The focus of the third part of Elastic's "Dissecting #REMCOS #RAT: An in-depth analysis of a widespread 2024 malware" is all about the command and control (C2) configuration and commands. Looking at the long list of capabilities, it is easy to see why this is a formidable malware indeed. Some of the commands that can be issued control persistence between two registry run keys, enable key logging, disable User Account Control (UAC) within the registry, and much more. I really don't have enough space or time to list everything that it is capable of; you just have to check it out yourself!
One of the TTPs and behaviors that shows up time and time again when it comes to persistence is the abuse of the AutoRun registry key locations. In this instance, we see that the Remcos RAT can modify the CurrentVersion\Run keys in both the HKCU and HKLM hives. As always, if we can help we do! Cyborg Security has a community hunt package that captures this activity as well as other registry run locations. Enjoy and Happy Hunting!
Jumping around a bit because that is just how my brain works! But here is Elastic's part two of their "Dissecting #REMCOS #RAT: An in-depth analysis of a widespread 2024 malware" series. In this episode they focus on the watchdog, keylogger, and screen and audio recording capabilities and much more! The technical details here are amazing and I can't wait to finish the rest of the series!
Enjoy and Happy Hunting!
“We take the privacy and confidentiality of your information seriously.”
TRANSLATION:
“Every time we have a data breach we’ll let you know about it! Mainly ‘cuz we are required to in order to minimize our legal liability… and of course after we’ve consulted with our legal firm and our new 3rd party incident response vendor.”
A malicious lookalike domain for Scotiabank Canada, scotiabankcanada-auth[.]com, was recently registered on 5/5/2024. This domain features a landing page with a reCAPTCHA that changes language depending on the user's geolocation. It resolves to a Russian IP, 141[.]8[.]193[.]14, hosting a number of other malicious lookalikes for Scotiabank, the Royal Bank of Canada, and Telus Mobility. These domains appear to be used for phishing. auth-scotiaonline-scotiabank-secure[.]com previously resolved to a page imitating the Scotiabank login page shown in the screenshot below.
Using a 16-character password seems to work. Everything else above does not always work.
Also, passwords that are too long are still changed, so you have to reset them by email.
Confidential and highly critical logs packed with credentials
SMTP Access
PAuth Pointer Auth Access
SSL Passkeys & SSL Certificates
some others (will be on contact)
Price: $20K in XMR or ETH
Middleman / Escrow accepted (Auto Escrow or @Baphomet)
Message me on the forums for a point of contact.
Proof of funds is required.
I am only selling to reputable members. No time wasters or default rank users.
I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024, and that early-bird registration is open; you have two opportunities to take the course!
Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.
Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!
Last year was a lot of fun and we received high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!
The Final Fantasy XIV Reddit sub is currently full of discussion about the DDoS attack which disrupted servers worldwide yesterday.
Finding it very interesting how, in the world of cybersecurity and infosec, DDoS attacks are often dismissed as one of the simplest forms of cyber attack, while on the subs and forums many people are hearing about this kind of thing for the first time and have no idea what's going on.
Makes me think about the difference in how 'cyber' is perceived by those who live and breathe it compared with those who only happen to stumble across it when it actively disrupts something in their life. #FFXIV #infosec
Shared Services Connected Limited has been named as the vendor of the compromised payroll system. I guess there's a sudden bout of incident response going on in certain orgs right now https://sscl.com/our-clients/ #breach #infosec #cybersecurity
The National Security Agency has released a report detailing evidence of North Korean actors exploiting weak Domain-based Message Authentication, Reporting and Conformance (DMARC) records to conceal social engineering attempts. Without proper DMARC configuration, the NSA says that the actors were able to spoof emails as if they came from a legitimate domain. They also provide more background information about DMARC configurations and examples of the emails and email headers.
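The NSA report above turns on what "weak" DMARC means in practice: a missing record, a `p=none` policy, or a partial `pct=` lets mail that fails SPF/DKIM alignment through even though the domain nominally "has DMARC". The following is an added example (not the NSA's or the post's code) that parses a DMARC TXT record as published at `_dmarc.<domain>` and reports each weakness a defender would want to fix; the sample records are constructed for the example.

```python
"""Assess a DMARC record for the weaknesses that let spoofed mail through.

Added example; not code from the NSA report. It only evaluates the record
text (what you would fetch from the _dmarc.<domain> TXT record), so it runs
offline. The sample records at the bottom are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    present: bool
    policy: Optional[str] = None   # value of the p= tag, lower-cased
    pct: int = 100                 # share of failing mail the policy applies to
    findings: List[str] = field(default_factory=list)

    @property
    def blocks_spoofing(self) -> bool:
        """True only when receivers are told to quarantine or reject ALL failing mail."""
        return self.present and self.policy in ("quarantine", "reject") and self.pct == 100


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return the policy in force plus a list of reasons spoofed mail may still be delivered."""
    if not record:
        result = DmarcAssessment(present=False)
        result.findings.append("no DMARC record: receivers apply no policy to mail failing SPF/DKIM")
        return result

    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        result = DmarcAssessment(present=False)
        result.findings.append("record does not start with v=DMARC1 and will be ignored")
        return result

    policy = tags.get("p", "").lower() or None
    result = DmarcAssessment(present=True, policy=policy)

    if policy is None:
        result.findings.append("missing p= tag: the record is invalid and receivers ignore it")
    elif policy == "none":
        result.findings.append("p=none: monitoring only, spoofed mail is still delivered")

    if "pct" in tags:
        try:
            result.pct = int(tags["pct"])
        except ValueError:
            result.findings.append(f"unparseable pct={tags['pct']!r}")
        if result.pct < 100:
            result.findings.append(f"pct={result.pct}: policy applied to only {result.pct}% of failing mail")

    # A strict organisational policy can still be undercut by a lax subdomain policy.
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        result.findings.append("sp=none: subdomains can be spoofed even though the apex domain is protected")

    if "rua" not in tags:
        result.findings.append("no rua= address: no aggregate reports, so spoofing attempts go unnoticed")

    return result


# Constructed sample records (not from any real domain).
SAMPLE_RECORDS = {
    "absent": None,
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.invalid",
    "strict": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        a = assess_dmarc(record)
        print(f"{name:13} blocks_spoofing={a.blocks_spoofing} findings={a.findings}")
```

In a real check the record string comes from a DNS TXT query for `_dmarc.<domain>`; the assessment logic is the same. The `sp=` and `rua=` findings are included because a reject policy on the apex domain with no subdomain policy or reporting address is a common way a domain looks protected on paper while still being usable for the kind of spoofing the report describes.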
Detecting malicious emails can be accomplished by deploying email gateways, antivirus, and spam filters, just to name a few. But what happens when some slip through the cracks? Then you look for the behaviors! A common TTP and behavior is to provide the victim with a malicious document that will run some code or commands to progress the attack. In a Microsoft environment, this is commonly accomplished by executing #Powershell, Windows Command Shell (cmd.exe), or other living-off-the-land binaries (LOLBINs). And that is the basis of this Cyborg Security Community Edition Hunt Package! Enjoy the article, get your free account, and Happy Hunting!
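Both hunt packages mentioned in this feed, the Remcos run-key persistence one earlier and the Office-spawning-LOLBIN one here, are behavioural rules over endpoint telemetry. As an added example (not Cyborg Security's package or Elastic's code), the block below runs both rules over constructed Sysmon-style events: registry value-set events (event ID 13) for the `CurrentVersion\Run` keys in HKLM and HKCU (Sysmon reports HKCU under `HKU\<SID>`), and process-creation events (event ID 1) where an Office application is the parent of PowerShell, cmd.exe or another LOLBIN. The event records, file paths and the installer allowlist are all constructed for the example.

```python
"""Two behaviour-based hunt rules over constructed Sysmon-style events.

Added example, not a vendor hunt package. Rule 1: writes to
HKLM/HKCU ...\CurrentVersion\Run (the Remcos persistence behaviour).
Rule 2: Office applications spawning PowerShell, cmd.exe or other LOLBINs.
Every event below is constructed; the field names mirror Sysmon's.
"""
import re
from typing import Dict, Iterable, List, Set

# HKLM\Software\...\Run, HKCU\..., or Sysmon's HKU\<SID>\... form; RunOnce and
# Wow6432Node included so 32-bit-on-64-bit writes are not missed.
RUN_KEY_RE = re.compile(
    r"^HK(?:LM|CU|U\\[^\\]+)\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}
# Constructed allowlist: installers that legitimately write Run values.
DEFAULT_ALLOWED_RUN_WRITERS = {r"c:\windows\system32\msiexec.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_run_key_persistence(events: Iterable[Dict], allowed_writers: Set[str] = DEFAULT_ALLOWED_RUN_WRITERS) -> List[Dict]:
    """Rule 1: any process other than an allowlisted installer setting a Run/RunOnce value."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:           # Sysmon RegistryEvent (Value Set)
            continue
        if not RUN_KEY_RE.match(ev.get("TargetObject", "")):
            continue
        if ev.get("Image", "").lower() in allowed_writers:
            continue
        hits.append({"rule": "run_key_persistence", "image": ev["Image"],
                     "key": ev["TargetObject"], "value": ev.get("Details", "")})
    return hits


def hunt_office_spawn_lolbin(events: Iterable[Dict]) -> List[Dict]:
    """Rule 2: Office parent process creating a LOLBIN child."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:            # Sysmon ProcessCreate
            continue
        parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in LOLBINS:
            hits.append({"rule": "office_spawn_lolbin", "parent": parent,
                         "child": child, "command_line": ev.get("CommandLine", "")})
    return hits


def run_hunt(events: List[Dict]) -> List[Dict]:
    """Run every rule and return the combined hit list."""
    return hunt_run_key_persistence(events) + hunt_office_spawn_lolbin(events)


# Constructed sample telemetry (paths, SIDs and names are made up).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "EXCEL.EXE"},
]

if __name__ == "__main__":
    for hit in run_hunt(SAMPLE_EVENTS):
        print(hit)
```

Of the six constructed events, two fire: the Run value written from a user's Temp directory and the PowerShell child of WINWORD.EXE. The msiexec.exe write is suppressed by the allowlist, which is where most of the tuning effort in a real hunt goes; pass an empty set to see it surface as well.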
Researchers at Leviathan Security have released some interesting findings that illustrate why your VPN service may not be as secure as it claims.
From the story:
"VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP protocol so that other users on the local network are forced to connect to a rogue DHCP server.
“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”"
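The mechanism in the quoted description is ordinary routing: a host follows the most specific matching route, so a route pushed by a DHCP server that is narrower than the VPN's default route wins, and that traffic leaves through the physical interface instead of the tunnel. The added example below (not Leviathan's code) performs that longest-prefix match over a constructed routing table and lists the destinations that would bypass the tunnel, which is the check a VPN client or an administrator can run after each DHCP lease to detect the condition. Interface names, prefixes and the VPN server address are constructed; the table uses the common client pattern of two /1 routes over the tunnel to override the physical default route.

```python
"""Detect destinations that a host's routing table sends around the VPN tunnel.

Added example, not Leviathan Security's code. It applies longest-prefix
matching (lowest metric on ties), which is how a host chooses a route, to
a constructed routing table before and after a rogue DHCP lease adds
more-specific routes. Addresses are from the RFC 5737 documentation ranges.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: str        # destination network in CIDR notation
    interface: str     # outgoing interface
    metric: int = 0    # lower wins on equal prefix length


def select_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Return the route a host would use for dest: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    best: Optional[Tuple[Tuple[int, int], Route]] = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if addr in net:
            key = (net.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


def tunnel_bypasses(routes: List[Route], destinations: List[str],
                    tunnel_if: str, vpn_server: str) -> List[Tuple[str, Route]]:
    """List (destination, winning route) pairs that do NOT leave via tunnel_if.

    The VPN server itself must be reached over the physical interface, so it
    is excluded rather than reported as a leak.
    """
    leaks = []
    for dest in destinations:
        if dest == vpn_server:
            continue
        chosen = select_route(routes, dest)
        if chosen is None or chosen.interface != tunnel_if:
            leaks.append((dest, chosen))
    return leaks


# Constructed healthy table: tunnel claims both halves of IPv4 space via /1 routes,
# the physical default route remains with a worse metric, plus LAN and VPN-server routes.
ROUTES_BEFORE = [
    Route("0.0.0.0/1", "tun0"),
    Route("128.0.0.0/1", "tun0"),
    Route("0.0.0.0/0", "eth0", metric=100),
    Route("192.168.1.0/24", "eth0"),
    Route("203.0.113.5/32", "eth0"),     # the VPN server (constructed address)
]

# Constructed: the same table after a DHCP lease installed two narrower routes
# pointing at the physical interface.
ROUTES_AFTER = ROUTES_BEFORE + [
    Route("198.51.100.0/24", "eth0"),
    Route("192.0.2.53/32", "eth0"),
]

DESTINATIONS = ["198.51.100.10", "192.0.2.53", "192.0.2.99", "203.0.113.5"]

if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        leaks = tunnel_bypasses(table, DESTINATIONS, "tun0", "203.0.113.5")
        print(label, [(d, r.prefix, r.interface) for d, r in leaks])
```

Before the rogue lease every checked destination matches one of the two /1 tunnel routes; afterwards the /24 and /32 pushed via DHCP win for two of them. A real client would read the live routing table (for example `ip route` on Linux) and run this comparison after every lease renewal; flagging any DHCP lease that carries classless static routes at all is the cheaper signal, since a normal home or office lease rarely needs them.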
A "new" VPN vulnerability dubbed #TunnelVision (CVE-2024-3661), published by Leviathan Security and reported on by @briankrebs has been known for many years. However, most people had never thought about this whenever I mentioned it in the past, which explains why this is making the rounds now.
I personally have known it for ~10 years and posted about it on Twitter years ago.
I didn't request a CVE or write half a book's worth of a blog post about it, though :D