Tag Archives: IoC

Will Cyber Attacks Spread from Ukraine to the Whole World?

Russian troops entered Ukraine, the whole world is watching this situation with surprise and sadness. Before the invasion, numerous Ukrainian organizations getting hit with a sophisticated new disk-wiping malware. Mandiant is tracking this threat as ‘NEARMISS’ and ESET is tracking as ‘HermeticWiper’ and they reported that they found traces of the malware in hundreds of systems in Ukraine. According to their statement, ESET observed the first sample around 14h52 UTC on 23th of February. “The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two monthsESET explained.

According to researches, malware being deployed against organizations in several industries in Ukraine and designed solely to damage the Master Book Record (MBR) on Windows systems, making them unbootable once compromised. The malware does not contain any propagation functionality and, according to several reports. The attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd., hence the wiper’s name (MD5: 94bc2ff3969d9775de508e1181318deb).

In January, Microsoft reported another similar malware targeting organizations in Ukraine. This malware was designed to overwrite and destroy the MBR too.

Currently, while the invasion continues, cyber attacks continue too. And most of the world stands against Russia about this attacks. Also the sanctions are increasing against Russia and with these situation, it is easy to understand that other nations will be the target of these cyber attacks. “Russia and its allies will conduct cyber espionage, information operations, and disruptive cyber attacks during this crisis. Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyber attacks within and outside of UkraineMandiant says about that.

All organizations and security teems should be aware of these threat. Events and incidents should be followed closely. We should work together with strong intelligence services that closely monitor threat groups to follow situation closer.


MD5 – 84ba0197920fd3e2b7dfa719fee09d2f

SHA-1 – 912342f1c840a42f6b74132f8a7c4ffe7d40fb77

SHA-256 – 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

MD5 – 3f4a16b29f2f0532b7ce3e7656799125

SHA-1 – 61b25d11392172e587d8da3045812a66c3385451

SHA-256 – 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

BotenaGo Malware Source Code Published

AT&T Alien Labs last week announced that the source code of BotenaGo malware has been published in GitHub. BotenaGo was discovered and named in November 2021 by Alien Labs again, and according to the post of Alien Labs, the source code of this malware has been published on 16th of October 2021.

It is noticed that too few AV vendors can detect (3/60) this malware already and now it is more dangerous because with the published source code, it is possible to change code simply and create new variants to bypass the detection.

It is also possible to find a source code analysis and IoCs of the malware in the post with recommended actions suggestions.

CTI does not mean Fraud Detection

Organizations invests more and more to security tools, breach statistics keep increasing. About ten years ago and more, attackers were mostly alone, and were using basic tools, so it was easier to block them. But with the advanced techniques and tools, and the groups that came together to attack, made these attacks more difficult to block. There was no such thing as intelligence on our agenda. Some basic blacklists and virus databases were enough against most of the attackers.

CTI (Cyber Threat Intelligence) has become indispensable nowadays. We need more and more information about attackers day by day to gain advantage in this fight. At the same time, we see that a lot of people confuse threat intelligence with fraud. People seem really confused about what to expect from threat intelligence. In this post, I try to mention the needs and usage for CTI.

IoCs: Of course, IoCs are one of the most important things that we are waiting from a CTI product. We are feeding our tools with IoCs and this is the simplest thing for our security intelligence. It is possible to find open source IoCs on many historical threats on the internet. Our expectation from a CTI product should be that it gives us the latest IOCs on threats. While evaluating a CTI tool, it should be observed how much IOC it gives compared to its competitors. Some CTI vendors are mostly using Open IoCs, so it is important to check this value before paying money. Meanwhile, the accuracy of the IOCs is also an issue that should not be overlooked. There will be no point in pushing so many wrong IoCs into our systems every day, even those false positive IoC will cause us to waste time. And time is the most important value in a battle.

TTPs: According to Pyramid of Pain – we discussed in the related post deeply – TTPs are the most valued information for defenders. Sun Tzu says that “if you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Of course this is very meaningful. If you do not know what tools, techniques and tactics your enemies are using, it d be very difficult to win a battle. For a defender, the most valuable information are these TTPs and tools that the enemy is using. From a CTI vendor, this must be one of your most important expectations.

Threat Groups: As mentioned before, attackers now works together, they come together and join forces. And while a group is successful on technique with specific tools and malwares, they rarely change these TTPS and tools. So, it is very important to know who is targeting your geography, country and sector. With these information, organizations get really useful IOCs for themselves, and can design their defense according to these attackers’ TTPs. According to this, maybe tracking the threat groups are also the most important thing for the first two bullets (IoCs and TTPs). You can take random IOCs and install them on your systems, but this is never the same as working with the information of attackers you know who they are.

Vulnerabilities: are critical because attackers use these vulnerabilities to infiltrate. It is vital to be aware of vulnerabilities as quickly as possible after they appear. Meanwhile, the information whether these vulnerabilities are exploitable or not, and their criticality and knowledge of affected systems should also be among the things you expect from CTI. Of course, you need a proactive patch management to use these information in success.

