Posts

Showing posts from May, 2023

Writing Hacker Fiction With Help From AI

I wanted to do something a bit different and fun, so I created a new site, hackerfiction.medium.com, with one purpose: telling fictional short stories about hacking using AI. I've explained why and how I'm doing this in my Introduction blog; I recommend checking it out first. Ultimately, I made these stories for me. But I think others may enjoy them too, so I shared them. I've enjoyed making these short stories and generating some visuals, and I may make some more. To me, these stories show how the future of all entertainment will be influenced by AI. Interestingly, some have noted that these hacker fiction short stories, initially designed purely for fun, could also be used productively by governments, militaries, and organizations. The ideas are fundamentally generated by the human through a series of "what if" scenarios. The story contents are generated by the AI and then further edited by the human to make sense. For these stories to be useful, though, they would have to be

Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz

I recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families. I imagine that Zscaler has some sort of malware hunting capability (potentially LiveHunt YARA rules in VirusTotal) and that they manually check ransom notes uploaded to VT containing strings such as ".onion" to find new and interesting ransomware families. However they actually do it, this is a handy repo for the community to use. Three new ransom notes that Zscaler shared caught my eye: those belonging to Shadow, 8BASE, and Rancoz. Tracking new ransomware families can be an interesting task: with so many new groups appearing, it is hard to tell which of the literal hundreds of variants out there launching attacks are worth paying attention to. These three stick out, however, due to the presence of a ".onion" Tor link inside their ransom notes, because that means they have set up
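The hunting approach described above, keying on ".onion" strings inside ransom notes, as an added example that is not from the original post or from Zscaler's repo. It extracts Tor v3 (56-character) and legacy v2 (16-character) .onion hostnames from a set of notes, indexes which notes share an address (a sign of shared infrastructure or a rebrand), and separates out notes that only offer an e-mail contact. The four notes embedded below are constructed samples, not real ransom notes, and the filename keys are assumptions.

```python
"""Extract .onion addresses from ransom notes and group notes by the
addresses they share.

Added example, not code from the original post or from Zscaler's ThreatLabz
repo. The notes below are constructed samples; their filenames are assumed.
"""
import re
from collections import defaultdict

# Tor v3 onion hostnames are 56 base32 characters ([a-z2-7]) + ".onion";
# legacy v2 hostnames were 16. Match case-insensitively, since notes often
# shout the URL in upper case, and anchor on word boundaries so a longer
# base32 run cannot match by accident.
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)

# Constructed sample addresses (valid in form only).
ONION_A = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"
ONION_B = "zyxwvutsrqponmlkjihgfedcba765432zyxwvutsrqponmlkjihgfedc.onion"
ONION_V2 = "abcdefghijklmnop.onion"

# Constructed sample notes keyed by an assumed filename.
SAMPLE_NOTES = {
    "family_a_note1.txt": "Your files are encrypted. Contact us at http://"
    + ONION_A + "/chat using Tor Browser.",
    "family_a_note2.txt": "ALL YOUR DATA IS STOLEN. Visit HTTP://"
    + ONION_A.upper() + " to negotiate.",
    "family_b_note.txt": "Download Tor and open http://" + ONION_B
    + "/ with your ID 1234 (old mirror: " + ONION_V2 + ").",
    "email_only_note.txt": "Write to recover-files@example.com for the decryptor.",
}


def extract_onion_addresses(text):
    """Return the set of lower-cased .onion hostnames found in one note."""
    return {m.group(0).lower() for m in ONION_RE.finditer(text)}


def group_notes_by_onion(notes):
    """Map each .onion hostname to the sorted list of note ids that mention it.

    notes: dict of note_id -> note text. Two notes that share an address are
    worth a closer look together, whatever family name they carry.
    """
    index = defaultdict(set)
    for note_id, text in notes.items():
        for addr in extract_onion_addresses(text):
            index[addr].add(note_id)
    return {addr: sorted(ids) for addr, ids in index.items()}


def notes_without_onion(notes):
    """Sorted ids of notes that contain no .onion address at all.

    These are the ones a ".onion" hunt would miss; they typically fall back to
    e-mail or a clearnet site for contact.
    """
    return sorted(nid for nid, text in notes.items()
                  if not extract_onion_addresses(text))


if __name__ == "__main__":
    for addr, ids in sorted(group_notes_by_onion(SAMPLE_NOTES).items()):
        print(f"{addr}: {', '.join(ids)}")
    print("no .onion:", ", ".join(notes_without_onion(SAMPLE_NOTES)))
```

Pointing `SAMPLE_NOTES` at the contents of a directory of real notes is the only change needed to run this over a repo like the one above; the shared-address index is what makes rebrands and shared negotiation portals visible.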

Fake Steam Desktop Authenticator App distributing DarkCrystal RAT

I recently came across an interesting campaign that is using fake websites to distribute malware. Although this TTP is not new, it seems to be on the rise. Anecdotally, I've seen it in multiple cases in 2023, more so than before. It's difficult to quantify without doing extensive research, but it is at least something for other analysts to be more aware of. A suspected Russia-based cybercriminal decided to clone the website of a legitimate open-source desktop app (see here) called Steam Desktop Authenticator (SDA), which is simply a convenient desktop version of the mobile authenticator app. However, that convenience comes at a price: impersonation scams and account hijacking. The GitHub repo of the SDA app also has a warning to others about the fake versions floating around.
Figure 1: Warning from the real Steam Desktop Authenticator site
The threat actors distributing the fake version of SDA use two techniques that are effective when paired together: Site Cloning and Typos

Tracking Adversaries: GreenMwizi, Kenyan scamming campaign using Twitter bots

Images made with Bing Create AI
Prologue
I find uncovering new campaigns and sharing research on novel threats one of the most enjoyable parts of my job as a CTI researcher. Especially the types of threats not many other researchers really spend much time investigating, or at least those who do rarely disclose their findings publicly. My investigation on the RedZei group is also an example of this.
Background
I have recently been investigating a financially motivated threat actor I've dubbed "GreenMwizi" that I believe to be from Kenya. They have set up a dozen fake Booking.com Twitter accounts and are currently targeting users who make public complaints. The main aim of these scammers is to socially engineer users over the phone into sending them funds via Remitly, an international money transfer service. By interacting with the scammers myself I was able to find out their phone number and trace their IP address and device information. This type of activity is extre

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Logo credit: RedCanary
Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail. The blogs I recommend reading to catch up on this threat are as follows:
https://redcanary.com/blog/raspberry-robin
https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity
https://blog.sekoia.io/raspberry-robins-botnet-second-life/
https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/
https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e