IDA, the Interactive Disassembler, is well known tool. It also comes in Freeware version, however, there are several limitations. For example, it is known, that IDA Freeware doesn’t support IDA Python, scripting language which brings the best from the IDA and from the Python world. For scripting, IDA Freeware supports only IDC, a “toy” [2] C-like language. In past I was wondering if it is possible to run Python even from IDA Freeware, Recently I played little bit more with IDC and I found a way how to pass data from IDA to external Python, and get back results to the IDA.

Few weeks ago, I saw somewhere on the Internet question about IDA Freeware compatibility with the Fluorescence plugin. And because this plugin is written in IDAPython and IDAPython isn’t officially supported by IDA Freeware, also this plugin isn’t compatible. However, when I checked what this plugin does, it turns out that it is very simple - its purpose is to highlight call instructions. So as an exercise I re-created IDC script with similar feature, and moreover, I also created plugin version of IDC Fluorescence.

In June, LIFARS team worked on engagement related to FIN6 threat actor. FIN6 group was also detected and described in April and May, by various other forensics firms, including SentinelOne and FireEye Managed Defense (Mandiant), which described intrusion by FIN6 threat actor and their latest tactics, techniques, and procedures (TTPs). In particular, they used also LockerGoga and Ryuk ransomware families, and Cobalt Strike for initial compromise and lateral movement. Even three months after publishing their post, some of the URLs for Cobalt Strike stagers have been still active, so I decided to publish analysis of these Cobalt Strike stagers and payloads.

In my recent post about XMRig-based CoinMiners spread by Blue Mockingbird Group based mainly on Case Study by LIFARS I wrote about multi-stage attack performed by this threat actor. However, this case study doesn’t contain lot of IOCs (one reason could be to maintain privacy of the victims), and when I want to analyze these samples, first I have to find them somewhere. In this post I describe my process of searching for these samples using public services and how we can reconstruct the whole attack chain.

As I stated in the post about Synology in VirtualBox, I wondered about forensic analysis of Synology NAS, especially about memory acquisition. As a part of preparation phase, I had to figure out how to create a Synology VM, because I did not have access to real Synology HW. Then I found the way how to create a memory dump in DSM 6.1.7 (from May 2018), but I wanted to verify my approach also in real HW with up-to-date version of DSM.