Thomas Roccia 🤘 (@fr0gger_)
Dec 6, 2022 · 14 tweets
📢I recently investigated a campaign targeting the cryptocurrency industry. I wrote a detailed report that includes TTPs, IOCs and more. Here is a thread about this attack! 🧵👇

@MsftSecIntel @MicrosoftAU #infosec #cryptocurrency #threatintelligence #apt

microsoft.com/en-us/security…
The attack started on Telegram to identify the targets, then they deployed a weaponized Excel document, which delivered the final backdoor through multiple mechanisms. ☠☠️ #infosec #malware #backdoor
🧐To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram.

👀They created fake profiles using details from employees of the company OKX. #infosec #Cryptocurrency
🤝After gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further details on the fees to appear legitimate.

💀The macro is obfuscated and abuses UserForm to store data and variables. #infosec #threatintel #malware
☠️The macro then dropped another Excel sheet and executed it in invisible mode. This sheet was encoded in base64 and dropped into C:\ProgramData\Microsoft Media\ as VSDB688.tmp. #malware
👾The VSDB688.tmp file then downloaded a PNG file from OpenDrive containing three executables: a legitimate Windows file, a malicious DLL, and an XOR-encoded backdoor. #malware
💀The legitimate file was used to sideload the malicious DLL, which acted as a proxy to the legitimate DLL and loaded the XOR-encoded backdoor. #backdoor
The malicious wsock32.dll is loaded by logagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions from the real wsock32.dll. The screenshot shows the redirection of the function in the malicious dll. #malware #infosec
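A small detection routine for the side-loading step described above, added here as an example; it is not Microsoft's detection logic and not part of the original thread. It runs over Sysmon Event ID 7 (Image loaded) records and flags a known System32 DLL that was resolved from anywhere else, which is exactly what happens when a copy of wsock32.dll placed next to logagent.exe wins the search order. The three records are constructed, and the directory used for logagent.exe and its DLL is an assumption, not a path from the report:

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image loaded) data.

Added example, not the report's own detection. Field names (Image,
ImageLoaded, SignatureStatus) follow Sysmon's event schema; the records in
SAMPLE_EVENTS are constructed and their paths are assumptions.
"""
import ntpath

# Directories a system DLL is legitimately resolved from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# System DLLs that frequently appear in search-order hijacks; wsock32.dll is
# the one this campaign abused, the others are common public examples.
WATCHED_DLLS = {"wsock32.dll", "version.dll", "dbghelp.dll", "cryptbase.dll", "profapi.dll"}


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def _under(path: str, roots) -> bool:
    p = _norm(path)
    return any(p.startswith(_norm(r) + "\\") for r in roots)


def sideload_candidates(events):
    """Return (Image, ImageLoaded, reasons) for every Event ID 7 record where a
    watched system DLL was loaded from outside the system directories."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loaded = ev["ImageLoaded"]
        if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
            continue
        if _under(loaded, SYSTEM_DIRS):
            continue                      # the real DLL: nothing to see
        reasons = ["system DLL loaded from a non-system path"]
        # The classic pattern: a copy of the DLL sitting next to the host EXE
        # wins the search order and is loaded instead of the System32 one.
        if _norm(ntpath.dirname(loaded)) == _norm(ntpath.dirname(ev["Image"])):
            reasons.append("DLL resides in the host executable's directory")
        if ev.get("SignatureStatus") != "Valid":
            reasons.append("DLL is unsigned or its signature is invalid")
        hits.append((ev["Image"], loaded, reasons))
    return hits


# Constructed Sysmon-style records (paths are assumptions, not report IOCs).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wsock32.dll", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\ProgramData\Microsoft Media\logagent.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft Media\wsock32.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugins\version.dll", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\ProgramData\Microsoft Media\logagent.exe"},
]

if __name__ == "__main__":
    for image, dll, why in sideload_candidates(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {'; '.join(why)}")
```

On real telemetry the second and third reasons are what separate a hijack from a vendor that legitimately ships its own copy of a DLL: a system DLL sitting unsigned in the same directory as a signed host binary, loaded from a user-writable location such as ProgramData, is the pattern worth an alert; a signed copy in a plugins folder is usually noise.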
☠️The malicious wsock32.dll loads and decodes the final implant (a file named with a GUID) into memory; the implant is used to remotely access the infected machine. #malware
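The XOR-encoded backdoor appears twice above: packed inside the PNG downloaded from OpenDrive, and decoded into memory by the malicious wsock32.dll. The carver below is an added example for both steps, not code from the report or from the malware. It splits payloads appended after a PNG's IEND chunk and recovers a repeating XOR key from bytes every PE is known to contain ("MZ" at offset 0 and the DOS stub message at offset 0x4E), then confirms the result really is a PE. The container layout (length-prefixed payloads after the image), the sample carrier and the key are constructed assumptions; the thread does not describe how the three files were packed, and the stub offset only holds for binaries built with the standard Microsoft linker stub:

```python
"""Carve payloads appended to a PNG and recover a repeating XOR key.

Added example for this thread, not the campaign's own code. Assumed container
layout (constructed): after the PNG's IEND chunk, each payload is stored as a
4-byte little-endian length followed by the bytes. Known-plaintext recovery
assumes the encoded file is a PE with the standard Microsoft linker DOS stub.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DOS_STUB = b"This program cannot be run in DOS mode."
# Known plaintext at fixed offsets of a PE built with the usual MS DOS stub.
KNOWN_PLAINTEXT = {0x00: b"MZ", 0x4E: DOS_STUB}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def png_length(blob: bytes) -> int:
    """Length of the PNG at the start of blob, through the IEND chunk's CRC."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4                    # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def extract_appended(blob: bytes) -> list:
    """Split the bytes after the PNG into length-prefixed payloads (assumed layout)."""
    pos, payloads = png_length(blob), []
    while pos + 4 <= len(blob):
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if n == 0 or pos + n > len(blob):
            raise ValueError("corrupt payload table")
        payloads.append(blob[pos:pos + n])
        pos += n
    return payloads


def recover_xor_key(enc: bytes, max_key_len: int = 32):
    """Repeating XOR key under which enc decodes to a PE, or None.
    Shortest consistent length wins; every key byte must be pinned by at
    least one known-plaintext byte, so a partially covered key is rejected."""
    for klen in range(1, max_key_len + 1):
        key, consistent = [None] * klen, True
        for off, plain in KNOWN_PLAINTEXT.items():
            for i, p in enumerate(plain):
                pos = off + i
                if pos >= len(enc):
                    consistent = False
                    break
                k, slot = enc[pos] ^ p, pos % klen
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    consistent = False
                    break
            if not consistent:
                break
        if consistent and None not in key:
            return bytes(key)
    return None


def is_pe(data: bytes) -> bool:
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve(blob: bytes) -> list:
    """(kind, key, pe_bytes) per payload: 'plain' PE, 'xor' PE, or 'unknown'."""
    out = []
    for p in extract_appended(blob):
        if is_pe(p):
            out.append(("plain", None, p))
            continue
        key = recover_xor_key(p)
        dec = xor_bytes(p, key) if key else None
        out.append(("xor", key, dec) if dec is not None and is_pe(dec) else ("unknown", None, p))
    return out


# ---- constructed sample carrier (not a real OpenDrive file) ----------------
def _fake_pe(tag: bytes) -> bytes:
    """PE-shaped buffer: MZ, e_lfanew, DOS stub string, PE signature, a tag."""
    pe = bytearray(0x100)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    pe[0x80:0x84] = b"PE\x00\x00"
    pe[0xA0:0xA0 + len(tag)] = tag
    return bytes(pe)


def _fake_png() -> bytes:
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)       # 1x1 greyscale
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


SAMPLE_KEY = b"\x5a\x13\x9c\x07\xe1"                          # constructed
SAMPLE_CARRIER = _fake_png() + b"".join(
    struct.pack("<I", len(p)) + p
    for p in (_fake_pe(b"host.exe"), _fake_pe(b"proxy.dll"),
              xor_bytes(_fake_pe(b"backdoor"), SAMPLE_KEY))
)
```

Run `carve(SAMPLE_CARRIER)` to get the two plain PEs and the decoded third one with its recovered five-byte key. The same recovery works on an encoded file dropped to disk under a GUID name, as long as the plaintext is a PE; if the decoded buffer fails `is_pe`, the encoding is not a plain repeating XOR, or the binary uses a non-standard DOS stub and `KNOWN_PLAINTEXT` needs adjusting.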
🧐We identified several related attacks that deployed the same payload in trojanised applications. #cryptocurrency #malware #threatintel
🛡️Recent targeted attacks on the cryptocurrency industry highlight the need for organizations to prioritize cybersecurity and remain vigilant against potential threats.

@Volexity recently published a similar report about this attack.

volexity.com/blog/2022/12/0…
More details including detection, IOCs, hunting rules and @MITREattack techniques are available in the blog. #infosec #threatintel #malware 👇

microsoft.com/en-us/security…
Thanks to @ravitiwari1989 @r3srch3r @fancy_4n6 and @bmcder02 for their help in the analysis and detection! ❤️
