Posts

OSINT blog: Reunion in Scotland

The Beer Farmers recently issued a geo-location OSINT challenge with a mystery prize for the first person to find them. Under time pressure, I put my OSINT skills to the test to see how difficult it would be to find them. The tweet read: "Some Saturday fun. Where are @SeanWrightSec and @AppSecBloke in this photo? First to get it right wins something. @netsecfocus knows what it's like to win a prize from us. #HereForYou pic.twitter.com/L5HiKGAF8X" (The Beer Farmers, @TheBeerFarmers, September 11, 2021). I examined the image closely, looking for any clues. The first thing I think everyone would have immediately noticed was the large Greek-style columns behind Mike and Sean. These would come in handy later when roaming the streets on Google Maps. The second thing I noticed was a backwards JD Sports logo (a high-street clothing brand in the UK). Therefore, I realised the image was flipped horizontally, so I flipped it back. The task was then to locate which JD Sports this was going to be. Judgin

How Do You Run A Cybercrime Gang?

Cybercrime takes many forms, the most common of which are theft and fraud. Aspiring cybercriminals may begin with off-the-shelf malware or phishing kits and run amateur, but profitable, campaigns. Banking Trojans were the next step up; these intercept and manipulate connections during online banking procedures for exploitation and wire fraud. Several infamous groups that graduated from these campaigns went on to form organised crime syndicates and launch 'big game hunting' ransomware campaigns. Ransomware, in particular, has caused mass disruption on a national level and huge financial losses. This blog will explore three top-tier cybercrime syndicates which are tracked by the private cybersecurity industry as EvilCorp, WizardSpider, and FIN7. These threat actors are financially motivated cybercriminals whose campaigns have become a scourge to organisations and society at large. So much so that they are closely tracked by intelligence agencies and international law enforcement. Fi

Summer of Scammers: PancakeSwap cryptocurrency thieves

Cryptocurrency is experiencing a huge boom. With this explosion in popularity, and people getting rich quick, come the cybercriminals looking to exploit this new technology. Unfortunately, while there may be a large amount of money to be made from cryptocurrency, there are very few controls or regulations preventing scams. Unlike users of centralised financial services, such as banks, cryptocurrency users are only as protected as their own personal operational security (OPSEC). While there are long guides on OPSEC for cryptocurrency users, many new users are lacking here and do not use a strong password or two-factor authentication (2FA). This makes them sitting ducks for cybercriminals. This blog will detail how users of a relatively new platform, PancakeSwap, are being highly targeted. In their own words, "PancakeSwap is the leading decentralized exchange on Binance Smart Chain, with the highest trading volumes in the market". Despite its comical name, PancakeSwap is no j

The Lazarus Heist: Where Are They Now?

Introduction The BBC World Service has recently produced The Lazarus Heist podcast (available here), researched and presented by Geoff White and Jean H. Lee. This thrilling podcast dives into the intricacies of the elaborate Bangladesh Bank heist attempt to steal $1 billion. As a security researcher who actively tracks the Lazarus group and any mentions of North Korean cyber activity, I found this podcast series was extremely detailed and well researched. There are so many additional info gems that anyone who has researched North Korea will enjoy. I also highly recommend it for any threat intelligence analysts investigating North Korean cyber activity. The Lazarus Heist podcast also made me want to revisit what I have learned about North Korean advanced persistent threat (APT) groups. In February 2020, I blogged about who the Lazarus group is and what campaigns they are known for (see here). This was one of my first blogs and I was eager to learn more while researching this in

Attack campaign analysis and interdiction: Async RAT

Threat hunting in public sandboxes has been, admittedly, a hobby of mine for the last two years or so. Recently, I have been looking through the geo-specific uploads that arrive in one such sandbox called Any.Run. It is no secret I am from the UK, so from time to time I like to check what malware is currently being sent to companies in the UK. This one caught my eye: The file "astro-grep-setup.exe.doc" (available on Any.Run here) was not uploaded to the sandbox by me, but instead by some stranger from the UK (or potentially someone using a VPN server in the UK). It is 596 pages long and 1.38 MB. The attacker behind this document has used an interesting technique: macros are enabled when the document is opened and they deliver an installer for a legitimate app called "AstroGrep" (an open source Windows grep utility), which is also packed with another malicious application containing the Async RAT. This technique is known as using a "binder" putting two apps