We saw Earth Estries, an advanced #APT group, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups https://t.co/JVlnE9dP1S
We investigated a CN #APT that targeted multiple governments and companies with government contracts in Asia. In half of the targets we found a second group with a different malware toolkit but sharing the infection vector and some post-exploitation tools https://t.co/IN12VBv5k4
We investigated an #APT with links to Void Rabisu that used Trend Micro updates as a lure in a recent campaign involving vulnerability exploitation. There were at least 4 stages before the final payload, some of them being tailored to the targeted machine https://t.co/8YgYC1o8wb
Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker". https://t.co/v9JjTfwdm5. They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor
We released a report on a threat actor using an updated version of #Shadowpad including anti-debugging features, that in some cases deploys a custom ransomware family. We have mainly seen the manufacturing industry being targeted in Europe and Asia https://t.co/dZsevM8wLr #APT
For incident responders out there, remember to retrieve the volume serial number where #Shadowpad was deployed, since it is used to encrypt the payload in the registry. Those serial numbers can also be found in LNK and prefetch files in case you don't have live access to the host
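As an added example (not code from the original thread), this script pulls the DriveSerialNumber out of a Shell Link (.lnk) file's LinkInfo/VolumeID block as laid out in MS-SHLLINK, which is the LNK route to the volume serial number mentioned above. The .lnk it parses by default is constructed in the script itself; pass a real file path to read one from a triage image.

```python
import struct

HEADER_SIZE = 0x4C                       # fixed ShellLinkHeader length
FLAG_HAS_ID_LIST = 0x01                  # LinkFlags bit A: a LinkTargetIDList follows the header
FLAG_HAS_LINK_INFO = 0x02                # LinkFlags bit B: a LinkInfo structure is present
LI_VOLUMEID_AND_LOCAL_BASE_PATH = 0x01   # LinkInfoFlags bit A: VolumeID + LocalBasePath present
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def lnk_volume_serial(data: bytes):
    """Return the DriveSerialNumber from the LinkInfo/VolumeID block, or None for network links."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if link_flags & FLAG_HAS_ID_LIST:    # skip LinkTargetIDList: 2-byte IDListSize + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & FLAG_HAS_LINK_INFO:
        return None
    _li_size, _li_hdr_size, li_flags, vol_off = struct.unpack_from("<4I", data, pos)
    if not li_flags & LI_VOLUMEID_AND_LOCAL_BASE_PATH:
        return None                      # target on a network share: no local VolumeID
    # VolumeID: VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset, Data
    _size, _drive_type, serial = struct.unpack_from("<3I", data, pos + vol_off)
    return serial

def fmt_serial(serial: int) -> str:
    """Render the serial the way `vol` / `dir` print it: XXXX-XXXX."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"

def build_sample_lnk(serial: int, label: bytes = b"OS") -> bytes:
    """Construct a minimal .lnk carrying only a LinkInfo block (constructed test data, not a real sample)."""
    volume_id = struct.pack("<4I", 0x10 + len(label) + 1, 3, serial, 0x10) + label + b"\x00"
    base_path = b"C:\\Users\\victim\\app.exe\x00"
    li_hdr = 0x1C                        # 7 DWORD fields, no Unicode offsets
    vol_off = li_hdr
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(base_path)   # CommonPathSuffix: empty string
    link_info = struct.pack("<7I", cps_off + 1, li_hdr, LI_VOLUMEID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, cps_off) + volume_id + base_path + b"\x00"
    header = struct.pack("<I16sI", HEADER_SIZE, SHELL_LINK_CLSID, FLAG_HAS_LINK_INFO)
    return header + bytes(HEADER_SIZE - len(header)) + link_info

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_lnk(0x1234ABCD)
    serial = lnk_volume_serial(blob)
    print("no local VolumeID" if serial is None else fmt_serial(serial))
```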
Intelligence Online links the Moonshine framework that we discussed in our Earth Minotaur report https://t.co/cWcCIRQhEZ to a Chinese company. Happy new year UPSEC! 🥳
[Free access] 🇨🇳 Intelligence Online has been able to link an official Chinese public security ministry contractor to recent IT hacking operations carried out against the Uyghurs and Tibetans, two peoples reviled by China. 1/3 ⬇️
Ever wonder how attackers use advanced tools to evade detection?
Mandiant analyzes #ScatterBrain, an obfuscator in the POISONPLUG.SHADOW backdoor, which is used by China-nexus actors.
Learn how we’re unmasking these sophisticated threats.
Read more: https://t.co/5vwYoEBwjz
Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android described in 2019 by @citizenlab leveraging vulnerabilities in applications embedding old versions of Chrome https://t.co/cWcCIRQhEZ
We are hiring for our team. If you have RE skills and want to work for the Gendarmerie as a forensic expert and manage a team of enthusiasts: https://t.co/60oviiU04V
(RT appreciated)
Excellent malware analysis from Checkpoint that describes the Linux version of Xdealer/DinodasRAT, which we listed but did not describe in our Earth Krahang #APT report
https://t.co/aHc6v1Sn2c
Kudos for referencing all the related reports 👏
It’s been a minute since the last i-SOON blog 🇨🇳 @RecordedFuture is releasing further research exploring infrastructure, tooling, victimology, and personnel overlap between I-SOON & multiple Chinese state-sponsored groups: RedAlpha, RedHotel, & POISON CARP
https://t.co/eN0J4DEw0M
Their favorite malware toolkits are Reshell, a basic .NET backdoor, and Xdealer, also named DinodasRAT, two custom malware families. They also use the infamous #CobaltStrike, #PlugX and #Shadowpad. Many of their offensive and post-exploitation tools are retrieved from public sources.
Our latest report on a CN #APT targeting tens of government entities worldwide has been published 🥳 After monitoring it for a long time we realized it is likely related to the recent I-Soon company leaks. It discusses their TTPs and provides lots of IOCs https://t.co/2ZQfIZHzv5
Targets are spread among 5 continents, although some countries are targeted more heavily: one country had 11 of its government entities compromised. Previous victims are used to compromise new ones by abusing their infrastructure to send spear-phishing emails or host malware
@hassnain782 Thanks for the interest. As I said in the introduction, we first found the Shadowpad DLL, and then we found it was embedded in a CAB file, itself embedded in an MSI file. You can see those links in VirusTotal in the "Relations" tab (probably requires an enterprise account)
VB released my talk on a #Shadowpad sample delivered by a Pakistan gov application. It contains an analysis of the modified MSI installer, some tricks to pivot on old and new Shadowpad samples, an overview of the #APT campaign, and attribution discussion https://t.co/1puSIuWsWl
@ItsNavdeep You are 100% correct! The same applies to DeedRAT then. DE DE 43 D0 is the OpenDNS resolver in reverse order (looks like they messed up), and the others are Google, Cloudflare and Quad9 resolvers. I didn't know 4.4.4.4 and 4.2.2.2. Big thanks for pointing this out!
@_lostpacket_ No, version 2.0.3 of the legitimate MSI installer (the one backdoored by the threat actor) was uploaded to VT the day after we published our report. We know of a PK gov entity that published it between April and June 2023, but the incident happened long before, in September 2022.
We found a probable supply chain attack on the eOffice application developed by the Pakistan government. It delivers #Shadowpad with an updated obfuscation and encryption scheme. The threat actor carefully chose the C&C to blend into legitimate network traffic https://t.co/xbzRqFisEU #APT