@BushidoToken Threat Intel

I'm surprised this is my first blog of 2023, but I have been more busy than usual. My work at the Equinix Threat Analysis Center (ETAC) has been very engaging and when I'm not chasing cyber bad guys with ETAC I'm writing down how to do it as I'm developing SANS FOR589: Cybercrime Intelligence .  While researching packers and crypters (that are used to obfuscate malware code, like VMProtect or UPX), I came across a site in the search results billing itself as a generic "FUD Crypter" as-a-Service type offering (FUD = Fully Undetectable in cybercriminal lingo). The website "fudcrypter[.]io" is still online and looks pretty amateurish to me and was ripe for investigating. Figure 1: Screenshot of the FUD Crypter website I navigated around the site and hovered over some of the buttons and found redirects to another website called "data-encoder[.]com". This second site, however, was offline at the time I tried to visit it. But using a coveted CTI

  Welcome to the final BushidoToken blog of 2022. Over the last year or so, an associate of mine in the UK has been targeted by a persistent Chinese-speaking scammer. The scammer often calls once or twice a month from a unique UK-based phone number and, if left unanswered, leaves an unusual automated voicemail.  I got the recorded voicemails and identified that they are almost certainly scam calls from Chinese-speaking fraudsters targeting Chinese international students at universities in the UK.  I have tracked this campaign for over a year and built a profile on the group's activities based on just the calls and voicemails they have left. I am now disclosing these attempts and subsequently tracking this activity group as "RedZei" (aka "RedThief"). The RedZei fraudsters have chosen their targets carefully, researched them and realized it was a rich victim group that is ripe for exploitation. A quick OSINT search found several recent articles about this apparent

  Cyber threat intelligence largely involves the tracking and studying of the adversaries outside of your network. Gaining counterintelligence about your adversaries' capabilities and weaponry is one of the final building blocks for managing a strong cyber defense.  In the pursuit of performing this duty, I have been studying how to discover adversary infrastructure on the internet. One good way of doing this has been via leveraging the scan data available through the popular Shodan search engine. If you've not used it before, Shodan periodically scans the entire internet and makes it available for users to query through. It is often used to monitor networks, look for vulnerabilities, and ensure the security of an organization's perimeter.  But we can also use Shodan for tracking the adversaries. Through the process of fingerprinting - that is to identify unique attributes of IPs on the internet - we can find command and control (C2) servers and login panels belonging to cy

  In February 2022, following the Russian invasion of Ukraine, the operators of Conti ransomware announced their support of the Russian government. They shortly walked back their support, seemingly after rifts by members of the group. Not long after that, hundreds of thousands of messages from internal chat logs were shared publicly by two accounts on Twitter called @ContiLeaks and @TrickLeaks. This treasure trove of information revealed a wealth of insights about the inner workings of a sophisticated Russian cybercrime business linked to the Conti and Ryuk ransomware campaigns and Trickbot malware botnet , which are tracked as Wizard Spider (by CrowdStrike ), DEV-0193 (by Microsoft ), GOLD ULRICK (by Secureworks ), and  Ryuk as FIN12 (by  Mandiant ) . Following the fallout of the internal chat leaks, the Conti ransomware group carried on, seemingly business as usual. In April 2022, the Government of Costa Rica had to declare a state of emergency following a sprawling Conti ransomwar

  A short blog to document the proliferation of an advanced commercial penetration testing tool among cybercriminal threat actors across various Russian- and English-speaking underground forums. What? Available since December 2020, Brute Ratel C4 (aka BRC4) is one of the hottest new Red Team frameworks to hit the scene. It is similar to other frameworks such as Cobalt Strike but is uniquely concerning for its focus on evading endpoint detection and response (EDR) and antivirus (AV) tools. A technical analysis of BRC4 has already been provided by Palo Alto Networks Unit42 (see their blog here ). At 19:59:20 UTC o n 13 September 2022, an archive file called " bruteratel_1.2.2.Scandinavian_Defense.tar.gz " was uploaded to VirusTotal. This file contains a valid copy of  BRC4 version 1.2.2/5.  On 28 September, the developer of BRC4, Chetan Nayak, tweeted  unfounded and disproven accusations that archive was leaked by MdSec and said they were the ones who uploaded it to VirusTota

Background Active since at least August 2021, a new English-speaking threat actor calling themselves "1977" has developed and advertised a new eCrime market on multiple underground forums called  Darth Maul Shop . This blog aims to highlight some of the key aspects of a new emerging eCrime market, analyze its reception by other threat actors, and discuss the underground cybercrime communities making money buying and selling credentials without launching any intrusions themselves. If you want to learn more about Initial Access Brokers (IABs), SentinelOne recently shared a good up-to-date overview of this type of threat actor and how they interface with various ransomware groups and the types of services they offer. These IABs can be just as dangerous as the ransomware groups themselves, as they are capable of infiltrating a target network and achieving the privileges of "Domain Admin (DA) access with reach to over 10,000 hosts. " The eCrime market has also shifted r

  This is a short blog analyzing some artifacts  left over by a Mimikatz operator's campaign. Background While doing to some internet dumpster-diving (as I like to call it) I came across an open directory belonging to a threat actor's Mimikatz staging server (see Figure 1).  The threat actor's server was hosted on DigitalOcean AS14061  (165[.]232[.]*.*) and a takedown request was submitted by myself to the DigitalOcean Abuse team. Figure 1: Mimikatz opendir The files on the server were not that interesting, most of it was default Mimikatz components from the GitHub and other resources online. The files are available on VirusTotal too if needed. im.ps1 (Invoke-Mimikatz PowerShell script) https://www.virustotal.com/gui/file/1b441fde04d361a6fd7fbd83e969014622453c263107ce2bed87ad0bff7cf13f mimidrv.sys (signed Windows Driver Model (WDM) kernel mode software driver) https://www.virustotal.com/gui/file/f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5 mimikatz.exe