Pivoting from VirusTotal to Shodan and uncovering all threat actor infra (BRc4) 🎯
Let's grab this hash/badger implant (BRc4)
086d6f54b51a368d0a836ad8e24df659
Looks like the badger implant is connecting to this IP address -> 51.77.112.254
Now let's check IP with Shodan and
My last blog in 2022 💎
Adversaries Infrastructure-Ransomware Groups, APTs, and Red Teams 🎯
What can you learn from scanning adversaries' infra?
Happy Hunting and see you next year! 🤘
Sneak peek🔥
Already 42 pages on Hunting Lazarus Group🇰🇵 with practical examples/step-by-step walkthrough and is not finished yet.
In this module, you will learn cool pivoting techniques!
Cobalt Strike redirector technique used recently by Russian APT29/Nobelium ⚡️
This is a Red Team technique (T1090.002 External Proxy)
to hide C2 behind a legit website.
This could be very useful for Threat Hunters/Intel to set up a hypothesis/monitor
I mapped active Cobalt Strike servers in the wild (over 450). Some of them could be legit Red Team Ops. However, the majority probably belongs to APT/Ransomware groups.
cc
@cyb3rops
Hunting Havoc C2 🎯
Sometimes Threat Actors change certificates from defaults to custom ones, for example👇
165.227.106.175 <- Our hypothesis this could be Havoc C2
Looks like this IP is running with a Let's Encrypt certificate
Now let's investigate this case🕵️♂️
I just wonder if anyone would be interested in the course (not sure which format yet) about Hunting Malicious Infrastructure/C2.
I am thinking about step-by-step practical examples of how to hunt for C2/redirections and various Threat Actors infra (Lazarus Group, APT28, APT29,
Hunting Malicious Infrastructure using JARM and HTTP Response 🎯
I have described my process and methodology that you can apply when hunting malicious infrastructure, with two practical examples 👇
QBot C2 Infrastructure
Brute Ratel C4
Hope you can find it
Last night APT10, APT28, APT29, APT41, and FIN7 DM me here on Twitter and said that my tweets revealed their poor opsec practices so now they will make a few changes:
Changes:
APT28 is not going to use Cobalt Strike anymore and they will use Koadic C3 from today.
APT29 Cobalt
Hunting Adversary Infrastructure Training update! 🔥
The training will start from the basics and the main objective will be to help you develop your own hunting methodologies.
If you are interested you can sign up here 👇
All details are in the slides.
I am thrilled to announce the launch of my new Training Platform focused on teaching you the essentials of Hunting and Tracking Adversarial Infrastructures, including Advanced Persistent Threats (APTs), Ransomware, and Criminal Groups 🔥
Stay tuned for
A few tips on how you can use Censys to hunt malicious infrastructure - opendirs 🎯
You can use just one query with a few changes.
For example, this is a good start 👇
(Directory listing for msf4) and .vendor=`Python Software Foundation`
I haven't finished this yet, but this is my next step regarding Cobalt Strike Hunting/Detection research.
Collection of Cobalt Strike resources for Blue Teamers/Hunters.
Cybersecurity "experts" be like... APTs in 2024 will be using Artificial Intelligence to create undetectable malware, payloads, zero-day exploits, cyber weapons, and probably some cyber nuclear bombs too🥱
Meanwhile, APTs (Muddy Water 🇮🇷)in 2024 🙃
Additionally, you can also use
@shodanhq
for Hunting Sliver C2 Infrastructure
ssl:multiplayer ssl:operators
ssl:multiplayer ssl:operators ssl.jarm:"00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01"
Threat Intel: Pivoting using Censys 🎯
A short blog on how you can pivot from one node to another and uncover a Threat Actor cluster/infra (Muddy Water 🇮🇷).
We recently added two new lessons to our course:
- Hunting ReverseSSH🎯
- Hunting BruteRatel C4🎯
Both lessons focus on teaching students how to hunt for malicious infrastructure that is not publicly detected and how to build effective hunt rules.
The IOCs from ReverseSSH and
Hunting Sliver C2 Infrastructure using Censys
(services.jarm.fingerprint: 00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01) and services.port=`31337`
Apparently, one person is quite upset about my research. Well, dude, if you are on a red team and don't know how to hide and protect your C2, then you are in the wrong job, mate!😂
@cyb3rops
Hunting Responder 🎯
I guess this could be handy for Threat Intel (mapping TA infra) and Threat Hunters when looking for new hypotheses or when dealing with inexperienced pentesters (hardcoded string in the old version).
Responder hardcoded string/date you should look for (old
Hunting Adversary Infrastructure Training Update.
I am currently working on the syllabus for my upcoming training program, which will consist of approx 16 modules covering both theory and practical labs.
In this training, I will teach you how to hunt down Ransomware Groups,
A short article about how to manually extract C2, shellcode, and indicators of compromise from encoded Cobalt Strike PowerShell payload and perform basic analysis.
Thanks for some tips!
@reversinghub
Hunting Cobalt Strike Infra
The Shodan filter product:"Cobalt Strike Beacon" is great, but it is not capturing all Cobalt Strike C2s, and one of them is the CS geacon_pro profile with the foren.zik certificate.
So you can try below searches
Shodan ssl:foren.zik
Sometimes these ransomware Cobalt Strike gangs really crack me up like WTF? 😂🤦
18.217.142[.]56
Running cracked Cobalt Strike 4.0 on AWS with TS password as maga 😂🤦
@malwrhunterteam
Hunting Havoc C2 infra 🎯
If you are interested in hunting C2s, I recommend reading the GitHub source code because all the info is usually there.
Havoc generates a number of certificates you should look for: ACME, Partners, Tech, Cloud, Synergy, Test, Debug + prefixes
Recently
@josh_penny
and
@TLP_R3D
showed a few awesome examples of how to pivot SSH with Shodan to uncover Threat Actors infra and connect some dots 🕵️♂️
I will show you how you can do SSH pivoting with Censys and Havoc C2 as an example🤘
The goal is to uncover threat actors'
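SSH host-key pivoting, as an added example (not the thread's own code or the Censys/Shodan query the author used): compute the host-key fingerprint from ssh-keyscan style records, cluster hosts that present the same key, and pivot from one known-bad host to the others. The key blobs and IPs are constructed in the block; the Censys field name in the usage note is given from memory and should be checked against the current schema.

```python
"""Pivot on SSH host-key fingerprints across scanner records (added example)."""
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def _fake_key(ktype: bytes, seed: bytes) -> str:
    """Wire-format public key blob with made-up key material (constructed data,
    not a real key: a real ssh-rsa blob carries e and n, not 32 raw bytes)."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()


KEY_A = _fake_key(b"ssh-ed25519", b"operator-image-A")
KEY_B = _fake_key(b"ssh-ed25519", b"unrelated-B")
KEY_C = _fake_key(b"ssh-rsa", b"unrelated-C")

# Same shape as `ssh-keyscan` output: "<host> <key-type> <base64 blob>".
# Three hosts share KEY_A, i.e. the same image/operator deployed them.
SCAN_LINES = [
    f"198.51.100.10 ssh-ed25519 {KEY_A}",
    f"198.51.100.11 ssh-ed25519 {KEY_A}",
    f"203.0.113.5 ssh-ed25519 {KEY_A}",
    f"203.0.113.6 ssh-ed25519 {KEY_B}",
    f"192.0.2.9 ssh-rsa {KEY_C}",
]


def fingerprint_sha256(blob_b64: str) -> str:
    """OpenSSH display form, as printed by `ssh-keygen -lf`:
    SHA256:<base64 of the digest, padding stripped>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_hex(blob_b64: str) -> str:
    """Hex form of the same digest, the shape most scan databases index."""
    return hashlib.sha256(base64.b64decode(blob_b64)).hexdigest()


def key_type_from_blob(blob_b64: str) -> str:
    """The blob starts with a length-prefixed key-type string; read it back
    so a record whose declared type does not match the blob is caught."""
    blob = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def cluster(lines: List[str]) -> Dict[str, List[str]]:
    """Group hosts by host-key fingerprint."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        host, ktype, blob = line.split()
        if key_type_from_blob(blob) != ktype:
            raise ValueError(f"key type mismatch for {host}")
        groups[fingerprint_sha256(blob)].append(host)
    return dict(groups)


def pivot(lines: List[str], seed_host: str) -> Tuple[Optional[str], List[str]]:
    """From one known host, return its fingerprint and every other host
    presenting the same key."""
    for fp, hosts in cluster(lines).items():
        if seed_host in hosts:
            return fp, [h for h in hosts if h != seed_host]
    return None, []


if __name__ == "__main__":
    fp, related = pivot(SCAN_LINES, "198.51.100.10")
    print(fp, "->", related)
    for line in SCAN_LINES[:1]:
        print("hex for scan-db lookup:", fingerprint_hex(line.split()[2]))
```

The hex digest is what you would paste into a Censys query (field name as I recall it, verify before use: services.ssh.server_host_key.fingerprint_sha256) to find the rest of the cluster at internet scale. Caveat a practitioner should keep in mind: a shared host key can also mean a cloned cloud image or a hosting provider's template, so a key cluster is a hypothesis to confirm with a second pivot (certificate, JARM, HTTP response), not attribution by itself.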
I have updated my blog on how to look for the lesser-known adversary C2s Viper and ARL, and the well-known Red Team tool Night Hawk C2
Hunting C2/Malicious infra 🎯
Cobalt Strike, MSF, Covenant, Deimos, Posh C2
BRC4, Mythic, Sliver, Evilgnix, Gophish, IcedID
New additions to my books collection
No Shortcuts - Why States Struggle to Develop a Military Cyber Force.
Offensive Cyber Operations.
The Lazarus Heist.
Tracers in the Dark.
The Ransomware Hunting Team.
If it is Smart it's Vulnerable.
We have finished our investigation into last week's Mandiant X account takeover and determined it was likely a brute force password attack, limited to this single account.
Hunting Deimos C2 🎯
Threat Actors sometimes disable admin panels for a bit of opsec; for example, you can disable the obvious Deimos admin panel running on 7443 🤷♂️
However, you can still find Deimos C2 with a disabled admin panel 🤘
Just a few examples below and some hunting logic
Hunting Sliver C2 infra 🎯
Threat Actors, when deploying Sliver C2, sometimes change the default port from 31337 to other ones, for example 3000, 3306, 8089, and so on, so scanning only 31337 is not always enough.
Censys filter below is checking Sliver default certificates also in
Hunting C2 redirections 🎯
Just with a few clicks, you can catch all of them nicely 🤝
Threat Actor infra⚡️
/weatherth.com [Namecheap registered, fresh one, 7 days old]
/www.weatherjps.com
119.42.149.2
119.42.149.3
119.42.149.4
119.42.149.5
119.42.149.6
All of them are
Quick tip on how to use
@Shodan
to hunt for Sliver C2
ssl.jarm:3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910 "HTTP/1.1 404 Not Found" "Cache-Control: no-store, no-cache, must-revalidate" "Content-Length: 0"
Example
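The hunt logic from the Sliver, Havoc and open-directory posts above, written out as an added example (not the author's filters and not the Shodan/Censys queries themselves): a small rule engine run over scanner-style host records. The Sliver JARM and the 404 response headers are the values quoted in the thread; the host records, IPs, and the placeholder JARMs for the non-Sliver hosts are constructed. The point the records illustrate is the one the posts make: a Sliver server on a non-default port still matches on the response fingerprint, while a host that merely shares the JARM (any server on the same Go TLS stack can) does not.

```python
"""Rule-based C2 hunting over scanner-style host records (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values quoted in the thread above.
SLIVER_JARM = "3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910"
SLIVER_404 = ("HTTP/1.1 404 Not Found\r\n"
              "Cache-Control: no-store, no-cache, must-revalidate\r\n"
              "Content-Length: 0\r\n\r\n")
HAVOC_ORGS = ("ACME", "Partners", "Tech", "Cloud", "Synergy", "Test", "Debug")

# Constructed records shaped loosely like Shodan/Censys output. "0" * 62 is a
# placeholder JARM for the example, not a fingerprint of anything real.
HOSTS = [
    {"ip": "192.0.2.10", "port": 31337, "jarm": SLIVER_JARM, "http": SLIVER_404, "tls_org": ""},
    {"ip": "192.0.2.11", "port": 8089, "jarm": SLIVER_JARM, "http": SLIVER_404, "tls_org": ""},
    {"ip": "192.0.2.12", "port": 443, "jarm": SLIVER_JARM,   # same Go TLS stack, not Sliver
     "http": "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n"
             "Content-Length: 19\r\n\r\n404 page not found\n", "tls_org": ""},
    {"ip": "192.0.2.13", "port": 443, "jarm": "0" * 62,
     "http": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
     "tls_org": "Synergy"},                                   # Havoc-style cert org
    {"ip": "192.0.2.14", "port": 8000, "jarm": "",
     "http": "HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/3.11.4\r\n"
             "Content-type: text/html\r\n\r\n<html><head><title>Directory listing for "
             "/msf4/</title></head></html>", "tls_org": ""},
]


def parse_http(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw response into (status line, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def header_fingerprint(raw: str) -> str:
    """Pivot key: hash of the status line plus headers in order. Two servers
    running the same default config produce the same value on any port."""
    status, headers, _ = parse_http(raw)
    material = status + "|" + "|".join(f"{k}={v}" for k, v in headers.items())
    return hashlib.sha256(material.encode()).hexdigest()[:16]


@dataclass
class Rule:
    name: str
    jarm: Optional[str] = None
    status: Optional[str] = None
    headers: Tuple[Tuple[str, str], ...] = ()   # exact (name, value) pairs required
    body_contains: Optional[str] = None
    tls_org_any: Tuple[str, ...] = ()

    def matches(self, host: dict) -> bool:
        status, headers, body = parse_http(host["http"])
        if self.jarm and host["jarm"] != self.jarm:
            return False
        if self.status and status != self.status:
            return False
        for name, value in self.headers:
            if headers.get(name.lower()) != value:
                return False
        if self.body_contains and self.body_contains not in body:
            return False
        if self.tls_org_any and host["tls_org"] not in self.tls_org_any:
            return False
        return True


RULES = [
    Rule("sliver-default-404", jarm=SLIVER_JARM, status="HTTP/1.1 404 Not Found",
         headers=(("Cache-Control", "no-store, no-cache, must-revalidate"),
                  ("Content-Length", "0"))),
    Rule("havoc-default-cert-org", tls_org_any=HAVOC_ORGS),
    Rule("python-opendir-msf4", body_contains="Directory listing for /msf4"),
]


def hunt(hosts: List[dict], rules: List[Rule]) -> Dict[str, List[str]]:
    """Return rule name -> list of ip:port that satisfy every condition."""
    hits: Dict[str, List[str]] = {r.name: [] for r in rules}
    for host in hosts:
        for rule in rules:
            if rule.matches(host):
                hits[rule.name].append(f'{host["ip"]}:{host["port"]}')
    return hits


if __name__ == "__main__":
    for name, where in hunt(HOSTS, RULES).items():
        print(f"{name}: {where}")
    print("sliver 404 fingerprint:", header_fingerprint(SLIVER_404))
```

Rules are deliberately port-agnostic: the port is reported, never matched on, which is what catches Sliver on 8089 or Deimos/Mythic with the 7443 panel turned off. The header fingerprint is the offline equivalent of pivoting on the HTTP response hash the thread combines with JARM.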
APT29/Nobelium🇷🇺 Initial Access Attack Analysis
HTML (EnvyScout) dropper used by Russian APT29/Nobelium in recent campaigns ⚡️
EnvyScout uses a technique known as HTML smuggling to deliver an IMG/ISO file to the targeted systems (data block that can be
Hunting Mythic C2 🎯 when 7443 default port is turned off
Example 🤘
/44.213.147.172
/dental-delta.com
default Mythic port 7443 is turned off but threat actors still need to learn (or maybe not?) a bit about opsec xD
My hunting filter in Shodan
HTTP/1.1 404 Not Found Server:
Threat Actors from China 👀
114.116.55.107:8900
Bit of everything from Cobalt Strike C2, Xray, Jindi Exploits, Struts scan, Burp, some other stuff, and obviously Stowaway.
Hunting Responder and pivoting with certificates🎯
Starting point 👇
Responder running on -> 167.172.44.218
Pivoting on certs ⚡️
services.tls.certificates.leaf_data.issuer_dn="CN=PenTeraCA"
Threat Actor/Red Team infra running Pentera Red Team tools and Responder🔥
Sliver C2 infra in one tweet 😆
263 IPs; most of them run Sliver on 31337, but there are also quite a lot of unusual ones.
There is also overlap with Cobalt Strike, Mythic, Deimos, and so on, as TAs run multiple C2s on the same servers 🤷♂️
1.13.174.161
3.8.115.155
3.128.135.199
In February, we'll release modules/lessons on👇
A comprehensive guide about tracking Sliver C2 🔥
Hunting Cobalt Strike redirectors ⚡️ (APT29 style)
Using the Diamond Model of Intrusion Analysis 💎
Hunting APT38 and APT43 part 2 🇰🇵
Magecart 🧙♂️
Tips for open directories 🕵️
and
I have scanned (again) malicious infrastructure and I was able to find out (again) an open directory with a bunch of interesting files (malicious DLLs and Sliver implants)
I picked up one DLL and tried to understand how it connects back to the C2.
🇰🇵Lazarus (APT38) is active again, this time impersonating
@NGC_Ventures
and one of its employees.
Peonie Elis is a fake profile (the person in this picture is Wei Hao, Partner from Sky9Capital).
@Intel_Ops_io
has noticed this behavior for a while. Lazarus typically starts by
I just had a nice conversation with the Threat Actor😅
Anyway, guys please don't fall into such lame social engineering traps.
Threat Actor TTPs 👇
Social Engineering via X
Impersonation of Calendly
calendsly[.]cc
Arranging meetings or granting access
Threat actors be like ...
"Yo, let’s hide our Cobalt Strike C2 behind Cloudflare and register a domain that looks like Cloudflare ..."
No one will ever find us😌
/cioudfiear.com😅
/18.222.126.236
Next week, we're excited to add several new modules/lessons, bringing our March total to around 37 lessons.
Want to access this training for free?
Simply repost, like, and share in the comments how this training could benefit your career or day-to-day
Hunting Muddy Water 🇮🇷 with
@ValidinLLC
DNS records host mshta.exe/command line queries in TXT records🎯
@Intel_Ops_io
Come and join and we will teach you how to hunt adversaries!
/mason.burton.onionmail.org and linked Muddy Water domains
#RedTeamTips
when choosing your password for the Cobalt Strike Team Server, make sure to also include special characters to make the password uncrackable
for example, this is a very good password! 👌
ABC
@123123
@#
MuddyWater confirmed:
1f0b9aed4b2c8d958a9b396852a62c9d
a.storyblok[.]com/f/259791/x/94f59e378f/questionnaire.zip
This time it is SimpleHelp
065f0871b6025b8e61f35a188bca1d5c
146.70.149[.]61:8008
@KseProso
@Israel_Cyber
Let's continue with Brute Ratel C4 Hunting 🎯
Last time we started from VT/hash attributed to badger implant, we grabbed one JARM from BRc4 C2 51.77.112.254 and combined with the HTTP Response hash.
Today we will pivot from another Brute Ratel C4 JARM and we will find more
I had a look at Conti Ransomware Group Cobalt Strike C2 Infrastructure and analyzed the beacons.
Short summary:
All Cobalt Strike servers C2 were exposed to the internet.
🇰🇵Lazarus/APT38 impersonating/targeting RyzeLabs (Blockchain company).
/meet.ryzelabs.net
/ryzelabs.net
/104.168.165.173
TTPs/How it works.
The threat actor creates impersonated subdomains and then sets up fake LinkedIn employer profiles. They use these profiles to carry out
Interesting how TA is switching from Cobalt Strike to Sliver
In 2021 Cobalt Strike and now in 2022 Sliver C2
23.224.135.138
23.224.135.139
23.224.135.140
23.224.135.141
23.224.135.142
Here’s a classic example of a Cobalt Strike redirector🎯
🍫amazonchocolate[.]com
🔐Let's Encrypt
The threat actor purchased an old, 14-year-old expired/categorized domain to bypass proxy filters and redirected🔁the traffic to the legitimate Amazon[.]com site.
However, the
Update on Adversary Infrastructure Hunting Course.
We've finished the first phase of our course content, covering 28 modules on tracking APTs, criminal groups, and C2 frameworks. The feedback from our students has been positive and helpful. Our students come from a wide range of