Profile picture
Nick Carr @ItsReallyNick
, 6 tweets, 5 min read Read on Twitter
Fresh APT loader technique for today's #DailyScriptlet:

cs=Array(#,#,#,#,...): cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd)

This is remotely loaded into memory from source phishing doc that uses renamed wscript & pubprn.vbs to load COM Scriptlet.
@bwithnell and I shared an earlier version of this #APT32 phish technique:
Relevant slide screenshots attached.

They are continually improving each phase of their dynamic, multi-stage infection chain.
@bwithnell SPOILER: the VBScript *still* doesn't properly convert temperatures as promised, but it *will* load good tidings of great Cobalt Strike 🎅🏽
I know @subTee and @enigma0x3 just love the slide that shows timestamps of APTweet32 technique adoption.
@bwithnell @JohnLaTwC Here is a different malicious Temperature Conversion example 🌡️

More info:
@threadreaderapp unroll me a #threatintel blog breh
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Nick Carr
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#DailyScriptlet #APT32 #threatintel

More from @ItsReallyNick see all

Profile picture
OVERRULED: Here's our take on outmaneuvering a potentially destructive adversary fireeye.com/blog/threat-re…
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥

Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
If you liked this part about our threat similarity engine; I have a confession: that is CYBER #machinelearning!

Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.

Learn more here 📺: (it's not officially called APTinder)
If you like Operational Timelines, #AdversaryPursuit has you covered. We're including them in blogs because it's how we operate & it improves #threatintel sharing. Thx @QW5kcmV3

🖼️ #1: Suspected #APT33 ⏲️ fireeye.com/blog/threat-re…
🖼️ #2: Suspected #APT29 ⏲️ fireeye.com/blog/threat-re…
Read 3 tweets
Profile picture
What they thought *might* be a boring IR based on initial leads, quickly became interesting when the attacker snapped up the endpoint tooling they just deployed.

Peep that renamed rar.exe snapping up our files for nation state attackers (PLATINUM) to analyze 😅

#FireEyeSummit
It takes hard #DFIR work to get this point but there is nothing quite like uncovering novel/rare persistence and playing around with new attacker tools to understand them. A bit jealous of Adrien and Matias finding Platinum's #REDSALT.
Platinum undetected for 9 years at victim.
These guys found multiple APT groups on network.

The talk then gets into additional advanced backdoors with crazier capabilities that were first.

There's so much here. I'm hearing we *might* upload #FireEyeSummit videos to YouTube 🤞
Read 4 tweets
Profile picture
In light of the #FIN7 "Combi Security" DOJ indictment, we've released our massive technical post and indicator release: fireeye.com/blog/threat-re…

We reveal new information from @Mandiant IRs about the extent of FIN7's crimes, their innovative techniques, & how to find them today.
#FIN7 targeted other financial data when they encountered encryption in POS networks. New information today - and certainly helped stack up the charges against Combi Security.

Also @BarryV @stvemillertime first shared SEC filing targeting in March 2017: fireeye.com/blog/threat-re…
Crime doesn't pay. Unless you worked for Combi Security, in which case it paid a pretty decent wage for Russian/Ukrainian "pen testers" 😄

Sidenote: @FireEye's red team is hiring but their operations *are* authorized and the only payment card hijinks is over who expenses dinner.
Read 8 tweets

Related threads

Profile picture
Technique Thread: Shooto Lockflow Combination #1

I have broken down each part of this Lockflow as demonstrated by Yori Nakamura, slow motion + pauses where necessary, with the official names given to Shooto students in America in the 1990's. First: Here's the original video.
Nakamura's place in the Shooto family lineage, for context:

Satoru Sayama (Tiger Mask) > Yori Nakamura > Erik Paulson > Josh Barnett > Shayna Baszler.
The first main technique in Shooto Lockflow #1 is "Chicken Wing Arm Lock #1" which is what they called the Double Wrist Lock.
Read 32 tweets
Profile picture
Today the First Nations challenge to #SiteC in BC Supreme Court resumes, asking for an injunction to stop work on the dam until the rest of the Treaty 8 infringement case is decided in court. A critical case for BC. Follow the #SiteC & #SiteCInjunction hashtags this week! #bcpoli
Heading over to 800 Smithe now for 9:45 entry. All are welcome to be in the courtroom - please join us. Latecomers not admitted; proceedings start 10 am sharp. #bcpoli
This final week of the #SiteCinjunction hearing involves lawyers from the Province of BC (we have already heard from @sage_legal on behalf of West Moberly & Prophet River FNs, and BC Hydro's lawyers. #bcpoli #SiteC
Read 238 tweets
Profile picture
พี่เยี่ยจะถือถุงช้อปปิ้งให้แฟนนนนน
#หวังcเยี่ย

