this one. If you use the Outlook client - have you ever noticed the "to help protect your privacy; Outlook prevented automatic download of some pictures."?
Read 11 tweets
Stopped using PowerShell for attacks?
Seems to be working just fine for #APT32 🇻🇳

lang.ps1 uploaded yesterday (3/56): virustotal.com/gui/file/f5e74…
I appreciate their signature obfuscation style (pictured)

The underlying backdoor here is very creative... [1/2] Image
...MD5: 82990e2c0432e579a00ab1f75da0dd65
Uploaded to:
- @anyrun_app: app.any.run/tasks/0b459c37…
- @virusbay_io: beta.virusbay.io/sample/browse/…

Connects to attributed C2 over... protocols 😉:
background.ristians[.]com
plan.evillese[.]com
worker.baraeme[.]com
enum.arkoorr[.]com
[2/2]
@anyrun_app @virusbay_io 3 unique Hanoi, VN submitters in the past 24 hours 🇻🇳🔍
Read 3 tweets
Fresh APT loader technique for today's #DailyScriptlet:

cs=Array(#,#,#,#,...): cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd)

This is remotely loaded into memory from source phishing doc that uses renamed wscript & pubprn.vbs to load COM Scriptlet.
@bwithnell and I shared an earlier version of this #APT32 phish technique:
Relevant slide screenshots attached.

They are continually improving each phase of their dynamic, multi-stage infection chain.
@bwithnell SPOILER: the VBScript *still* doesn't properly convert temperatures as promised, but it *will* load good tidings of great Cobalt Strike 🎅🏽
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!