mastouille.fr is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastouille is a sustainable, open Mastodon instance hosted in France.

Server statistics: 632 active accounts

#happyhunting


Good day everyone!

Check Point Software researchers provide us with a detailed report on a newly discovered malware, the #StyxStealer! It is capable of "stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency" and contains defense evasion techniques. While the malware may be new, one technique that stood out isn't: the use of the Windows Run registry key for persistence (Software\Microsoft\Windows\CurrentVersion\Run).

This registry key is abused because of the function it carries with it: you can reference an executable, a script, or whatever you want in the registry value data and it will execute once a user logs in. This removes the need for the adversary to social engineer or compromise a host over and over again.

Knowing that, enjoy the article and stay tuned for your Threat Hunting Tip of the Day!

Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
research.checkpoint.com/2024/u

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Once the registry key was modified and the payload was linked to in the registry value data, persistence was successfully gained, which gave the adversaries repeated access to the victim. This is a great article and just the tip of the iceberg when it comes to technical details, so check it out for yourself! Enjoy and Happy Hunting!
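The Run/RunOnce abuse described in the posts above (StyxStealer, and further down Kimsuky and the NetSupport intrusion, which wrote an encoded PowerShell launcher into the same key) is a behavior a hunter can check for directly in Sysmon telemetry. The script below is an added example written for this page; it is not code from Check Point, Cyborg Security or any of the linked reports. It assumes Sysmon Event ID 13 (RegistryEvent, value set) records flattened into `Key=Value|Key=Value` lines, which is a constructed format, and the sample records are constructed too.

```python
"""Hunt for Run/RunOnce (ASEP) persistence in Sysmon Event ID 13 (registry value set) records.

Added example for this page. The record format and every sample line are constructed,
not taken from the Check Point, Rapid7 or DFIR Report write-ups.
"""
import re
from dataclasses import dataclass, field

# Run and RunOnce under either hive (HKLM, or a HKU\<SID> user hive), 32-bit redirected view included.
ASEP_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)

# Value-data indicators. A "strong" hit justifies an alert on its own; the weak ones only
# corroborate, because plenty of legitimate per-user software also autostarts from AppData.
STRONG_INDICATORS = {
    "script_host": re.compile(r"\b(?:wscript|cscript|mshta|regsvr32|rundll32)(?:\.exe)?\b", re.I),
    "encoded_powershell": re.compile(r"powershell(?:\.exe)?.*?\s-(?:e|ec|enc|encodedcommand)\s", re.I),
    "script_extension": re.compile(r"\.(?:js|jse|vbs|vbe|bat|cmd|hta|ps1)\b", re.I),
}
USER_WRITABLE_RE = re.compile(
    r"(?:\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|%APPDATA%|%TEMP%)", re.I
)


@dataclass
class Finding:
    image: str                 # process that wrote the value
    target: str                # registry value path
    details: str               # value data, i.e. what will run at logon
    reasons: list = field(default_factory=list)
    severity: str = "info"     # every ASEP write is listed; severity depends on the reasons


def parse_record(line):
    """Split a flattened 'Key=Value|Key=Value' Sysmon record into a dict (first '=' wins)."""
    rec = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        rec[key] = value
    return rec


def assess(rec):
    """Return a Finding for a Run/RunOnce value write, or None if the record is not one."""
    if rec.get("EventID") != "13" or not ASEP_KEY_RE.search(rec.get("TargetObject", "")):
        return None
    image, details = rec.get("Image", ""), rec.get("Details", "")
    f = Finding(image, rec["TargetObject"], details)
    for name, rx in STRONG_INDICATORS.items():
        if rx.search(details):
            f.reasons.append(name)
    n_strong = len(f.reasons)
    if USER_WRITABLE_RE.search(details):
        f.reasons.append("user_writable_path")
    # Self-registration: the writing process is itself the autostart target and lives in a
    # user-writable directory (a dropped stealer copying itself, but also e.g. OneDrive).
    if image and image.lower() in details.lower() and USER_WRITABLE_RE.search(image):
        f.reasons.append("self_registration")
    if n_strong:
        f.severity = "high"
    elif len(f.reasons) >= 2:
        f.severity = "medium"
    elif f.reasons:
        f.severity = "low"
    return f


def hunt(lines):
    """Run assess() over every non-empty record; returns the ASEP findings in input order."""
    return [f for f in (assess(parse_record(l)) for l in lines if l.strip()) if f]


# Constructed sample records (SIDs, paths and the base64 blob are illustrative only).
SAMPLE_LOG = r"""
EventID=13|Image=C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details="C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
EventID=13|Image=C:\Windows\System32\wscript.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=wscript.exe "C:\Users\bob\AppData\Roaming\Updater\update.js"
EventID=13|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetObject=HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svc|Details=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
EventID=13|Image=C:\Windows\System32\services.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Spooler\Start|Details=DWORD (0x00000002)
EventID=13|Image=C:\Users\bob\AppData\Local\Temp\stub.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Discord|Details=C:\Users\bob\AppData\Local\Temp\stub.exe
"""


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.target}")
        print(f"         image={f.image}")
        print(f"         runs={f.details}")
        print(f"         why={f.reasons or '-'}")
```

Running it lists four findings: the wscript.exe launcher for a `.js` under AppData and the `-enc` PowerShell one-liner come out high, while OneDrive and the dropped `stub.exe` both come out medium, because from the registry event alone they look the same (a binary in a user-writable path registering itself). That is the expected false positive of a path heuristic; the script deliberately stops there, since separating the two needs data the log line does not carry (code signing, prevalence across the fleet, parent process), which is where the hunt's triage step begins. The Services key write is ignored because it is not a Run/RunOnce value.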

The Updated APT Playbook: Tales from the Kimsuky threat actor group
rapid7.com/blog/post/2024/03/2

I know I share this Cyborg Security Community hunt package a lot, but it's because this behavior is extremely commonly used! It is just one of many behaviors that we help you hunt for that stand the test of time!

Autorun or ASEP Registry Key Modification
hunter.cyborgsecurity.io/resea

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #get hunting


Happy Monday everyone! I hope everyone is doing well!

Researchers from Rapid7 observed some updated #TTPs and behaviors exhibited by the APT known as #Kimsuky (AKA Black Banshee or Thallium). One update to their tactics includes the use of a Compiled HTML Help file, or CHM file. Rapid7 found this significant because these types of files were seen to make it past the first line of defense and then lead to execution. Following the CHM execution, other behaviors were seen, including modification of the Windows Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

Interested in tracking malicious infrastructure but don't know where to start? Come join us March 21st at 2 PM ET where @embee_research will step through some examples of how to do so using Censys. Sign up here! cnys.io/iu6hzj

And if you can't make it, check out the corresponding blog instead: censys.com/a-beginners-guide-t

How To Start Tracking Malware Infrastructure - Practical Examples and Tips for Beginners | Censys

#HappyMonday and it is that time again!

The DFIR Report has released their latest report that mentions NetSupport Manager, a remote access tool that I have not heard of before. Initial access was a zip file that contained a .js file which was designed to execute an encoded PowerShell command that deployed the NetSupport tool AND established persistence through modification of the #Windows Run registry key. I would go on but you are going to have to read this report for yourself! It is so full of details that I can't begin to cover them myself! Enjoy and Happy Hunting!

NetSupport Intrusion Results in Domain Compromise
thedfirreport.com/2023/10/30/n


Good day all! The Computer Emergency Response Team of Ukraine, CERT-UA, reports on a targeted attack attributed to #APT28 that they observed on a critical energy infrastructure facility in Ukraine. It started with a #phishing email that contained a link to an archive that led to a downloaded zip file, which contained three decoy JPGs and a BAT file that would run on the victim's computer. The BAT file would, again, open some decoy web pages, but more importantly would create a .bat and a .vbs file. There were some discovery commands issued, a TOR program downloaded and hidden on the victim's computer as a hidden service, and abuse of common ports (445, 389, 3389, 443). Last but not least, a PowerShell script was used to collect the password hash of the account. Enjoy and Happy Hunting!

cert.gov.ua/article/5702579

Good day all! If you have been looking for technical and behavioral artifacts regarding CVE-2023-2868, look no further! Mandiant (now part of Google Cloud) takes a deep dive into the activity of #UNC4841, a Chinese-nexus threat group, and shows how the group is growing in maturity and sophistication. There is a lot to learn about TTPs from this article and I hope you enjoy it as much as I did! Happy Hunting everyone!

Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
mandiant.com/resources/blog/un

#HappyMonday everyone! The DFIR Report released another amazing report, this time providing details of an incident that started with #IcedID and ended with #Nokoyawa #ransomware. Interestingly enough, it was a malicious Excel doc this time that utilized a VBA macro to download the payload. Enjoy and Happy Hunting!

IcedID Macro Ends in Nokoyawa Ransomware
thedfirreport.com/2023/05/22/i

Notable MITRE ATT&CK TTPs:
The DFIR team did all the hard work on this one!

Happy Friday everyone, not only did we make it to the end of the week but to the end of March! Today's #readoftheday is brought to you by Proofpoint. They report on a threat actor, #TA473 (aka Winter Vivern & UAC-0114), and how they leveraged a vulnerability in public-facing Zimbra-hosted webmail portals to conduct espionage campaigns against NATO personnel. I hope you have a wonderful weekend and Happy Hunting!

Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
proofpoint.com/us/blog/threat-


Good day everyone! I normally try to have my posts focus on other researchers, developers, and community members successes but today I am going to take the time to put myself in the spotlight.

Ever since landing at Cyborg Security, the passion to train our customers and the community on the topic of threat hunting has been my number one focus, and that passion has been my main driver in the past year. So I set myself a goal: I wanted to apply to be a trainer at #BlackHat in 2023. I didn't know if I was going to get accepted or not, but the goal was to get a plan and training path in place, which was met: I applied to be a trainer.

What I did not expect was to be accepted! So it is my great honor and privilege to be able to train whoever is willing to register for my 2-Day training session at #BlackHat2023! I cannot wait! See you there and Happy Hunting!

blackhat.com/us-23/training/sc
