Discover and read the best of Twitter Threads about #TEARDROP
Most recents (3)
#niet_in_journaal #nieuwsuur #1V #Op1 #bbvpro #NPORadio1 @envirosec @LeeSpacey #Russia #cyberwarfare #SolarWinds #retaliation aljazeera.com/news/2021/3/9/…
#niet_in_journaal #nieuwsuur #1V #OP1 #bbvpro #NPORadio1 @envirosec @LeeSpacey #US #cyberwarfare #cybersecurity #NSC #Jen_Easterley #Rob_Silvers #Anne_Neuberger #Philip_Reiner #Michael_Sulmeyer #Elizabeth_Sherwood_Randall #Russ_Travers #Caitlin_Durkovich aljazeera.com/news/2021/1/22…
Ik vermoed dat we #Anne_Neuberger de komende weken wat meer in de gaten moeten gaan houden. #niet_in_journaal #nieuwsuur #1V #OP1 #bbvpro #NPOradio1 @envirosec @LeeSpacey #US #cyberwarfare #SolarWinds nytimes.com/2021/01/13/us/…
#GoldMax (aka #SUNSHUTTLE) is a new and capable backdoor written in Go/Golang. It is typically used as a late-stage (e.g. 3+) backdoor brought into an environment using access enabled via #TEARDROP, #RainDrop and other related malware deployed by #NOBELIUM/UNC2452.
#GoldMax creates & maintains a config file (name unique to each implant). The config file is AES-256 encrypted (unique-to-each-implant key) & then Base64 encoded (custom alphabet, '=' replaced with null). A handy C2 command allows the operators to update certain config fields. 
As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on transition between Stage 1 and 2 of #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploit. artifacts, IOCs: microsoft.com/security/blog/…
Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
