Decryption of AsyncRAT config strings with CyberChef

AsyncRAT is an open source remote administration tool written in C#. It is often abused by attackers as malware. Its configuration contains obfuscated and AES-encrypted strings. In this blog post, I would like to describe my approach to decrypting those strings with CyberChef, leveraging Registers and other CyberChef features.
Read more →
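As an added example (not code from the original post or from the AsyncRAT project), here is the same decryption carried out outside CyberChef, in Go with only the standard library, so the steps a CyberChef recipe has to reproduce are explicit: derive the keys, split the blob, check the HMAC, then AES-CBC decrypt and strip the padding. It assumes the layout of the AsyncRAT `Aes256` class as published in its source: base64 of a 32-byte HMAC-SHA256 tag, followed by a 16-byte IV, followed by AES-256-CBC ciphertext with PKCS7 padding, where the AES key (32 bytes) and HMAC key (64 bytes) are consecutive reads from one PBKDF2-HMAC-SHA256 stream over the UTF-8 master key with a fixed 32-byte salt and 50000 iterations. The salt, iteration count and layout are stated here from memory of that source, so treat them as assumptions and verify them against the sample you analyse. The master key, plaintext and IV in `main` are constructed for the demo; real samples carry a random IV chosen by the RAT.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	hmacLen    = 32    // HMAC-SHA256 tag prepended to the blob
	ivLen      = 16    // AES block size; the IV follows the tag
	keyLen     = 32    // AES-256 key
	authKeyLen = 64    // HMAC key, read from the same PBKDF2 stream right after the AES key
	iterations = 50000 // PBKDF2 iteration count (assumption: value used by the public AsyncRAT source)
)

// Fixed PBKDF2 salt as used by the public AsyncRAT Aes256 class (assumption; verify against your sample).
var asyncRATSalt = []byte{
	0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out so the example needs no external module.
func pbkdf2SHA256(password, salt []byte, iter, outLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, outLen)
	counter := make([]byte, 4)
	for block := uint32(1); len(out) < outLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(counter, block)
		prf.Write(counter)
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

// deriveKeys mirrors Rfc2898DeriveBytes.GetBytes(32) followed by GetBytes(64) on the same instance:
// both reads come from one continuous PBKDF2 stream, so derive 96 bytes once and split them.
func deriveKeys(masterKey string) (key, authKey []byte) {
	stream := pbkdf2SHA256([]byte(masterKey), asyncRATSalt, iterations, keyLen+authKeyLen)
	return stream[:keyLen], stream[keyLen:]
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid PKCS7 padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("invalid PKCS7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptConfigString takes the base64 config string and the RAT's master key and returns the plaintext.
// The HMAC is checked first, so a wrong key fails loudly instead of yielding garbage.
func DecryptConfigString(masterKey, encoded string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(blob) < hmacLen+ivLen+aes.BlockSize {
		return "", errors.New("blob too short for tag + IV + one block")
	}
	key, authKey := deriveKeys(masterKey)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(blob[hmacLen:]) // tag covers IV || ciphertext
	if !hmac.Equal(mac.Sum(nil), blob[:hmacLen]) {
		return "", errors.New("HMAC mismatch: wrong master key or corrupted string")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv, ct := blob[hmacLen:hmacLen+ivLen], blob[hmacLen+ivLen:]
	if len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	return string(pt), err
}

// EncryptConfigString builds a blob in the same layout; it exists only to construct demo input.
func EncryptConfigString(masterKey, plaintext string, iv []byte) (string, error) {
	key, authKey := deriveKeys(masterKey)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padN := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), make([]byte, padN)...)
	for i := len(plaintext); i < len(padded); i++ {
		padded[i] = byte(padN)
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(append([]byte{}, iv...), ct...)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(mac.Sum(nil), body...)), nil
}

func main() {
	// Constructed demo values: throwaway master key, C2 host as plaintext, deterministic IV.
	iv := make([]byte, ivLen)
	for i := range iv {
		iv[i] = byte(i)
	}
	blob, err := EncryptConfigString("example-master-key", "127.0.0.1", iv)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptConfigString("example-master-key", blob)
	fmt.Printf("blob=%s\nplain=%q err=%v\n", blob, plain, err)
	_, err = DecryptConfigString("wrong-key", blob)
	fmt.Println("wrong key:", err)
}
```

The order of operations is the point for a CyberChef recipe too: the decoded blob has to be sliced so that bytes 0..31 are the tag, 32..47 the IV and the rest the ciphertext, and the two keys must come from the same PBKDF2 output (first 32 bytes for AES, next 64 for HMAC), which is what Registers let you carry between operations.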

REvil Ransomware used in Kaseya

Attackers compromised up to 1500 companies in a massive ransomware attack that is now reported as one of the largest cyber attacks ever. Victims were infected with REvil ransomware, which is similar to the DarkSide ransomware recently used in the Colonial Pipeline attack. This time, however, the deployed REvil ransomware was more heavily obfuscated than the versions observed at the beginning of 2021. In this article, we discuss the obfuscation techniques used by REvil in the Kaseya incident.
Read more →

DarkSide Ransomware

DarkSide ransomware is a very hot topic now, especially after the compromise of Colonial Pipeline's networks, which has also been investigated by the FBI. It caused such serious problems that even the attackers said they "didn't mean to create problems". However, DarkSide ransomware is not something completely new: it is similar to the infamous REvil/Sodinokibi ransomware. In this post, I would like to highlight some significant similarities between newer samples of both ransomware families, with insights about DarkSide victims based on their custom ransom notes.
Read more →

Cobalt Strike stagers used by FIN6

In June, the LIFARS team worked on an engagement related to the FIN6 threat actor. FIN6 was also detected and described in April and May by various other forensics firms, including SentinelOne and FireEye Managed Defense (Mandiant), which described an intrusion by FIN6 and their latest tactics, techniques, and procedures (TTPs). In particular, FIN6 also used the LockerGoga and Ryuk ransomware families, and Cobalt Strike for initial compromise and lateral movement. Even three months after those posts were published, some of the URLs serving Cobalt Strike stagers were still active, so I decided to publish an analysis of these Cobalt Strike stagers and payloads.
Read more →

Hunting for Blue Mockingbird samples

In my recent post about XMRig-based CoinMiners spread by the Blue Mockingbird group, based mainly on a case study by LIFARS, I wrote about a multi-stage attack performed by this threat actor. However, that case study doesn't contain many IOCs (one reason may be to protect the privacy of the victims), so when I want to analyze these samples, I first have to find them somewhere. In this post I describe my process of searching for these samples using public services and how the whole attack chain can be reconstructed from them.
Read more →