“เอาตัวนี้ด้วยค่ะ แล้วก็คิดเงินเลยนะคะ”
พนักงานสาวยิ้มร่าแล้วรับเสื้อตัวที่3 มา เมื่อรวมกับของที่ลูกค้าสาวท่านนี้เลือกก็มีทั้งเสื้อ กางเกง และเสื้อโค้ท รวมเกือบสิบตัวแล้ว

“เสี่ยวหวัง...”
“ไม่เป็นไร เดี๋ยวฉันจ่ายเอง”
“ไม่ใช่เรื่องนั้น” เยี่ยซิวยิ้มแหยๆ แน่ละว่าเขาไม่อาจทำเท่บอกว่าจะจ่ายเงินเองได้ ก็แอดมินกะดึกกระเป๋ากลวงอย่างเขา ขืนมาเข้าร้านหรูแบบนี้ ทำงานอีกสิบชาติก็ใช้คืนไม่หมดหรอก แต่ประเด็นที่เขาต้องการจะบอกก็คือ...
“หรือว่าเหนื่อยแล้ว? งั้นจบร้านนี้ก็กลับกัน”
ขณะที่เยี่ยซิวกำลังจะอธิบาย พนักงานสาวก็นำบัตรเครดิต สลิปและถุงใส่ชุดที่หวังเจี๋ยซีเลือกไว้ทั้งหมดมาให้ หลังจากสาวสวยเซ็นชื่อตัวเองก็รับถุงมาไว้ในมือ

“กลับกันเถอะ แบ่งถุงในมือมาสิ เดี๋ยวฉันช่วยถือ”
Read 19 tweets
Profile picture
#Today's story to #EndFamilySeparation Four months ago, Dad and 4-month-old entered at the Texas/Mexico border and requested #asylum. Dad and child were immediately separated and the baby put in ORR custody. #FamiliesBelongTogether
Dad was detained in a #Texas detention center where @RAICESTEXAS consulted. Dad accepted a deportation to be quickly reunited w/ his infant child. However, the Dad was deported & NOT his child. The now 8-month-old baby has been in ORR custody for 4 months. #EndFamilySeparation
The Mom and Dad now have once weekly Skype calls with their 8-month-old baby. That's right, folks. They Skype with an infant. #EndFamilySeparation #FamiliesBelongTogether
Read 7 tweets
Profile picture
Il est urgent que les #Césars en viennent à un système de nominations par branches et je vais expliquer pourquoi. #Cesar2018 #Cesars2018
Aux Oscars, chaque branche nomine sa propre catégorie. Les costumiers votent et désignent les 5 nommés au Meilleurs Costumes.
Puis TOUT LE MONDE vote dans chaque catégorie et on obtient les gagnants.
Aux Césars, TOUT LE MONDE désigne les nominations dans chaque catégorie.
Les costumiers donnent leur avis sur les acteurs, les attachés de presse sur les décors, les acteurs sur le son...
Read 10 tweets
Profile picture
#next, I need your #help, and I mean all of you #please, regardless of party-politics, ideological differences, geo-location, can I have your <3 engaged to help a family, friends, a local community & a student community in their #search for a #MissingPerson #missing since Nov.2nd
2/" #StephenCullinan (25), the son of North #Tipperary #IFA Chair, Tim #Cullinan, hasn’t been seen since November 2 when he left his home in Castletroy, County #Limerick and made his way to #Dublin. "
independent.ie/irish-news/new…
3/"His worried relatives believe he may have made his way to another major Irish city, even as far as #Belfast. The vulnerable young man is without his medication." " He could be in #Galway. We’re grasping at straws."
Read 9 tweets

Trending hashtags

#QueueJumpers #thistown #bcopli #Louth #IAM #Belfast #Limerick #Cypriot #Dublin #ImmigrationWhitePaper #NXT #Morek #SE #PeakTV #MarchForOurLives #CarlosSlim #citizensrights #Galway #Sitecinjunciton #LookNow #SOTU #SuperBowl #Today #tratovip #botnets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!