Showing posts from August, 2022

Analysis of the emerging Darth Maul eCrime Market

Background Active since at least August 2021, a new English-speaking threat actor calling themselves "1977" has developed and advertised a new eCrime market on multiple underground forums called  Darth Maul Shop . This blog aims to highlight some of the key aspects of a new emerging eCrime market, analyze its reception by other threat actors, and discuss the underground cybercrime communities making money buying and selling credentials without launching any intrusions themselves. If you want to learn more about Initial Access Brokers (IABs), SentinelOne recently shared a good up-to-date overview of this type of threat actor and how they interface with various ransomware groups and the types of services they offer. These IABs can be just as dangerous as the ransomware groups themselves, as they are capable of infiltrating a target network and achieving the privileges of "Domain Admin (DA) access with reach to over 10,000 hosts. " The eCrime market has also shifted r

Unravelling a Mimikatz campaign

  This is a short blog analyzing some artifacts  left over by a Mimikatz operator's campaign. Background While doing to some internet dumpster-diving (as I like to call it) I came across an open directory belonging to a threat actor's Mimikatz staging server (see Figure 1).  The threat actor's server was hosted on DigitalOcean AS14061  (165[.]232[.]*.*) and a takedown request was submitted by myself to the DigitalOcean Abuse team. Figure 1: Mimikatz opendir The files on the server were not that interesting, most of it was default Mimikatz components from the GitHub and other resources online. The files are available on VirusTotal too if needed. im.ps1 (Invoke-Mimikatz PowerShell script) mimidrv.sys (signed Windows Driver Model (WDM) kernel mode software driver) mimikatz.exe