𝓙𝓪𝓬𝓴2

5.8K posts

@2RunJack2

#ThreatIntel Researcher @S2W_Official @TALON_INTEL Main Author of Threat Intel Report 'Campaign DOKKAEBI : Documents of Korean and Evil Binary' / Formerly FSI

South Korea · Joined April 2010
2.9K Following · 1.5K Followers

Pinned Tweet
𝓙𝓪𝓬𝓴2 (@2RunJack2):
#vblocalhost 2021 is my 3rd presentation at @virusbtn. Operation Newton: Hi #Kimsuky? Did an Apple(seed) really fall on Newton’s head? - bit.ly/VB2021_Kimsuky I hope that it'll be helpful to many threat researchers:) If you have any questions, please send me DM.
binerdd (@binerdd):
There is a city named Asan in Korea where you can bring your fuzzers and get reports.
𝓙𝓪𝓬𝓴2 retweeted
Unit 42 (@Unit42_Intel):
🏆 Unit 42 research wins the Péter Szőr Award at #VB2025! The development of our Attribution Framework by Andy Piazza, Kyle Wilhoit, Robert Falcone and David Fuertes is recognized as outstanding technical security research. Read it here: bit.ly/46nvHvB
𝓙𝓪𝓬𝓴2 (@2RunJack2):
🚨 New Malware Alert: DocSwap Disguised as Security Document Viewer 🚨

Our latest analysis uncovers #DocSwap, a previously unidentified malware masquerading as a legitimate document-viewing authentication app. This sophisticated threat employs dynamic loading and obfuscation techniques to execute malicious commands, including keylogging and remote control functionalities.

🔍 Key findings:
- Dynamic Loading & Obfuscation: Utilizes XOR encryption to decrypt embedded security.db files, loading DEX files dynamically to execute malicious activities.
- Command & Control (C2) Communication: Establishes C2 channels via socket communication, with associated IPs hosting phishing pages impersonating CoinSwap.
- Attribution: No direct links to known threat groups; designated internally as #puNK-004 by @S2W_Official's Threat Research & Intelligence Center, #TALON.

*Separate announcement: There is a connection with the infrastructure used by the #Kimsuky Group, and law enforcement agencies are closely investigating the relevant infrastructure. Details will be shared as soon as the analysis is complete. Stay tuned.

Stay vigilant: Avoid downloading apps from unverified sources and be cautious of unexpected prompts for document authentication.

#CyberSecurity #MalwareAnalysis #ThreatIntelligence #CTI #DPRK #ThreatActor
🔗 Read the full analysis below
[Quoted post] S2W (@S2W_Official):
🚨 Unveiling the Full #DocSwap Malware Report S2W analyzed the 'Document Viewing Authentication App' malware, linked to a #NorthKorea-backed APT group. The C2 address showed a Naver favicon & "Million OK !!!!", linking it to #Kimsuky. 👉 Read on Medium: bit.ly/4iuFkMg
𝓙𝓪𝓬𝓴2 retweeted
Virus Bulletin (@virusbtn):
In their latest report S2W researchers look into TheftCRow, a voice phishing distribution group targeting Korean users with TheftCalls malware. medium.com/s2wblog/detail…
𝓙𝓪𝓬𝓴2 retweeted
S2W (@S2W_Official):
New updates on #voicephishing malware. S2W categorizes six main organizations distributing voice phishing #malware targeting users in Korea. This report provides a detailed analysis of phishing sites and malware. 👉 Learn more here. bit.ly/4hFSuqi
𝓙𝓪𝓬𝓴2 retweeted
S2W (@S2W_Official):
😈 S2W's Threat Intelligence Center, #TALON, has released a detailed analysis report on the #ZeroDay vulnerability discovery related to the #NorthKorea-based threat group, #APT37. Check it out through the link below! medium.com/s2wblog/unmask…
𝓙𝓪𝓬𝓴2 (@2RunJack2):
Behind History:
- In early June, several organizations and security firms reached out after reading our Matryoshka: Variant of #ROKRAT, #APT37 (#Scarcruft) analysis on Medium: 🔗medium.com/s2wblog/matryo…
- They requested previous artifacts and the associated payload.
- To my surprise, three years after my original analysis, this exact method had been deployed in an actual attack.
- The #S2W Threat Research & Intelligence Center (a.k.a. #TALON) quickly secured the relevant samples and made a significant discovery: we confirmed it was a zero-day vulnerability.
𝓙𝓪𝓬𝓴2 (@2RunJack2):
🚨 ITW Zero-Day Vulnerability Discovery: #APT37 (#Scarcruft) 🚨

