Malware Analysis Tools, Part 2

In the second part of our overview we continue with the selection of the most used and most usable malware analysis tools. Moreover, we select the tools which are freely available. This time, we focus on tools for analysis other types of the files instead of the native binaries from the previous blog.
Read more →

Malware Analysis Tools, Part 1

In this overview we introduce the selection of the most used and most usable malware analysis tools. Moreover, we select the tools which are freely available.
Read more →

Revil Ransomware used in Kaseya

Attackers compromised up to 1500 companies during massive ransomware attack, which is now reported as one of the largest cyber attacks ever. Victims have been infected with REvil ransomware, which is similar to DarkSide ransomware used recently in Colonial Pipeline attack. However, this time, the deployed REvil ransomware was more obfuscated than versions observed in beginning of 2021. In this article, we will discuss the obfuscation techniques used by REvil in Kaseya incident.
Read more →

DarkSide Ransomware

DarkSide Ransomware is a very hot topic now, especially after the Compromise of Colonial Pipeline networks, which has been investigated by FBI, too. It caused so serious problems that even hackers said that they “didn’t mean to create problems”. However, DarkSide ransomware is not something completely new, and it is similar to the infamous Revil/Sodinokibi ransomware. In this post, I would like to highlight some significant similarities between newer samples of both ransomwares with insights about DarkSide victims based on custom ransom notes.
Read more →

Cobalt Strike stagers used by FIN6

In June, LIFARS team worked on engagement related to FIN6 threat actor. FIN6 group was also detected and described in April and May, by various other forensics firms, including SentinelOne and FireEye Managed Defense (Mandiant), which described intrusion by FIN6 threat actor and their latest tactics, techniques, and procedures (TTPs). In particular, they used also LockerGoga and Ryuk ransomware families, and Cobalt Strike for initial compromise and lateral movement. Even three months after publishing their post, some of the URLs for Cobalt Strike stagers have been still active, so I decided to publish analysis of these Cobalt Strike stagers and payloads.
Read more →