Posts

Showing posts from May, 2020

OZH RAT - New .NET malware

Introducing a new remote access tool (RAT) I recently discovered: filenames include ‘OzhSecSys.exe’ or ‘system.exe’. Interestingly, the IP address used to host the OZH RAT domain (185[.]176[.]43[.]94) is used in prior #Konni attack campaigns, but is not thought to be connected to the North Korean APT. #OZHRAT

IOCs: https://t.co/B5KNjQBWUX — Will | BushidoToken 👁‍🗨 (@BushidoToken) May 28, 2020
Malpedia link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat
IOCs in my OTX feed for this threat have been attached here.
More info:

Florian Roth's THOR APT Scanner picked it up early on:

Windows Forms & System Configuration checks:
OZH RAT is new malware as far as I can tell. I would be very interested if another security researcher is able to investigate or share samples of OZH RAT for further malware analysis.
Updated - 2nd June 2020: I recently discovered the OZH RAT #crimeware website, which is written in Turkish. The #malware has an exceptionally low detection rating on Viru…

Cyber Threat Intelligence and the Law of the Jungle

Nowadays, the internet can be viewed as the closest thing humans have to a predator-and-prey food chain, where it is truly a free-for-all. One novel method of threat modelling is to examine the threats that prey face in the animal kingdom.

By evaluating which predators are out there, we can identify vulnerabilities and risks before they become threats. The main aim of this blog is to explain clearly to non-technical people, using memorable analogies, how certain persistent threats exist in the wild.

All Artwork is from www.pexels.com
The Law of the Jungle

The Venus flytrap is a good example of how prey can be lured away from safety and into the clutches of a predator. This carnivorous plant secretes a special nectar that entices insects to fall for the trap and end up in its jaws. This process in nature is comparable to phishing lures with decoy documents, malvertising, free Trojanised apps, pirated games, films or eBooks, fake competitions and many other techniques th…

Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns

I recently set out to become more acquainted with Maltego, a useful program for open-source intelligence (OSINT) and forensics developed by Paterva. I also noticed an ongoing campaign against Turkey using Android banking Trojans such as Anubis and Cerberus. Both are Malware-as-a-Service offerings that supply a builder and a mobile remote access Trojan (MRAT) to steal credentials from Android users.

Security researchers such as @MalwareHunterTeam, @ReBensk, @pr3wtd, @mertcangokgoz and others have all recently shared new samples of Cerberus and Anubis targeting users in Turkey with mobile data “gifts” supposedly offered by their mobile carriers because of COVID-19. Various websites have been registered hosting links to fake apps, which are downloaded from the threat actor's GitLab or BitBucket repositories. These apps are Android packages (.APK) that can be distributed via SMS, instant messaging apps, Twitter, email and other social engineering techniques.
With the Tweets of th…

Gone Phishing

This is a blog on some of the latest phishing threats out there, including ones I have recently, personally experienced and reverse engineered.

On 1 May I received this SMS text:

Just received this: (1 May)

http://security[.]hsbcuk[.]confirm-securekey[.]com @HSBC_UK #phishing #smishing

(I'm not with HSBC) pic.twitter.com/HU3sqBlPhz — Will | BushidoToken 👁‍🗨 (@BushidoToken) May 1, 2020

To me, it was quite clearly a phish, as I'm not with HSBC; however, someone who is may have been easily fooled. The trick the phishermen used here is the subdomain. The registered domain is confirm-securekey[.]com, and 'security.hsbcuk' is just a subdomain under it, but average users may recognise what looks like their usual bank's name in the hostname and feel safe. The threat actors who sent this to me could equally use a domain like 'digitalbanking.com' (which is for sale) and simply insert my bank's hostname as a subdomain, making it quite convincing. Plus, they can add a free digital certificate from the Let's Encrypt CA to give it HTTPS, and now we have a pretty convincing phish.

I chucked the domain into…
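The subdomain trick in the post above is caught by judging a link on its registrable domain (public suffix plus one label) rather than on whatever brand name appears earlier in the hostname. The Python below is an added example and not code from the original post: the miniature public suffix list, the bank allowlist and every sample URL apart from the one in the SMS are constructed for illustration, and the sample lookalike under digitalbanking.com is only the hypothetical the post describes.

```python
"""Classify smishing links by registrable domain, not by the brand in the host.

Added example (not from the original post). Sample data is constructed.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. A real tool loads the full
# list (or uses tldextract); multi-label suffixes such as "co.uk" are exactly
# what makes a naive "last two labels" rule wrong.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Constructed allowlist of registrable domains the bank is assumed to own.
LEGIT_DOMAINS = {"hsbc.co.uk", "hsbc.com"}
BRAND_TOKENS = ("hsbc",)


def refang(text: str) -> str:
    """Undo the defanging conventions used when IOCs are shared publicly."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def hostname_of(url: str) -> str:
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Return eTLD+1: the longest matching public suffix plus one more label."""
    labels = host.split(".")
    # Walk from the longest candidate suffix downwards so "co.uk" beats "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return host  # the host itself is a bare public suffix
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def classify(url: str) -> dict:
    """Decide whether a link is legitimate, a lookalike, or simply unknown."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    subdomain = host[: -len(reg)].rstrip(".") if host != reg and reg else ""
    if reg in LEGIT_DOMAINS:
        verdict = "legitimate"
    elif any(t in subdomain for t in BRAND_TOKENS):
        # The bank's name is only in labels the attacker controls for free.
        verdict = "brand-in-subdomain lookalike"
    elif any(t in reg for t in BRAND_TOKENS):
        verdict = "brand-in-domain lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "registrable": reg, "subdomain": subdomain, "verdict": verdict}


# Sample links: the first is the defanged URL from the SMS in the post; the
# rest are constructed for this example.
SAMPLE_URLS = [
    "http://security[.]hsbcuk[.]confirm-securekey[.]com",
    "https://www.hsbc.co.uk/security",
    "https://www.hsbc.co.uk.digitalbanking.com/login",
    "https://secure-login.example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u)
        print(f"{r['host']:45} registrable={r['registrable']:25} {r['verdict']}")
```

The decisive field is `registrable`: whatever precedes it in the host was chosen freely by whoever registered that domain, so a bank's name appearing there carries no trust, whereas a certificate from Let's Encrypt will happily cover the whole lookalike host.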