For Responsible Disclosure, we disclose relevant details at this time: Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine
🔗 medium.com/s2wblog/unmask…

🔍 Key findings:
- The attack used a freeware advertising module to exploit the vulnerability, marking a shift from previous methods.
- The shellcode execution bore striking similarities to tactics from three years ago, underscoring the importance of studying an attacker’s Tactics, Techniques, and Procedures (#TTPs).

A few months ago, this issue was shared exclusively with companies in the Joint Analysis Council led by the NCSC, and yesterday, the security advisory was released to the public.

Stay informed and vigilant! #APT37 #ThreatHunting #ITW #ZeroDay #TTPs #ThreatIntel #ResponsibleDisclosure
𝓙𝓪𝓬𝓴2 (@2RunJack2):
🚨 Ransomware Risk Assessment: 2024 H1 Findings 🚨

At #DCC2024, the #S2W Threat Research & Intelligence Center (a.k.a. #TALON) introduced our ransomware risk assessment framework, x.com/2runjack2/stat… The results are eye-opening.

#TALON developed a comprehensive evaluation metric assessing ransomware groups based on five key factors:
1️⃣ Activity
2️⃣ Influence
3️⃣ Brand Continuity
4️⃣ Extensibility
5️⃣ Vulnerability
and we've since applied it to analyze the first half of 2024. medium.com/s2wblog/ransom…

🔥 Our analysis revealed the Top 5 Most Dangerous Ransomware Groups of H1 2024: #BlackBasta, #BlackSuit, #Qilin, #Ransomhub, #PLAY

Stay vigilant! More details on blog. 📊🔍
#CTI #ThreatIntel #CyberThreatIntelligence #Ransomware #ThreatIntelligence #Infosec #RiskAssessment #DataIntelligence
[Quoted post] S2W (@S2W_Official):
S2W's #TALON released a report on #ransomware groups for the first half of 2024. 2,260 companies had their ransomware infection details posted on leak sites, up 445 from last year. Top ransomware groups: #BlackBasta, #BlackSuit, #Qilin, #Ransomhub, #PLAY. bit.ly/3U7puxa
𝓙𝓪𝓬𝓴2 (@2RunJack2):
For the fourth year, S2W Inc. - Threat Research and Intelligence Centre (aka #TALON) is presenting its research findings to #VirusBulletin. This year's presentation topics are as follows.
1) Presentation topic on 3 October: Go-ing Arsenal: A Closer Look at #Kimsuky’s Go Strategic Advancement medium.com/s2wblog/virusb…
2) Presentation topic on 4 October: The Phantom Syndicate: a hacking collective with a #NorthKorean allegiance medium.com/s2wblog/virusb…
Stay tuned #VB2024
[Quoted post] S2W (@S2W_Official):
Finally, tomorrow, the S2W Threat Intelligence Center #TALON will deliver an analysis presentation at the #VB2024 conference! Here is the summary analysis of the following presentation topics: 👉 Learn more: - bit.ly/3ZLIPYq - bit.ly/3zHSoNt Stay tuned! 😈
𝓙𝓪𝓬𝓴2 retweeted
S2W (@S2W_Official):
S2W has published an analysis report on the #Handala Group. The report details Handala's claim of responsibility for the #Israeli supply chain attack related to the #Hezbollah walkie-talkie explosion incident. For the full report, please contact us. 👉 s2w.inc/en/contact
𝓙𝓪𝓬𝓴2 retweeted
Seongsu Park (@unpacker):
Really enjoyed this podcast on DPRK threat actors by MSTIC. Here's a note on the two actors mentioned!
Podcast: thecyberwire.com/podcasts/micro…

