Daniel Lunghi
@thehellu
246 posts
Threat researcher @TrendMicroRSRCH mostly focused on #APT
Joined February 2011
595 Following · 2.1K Followers
Pinned Tweet
Daniel Lunghi @thehellu
We saw Earth Estries, an advanced #APT group, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups trendmicro.com/en_us/research…
0 replies · 2 reposts · 8 likes · 721 views
Daniel Lunghi @thehellu
We investigated an #APT with links to Void Rabisu that used Trend Micro updates as a lure in a recent campaign involving vulnerability exploitation. There were at least 4 stages before the final payload, some of them being tailored to the targeted machine trendmicro.com/en_us/research…
0 replies · 4 reposts · 20 likes · 9.2K views
Daniel Lunghi @thehellu
Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker". orangecyberdefense.com/global/blog/ce…. They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor
0 replies · 2 reposts · 8 likes · 599 views
Daniel Lunghi @thehellu
For incident responders out there, remember to retrieve the volume serial number where #Shadowpad was deployed, since it is used to encrypt the payload in the registry. Those serial numbers can also be found in LNK and prefetch files in case you don't have live access to the host
1 reply · 3 reposts · 8 likes · 601 views
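As an added example (not from the tweet, and not Trend Micro's tooling), this Python script pulls the DriveSerialNumber out of a .lnk file's VolumeID block, which is where the serial referred to above survives once live access to the host is gone; it walks the MS-SHLLINK layout directly and includes a constructed sample link to run against. Prefetch files hold the serial too, but in a version-dependent (and on recent Windows, compressed) layout that this block does not cover.

```python
import struct

# LinkCLSID that every Shell Link (.lnk) header must carry
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def lnk_volume_info(data: bytes):
    """Return serial, drive type, label and local base path from a .lnk's
    VolumeID, or None when the link has no VolumeID (network-only target)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]        # LinkFlags
    pos = 0x4C
    if flags & 0x1:                                        # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # skip IDListSize + IDList
    if not flags & 0x2:                                    # HasLinkInfo
        return None
    li = pos
    _, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, li)
    if not li_flags & 0x1:                                 # VolumeIDAndLocalBasePath
        return None
    vid = li + vol_off
    vid_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vid)
    if label_off == 0x14:                                  # label stored as UTF-16LE
        uoff = struct.unpack_from("<I", data, vid + 0x10)[0]
        label = data[vid + uoff:vid + vid_size].decode("utf-16-le").split("\0", 1)[0]
    else:
        label = data[vid + label_off:vid + vid_size].split(b"\0", 1)[0].decode("cp1252", "replace")
    base = data[li + base_off:].split(b"\0", 1)[0].decode("cp1252", "replace")
    return {"serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",  # XXXX-XXXX as `vol` shows it
            "drive_type": drive_type, "label": label, "local_base_path": base}


def build_sample_lnk(serial: int, label: bytes = b"OSDISK",
                     target: bytes = b"C:\\Users\\analyst\\Desktop\\report.docx") -> bytes:
    """Constructed minimal .lnk for testing: header + LinkInfo/VolumeID only."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", 0x2, 0x20) + b"\0" * 24
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize .. Reserved3
    volid = struct.pack("<IIII", 16 + len(label) + 1, 3, serial, 0x10) + label + b"\0"
    base = target + b"\0"
    li_size = 28 + len(volid) + len(base) + 1               # + empty CommonPathSuffix
    linkinfo = struct.pack("<IIIIIII", li_size, 28, 0x1, 28, 28 + len(volid), 0,
                           28 + len(volid) + len(base))
    return header + linkinfo + volid + base + b"\0" + b"\0" * 4  # TerminalBlock


if __name__ == "__main__":
    print(lnk_volume_info(build_sample_lnk(0x1A2B3C4D)))
```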
Daniel Lunghi @thehellu
We released a report on a threat actor using an updated version of #Shadowpad including anti-debugging features, that in some cases deploys a custom ransomware family. We have mainly seen the manufacturing industry being targeted in Europe and Asia trendmicro.com/fr_fr/research… #APT
1 reply · 14 reposts · 42 likes · 3.3K views
Daniel Lunghi retweeted
Mandiant (part of Google Cloud)
Ever wonder how attackers use advanced tools to evade detection? Mandiant analyzes #ScatterBrain, an obfuscator in the POISONPLUG.SHADOW backdoor, which is used by China-nexus actors. Learn how we’re unmasking these sophisticated threats. Read more: bit.ly/42xfceL
0 replies · 36 reposts · 77 likes · 7.3K views
Daniel Lunghi @thehellu
Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android described in 2019 by @citizenlab leveraging vulnerabilities in applications embedding old versions of Chrome trendmicro.com/en_us/research…
0 replies · 19 reposts · 31 likes · 3.3K views
Daniel Lunghi retweeted
Jl_N_ @Jl_N_
We are recruiting for our team. If you have RE skills, want to work on behalf of the Gendarmerie as a court-appointed expert and manage a team of enthusiasts: …stereinterieur-career.talent-soft.com/Pages/Offre/de… (RT appreciated)
0 replies · 11 reposts · 5 likes · 1.4K views
Daniel Lunghi @thehellu
Excellent malware analysis from Checkpoint that describes the Linux version of Xdealer/DinodasRAT that we listed but did not describe in our Earth Krahang #APT report research.checkpoint.com/2024/29676/ Kudos for referencing all the related reports 👏
0 replies · 8 reposts · 32 likes · 2.6K views
Daniel Lunghi retweeted
Mark Kelly @markkelly0x
It’s been a minute since the last i-SOON blog 🇨🇳 @RecordedFuture is releasing further research exploring infrastructure, tooling, victimology, and personnel overlap between I-SOON & multiple Chinese state-sponsored groups: RedAlpha, RedHotel, & POISON CARP recordedfuture.com/attributing-i-…
1 reply · 32 reposts · 80 likes · 9.3K views
Daniel Lunghi @thehellu
Their favorite malware toolkits are Reshell, a basic .NET backdoor, and Xdealer, also named Dinodas RAT, two custom malware families. They also use the infamous #CobaltStrike, #PlugX and #Shadowpad. Many of their offensive and post-exploitation tools are retrieved from public sources.
0 replies · 1 repost · 2 likes · 732 views
Daniel Lunghi @thehellu
Targets are spread among 5 continents, although some countries are targeted more heavily: one country had 11 of its government entities compromised. Previous victims are used to compromise new ones by abusing their infrastructure to send spear-phishing emails or host malware
1 reply · 0 reposts · 2 likes · 730 views
Daniel Lunghi @thehellu
Our latest report on a CN #APT targeting tens of government entities worldwide has been published 🥳 After monitoring it for a long time we realized it is likely related to the recent I-Soon company leaks. It discusses their TTPs and provides lots of IOCs trendmicro.com/en_us/research…
1 reply · 47 reposts · 112 likes · 14.5K views
Daniel Lunghi @thehellu
@hassnain782 Thanks for the interest. As I said in the introduction, we first found the Shadowpad DLL, and then we could find it was embedded in a CAB file, itself embedded in an MSI file. You can see those links in VirusTotal in the "Relations" tab (probably requires an enterprise account)
0 replies · 0 reposts · 0 likes · 107 views
Cyberfox @hassnain782
@thehellu Bro, I have been following to get more details about your hypothesis in this article you wrote in 2022. Loved the explanation!! But one question still remains: how were you able to get access to the malicious e-Office version?
1 reply · 0 reposts · 0 likes · 53 views
Daniel Lunghi @thehellu
VB released my talk on a #Shadowpad sample delivered by a Pakistan gov application. It contains an analysis of the modified MSI installer, some tricks to pivot on old and new Shadowpad samples, an overview of the #APT campaign, and attribution discussion youtube.com/watch?v=i52MH-…
2 replies · 23 reposts · 54 likes · 7.8K views
Daniel Lunghi @thehellu
@ItsNavdeep You are 100% correct! The same applies to DeedRAT then. DE DE 43 D0 is the OpenDNS resolver in reverse order (looks like they messed up), and the others are Google, Cloudflare and Quad9 resolvers. I didn't know 4.4.4.4 and 4.2.2.2. Big thanks for pointing this out!
0 replies · 0 reposts · 1 like · 115 views
Navdeep @ItsNavdeep
@thehellu Great analysis! Would like to just point out one minor oversight in the report: The bytes 08 08 08… are not a hard-coded delimiter. They are instead the 4 DNS lookup IP addresses used to resolve C2 domains: 8.8.8.8 8.8.4.4 4.4.4.4 4.2.2.2
1 reply · 0 reposts · 2 likes · 220 views
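An added example (not from either tweet) of the check the two replies above describe: it reinterprets each 4-byte field of a configuration blob as an IPv4 address, trying network byte order first and the byte-reversed order second, so a field stored as DE DE 43 D0 is still recognised as the OpenDNS resolver. The sample blob and the resolver table are constructed here from publicly documented resolver addresses, not taken from any report.

```python
import ipaddress

# Public resolvers keyed by dotted quad (documented addresses, not from the report)
KNOWN_RESOLVERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
}

# Constructed sample of a resolver list as it might sit in a config blob:
# four network-order fields plus one written byte-reversed (DE DE 43 D0)
SAMPLE_CONFIG = bytes.fromhex("08080808" "08080404" "01010101" "dede43d0" "04040404")


def classify_ipv4_fields(blob: bytes):
    """Decode each 4-byte field as an IPv4 address. Network order is tried first;
    if that is not a known resolver, the reversed byte order is tried, which
    catches fields the malware author stored in the wrong endianness. Returns
    a list of (hex, dotted_quad, operator_or_unknown, byte_order) tuples."""
    results = []
    for off in range(0, len(blob) - len(blob) % 4, 4):   # ignore a trailing partial field
        field = blob[off:off + 4]
        for order, raw in (("network", field), ("reversed", field[::-1])):
            ip = str(ipaddress.IPv4Address(raw))          # accepts the 4-byte packed form
            if ip in KNOWN_RESOLVERS:
                results.append((field.hex(), ip, KNOWN_RESOLVERS[ip], order))
                break
        else:  # neither order matched a known resolver: report the network-order reading
            results.append((field.hex(), str(ipaddress.IPv4Address(field)), "unknown", "network"))
    return results


if __name__ == "__main__":
    for row in classify_ipv4_fields(SAMPLE_CONFIG):
        print("%s -> %-16s %-10s (%s)" % row)
```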
Daniel Lunghi @thehellu
@_lostpacket_ No, version 2.0.3 of the legitimate MSI installer (the one backdoored by the threat actor) was uploaded to VT the day after we published our report. We know of a PK gov entity that published it between April and June 2023, but the incident happened long before, in September 2022.
0 replies · 0 reposts · 0 likes · 41 views
Daniel Lunghi @thehellu
We found a probable supply chain attack on the eOffice application developed by the Pakistan government. It delivers #Shadowpad with an updated obfuscation and encryption scheme. The threat actor carefully chose the C&C to blend in with legitimate network traffic trendmicro.com/en_us/research… #APT
3 replies · 49 reposts · 100 likes · 46.6K views
Daniel Lunghi @thehellu
@keydet89 @r00tbsd I believe looking at your list of publications would answer that question :) In case of doubt, it was intended as a compliment. I was a happy RegRipper user a few years ago
0 replies · 0 reposts · 0 likes · 53 views