Introduction As I have so creatively named this blog post, we are starting with a ZIP/LNK payload and, with some luck, we will end up identifying the infostealer that is being dropped and its source code. Starting with the zip file shown below. Analysis Using the VT link to get the…

Introduction I was analyzing this sample from the Malware Hunter Team and ran into hours of trouble trying to parse the full payload out of the LNK file because it is unusually long. I will go through my troubleshooting process and showcase how I managed to finally pull the whole payload…

Introduction LNK files are Windows shortcut files that are common during initial access. The Malware Hunter Team recently tweeted about a sample. …

Introduction This post aims to provide a core set of ideas for threat hunting — particularly in an intel-driven fashion. The intended audiences are detection engineers, threat hunters, and those aspiring to be one of the two. It will also examine the traditional nomenclature of TTPs (Tactics, Techniques, and Procedures) and…

This is an account of how I stumbled across a proxy tool that has seen some (ab)use using Google Trends. In retrospect, I realized that examining Google Trends data could yield insight into popular software for a given region, which then can be hunted for. What is Popular? So, out of curiosity, I…

Introduction This aims to serve as a repo of procedures attributed to Lazarus Group activity that can immediately be actioned on by threat hunters given the right logs. Along with each TTP is at least one potential way to hunt for the activity. Let me be clear, you can run all…

Methodology In an effort to proactively identify phishing pages on the internet, I took to Shodan and started crafting queries to identify pages targeting Microsoft and Google. As with everything else in security, there is no sliver bullet. …