#ThreatIntel Researcher @S2W_Official @TALON_INTEL
Main Author of Threat Intel Report 'Campaign DOKKAEBI : Documents of Korean and Evil Binary' / Formerly FSI
#vblocalhost 2021 is my 3rd presentation at @virusbtn.
Operation Newton: Hi #Kimsuky? Did an Apple(seed) really fall on Newton's head?
- https://t.co/pgdMZMsoLa
I hope that it'll be helpful to many threat researchers:)
If you have any questions, please send me DM.
Unit 42 research wins the Péter Szőr Award at #VB2025! The development of our Attribution Framework by Andy Piazza, Kyle Wilhoit, Robert Falcone and David Fuertes is recognized as outstanding technical security research. Read it here: https://t.co/Ytvo3HbPkm
New Malware Alert: DocSwap Disguised as Security Document Viewer
Our latest analysis uncovers #DocSwap, a previously unidentified malware masquerading as a legitimate document-viewing authentication app.
This sophisticated threat employs dynamic loading and obfuscation techniques to execute malicious commands, including keylogging and remote control functionalities.
Key findings:
- Dynamic Loading & Obfuscation: Utilizes XOR encryption to decrypt embedded security.db files, loading DEX files dynamically to execute malicious activities.
- Command & Control (C2) Communication: Establishes C2 channels via socket communication, with associated IPs hosting phishing pages impersonating CoinSwap.
- Attribution: No direct links to known threat groups; designated internally as #puNK-004 by @S2W_Official's Threat Research & Intelligence Center, #TALON.
*Separate announcement: There is a connection with the infrastructure used by the #Kimsuky Group, and law enforcement agencies are closely investigating the relevant infrastructure. Details will be shared as soon as the analysis is complete. Stay tuned.
Stay vigilant: Avoid downloading apps from unverified sources and be cautious of unexpected prompts for document authentication.
#CyberSecurity #MalwareAnalysis #ThreatIntelligence #CTI #DPRK #ThreatActor
Read the full analysis below
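A defender-side illustration of the "XOR-encrypted embedded DEX" finding in the post above, added here as an example rather than code from S2W's DocSwap report: it scans an opaque asset blob for a DEX header hidden under a short repeating XOR key, recovering the key from the known header magic and carving the decoded file to the length its own header claims. It goes beyond the single finding by handling key lengths from 1 to 4 bytes. The page does not state DocSwap's actual key length or file layout, so the sample blob, the 3-byte key, and the assumption of a raw DEX under a short repeating key are constructed for the demonstration.

```python
"""Added example (not S2W's code): locate and carve an XOR-obscured DEX file
from an opaque asset blob, using the DEX header as known plaintext.

Assumptions (the page does not state DocSwap's scheme): the payload is a raw
DEX file obscured with a short repeating XOR key of 1..4 bytes.
"""
from __future__ import annotations

import re

DEX_MAGIC = b"dex\n"                     # every DEX header starts "dex\n" + "NNN\0"
DEX_VERSION = re.compile(rb"\d{3}\x00")  # e.g. b"035\x00"
DEX_HEADER_SIZE = 0x70                   # fixed header length; file_size sits at bytes 32..36


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key index 0 aligned to data[0])."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def find_xored_dex(blob: bytes, max_key_len: int = 4) -> list[tuple[int, bytes]]:
    """Return (offset, key) pairs at which XORing blob[offset:] with key
    reveals a DEX header.  The key is derived from the 4 known magic bytes
    and then confirmed against the version field that follows them, which
    filters out the coincidental matches a magic-only check would produce."""
    hits: dict[int, bytes] = {}
    for klen in range(1, max_key_len + 1):        # shortest key wins
        for off in range(len(blob) - 8 + 1):
            if off in hits:
                continue
            key = bytearray(klen)
            seen = [False] * klen
            consistent = True
            for j, magic_byte in enumerate(DEX_MAGIC):
                pos = j % klen
                kb = blob[off + j] ^ magic_byte
                if seen[pos] and key[pos] != kb:  # known plaintext contradicts the key
                    consistent = False
                    break
                key[pos], seen[pos] = kb, True
            if not consistent:
                continue
            version = bytes(blob[off + 4 + t] ^ key[(4 + t) % klen] for t in range(4))
            if DEX_VERSION.fullmatch(version):
                hits[off] = bytes(key)
    return sorted(hits.items())


def carve_dex(blob: bytes, offset: int, key: bytes) -> bytes | None:
    """Decode from offset and cut the file to the length its own header claims."""
    decoded = xor_bytes(blob[offset:], key)
    if len(decoded) < DEX_HEADER_SIZE:
        return None
    file_size = int.from_bytes(decoded[32:36], "little")
    if file_size < DEX_HEADER_SIZE or file_size > len(decoded):
        return None
    return decoded[:file_size]


# --- constructed sample: a minimal fake DEX, XOR-obscured and wrapped in junk ---
def _fake_dex(size: int = 0x80) -> bytes:
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    hdr[32:36] = size.to_bytes(4, "little")              # file_size
    hdr[36:40] = DEX_HEADER_SIZE.to_bytes(4, "little")   # header_size
    body = bytes((i * 37) % 256 for i in range(size - DEX_HEADER_SIZE))
    return bytes(hdr) + body


SAMPLE_KEY = b"\x5a\xa7\x13"          # constructed 3-byte key, not DocSwap's
SAMPLE_DEX = _fake_dex()
SAMPLE_BLOB = b"JUNKHDR" + xor_bytes(SAMPLE_DEX, SAMPLE_KEY) + b"TRAILER"

if __name__ == "__main__":
    for off, key in find_xored_dex(SAMPLE_BLOB):
        carved = carve_dex(SAMPLE_BLOB, off, key)
        print(f"DEX at offset {off}, key {key.hex()}, carved {len(carved)} bytes")
```

Run against a real asset, the scan reports where a header decodes cleanly and the carved output can be handed to a DEX parser; the version-field check is what keeps a 4-byte key (which can always be "derived" from 4 magic bytes) from producing a false positive at every offset.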
Unveiling the Full #DocSwap Malware Report
S2W analyzed the 'Document Viewing Authentication App' malware, linked to a #NorthKorea-backed APT group. The C2 address showed a Naver favicon & "Million OK !!!!", linking it to #Kimsuky.
Read on Medium: https://t.co/eU3nJxEdhA
In their latest report S2W researchers look into TheftCRow, a voice phishing distribution group targeting Korean users with TheftCalls malware. https://t.co/h4zTTP0Aih
New updates on #voicephishing malware.
S2W categorizes six main organizations distributing voice phishing #malware targeting users in Korea. This report provides a detailed analysis of phishing sites and malware.
Learn more here. https://t.co/0aleE8uByh
S2W's Threat Intelligence Center, #TALON, has released a detailed analysis report on the #ZeroDay vulnerability discovery related to the #NorthKorea-based threat group, #APT37.
Check it out through the link below!
https://t.co/xH6J3MxA87
Behind History:
- In early June, several organizations and security firms reached out after reading our Matryoshka: Variant of #ROKRAT, #APT37 (#Scarcruft) analysis on Medium:
https://t.co/XhW3jAF9xx
- They requested previous artifacts and the associated payload.
- To my surprise, three years after my original analysis, this exact method had been deployed in an actual attack.
- The #S2W Threat Research & Intelligence Center (a.k.a #TALON) quickly secured the relevant samples and made a significant discovery: we confirmed it was a zero-day vulnerability.
ITW Zero-Day Vulnerability Discovery: #APT37 (#Scarcruft)
For Responsible Disclosure, we disclose relevant details at this time: "Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine"
https://t.co/f62GMDyKPb
Key findings:
- The attack used a freeware advertising module to exploit the vulnerability, marking a shift from previous methods.
- The shellcode execution bore striking similarities to tactics from three years ago, underscoring the importance of studying an attacker's Tactics, Techniques, and Procedures (#TTPs).
A few months ago, this issue was shared exclusively with companies in the Joint Analysis Council led by the NCSC, and yesterday, the security advisory was released to the public.
Stay informed and vigilant!
#APT37 #ThreatHunting #ITW #ZeroDay #TTPs #ThreatIntel #ResponsibleDisclosure
Ransomware Risk Assessment: 2024 H1 Findings
At #DCC2024, the #S2W Threat Research & Intelligence Center (a.k.a. #TALON) introduced our ransomware risk assessment framework:
https://t.co/2Kd7qampmE
The results are eye-opening.
#TALON developed a comprehensive evaluation metric assessing ransomware groups based on five key factors:
1. Activity
2. Influence
3. Brand Continuity
4. Extensibility
5. Vulnerability
and we've since applied it to analyze the first half of 2024.
https://t.co/Zuy2INm2vu
Our analysis revealed the Top 5 Most Dangerous Ransomware Groups of H1 2024:
#BlackBasta, #BlackSuit, #Qilin, #Ransomhub, #PLAY
Stay vigilant! More details on the blog.
#CTI #ThreatIntel #CyberThreatIntelligence #Ransomware #ThreatIntelligence #Infosec #RiskAssessment #DataIntelligence
S2W's #TALON released a report on #ransomware groups for the first half of 2024.
2,260 companies had their ransomware infection details posted on leak sites, up 445 from last year. Top ransomware groups: #BlackBasta, #BlackSuit, #Qilin, #Ransomhub, #PLAY.
https://t.co/Kb7lSh9yk6
For the fourth year, S2W Inc. - Threat Research and Intelligence Centre (aka #TALON) is presenting its research findings to #VirusBulletin.
This year's presentation topics are as follows.
1) Presentation topic on 3 October:
Go-ing Arsenal: A Closer Look at #Kimsuky's Go Strategic Advancement
https://t.co/MtJSxJdNNA
2) Presentation topic on 4 October:
The Phantom Syndicate: a hacking collective with a #NorthKorean allegiance
https://t.co/OFNWWNLW7k
StayTuned #VB2024
Finally, tomorrow, the S2W Threat Intelligence Center #TALON will deliver an analysis presentation at the #VB2024 conference!
Here is the summary analysis of the following presentation topics:
Learn more:
- https://t.co/NTXcsUF1mF
- https://t.co/jQPpAPtrkF
Stay tuned!
S2W has published an analysis report on the #Handala Group.
The report details Handala's claim of responsibility for the #Israeli supply chain attack related to the #Hezbollah walkie-talkie explosion incident.
For the full report, please contact us.
https://t.co/zTexTaT4Nj
Really enjoyed this podcast on DPRK threat actors by MSTIC. Here's a note on the two actors mentioned!
Podcast: https://t.co/N6kTFo0kYA
Citrine Sleet:
1. North Korean threat actor primarily focused on crypto theft and financial gain
2. One of the three main actors dedicated to crypto theft, alongside Sapphire Sleet and Jade Sleet
3. Known for targeting financial institutions, blockchain technology companies, and crypto exchanges
4. Associated with the AppleJeus malware
5. Recently used a sophisticated exploit chain involving a 0-day in Chromium (CVE-2024-7971) leading to RCE and a sandbox escape vulnerability
6. Deployed the FudModule rootkit as part of their attack
Onyx Sleet:
1. Also known as Silent Chollima and Andariel
2. One of the oldest North Korean threat actors
3. Primarily focused on traditional espionage
4. Targets defense companies, energy companies, and organizations in the US and India
5. Has pivoted to include ransomware operations since 2021
6. Uses both custom malware and off-the-shelf tools
7. Employs various malware including:
- D-Track, Sliver framework, Custom RATs and proxy tools
8. Exploits various vulnerabilities, including Apache ActiveMQ, Confluence, PaperCut, TeamCity, and Log4j
9. Associated with Storm-0530 (also known as H0lyGh0st), which conducts ransomware operations
10. Targeted multiple aerospace and defense organizations from October 2023 through June 2024
I was privileged to present at the "Dark Web and Secure Messaging App: Hideout for Criminals" closed session during #ISCR (International Symposium on Cybercrime Response) 2024.
My topic, "Uncovering Evidence in the Shadows of the Dark Web: Reveal The Onion," focused on shedding light on dark web investigations. As an Interpol Gateway Partner, I shared how our center (a.k.a. #TALON), in collaboration with law enforcement, has successfully tackled some of the complex cases at @S2W_Official
It was an excellent opportunity to discuss real-world analysis, methodologies, and impactful takedowns. I'm thrilled that the presentation resonated with the audience; several attendees contacted us afterward.
A big thank you to the South Korean National Police for organizing such a significant event and for the chance to contribute to the conversation on global cybercrime response. Also, a special thanks to Peter Stanier.
Threat Tracking: Analysis of #puNK-003's #Lilith RAT ported to AutoIt Script by @gimchesh
*puNK: partially unidentified North Korean threat actors (Threat Group Taxonomy in #S2W #TALON)
(Malware) The hunted malware is an LNK file with the Downloader role that downloads and executes AutoIt scripts and executables from the attacker's server called CURKON.
- #LINKON: Dropper type of LNK malware used by the KONNI group.
- #CURKON: LNK malware of the Downloader type used by the puNK-003 group.
(Key Features) The file downloaded by CURKON is Lilith RAT malware ported as an AutoIt script. This script attaches a reverse shell to a specific port to execute arbitrary commands on the victimized system.
- Lilith RAT has been identified as an open-source remote control malware implemented in C++.
- It is not known how the existing C/C++ code is converted into AutoIt scripts, and it is believed that it was either ported manually using a separate tool or using AI.
(Attribution) Based on the similarities between the puNK-003 group's CURKON executable and the AutoIt re-implemented malware, we believe that the group behind this malware is related to the KONNI group.
Learn the latest in cyber threat intelligence!
Take a closer look at S2W TALON's analysis of the malware tactics of the North Korean APT group puNK-003.
Stay up to date and stay secure!
#CyberSecurity #ThreatIntelligence #APT #MalwareAnalysis
Check out our analysis report on the Lilith RAT #malware distributed by the North Korean-backed attack group #puNK-003.
The report was issued in Korean, but please use a web translator to read it!
https://t.co/shXCrescL1