blue tangle

  Raspberry Robin aka "QNAP Worm" is a suspected pay-per-install malware botnet linked to threat actor DEV-0856. Raspberry Robin spreads through infected USB, users click a .lnk file on the USB and from there msiexec.exe grabs a remotely hosted .msi file and quietly installs it, which is the next stage of the Raspberry Robin payload. One of the interesting things about Raspberry Robin is that it uses a very distinctive, low effort, form of command line obfuscation, mixed case (or "alternating caps"). You can see what that looks like below, from what looks like a Defender detection in the attached screenshot.     I wanted to come up with a way to detect mixed case obfuscation in Splunk, you can see what I came up with below:   index=winlogs EventCode=4688 Creator_Process_Name=*\\cmd. exe | rex field=Process_Command_Line max_match=0 "(?<upper>[A-Z])" | rex field=Process_Command_Line max_match=0 "(?<lower>[a-z])" | eval count_upper=m

    I'm very aware that in infosec we tend to be like magpies, distracted by new and shiny objects while sometimes underestimating the impact of the boring tried and true techniques that hackers use day in and day out because they just work. Having said that, I'm only human and when I see something I haven't seen before it piques my curiosity. That was the case with this tweet by Jazi , a Fortinet threat intel researcher, talking about a Darkbit payload. Before we get into the content of that tweet though let's have a quick look at Darkbit, as there are so many ransomware groups now, and the smaller ones can start to blur together as there are only so many adjectives that they seem to favour.   Darkbit are not a very active ransomware group, from what I can tell they have had one high profile victim, the Technion - Israel Institute of Technology. The group heavily implies that they are a disgruntled former tech worker, the further implication is that they may have work

    I wrote a Sigma rule for security/hacking tool Seatbelt, you can find it below.

  Following on from reading an unSafe.sh post about recent Lockbit ransomware gang activity, aka the new "Lockbit Black", I decided to look into a file that was posted along with the analysis, "123.bat".   You can view or grab a gist of the batch file below: We're going to run this batch file on a test VM and have a look at the resulting logs for some detection ideas, I'll be giving examples in Splunk SPL but I am certain with a little SIEM magic you can adapt the content to elastic, Sentinel or Defender Advanced Hunting queries instead. Lets get to it. The first questions we have to ask though, are around log availability and log visibility.  Are you ingesting Windows EventID 4688 and command line parameters along with that? How about logs from Powershell? If you are still running an older version of Powershell in your estate and finding motivation to update to 5+ is tough then here's your driver, better security and better logs that you can bung i

  If you want inspiration for a slidedeck on the history of ransomware look no further. Where I wanted to nail down specific dates I looked for when ransomware strains or incidents made the mainstream news and used that as my base timeline. The slides cover the first incident of data held for ransom that I could find (in 1981) through to Karakurt as what I see as the future of ransomware, touching on targeted ransomware attacks and the advent of Big Game Hunting in between. The talk is made to be delivered in about 25 - 30 minutes, though I was cutting it rather close with that timing. Feel free to use and alter this PowerPoint as you wish.