Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Nick Carr Profile picture
Nick Carr
@ItsReallyNick
Lead, Cyber Crime Intelligence + Tradecraft @Microsoft (#MSTIC) Previous: Director, Incident Response + Research @Mandiant πŸ¦… & @CISAgov Chief Technical Analyst

Oct 10, 2019, 7 tweets

πŸ€™πŸ’° Mahalo FIN7: fireeye.com/blog/threat-re…
β€’ On several on-going investigations we saw #FIN7 trying to retool πŸ„πŸΌ
β€’ Used DLL search order hijacking of a legit POS management utility with a signed backdoor (0 detections on VirusTotal)
β€’ Hunting for #BOOSTWRITE and #RDFSNIFFER πŸ’³

.@josh__yoder & I stayed up much of the night to get this blog out.
The signed #BOOSTWRITE sample is still undetected by static VT scanners: virustotal.com/gui/file/18cc5…
We were fair on why that is and how that doesn't fully represent detection posture.
Then we provided hunting rules.

#FIN7's code signing certificate is purportedly from Mango Enterprise Limited in the UK.
Prob not theirs - based on the street address, I suspect there's more car theft than certificate theft 😜: maps.app.goo.gl/MbznDeJPHJr4n5…

We analyze & discuss how to find the certificate anomalies!

Btw, here's an awesome Yara certificate anomaly signature concept from @wxs in a thread discussing them, including @NCCGroupInfosec's rule from @edeca that's featured in today's #FIN7 blog:
Oh and Google/@virustotal crew was great to work with on the bug!

We tried to share a few examples of #AdvancedPractices πŸ¦… leveraging certificate, PDB path, and export features for discovery.
I snuck some content in those rules 🌢️ but they are inspired by @stvemillertime, who I've decided has a PhD in hunting
β†˜οΈfireeye.com/blog/threat-re…

In a perfect confluence *cough* of events, @BarryV talked about #FIN7's historical code signing of binaries, scripts, and even documents @ #FireEyeSummit:
Note the operator environment details we extract for FIN7, like their LNKs
CC @keydet89, @silascutler

Hey so, we accidentally included a #Turla REDUCTOR export DLL name in one of the blog's Yara rules. πŸ€¦β€β™‚οΈ Whoops!
Turla β‰  #FIN7
🧒 h/t @OleVilladsen for the catch!

I updated the rule & noted the change in Figure 7: fireeye.com/blog/threat-re…

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling