Thursday, 16 April 2015
Example Threat: Hellsing
Kaspersky recently released an article "The Chronicles of the Hellsing APT: the Empire Strikes Back" ( https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/ ) detailing the activities of groups they refer to as Naikon and Hellsing.
Below is a link to browse through some of the Hellsing artefacts on ThreatCrowd:
Wednesday, 15 April 2015
Example Threat: APT30
Earlier this week FireEye wrote a report on a Chinese group they call APT30 (https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf).
You can browse some of these relationships in ThreatCrowd at:
https://www.threatcrowd.org/domain.php?domain=km-nyc.com km-nyc[.]com
https://www.threatcrowd.org/domain.php?domain=km153.com km153[.]com
https://www.threatcrowd.org/domain.php?domain=aseanm.com aseanm[.]com
https://www.threatcrowd.org/domain.php?domain=www.iapfreecenter.com www.iapfreecenter[.]com
https://www.threatcrowd.org/domain.php?domain=www.appsecnic.com appsecnic[.]com
https://www.threatcrowd.org/domain.php?domain=www.newpresses.com newpresses[.]com
https://www.threatcrowd.org/domain.php?domain=www.bigfixtools.com bigfixtools[.]com
https://www.threatcrowd.org/domain.php?domain=www.bluesixnine.com bluesixnine[.]com
https://www.threatcrowd.org/domain.php?domain=www.autoapec.com autoapec[.]com
Example: DragonOK
Yesterday Palo Alto published an article ( http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ ) describing some targeting of primarily Japanese organisations using Chinese malware such as PlugX and others.
And here is a link to browse some of these connections in ThreatCrowd:
https://www.threatcrowd.org/email.php?email=wtao1020@gmail.com
Tuesday, 14 April 2015
Investigating threats with ThreatCrowd - Tutorial
About
This post is a brief tutorial showing how to use ThreatCrowd to quickly find and pivot on threats, and how it can fit in with other tools.
Let's look at some Spearphishes
This table lists some of the malware listed in ThreatCrowd with a .doc or .pdf extension.
These serve as a good place to start looking for interesting themes.
Let's take a look at the potentially interesting-sounding file "Secret nuclear reactor deal for Pakistan.doc" at https://www.threatcrowd.org/malware.php?md5=dabca84ea12d60418a652300727f1f00
This refers us to the malwr.com sandbox report https://malwr.com/analysis/MDA3OWVmODg0YzUyNDczZThjOGYzYjhlMWMzMDI0ODc/ . This is worth viewing for the detail - ThreatCrowd is designed to quickly find related entities like a search engine, and lacks the actual detailed information that is found on sites like malwr.com.
Here I've right clicked on the domain "alerymymail[.]com" to pivot. I could also zoom in by scrolling with the mouse.
The page for the domain looks like this:
At this point we could pivot through on domains, ip addresses, malware detections and whois data.
Further Tools
Sites such as PassiveTotal (https://www.passivetotal.org) and VirusTotal (https://www.virustotal.com/en/documentation/private-api/) can be used to identify further information.
Tools such as Maltego (https://www.paterva.com/web6/) can be used to build graphs of this activity - ThreatCrowd will only allow you to view it.
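The pivoting described in the tutorial (hash to domain to IP, whois e-mail and other hashes, the same pivot as the DragonOK e-mail link above) and the graph that Maltego would draw from it can be scripted. The block below is an added example, not code from the original post or from ThreatCrowd. ThreatCrowd did expose a JSON API under https://www.threatcrowd.org/searchApi/v2/, but the report field names used here are an assumption modelled on it, and the reports themselves are constructed for the example (only the hash and alerymymail.com come from the post; the other names are reserved example domains and a TEST-NET address) so that it runs offline.

```python
from collections import deque

# Constructed sample reports keyed by (type, indicator). Field names are an
# assumption about the ThreatCrowd v2 API shape; values other than the post's
# hash and alerymymail.com are made up (example.* names, TEST-NET IP).
SAMPLE_REPORTS = {
    ("file", "dabca84ea12d60418a652300727f1f00"): {
        "response_code": "1",
        "domains": ["alerymymail.com"],
        "ips": [],
    },
    ("domain", "alerymymail.com"): {
        "response_code": "1",
        "resolutions": [{"ip_address": "198.51.100.23", "last_resolved": "2015-03-01"}],
        "hashes": ["dabca84ea12d60418a652300727f1f00",
                   "0123456789abcdef0123456789abcdef"],
        "emails": ["registrant@example.net"],
    },
    ("ip", "198.51.100.23"): {
        "response_code": "1",
        "resolutions": [{"domain": "alerymymail.com", "last_resolved": "2015-03-01"},
                        {"domain": "second-example.com", "last_resolved": "2015-02-10"}],
        "hashes": [],
    },
    ("email", "registrant@example.net"): {
        "response_code": "1",
        "domains": ["alerymymail.com", "third-example.org"],
    },
}


def fetch_report(kind, value):
    """Return the report for an indicator, or None if nothing is on file.

    A live version would GET searchApi/v2/<kind>/report/ instead; this reads
    the constructed table so the example runs offline.
    """
    report = SAMPLE_REPORTS.get((kind, value))
    if report is None or report.get("response_code") != "1":
        return None
    return report


def neighbours(report):
    """Yield the (kind, value) pivots one report offers: domains, IPs,
    hashes and whois e-mails, plus passive-DNS resolutions either way."""
    for domain in report.get("domains", []):
        yield ("domain", domain)
    for ip in report.get("ips", []):
        yield ("ip", ip)
    for h in report.get("hashes", []):
        yield ("file", h)
    for email in report.get("emails", []):
        yield ("email", email)
    for res in report.get("resolutions", []):
        if "ip_address" in res:   # domain report lists IPs
            yield ("ip", res["ip_address"])
        if "domain" in res:       # IP report lists domains
            yield ("domain", res["domain"])


def pivot(seed_kind, seed_value, max_depth):
    """Breadth-first pivot from a seed, at most max_depth hops out.

    Returns (nodes, edges): nodes maps (kind, value) to hop count, edges is a
    set of (src, dst) pairs. Indicators with no report stay as leaves so you
    can see where the data runs out instead of silently dropping them.
    """
    seed = (seed_kind, seed_value)
    nodes, edges, queue = {seed: 0}, set(), deque([seed])
    while queue:
        node = queue.popleft()
        depth = nodes[node]
        if depth >= max_depth:
            continue
        report = fetch_report(*node)
        if report is None:
            continue
        for nxt in neighbours(report):
            if nxt == node:
                continue
            edges.add((node, nxt))
            if nxt not in nodes:
                nodes[nxt] = depth + 1
                queue.append(nxt)
    return nodes, edges


def defang(kind, value):
    """Render an indicator so it cannot be clicked or resolved by accident,
    following the km-nyc[.]com convention used in the posts above."""
    if kind in ("domain", "ip"):
        return value.replace(".", "[.]")
    if kind == "email":
        user, _, host = value.rpartition("@")
        return f"{user}[at]{host.replace('.', '[.]')}"
    return value


def to_dot(nodes, edges):
    """Emit a Graphviz DOT graph of the pivot (the graph you would otherwise
    build by hand in Maltego), with defanged labels and hop counts."""
    lines = ["digraph pivot {"]
    for (kind, value), depth in sorted(nodes.items(), key=lambda kv: (kv[1], kv[0])):
        lines.append(f'  "{kind}:{value}" [label="{kind}\\n{defang(kind, value)} (hop {depth})"];')
    for a, b in sorted(edges):
        lines.append(f'  "{a[0]}:{a[1]}" -> "{b[0]}:{b[1]}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nodes, edges = pivot("file", "dabca84ea12d60418a652300727f1f00", max_depth=2)
    for node, depth in sorted(nodes.items(), key=lambda kv: kv[1]):
        print(f"hop {depth}  {node[0]:6} {defang(*node)}")
    print(to_dot(nodes, edges))
```

Keep max_depth small: two or three hops from a spearphish hash is usually enough to reach the infrastructure, and anything further tends to pull in shared hosting and unrelated registrants. Pipe the DOT output through `dot -Tpng` to get a picture comparable to the ThreatCrowd graph view.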