Is it just me, or has the global pandemic completely shifted the construct of time? It has been “three months” (feels like only weeks), since we last published our quarterly blog wrap up, hence the inclusion of the gif below.
As a quick reminder, this wrap up series is meant to highlight our most read blogs over the past quarter. That way, if you happen to miss something you or your peers would find valuable, you can quickly navigate to our “Top Blogs” category and skip the FOMO (fear of missing out). You’ll notice there is a combination of research and educational resources in the section below, but there have been a few other items you might find useful:
- Conceptualizing a Continuum of Cyber Threat Attribution
Ahh attribution, a prickly topic in cyber threat intelligence (CTI). As this is such a hotly debated subject, Joe Slowik wrote a paper to redefine attribution as a continuum. In addition, he outlines how this methodology can maximize analysts' decision making and follow-on analysis. This paper is well worth a read!
- SANS 2021 Report: Top Skills Analysts Need to Master
I’d also recommend burying your head in the SANS…paper, which underscores security models and frameworks to develop and improve analysts' skills. It also makes the fine distinction between investigative tasks and thinking, and introduces how to incorporate the OODA Loop concept in investigations.
I won’t keep you much longer before divulging the definitive list of our most read blogs from this past quarter. A quick reminder that if you are seeking out timely and relevant threat intelligence, you may be interested in following our Twitter handle, @SecuritySnacks, which is managed by the DomainTools Security Research Team, as well as our weekly podcast, Breaking Badness. Lastly, be sure to tune into our monthly training series, Indicators Over Cocktails. This training not only includes fun beverages, but you’ll walk through a timely investigation with the engaging Tim Helming.
Catch Up On Your Industry Reading
This will be another of a hopefully long series of practical OSINT blog posts from the Security Research team here at DomainTools. This blog briefly compares the reverse image search capabilities of some major image search engines: Google, Yandex, Bing, and TinEye. Hopefully you’re familiar with these search engines already but if not, this post is a good crash course for the kind of results you can expect from each.
The DomainTools Security Research Team, in the course of monitoring newly registered Coronavirus and COVID labeled domain names, discovered a website luring users into downloading an Android application under the guise of a COVID-19 heat map. Analysis of the application showed that the APK contained ransomware. SSL certificates of the malicious domain (coronavirusapp[.]site) link the site to another domain (dating4sex[.]us) which is also serving the malicious application. The linked site has registration information pointing to an individual in Morocco.
Multiple adversaries, from criminal groups to state-directed entities, have engaged in malicious cyber activity using COVID-19 pandemic themes since March 2020. Adversaries continue to leverage the pandemic, arguably the most significant issue globally as of this writing, in various ways. Yet the most persistent avenue remains using COVID-19 themes for building malicious document files. Examples include lures associated with Cloud Atlas-linked activity and broader targeting of health authorities.
The aim of this post is to introduce you to log collection on the Microsoft Windows platform. It starts with an illustration of a Windows source-only log deployment, followed by a collection of chosen fields from log samples and a brief description of these sources. The last part is on audit logging, as it holds an important role in ensuring infrastructure defense.
Since at least 2017, various threat actors, generally associated with or assessed to be located in the People’s Republic of China (PRC), utilized a malicious document builder referred to as Royal Road as part of phishing activity. Observed in conjunction with multiple, distinct threat actors, Royal Road provides a mechanism to embed malicious, encoded objects within Rich Text Format (RTF) files. Code execution and object delivery relies on exploiting one of several vulnerabilities in the Microsoft Equation Editor.
DomainTools Research has kept an eye on all new COVID-themed domain registrations, producing both our COVID-19 Threat List and uncovering CovidLock, a COVID-themed Android ransomware APK that preyed on users' fear of the virus. During the course of this research, the DomainTools Research team opened the floodgates on COVID-related domains in order to continuously monitor and analyze what domains are spun up on a daily basis. Each day, some 300,000 domains are registered and a small subset of those are pandemic-related.
On April 21, 2021, Netlab released an excellent report on a malware sample they dubbed RotaJakiro, a long-lived backdoor targeting 64-bit Linux systems with 0 detections on VirusTotal. This backdoor used a number of techniques to remain unnoticed and the craftiness of the sample piqued the attention of the DomainTools Research Team. Netlab’s post concluded with an analysis of why the binary was just the tip of the iceberg in discovering what this malware sample was about. DomainTools, with our 20+ years of Whois and DNS information, was able to take a deeper look at the infrastructure behind RotaJakiro. For analysis on the binary itself, we suggest reading their excellent post while we concentrate here on one of our specialties: digital archeology.
What’s To Come
We will continue to work hard for all of you throughout the course of the quarter. Additionally, we will be sure to keep you apprised of recent security research, product enhancements, technical topics, industry news, and much more. If there are any topics you would be interested in reading about on our blog or covering in our weekly podcast, Breaking Badness, please feel free to tweet us at @DomainTools.