Target Package: APT 18

Target Package: APT 18 Summary: APT 18 is a threat group that has been in operation since at least 2009. A broad overview of how they operate consists of usually sending their victims a phishing email which will download a Remote Access Trojan (RAT). Some of their observed persistence mechanisms have been using registry run […]

Read More Target Package: APT 18

Detecting MITRE ATT&CK Technique: Part 2 – T1003.001 (LSASS Memory)

Today I wanted to write a quick blog post on how you can detect, with free and open source tools, attackers using rundll32.dll and the comsvcs.dll to dump the memory from LSASS. You can find out how my environment is setup in part1 of this series: https://marcusedmondson.com/2020/07/29/detecting-mitre-attck-technique-t1218-010-regsvr32/ So now let’s cover how MITRE ATT&CK describes […]

Read More Detecting MITRE ATT&CK Technique: Part 2 – T1003.001 (LSASS Memory)

PowerShell Downloader – Emotet

Today I wanted to do a real quick post on a PowerShell downloader linked to Emotet. Here is a little background on what Emotet is according to Malwarebytes: Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails […]

Read More PowerShell Downloader – Emotet

Basic Dynamic Analysis Pteranodon.bin – Gamaredon Group

So today I wanted to do a blog post on an executable SHA-256: 408e38b4d81de63e5762dcb8024f81360b426429821f9934b087aa0a6b44c56f that has been tied back to the Gamaredon Group, in my research. I pulled it down from @0xffff0800 .onion website http://iec56w4ibovnb4wc.onion/Library/GamaredonGroup/. Thank you @0xffff0800 with sharing these samples with the community! A little background on who the Gamaredon Group is. According […]

Read More Basic Dynamic Analysis Pteranodon.bin – Gamaredon Group