Posts

Showing posts from April, 2017

OLE: Not to beat a dead horse...

Since I keep seeing new malicious OLEs, I wanted to do a few posts about writing yara signatures for them. I don't have the time right now for a full post, but I'll share a few preliminary links that I'll be referencing for metadata extraction.

[MS-OLEPS]: SummaryInformation
https://msdn.microsoft.com/en-us/library/dd942545.aspx

[MS-OLEPS]: FILETIME (Packet Version)
https://msdn.microsoft.com/en-us/library/dd942482.aspx

[MS-DTYP]: FILETIME
https://msdn.microsoft.com/en-us/library/cc230324.aspx

Operation Cloud Hopper

Although long, a highly recommended read:
https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-updated.pdf

One thing I want to call out is Table 3, where PWC clearly demonstrated an interesting composite indicator of a TTP that appears to be specific to this operation. Specifically, the use of @india.com registrants and ITITCH nameservers. If you have the ability to pivot on this TTP, then you're likely to find a significant number of other similar domains. Happy hunting, y'alls!

Your report is bad and you should feel bad

Kaspersky Labs published a report today discussing overlap between Turla and Moonlight Maze.
https://securelist.com/blog/sas/77883/penquins-moonlit-maze/

From their conclusion: "An objective view of the investigation would have to admit that a conclusion is simply premature."

For shame, Kaspersky.