Discover and read the best of Twitter Threads about #RainDrop
Most recents (3)
***BIG NEWS***
We couldn’t be more delighted with this #RareDiseaseDay announcement of a new Rare Disease Clinical Trial Network, from @hrbireland. And we're very proud to be part of it.
Full press release 👉 bit.ly/3ssuejN
A thread 🧵 (1/6)...
We couldn’t be more delighted with this #RareDiseaseDay announcement of a new Rare Disease Clinical Trial Network, from @hrbireland. And we're very proud to be part of it.
Full press release 👉 bit.ly/3ssuejN
A thread 🧵 (1/6)...
Congratulations to Prof Rachel Crowley (@rachsail) & Prof Cormac McCarthy, of @UCDMedicine, for their drive to make a difference to the rare disease patients that they see in their clinics & people living with rare diseases all across the country.
#RareDiseaseDay (2/6)
#RareDiseaseDay (2/6)
Kudos to @hrbireland for getting behind their vision and for making such a big commitment to rare diseases, beyond their already significant commitments through the HRCI-HRB Joint Funding Scheme & other schemes.
@DonnellyStephen welcomed the announcement.
#RareDiseaseDay (3/6)
@DonnellyStephen welcomed the announcement.
#RareDiseaseDay (3/6)
#GoldMax (aka #SUNSHUTTLE) is a new and capable backdoor written in Go/Golang. It is typically used as a late-stage (e.g. 3+) backdoor brought into an environment using access enabled via #TEARDROP, #RainDrop and other related malware deployed by #NOBELIUM/UNC2452.
#GoldMax creates & maintains a config file (name unique to each implant). The config file is AES-256 encrypted (unique-to-each-implant key) & then Base64 encoded (custom alphabet, '=' replaced with null). A handy C2 command allows the operators to update certain config fields.
As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on transition between Stage 1 and 2 of #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploit. artifacts, IOCs: microsoft.com/security/blog/…
Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