Dark Web Tracking: Every day, a lot of information about companies is offered for sale on the dark web or different attackers and groups come together by communicating here. It is not possible to track all forums and portals in dark web continuously for a security team. One of the expectations from the CTI should be the constant monitoring of the dark web and access to information about threats to the organization.

CTI is not Fraud Detection: Fraud is an important subject to save customers our and users. There are many fraud techniques that fraud teams need to be aware of but CTI is not fraud. As mentioned at the beginning, people seem really confused about what CTI and fraud are. Some CTI vendors provide fraud data to their customer. It is undisputed very valuable. But a CTI product should not be evaluated solely on the fraud information obtained. For a good CTI investment, the above issues should be evaluated.

Threat Hunting III – Pyramid of Pain

As we mentioned in the previous sessions, IoCs are crucial important for a proactive threat hunting process. Threat hunters should know most of the information of newly threats and implement them to their hunting processes. Pyramid of Pain classifies IoCs and helps us understand better the usefulness of them.

The pyramid of pain was created by David Bianco (Fireeye). He also has a Youtube video for presenting it.

Pyramid of Pain

This pyramid classifies the IoCs and with going up the pyramid, IoCs help us more to detect the suspicious. Also, as we go up, it is harder to obtain these IoCs. Now, lets check these IoC types shortly;

Hash Values: A hash value is a unique identifies of the data. In theory, the hash value of each data is expected to be unique to itself. So, it gets easier to identify a data, file with its hash value. As an example, you can see below the hash values (both md5 and sha256) of openvpn.exe.

Hash values of openvpn.exe

Hash values are at the bottom of the pyramid because it is very easy to change a file’s hash value and if you do not have the newly changed hash, that means you cannot detect this file anymore.

IP Addresses: IP blacklists still used by many different products, however it is also easy to change the IP address for an attacker. So, it is again does not help much to detect an adversary.

Domain Names: Everyday we can see that attackers can obtain new domain names very fast and can continue their attacks with ever changing domain names.

Network/Host Artifacts: These are the clues that adversaries left on the pc or network. These can be registery keys, processes, user agent strings, etc. Surely, to obtain such information, a forensic analysis need to be done in compromised pcs or networks.

Tools: Adversaries have their favorite tool to attacks, like pentesters have. It is important to know the tool that your enemy using and if you are good at detecting these tools, you can easily detect the attack or this situation forces the attackers use some other tools. This situation will slow down the attack and will save your time.

TTPs: Tactics, techniques and procedures are the patterns of activities or methods of a specific threat actor. As you all know, you can find all TTPs in the Mitre’s website and they are the most valuable data to identify an attack. If you know the TTPs of your enemy, it means you know what to check for a possible attack and mitigate.

Searching for IoC with Redline

Redline is a free tool for investigation malicious activity through memory and file analysis. It has a lot of features for investigation but in this post, we will only mention searching for IoCs in the endpoint with Redline.

In previous post, we created an IoC to detect WinSCP.exe. Now, we will search it with Redline as the example.

We will go on with “Create an IOC Search Collector” menu in the main page of Redline. For doing this, we browse the folder that including IoCs we want to search in the PC. We have only one IoC here but if you have more IoCs in the folder, you will see all of them in “Indicators” tab.

Then we create a folder for IoC Collector and after clicking “Next” button, we show this folder. Redline creates the IoC Collector in this folder. We will now use RunRedlineAudit.bat file with the command line. Once the bat file finishes running, it will create a folder called “Sessions” and save outputs to this folder in the same directory.

Just run the “RunRedlineAudit.bat” file and wait for finishing. Then, open the “Sessions” folder. Each IoC sweep placed in its own folder calle “AnalysisSessionX”. This was our first sweep, so we click on “AnalysisSession1” folder. Our IoC report will be in “AnalysisSession1.mans” file. So, we click on this file, and it will take some time it generates the report.

When IoC report generated, we can see it on Redline tool, “IOC Reports” tab. As you can see in the screenshot, our WinSCP Indicator IoC got hits. When we click on it, we can see why this IoC got hit. Here, our IoC catch the file with its MD5 hash value and file name. With clicking on “View Details” button, we can see more details about the hit.

Data Collection with Redline

As we discuss before, Redline is a great tool for investigating endpoints. In this post, we will explain how to collect memory data with Redline.

First, in the main page of Redline, we click on “Create a Standard Collector” button. In the opened window, we click on “Edit your script” label and be sure we choose all we need for memory analysis. Then we create a folder for analysis and show it with browsing in the Redline window.

This process will create the data collector in the folder we choose. Then we open a cmd and run “RunREdlineAudit.bat” script in this folder.

Once the script starts to run, you can see some analysis created in “Audit” folder. Sure, it will take some time to finish the analysis.

When it finishes, click on “AnalysisSessionX.mans” file in the “Audit” folder and this will open Redline again.

This file provides us all the information that we checked at the beginning (Edit your script).

Creating IoCs with Mandiant IOCe

In “Open Threat Exchange” post we mentioned that shared IoCs by other parties on Open Threat Exchange. Open IoCs are nice since they are manufacturer independent and can be used in a lot of different technologies for detecting threats.

