Share this page!

Steve Miller Profile picture
Twitter logo
10 Feb, 6 tweets, 2 min read
We track a few dozen code languages as they relate to malware and other binary blobs, but I am particularly interested in: Lua, Go, D, NIM, F#, Rust, Python (and various packagers/bundlers/installers/futzers for all of those) (inspired by both @TheEnergyStory and @k_sec)
One way malware developers get extra mileage out of their work is once it has been burned/detected in one code language, they simply rewrite it in another! Many antivirus engines and ML models do not have sufficient sample data for new code language features.
Tired of getting 50+ hits on VirusTotal? Wrap your next payload in Golang. We're tracking 60+ unique code families written in Go...

sidecliff
chaosrat
snakehose
beacon
gost
bestway
trickshow
axeterror
regeorg
smokedham
notrobin
linkspan
punchbuggy
bloodhound
roundbag
sixplus
metasploit
longcut
gofish
googone
gamesip
moneyrun
greenslate
blueslash
valuevault
beacon
sliver
robbinhood
redsonja
eyegrab
merlin
oxeeye
smallfeet
htran
sevenminus
gobrute
steadyone
shadylodge
handyman
nightshow
ironcat

and so many more families we havent given names to yet
Which developers are using Go? Well, let's do a quick pivot. I'm seeing at least 49 tracked APT & FIN groups including:

apt34
apt41
fin8
fin11

and some of your favorite uncs:

unc757
unc897
unc1633
unc1490
unc1857
unc2497
unc2362
unc1853
unc1187
unc2507
unc886

& more
How prevalent is Go in our telemetry? A quick global prevalence check brings just under 70,000 events involving Golang PEs in 2020. I bet if I reduced and uniqued those by the object, it would be 1/4 that. Not too bad at a big scale.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Steve Miller

Steve Miller Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @stvemillertime

Steve Miller Profile picture
12 Feb
FLARE #AdvancedPractices has a rep of being a rowdy, hell raising analyst squad (in a nice, fun way). Our culture is to challenge our company norms, demand excellence, take risks, make mistakes, fail & succeed repeatedly. It's who we are.

A #FF of some teammates & team friends:
@ItsReallyNick and @danielhbohannon taught me to $DoTheNeedful, whether I was asked to or not, Ship It and See What Happens

@reesespcres taught me to take chances and make bold moves in our production infrastructure, to get innovate despite seemingly-immobile technology
@_gormaniac_ & @x04steve taught me to love automations

@ramen0x3f @bwithnell taught me to ask better questions of my data

@3dRailForensics @Isifmobile @ReginaElwell taught me to value quality, and aspire to higher standards

@BakedSec taught me to be a bit nicer
Read 13 tweets
Steve Miller Profile picture
5 Feb
Everyone has diff vernacular for their models and ideas, but I define detection on a spectrum, where logic for the purpose of finding evil is measured by output fidelity, result set size, time/expertise requirements for review, and most importantly, “threat density.” #detectrum
The #detectrum is just a mental model for me, a way to explain the different intents and purposes for all sorts of logic and technologies and haystacks that help us find and attribute intrusion activity.
It’s not novel or special, but the detectrum can be helpful when you are examining the complex systems (people, processes, myriads of technologies) within a large intelligence apparatus.
Read 12 tweets
Steve Miller Profile picture
28 Jan
#ConventionEngine: Part Cinq - OLE Edition

ConventionEngine is *mostly* about PDBs, directory paths that reflect something about the original code project and development environment. The paths are the signal. Where else will they show up? Why, in OLE objects! Let's explore...
We had a revelation that seeing an RTF with an OLE is not that crazy, but when that inside OLE has, for whatever reason, a full directory path, the whole object becomes so much more interesting. For example, RTF with OLE with C:\Users\ in it. Let's use Yara to take a measurement.
Here's a quick #dailyyara rule looking for RTFs with OLE objects with a path of C:\Users\ in it...somewhere...for some reason. This is odd, and unsurprisingly super threat dense.

gist.github.com/stvemillertime… Image
Read 6 tweets
Steve Miller Profile picture
21 Jan
How do @Mandiant UNC clusters get formed, merged, and graduate to APT groups or even personas? Look at serial crimes and sprees in meatspace. Multiple crimes on multiple victim systems, multiple places. It takes forensic evidence to tie the cases together. It's the same process.
Foot impression from the crime scene. Is it unique? What shoe is it, where was it sold? How many made in that size? You have to know if the evidence is unique. All the casings, latents, entry toolmarks. Technical evidence is how we group crimes together and move towards an actor.
TTPs and MOs and methodologies and victimologies are important too, but these don't help you get attribution alone. Technical links, grounded in substantiated evidence is the only way.
Read 16 tweets
Steve Miller Profile picture
14 Oct 20
Students of #infosec: @Mandiant and @FireEye folks have put out tons of blogs over the years. Careful reading of these can help you build familiarity with threat actors, intrusion TTPs, and threat data. And sometimes they're just fun. Here's a thread with some of my favorites:
FIN7 related

LNKs
fireeye.com/blog/threat-re…

SDB persistence
fireeye.com/blog/threat-re…

RDFsniffer
fireeye.com/blog/threat-re…

CARBANAK
fireeye.com/blog/threat-re…
ICS/OT related...

TRITON
fireeye.com/blog/threat-re…

unc878
fireeye.com/blog/threat-re…

IT/OT strategies
fireeye.com/blog/threat-re…

Triton and TriStation
fireeye.com/blog/threat-re…
Read 10 tweets
Steve Miller Profile picture
20 Mar 20
ExportEngine: Find Evil by PE Export DLL Names

(a #dailyyara thread)

PE files w/ exported functions often contain an image directory entry that we usually call something like "PE DLL name" or "export DLL name"

This string is "analytically rich" and is surfaced in many tools
Here in a sample of EVILTOSS (APT29) we see lots of valuable metadata in the IMAGE_EXPORT_DIRECTORY but it also contains the plain-as-day export DLL name "install_com_x32_as_dll.exe"
The export DLL name strings contains enough predictable developer conventions that you can use simple Yara rules to surface, cluster, detect/hunt for malicious activity that might otherwise be missed (similar to my prior research on ConventionEngine and PDB paths). Let's look...
Read 16 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @stvemillertime has new unrolls!

Check out other threads from @stvemillertime!

Read all threads by @stvemillertime