Posts

166. Detecting Windows Problem Reporting Abuse

Hello everyone! You can get detection and hunting ideas not only from threat actors' behaviors, but also from security researchers! For example, Adam shared an interesting case of Windows Problem Reporting (wermgr.exe) abuse. This executable has many command line arguments, and the -boot argument loads the following DLL: C:\Windows\System32\offdmpsvc.dll. The DLL isn't present by default, so an adversary can write a payload there. This means we can use the argument for detection:
event_type: "processcreatewin" AND proc_file_name: "wermgr.exe" AND cmdline: "boot"
See you tomorrow!

165. FIN6 Abuses IE Per-User Initialization Utility

Hello everyone! Let's look at another curious example of the System Binary Proxy Execution (T1218) technique. DomainTools reported on a FIN6 (Skeleton Spider) campaign, which included phishing with fake resumes. The adversary distributed archives with malicious LNK files. The file executed an obfuscated command, for example:
%ComSpec%" /v /c (for %l in (s) do @set "Alter=%~l") && !Alter!et "Trick=ure = " && !Alter!et "Drawings=-base" && !Alter!et "Person=version" && !Alter!et "Twist=." && !Alter!et "Involves=$win" && !Alter!et "Genius=si" && !Alter!et "Streams=d" && !Alter!et "Grass=t" && !Alter!et "Builders=c" && !Alter!et "Armor=settings" && !Alter!et "Disorder=e" && !Alter!et "Womens=ni" && !Alter!et "Cloth=a" && !Alter!et ...

164. Ransomware Gang Abuses Legitimate Employee Monitoring Software

Hello everyone! Threat actors are always adding new tools to their arsenal. This Symantec report on Fog ransomware proves it once more. Among other uncommon tools, the adversary leveraged Syteca, a legitimate security solution that enables recording of on-screen activity, keystroke monitoring, etc. The threat actors even used PsExec and SMBExec to execute the tool on remote systems, for example:
cmd.exe /Q /c SytecaClient.exe 1> \\127.0.0.1\ADMIN$\__1748095766.8385904 2>&1
As it's a legitimate tool, it's quite easy to detect, for example:
event_type: "processcreatewin" AND proc_file_productname: "syteca"
See you tomorrow!

163. A Curious Case of Iediagcmd.exe Abuse

Hello everyone! Reading Check Point's report on Stealth Falcon activities, I spotted an interesting way of abusing iediagcmd.exe. The adversary uses malicious .url files whose URL parameter points to iediagcmd.exe. Normally this executable spawns additional processes to collect diagnostic data, including route.exe. The .url file changes the working folder to an attacker-controlled WebDAV server, so iediagcmd.exe runs route.exe from \\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr\route.exe (Horus Loader) instead of the legitimate one in the system32 folder. Of course, we can use this for detection and search for iediagcmd.exe executing files from WebDAV servers, for example:
event_type: "processcreatewin" AND proc_p_file_path: "iediagcmd.exe" AND proc_file_path: "DavWWWRoot"
See you tomorrow!

162. That's How Threat Actors Steal Cryptocurrency Wallet Credentials and Seed Phrases

Hello everyone! Adversaries may have various motivations for conducting cyber attacks, but most of them are interested in getting some money, at least at some point! Kaspersky released a report on an activity cluster we track as Rare Werewolf (or Librarian Ghouls, as they call it). You can find lots of curious things to detect and hunt in the report, but let's focus on collecting cryptocurrency wallet credentials and seed phrases:
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*парол*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*карт*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*кошельк*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\wallet.dat /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.doc* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYS...

161. Adversaries Leverage DNS over HTTPS (DoH) to Evade Detection

Hello everyone! Let's look at a curious example of the Protocol Tunneling technique (T1572) as seen in a recent report by SentinelOne. The adversary used a ShadowPad variant that leveraged DNS over HTTPS (DoH) in an attempt to evade detection. To obscure DNS traffic, the threat actors Base64-encoded the queried domains, for example:
https://8.8.8.8:443/dns-query?dns=AAABAAABAAAAAAAABG5ld3MKaW1hZ2luZXJqcANjb20AAAEAAQ
So, if you have related telemetry, you know what to hunt for! See you tomorrow!

160. Detecting Recent Kimsuky Campaign

Hello everyone! The Genians Security Center (GSC) reported on a recent Kimsuky campaign (we track this activity cluster as Monolithic Werewolf), which took place between March and April 2025. Interestingly, the adversary leveraged multiple communication channels to distribute malicious files, including email, Facebook and Telegram. The installation process is quite noisy, as always, so we have lots of detection opportunities. For example, the threat actors abused PowerShell and certutil for decoding:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\ffBqrQ6.rppn C:\Windows\..\ProgramData\sRPCU5y.evJl
A good candidate for detection, right?
event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: ("certutil" AND "decode")
One more thing: abusing reg.exe to achieve persistence:
reg add HKCU\Software\Microsoft\Windows\CurrentVersio...
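The process-creation queries from posts 166, 164, 163 and 160 share one shape (an event type plus token matches on the process name, command line, parent path, image path or product name). The block below is an added example, not code from the posts, that encodes those four queries as predicates and runs them over constructed events in the same field layout; the event values, the helper names and the WebDAV host are placeholders I made up.

```python
"""Added example: evaluate the posts' process-creation detection queries over
constructed sample events (the field names mirror the queries in the posts)."""
import re

def term(value: str, needle: str) -> bool:
    """Case-insensitive whole-token match, roughly how a SIEM full-text term
    behaves: cmdline: "boot" matches "-boot" but not "reboot"."""
    return re.search(r"(?<!\w)" + re.escape(needle) + r"(?!\w)", value, re.I) is not None

def pc(e: dict) -> bool:
    return e["event_type"] == "processcreatewin"

# One predicate per post; each mirrors the query text in that post.
RULES = {
    "166_wermgr_boot": lambda e: pc(e) and term(e["proc_file_name"], "wermgr.exe")
        and term(e["cmdline"], "boot"),
    "164_syteca": lambda e: pc(e) and term(e["proc_file_productname"], "syteca"),
    "163_iediagcmd_webdav": lambda e: pc(e) and term(e["proc_p_file_path"], "iediagcmd.exe")
        and term(e["proc_file_path"], "DavWWWRoot"),
    "160_powershell_certutil_decode": lambda e: pc(e)
        and term(e["proc_file_name"], "powershell.exe")
        and term(e["cmdline"], "certutil") and term(e["cmdline"], "decode"),
}

def ev(name, cmdline, parent, path, product="Microsoft Windows"):
    return {"event_type": "processcreatewin", "proc_file_name": name, "cmdline": cmdline,
            "proc_p_file_path": parent, "proc_file_path": path, "proc_file_productname": product}

SYS32 = r"C:\Windows\System32"
# Constructed sample events (paths, host and product strings are placeholders).
EVENTS = [
    ev("wermgr.exe", "wermgr.exe -boot", SYS32 + r"\svchost.exe", SYS32 + r"\wermgr.exe"),
    ev("wermgr.exe", "wermgr.exe -upload", SYS32 + r"\svchost.exe", SYS32 + r"\wermgr.exe"),
    ev("SytecaClient.exe", r"SytecaClient.exe 1> \\127.0.0.1\ADMIN$\__out 2>&1",
       SYS32 + r"\cmd.exe", r"C:\Temp\SytecaClient.exe", product="Syteca"),
    ev("route.exe", "route.exe print", SYS32 + r"\iediagcmd.exe",
       r"\\webdav.example.invalid@ssl@443\DavWWWRoot\stage\route.exe"),
    ev("route.exe", "route.exe print", SYS32 + r"\iediagcmd.exe", SYS32 + r"\route.exe"),
    ev("powershell.exe", "powershell.exe -windowstyle hidden certutil -decode "
       r"C:\ProgramData\a.txt C:\ProgramData\b.exe",
       r"C:\Windows\explorer.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"),
]

def match(event: dict) -> list:
    """Names of the rules this single event triggers."""
    return [name for name, pred in RULES.items() if pred(event)]

def hits(events=EVENTS) -> dict:
    """Map event index -> triggered rule names, omitting events with no hits."""
    return {i: m for i, e in enumerate(events) if (m := match(e))}
```

The benign wermgr -upload and the system32 route.exe spawned by iediagcmd.exe produce no hits, which is the false-positive check worth keeping beside each rule.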