Viewing Existing IoCs

In this post, we will mention on Mandiant IOC Editor. First of all, Mandiant IOCe could be used to view open IoCs which you downloaded from different sources. Here, we will show a simple example to view an existing IoC. So, as example, we download an IoC from Open Threat Exchange. This is the IoCs of malicious files found on Pulse Connect Secure devices. This is an xml file downloaded and has 108 IoCs containing 36 MD5, 36 SHA1, and 36 SHA256 hash values. You know, IoCs are not only hashes. They can contain a lot of different attributes about the attack, but in this example, we only have hash values. Later in this post, we will create IoC with different attributes also.

After we download the IoCs as xml file, from File > New > Indicator From File menu and choose the xml file. Here, we can see all the IoCs we downloaded and if we want we can change, delete or add IoCs in that file.

Output of the xml file

Create an IoC

It is also so easy to create IoC with Mandiant IOCe. We start from File > New > Indicator menu. Firstly, IOCe provides us to give a name and description for the IoC. As the example, we will create IoC for detecting WinSCP file. Let’s check hash values of WinSCP.exe file first. MD5 and SHA256 is enough for us now.

MD5 and SHA256 values of WinSCP.exe file

From Item > File Item menu, we choose File MD5 and paste the MD5 value of the file. Let’s do the same for File sha256 menu. Additionally, we add File Name in OR logic.

Then, we can add more attributes from hundreds of items in IOCe. We tried to show some of them in the screenshot below.

Creating IoC with Mandiant IOCe

Do not forget that attributes you choose should be unique to the file, so it can be detectable and less false positives occur. Description is important while creating an IoC, since open IoC is developed to be used by everyone, and if you create an IoC, it is better to write enough description to understand by others.

Open Threat Exchange

Open Threat Exchange is a threat intelligence platform from Alien Vault. It is not limited to use this platform to get intel information.

When you register and log in to OTX, you can easily see the summary of the threats in “Subscribed Pulses” section.

Let’s choose a threat, called “Wiper luring the Olympic Games”. When we click, we can see details of the threat like a brief description, reference, tags for searching easily later, and TTP Id for Att&ck.

In the same page, in Indicator of Compromise section, we see IoCs of this threat. For this example, we have an MD5, a SHA1 and a SHA256 hash values as IoC. These IoCs have more details and you can easily see the details with blue “go to details” button at the right of the IoC.

We have more details here like file type, size, different hash values, metadata information, and VirusTotal check.

In the main page of the pulse, you can download the IoCs in different forms. You can easily download and use these IoCs to detect the threats.

In the Browse tab of OTX, it is classified by pulses, groups, indicators, malware families, industries and adversaries. It is valuable to search for specific threat actors and their TTPs, and IoCs to detect them.

OTX also provides to create pulses and API connection. It has a simple user interface so do not want to touch all menus here.

The Newest Ransomware: Epsilon Red

Sophos announced that analysts uncovered a new ransomware – called Epsilon Red – that developed in Go programming language. The code is placed in PowerShell script.

This malicious file is written in Go programming language and a 64-bit executable file. It is said that spreading in systems by exploiting security vulnerabilities in Microsoft Exchange servers. It is using vulnerabilities like CVE-2020-1472, CVE-2021-26855 and CVE-2021-27065 that recently discovered Microsoft Exchange servers vulnerabilities. Epsilon Red ransomware scans files and encrypts for ransom when it reach to the target systems. It seems like still there are more than three thousand exchange servers that including these vulnerabilities and this shows us Epsilon Red attacks would be more painful.

According to Sophos, Epsilon Red has been seen in hospitality industry in USA mostly, and it seems like one of their victims paid 4.29 BTC after being affected.

For not being affected, organizations should keep the applications up to date and detect these IoCs below to prevent this attack. Also you can read our short post about prevention agains ransomwares.























Virtual Machines Roles in Growing Number of Ransomware Attacks

Symantec Threat Hunter Team published a post about evidence that an increasing number of ransomware attackers are using virtual machines (VMs) in order to run their ransomware payloads on compromised computers. The purpose of using VMs on ransomware attacks is thought to hide the malicious activities. It is stated that this method is used in order to bypass the security solutions in virtual machines and to ensure that malicious codes can be hidden in the virtual machine.

In the past, a similar attack was seen on Windows XP machines by RagnarLocker ransomware. The same method now is used in Windows 7 machines.

It is important to prevent the installation of unauthorized virtual machines in corporate networks and implement NDR solutions to capture the anomalies in the network. In addition, Symantec published these IoCs to detect;

  • 2eae8e1c2e59527b8b4bb454a51b65f0ea1b0b7476e1c80b385f579328752836 – Installer
  • 9f801a8d6b4801b8f120be9e5a157b0d1fc3bbf6ba11a7d202a9060e60b707d8 – runner.exe
  • e5291bae18b0fa3239503ab676cacb12f58a69eb2ec1fd3d0c0702b5a29246cb – VirtualBox
  • d89bd47fb457908e8d65f705f091372251bae3603f5ff59afb2436abfcf976d8 – Mountlocker
  • 8f247e4149742532b8a0258afd31466f968af7b5ac01fdb7960ac8c0643d2499 – Mountlocker