Posts

Showing posts from April, 2017

OLE: Not to beat a dead horse...

Since I keep seeing new malicious OLEs, I wanted to do a few posts about writing yara signatures for them. I don't have the time right now for a full post, but I'll share a few preliminary links that I'll be referencing for metadata extraction.

[MS-OLEPS]: SummaryInformation
https://msdn.microsoft.com/en-us/library/dd942545.aspx

[MS-OLEPS]: FILETIME (Packet Version)
https://msdn.microsoft.com/en-us/library/dd942482.aspx

[MS-DTYP]: FILETIME
https://msdn.microsoft.com/en-us/library/cc230324.aspx

Operation Cloud Hopper

Although long, a highly recommended read:

https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-updated.pdf

One thing I want to call out is Table 3, where PwC clearly demonstrates an interesting composite indicator of a TTP that appears to be specific to this operation: the use of @india.com registrants together with ITITCH nameservers. If you have the ability to pivot on this TTP, you're likely to find a significant number of other similar domains.

Happy hunting, y'alls!

Your report is bad and you should feel bad

Kaspersky Lab published a report today discussing overlap between Turla and Moonlight Maze.

https://securelist.com/blog/sas/77883/penquins-moonlit-maze/

From their conclusion:
An objective view of the investigation would have to admit that a conclusion is simply premature.

For shame, Kaspersky.