Posts

Writing Hacker Fiction With Help From AI

I wanted to do something a bit different and fun, so I created a new site, hackerfiction.medium.com, with one purpose: telling fictional short stories about hacking using AI. I've explained why and how I'm doing this in my Introduction blog, and I recommend checking it out first. Ultimately, I made these stories for me. But I think others may enjoy them too, so I shared them. I've enjoyed making these short stories and generating some visuals, and I may make some more. To me, these stories show how the future of all entertainment will be influenced by AI. Interestingly, some have noted that these hacker fiction short stories, initially designed purely for fun, could also be used productively by governments, militaries, and organizations. The ideas are fundamentally generated by the human through a series of "what if" scenarios. The story contents are generated by the AI and then further edited by the human to make sense. For these stories to be useful, though, they would have to be

Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz

I recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families. I imagine that Zscaler has some sort of malware hunting capability (potentially LiveHunt YARA rules in VirusTotal) and that they manually check ransom notes uploaded to VT containing strings such as ".onion" to find new and interesting ransomware families. However they actually do it, this is a handy repo for the community to use. Three new ransom notes that Zscaler shared caught my eye: they belonged to Shadow, 8BASE, and Rancoz. Tracking new ransomware families can be an interesting task because so many new groups are appearing that it is hard to tell which ones are worth paying attention to out of the literal hundreds of variants out there launching attacks. These three stick out, however, due to the presence of a ".onion" Tor link inside their ransom notes, because that means they have set up

Fake Steam Desktop Authenticator App distributing DarkCrystal RAT

I recently came across an interesting campaign that is using fake websites to distribute malware. Although this TTP is not new, it seems to be on the rise. Anecdotally, I've seen it in more cases in 2023 than before. It's difficult to quantify without doing extensive research, but it is something other analysts should at least be more aware of. A suspected Russia-based cybercriminal decided to clone the website of a legitimate open-source desktop app (see here) called Steam Desktop Authenticator (SDA), which is simply a convenient desktop version of the mobile authenticator app. However, that convenience comes at a price: impersonation scams and account hijacking. The GitHub repo of the SDA app also has a warning to others about the fake versions floating around.

Figure 1: Warning from the real Steam Desktop Authenticator site

The threat actors distributing the fake version of SDA use two techniques that are effective when paired together: Site Cloning and Typos

GreenMwizi - Kenyan scamming campaign using Twitter bots

Images made with Bing Create AI

Prologue

I find that uncovering new campaigns and sharing research on novel threats is one of the most enjoyable parts of my job as a CTI researcher, especially the types of threats not many other researchers spend much time investigating, or at least those who do rarely disclose their findings publicly. My investigation into the RedZei group is also an example of this.

Background

I have recently been investigating a financially motivated threat actor I've dubbed "GreenMwizi" that I believe to be from Kenya. They have set up a dozen fake Booking.com Twitter accounts and are currently targeting users who make public complaints. The main aim of these scammers is to socially engineer users over the phone into sending them funds via Remitly, an international money transfer service. By interacting with the scammers myself I was able to find out their phone number and trace their IP address and device information. This type of activity is extre

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Logo credit: RedCanary

Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail. The blogs I recommend reading to catch up on this threat are as follows:

https://redcanary.com/blog/raspberry-robin
https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity
https://blog.sekoia.io/raspberry-robins-botnet-second-life/
https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/
https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e

Tips for Investigating Cybercrime Infrastructure

I'm surprised this is my first blog of 2023, but I have been busier than usual. My work at the Equinix Threat Analysis Center (ETAC) has been very engaging, and when I'm not chasing cyber bad guys with ETAC I'm writing down how to do it as I develop SANS FOR589: Cybercrime Intelligence. While researching packers and crypters (which are used to obfuscate malware code, like VMProtect or UPX), I came across a site in the search results billing itself as a generic "FUD Crypter" as-a-Service type offering (FUD = Fully Undetectable in cybercriminal lingo). The website "fudcrypter[.]io" is still online, looks pretty amateurish to me, and was ripe for investigating.

Figure 1: Screenshot of the FUD Crypter website

I navigated around the site, hovered over some of the buttons, and found redirects to another website called "data-encoder[.]com". This second site, however, was offline at the time I tried to visit it. But using a coveted CTI

RedZei - Chinese-speaking scammers targeting Chinese students in the UK

Welcome to the final BushidoToken blog of 2022. Over the last year or so, an associate of mine in the UK has been targeted by a persistent Chinese-speaking scammer. The scammer often calls once or twice a month from a unique UK-based phone number and, if left unanswered, leaves an unusual automated voicemail. I obtained the recorded voicemails and identified that they are almost certainly scam calls from Chinese-speaking fraudsters targeting Chinese international students at universities in the UK. I have tracked this campaign for over a year and built a profile of the group's activities based on just the calls and voicemails they have left. I am now disclosing these attempts and subsequently tracking this activity group as "RedZei" (aka "RedThief"). The RedZei fraudsters have chosen their targets carefully, researched them, and realized it was a rich victim group that is ripe for exploitation. A quick OSINT search found several recent articles about this apparent

Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms

Cyber threat intelligence largely involves tracking and studying the adversaries outside of your network. Gaining counterintelligence about your adversaries' capabilities and weaponry is one of the final building blocks for managing a strong cyber defense. In pursuit of this duty, I have been studying how to discover adversary infrastructure on the internet. One good way of doing this has been to leverage the scan data available through the popular Shodan search engine. If you've not used it before, Shodan periodically scans the entire internet and makes the results available for users to query. It is often used to monitor networks, look for vulnerabilities, and ensure the security of an organization's perimeter. But we can also use Shodan for tracking the adversaries. Through the process of fingerprinting - that is, identifying unique attributes of IPs on the internet - we can find command and control (C2) servers and login panels belonging to cy