Will
Jun 17, 3 tweets, 3 min read
🧵#MustangPanda 🐼 (& other #APT groups) use DLL side-loading/search-order hijacking (see ATT&CK).

It's a pain for #CTI analysts who manually vet IOCs -> as this TTP involves delivering a valid vulnerable application, Bring-Your-Own-Vulnerable-App (BYOVA), if you will... 1/3
For example, take this Symantec.exe binary, it's a valid, signed file 🔍 but it's used by #MustangPanda 🐼 for dll side-loading!

Should you pre-emptively block it? Maybe. But first, be sure to check 📝 for its presence in the org -> before causing lots of alerts or worse ⚠️ 2/3 [2 images attached]
OR you should give warnings ⚠️ before sharing these BYOVA bins as IOCs!

🥲The CTI analyst struggle to vet IOCs is real... but this may help!

I created a Gist & VT Collection for triage:

1.🔗gist.github.com/BushidoUK/181d…

2. 🔗 virustotal.com/gui/collection…

Hopefully this is useful! 2/2
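As an added example (not the author's Gist or VT Collection, and not code from the thread), the following Python helper applies the triage rule the thread describes: an IOC tagged as a BYOVA binary (a legitimately signed application abused for DLL side-loading) is checked for prevalence in the organisation before a block is recommended, and it is always accompanied by a sharing warning. It also goes one step further and lists hosts where an unsigned DLL sits beside the signed binary, the layout side-loading relies on. All hashes, hostnames and paths are constructed placeholders; the `signed` flag and the inventory are assumed to come from an endpoint agent export.

```python
"""Triage of BYOVA-style IOCs: signed, legitimate binaries abused for DLL side-loading.
Added example; hashes, hosts and paths below are constructed, not real IOCs."""
import ntpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed 64-hex placeholders standing in for SHA-256 values.
SYMANTEC_EXE_SHA256 = "a1" * 32   # the signed Symantec.exe from the thread (placeholder hash)
PAYLOAD_DLL_SHA256 = "b2" * 32    # a hypothetical unsigned side-loaded DLL
CLEAN_DLL_SHA256 = "c3" * 32      # a hypothetical signed companion DLL


@dataclass(frozen=True)
class Ioc:
    sha256: str
    filename: str
    tags: FrozenSet[str]   # "byova" marks a legitimate signed app abused as a side-loading host


@dataclass(frozen=True)
class Sighting:
    host: str
    path: str      # Windows path as reported by the (assumed) endpoint agent
    sha256: str
    signed: bool   # Authenticode status as reported by the agent


# Constructed IOC list: the signed loader plus a plain malicious DLL.
IOCS = [
    Ioc(SYMANTEC_EXE_SHA256, "Symantec.exe", frozenset({"byova", "signed"})),
    Ioc(PAYLOAD_DLL_SHA256, "payload.dll", frozenset({"malware"})),
]

# Constructed inventory: two legitimate installs, one suspicious drop next to an unsigned DLL.
INVENTORY = [
    Sighting("ws01", r"C:\Program Files\Vendor\Symantec.exe", SYMANTEC_EXE_SHA256, True),
    Sighting("ws01", r"C:\Program Files\Vendor\helper.dll", CLEAN_DLL_SHA256, True),
    Sighting("ws02", r"C:\Program Files\Vendor\Symantec.exe", SYMANTEC_EXE_SHA256, True),
    Sighting("ws03", r"C:\Users\Public\Symantec.exe", SYMANTEC_EXE_SHA256, True),
    Sighting("ws03", r"C:\Users\Public\helper.dll", PAYLOAD_DLL_SHA256, False),
]


def hosts_with(sha256: str, inventory: List[Sighting]) -> Set[str]:
    """Prevalence check: which hosts currently hold a file with this hash."""
    return {s.host for s in inventory if s.sha256 == sha256}


def unsigned_dlls_beside(ioc: Ioc, inventory: List[Sighting]) -> Dict[str, List[str]]:
    """For each host holding the BYOVA binary, list unsigned DLLs in the same
    directory: the classic side-loading layout worth investigating first."""
    exe_dirs = {(s.host, ntpath.dirname(s.path).lower())
                for s in inventory if s.sha256 == ioc.sha256}
    found: Dict[str, List[str]] = {}
    for s in inventory:
        if s.signed or not s.path.lower().endswith(".dll"):
            continue
        if (s.host, ntpath.dirname(s.path).lower()) in exe_dirs:
            found.setdefault(s.host, []).append(s.path)
    return found


def triage(ioc: Ioc, inventory: List[Sighting]) -> dict:
    """Decide block vs. review for one IOC, following the thread's rule:
    never block a BYOVA binary on hash alone without checking prevalence."""
    hosts = sorted(hosts_with(ioc.sha256, inventory))
    if "byova" not in ioc.tags:
        # Ordinary malicious artefact: blocking is the default.
        return {"ioc": ioc.filename, "action": "block", "hosts": hosts,
                "investigate": [], "share_warning": None}
    # Legitimate signed binary: safe to block only if nobody in the org uses it.
    action = "block" if not hosts else "review"
    return {
        "ioc": ioc.filename,
        "action": action,
        "hosts": hosts,
        "investigate": sorted(unsigned_dlls_beside(ioc, inventory)),
        "share_warning": (f"{ioc.filename} is a legitimately signed application abused for "
                          "DLL side-loading; check prevalence before blocking on its hash"),
    }


def triage_all(iocs: List[Ioc], inventory: List[Sighting]) -> List[dict]:
    return [triage(i, inventory) for i in iocs]


if __name__ == "__main__":
    for result in triage_all(IOCS, INVENTORY):
        print(result)
```

Run as-is, the signed binary comes back as `review` (present on three hosts, one of them with an unsigned DLL beside it), while the plain malicious DLL comes back as `block`; an IOC tagged `byova` that no host holds is returned as `block`, since blocking it cannot disrupt a legitimate install.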