🕵️‍♂️ Citrine Sleet:
1. North Korean threat actor primarily focused on crypto theft and financial gain
2. One of the three main actors dedicated to crypto theft, alongside Sapphire Sleet and Jade Sleet
3. Known for targeting financial institutions, blockchain technology companies, and crypto exchanges
4. Associated with the AppleJeus malware
5. Recently used a sophisticated exploit chain involving a 0-day in Chromium (CVE-2024-7971) leading to RCE and a sandbox escape vulnerability
6. Deployed the FudModule rootkit as part of their attack

🕵️‍♂️ Onyx Sleet:
1. Also known as Silent Chollima and Andariel
2. One of the oldest North Korean threat actors
3. Primarily focused on traditional espionage
4. Targets defense companies, energy companies, and organizations in the US and India
5. Has pivoted to include ransomware operations since 2021
6. Uses both custom malware and off-the-shelf tools
7. Employs various malware including: D-Track, Sliver framework, custom RATs and proxy tools
8. Exploits various vulnerabilities, including Apache ActiveMQ, Confluence, PaperCut, TeamCity, and Log4j
9. Associated with Storm-0530 (also known as H0lyGh0st), which conducts ransomware operations
10. Targeted multiple aerospace and defense organizations from October 2023 through June 2024
RBTree (@RBTree_):
gg
𝓙𝓪𝓬𝓴2 (@2RunJack2):
I was privileged to present at the "Dark Web and Secure Messaging App: Hideout for Criminals" closed session during #ISCR (International Symposium on Cybercrime Response) 2024. My topic, "Uncovering Evidence in the Shadows of the Dark Web: Reveal The Onion," focused on shedding light on dark web investigations. As an Interpol Gateway Partner, I shared how our center (a.k.a. #TALON), in collaboration with law enforcement, has successfully tackled some of the complex cases at @S2W_Official. It was an excellent opportunity to discuss real-world analysis, methodologies, and impactful takedowns. I'm thrilled that the presentation resonated with the audience—several attendees contacted us afterward. A big thank you to the South Korean National Police for organizing such a significant event and for the chance to contribute to the conversation on global cybercrime response. Also, a special thanks to Peter Stanier.
𝓙𝓪𝓬𝓴2 (@2RunJack2):
🚨 Threat Tracking: Analysis of #puNK-003's #Lilith RAT ported to AutoIt Script by @gimchesh

*puNK: partially unidentified North Korean threat actors 🇰🇵 (Threat Group Taxonomy in #S2W #TALON)

(🐛Malware) The hunted malware is an LNK file with the Downloader role that downloads and executes AutoIt scripts and executables from the attacker's server called CURKON.
- #LINKON: Dropper type of LNK malware used by the KONNI group.
- #CURKON: LNK malware of the Downloader type used by the puNK-003 group.

(🔑Key Features) The file downloaded by CURKON is Lilith RAT malware ported as an AutoIt script. This script attaches a reverse shell to a specific port to execute arbitrary commands on the victimized system.
- Lilith RAT has been identified as an open-source remote control malware implemented in C++.
- It is not known how the existing C/C++ code is converted into AutoIt scripts, and it is believed that it was either ported manually using a separate tool or using AI.

(🥽Attribution) Based on the similarities between the puNK-003 group's CURKON executable and the AutoIt re-implemented malware, we believe that the group behind this malware is related to the KONNI group.

Learn the latest in cyber threat intelligence! Take a closer look at S2W TALON's analysis of the malware tactics of the North Korean APT group puNK-003. Stay up to date and stay secure!🔍

#CyberSecurity #ThreatIntelligence #APT #MalwareAnalysis
[Quoted post] S2W (@S2W_Official):
Check out our analysis report on the Lilith RAT #malware distributed by the North Korean-backed attack group #puNK-003. ✍🏻 The report was issued in Korean, but please use a web translator to read it! bit.ly/3yKzuFn