Profile picture
Nick Carr
@ItsReallyNick
, 9 tweets, 11 min read Read on Twitter
We're doing a special #StateOfTheHack episode this week with two of the technical experts who worked for months to graduate the activity clusters into #APT41. I'm sure @cglyer will pepper in #DFIR war stories.

If you've read the report (below),
what QUESTIONS do you still have?
I plan to go deeper on #APT41's:
1️⃣ Supply chain compromises (and nuanced attrib)
2️⃣ Linux & Windows MBR bootkits and how they were found 😉
3️⃣ Third party access 🌶️
4️⃣ Legitimate web services use (and their obsession with Steam)
+concurrent ops, overlaps!
content.fireeye.com/apt-41/rpt-apt…
@FireEye 📺 #StateOfTheHack Stream
"Double Dragon: The Spy Who Fragged Me" 🎮
#APT41 with Jackie, Ray, and @cglyer
pscp.tv/FireEye/1vAGRW…
We answered #APT41 questions from @arekfurt, @likethecoins, @SwitHak
We name dropped the hell out of the #FLARE team (incl. @williballenthin, @jay_smif)
Spice zone: we shared that APT41 might do #flareon6, previewed a #ManagedDefense blog, + SMS backdoor:
Tagging more #FLARE name drops in the episode: @spresec, @mrdurakovich
Here are some blogs we mentioned:
1️⃣ 2015 blog on bootkits (examples from FIN1 #BOOTRASH + APT41 #ROCKBOOT): fireeye.com/blog/threat-re…
2️⃣ 2018 #BOOTWHAT blog on how we find them at scale: fireeye.com/blog/threat-re…
...
3️⃣ 2013 blog on #CHINACHOPPER (by @TekDefense): fireeye.com/blog/threat-re… (part 1 of 2)
I'm including this one since @cglyer gave a quick mention of the web shell, but if it's *somehow* new for you, go read this blog and play with the caidao client.
If you have additional questions, previous #StateOfTheHack guests and resident APT41 experts @MrDanPerez, Jackie, and Ray will be doing a webinar on 8/29:

That's it for my mini "The Spy Who Fragged Me" recap thread. 😎
@threadreaderapp unroll show notes!
Let's try this again... @threadreaderapp unroll me some show notes please!
Also if you liked the mug from today's episode, it was meticulously reconstructed from a dinosaur model by my son.
I took @stonepwn3000's advice
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Nick Carr
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#StateOfTheHack #APT41 #DFIR #FLARE #flareon6 #ManagedDefense #BOOTRASH #ROCKBOOT #BOOTWHAT #CHINACHOPPER

More from @ItsReallyNick see all

Profile picture
Nick Carr
@ItsReallyNick
Someone's trying to backdoor "hexcalc.exe" from GitHub and not doing a great job. Here's a quick exploration of the VT tester's 6 files, the corresponding PDB anomalies, PS1 & Cobalt Strike shellcode, and Yara #hunting rules.

Thread 1/n
The first file tested by the VT account is hexcalc.exe
0433aeff0ed2cdf5776856f2c37be975
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb

This led me to search for the original (shady) project from Github: github.com/azlan/WinHexCa…
and this indeed contains this initial hexcalc.exe

2/n
They attempt to backdoor the file 4 different times with PS1 shellcode, uploading all to VT:
ae73fe66415edbfd5669ab567793536b
d7c7c9ef1c1725f497ef5feaa654fc2e
7feaa6255459dcba370252e8905a9a4a
ddc442bd5e5d157011ae79c48ee2189a
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
3/n
Read 9 tweets
Profile picture
Nick Carr
@ItsReallyNick
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec Next on the show we talked #APT29's early adoption of cross-platform scripting language backdoors. Their primary backdoor in 2014's #NoEasyBreach was the Python-based implant we call SEADADDY.

Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.

35/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec We're finally seeing cross-platform script backdoors as a much wider trend. (Payloads in Go, D, etc). We highlighted this in our 2019 predictions:

For Python fans specifically, @byt3bl33d3r released #SilentTrinity last year: github.com/byt3bl33d3r/SI…

36/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r The Python-based SEADADDY (SeaDuke) implant became APT29's workhorse for years, but we agree with @FSecure/@lehtior2's awesome 2015 deepdive on "The Dukes" that it emerged in mid-2014. READ: labsblog.f-secure.com/2015/09/17/the…

37/n
Read 6 tweets
Profile picture
Nick Carr
@ItsReallyNick
OVERRULED: Here's our take on outmaneuvering a potentially destructive adversary fireeye.com/blog/threat-re…
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥

Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
If you liked this part about our threat similarity engine; I have a confession: that is CYBER #machinelearning!

Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.

Learn more here 📺: (it's not officially called APTinder)
If you like Operational Timelines, #AdversaryPursuit has you covered. We're including them in blogs because it's how we operate & it improves #threatintel sharing. Thx @QW5kcmV3

🖼️ #1: Suspected #APT33 ⏲️ fireeye.com/blog/threat-re…
🖼️ #2: Suspected #APT29 ⏲️ fireeye.com/blog/threat-re…
Read 3 tweets

Related threads

Profile picture
FireEye
@FireEye
#StateOfTheHack: #APT41 - Double Dragon: The Spy Who Fragged Me pscp.tv/w/cCRRwTFWR1F2…
Get your copy of our #APT41 here. feye.io/apt41report
Don't worry podcast fans! This episode is available on #iTunes, #Spotify, and #GooglePlay. Follow the thread for direct links.
Read 7 tweets
Profile picture
Filomena Rocha
@Filomen03258997
14. Holocaust in Yemen caused by US, France, UK, Saudi Arabia, UAEmirates, Israel, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Qatar, Morocco, Canada, Australia, Germany
#Yemen #CrimesAgainstHumanity #WarCrime #Holocaust #YemenCantWait #YemenHolocaust #WorldHypocrisy
1. Holocaust in Yemen caused by US, France, UK, Saudi Arabia, UAEmirates, Israel, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Qatar, Morocco, Canada, Australia, Germany 🤨👇🏼
threadreaderapp.com/thread/1109495…
2. Holocaust in Yemen caused by US, France, UK, Saudi Arabia, UAEmirates, Israel, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Qatar, Morocco, Canada, Australia, Germany 🤨👇🏼
threadreaderapp.com/thread/1112537…
Read 100 tweets
Profile picture
Simon Usherwood
@Usherwood
Let's just review the "brainwave" model of Brexit:

1/
At numerous points in the process, there has been a strong element of "there's probably a very clever solution to all this: we just need to think of it"

2/
A quick trawl from my tweets pulls up this from last month, when MPs were trying to work out what to do with the Meaningful Vote result



3/
Read 16 tweets
Profile picture
Wendy Siegelman
@WendySiegelman
Here's another question, what was Jag Singh - who in 2011 helped Medvedev on Russia's Skolkovo project & in 2013 partnered with Matthew Elliott, Paul Staines, Andy Whitehurst on WESS digital & METIS database - doing as 'Special Advisor' to the DNC from October to December 2016?
Jag Singh worked for Clinton campaign in 2006-2008, then worked with the WESS team with Matthew Elliott and then back to the DNC during the 2016 election period
Read 3 tweets
Profile picture
Post-Coup Mubaiwa Bandambira ✊
@The_Mos_Native
38 Reasons To Vote Zanu PF:

(in sort of chronological order)
1. From 1966 the Rhodesian govt repeatedly bulldozed homes, burnt crops and stole livestock (500 cattle) belonging to the Tangwena people - all to evict and give their land to a white farmer.

After independence Zanu PF refused to have their cattle returned or any compensation.
2. The numbers and politics are debatable, but what is fact, is that Mugabe, with the full knowledge of [redacted], recruited and trained a partisan brigade of former guerillas to murder and torture thousands of civilians between 1983-1987 ✊😳
Read 71 tweets
Profile picture
Andrew
@QW5kcmV3
#StateOfTheHack follow up. Thank you to everyone who tuned in, and we apologize for the technical difficulties and audio. We are going to get that figured out for future iterations. I wanted to follow up with indicators I talked about at the end to prove a point regarding #GDPR.:
My team develops sources and methods for pursuing adversaries across our customers networks, and beyond. We do not become reliant on a single source, nor do we allow the loss of a source to cripple our collection efforts. Loss of WHOIS information is not a deal breaker.
This is the domain I dropped in our #StateOfTheHack discussion today. The screenshot indicates we illuminated it on day zero of the adversary establishing it. The WHOIS information is privacy protected. However, we didn't discover the domain through registrant information.
Read 5 tweets

Trending hashtags

#Yeah #MoveToPasco #debatenight #desire #Spotify #VoterFraud #YES #evidence #NewYorkValues #ElectionDay #FFS #important #official #apt #special #coldcases #lifebood #ChrisNocoo #coverup #attacks #árabe #ReadTheMuellerReport #LIED #CONFLUENCE #Holocaust
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!