Intrusions and Malware - Case studies
This topic would deserve a full encyclopedia and is close to impossible to maintain. Just a few examples are listed below, selected mainly for the clarity of their description.
Almost every article listed below includes IoCs (indicators of compromise) and TTPs (tactics, techniques and procedures, described in terms of MITRE ATT&CK).
Also look at the "Automated Attacks" section in the Defense - Resources page of this website (WannaCry, Petya).
Ransomware
- The five-day job: A BlackByte ransomware intrusion case study. "We found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization" (Microsoft).
- Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
- Clop. We take a closer look at the operations of Clop, a prolific ransomware family that has gained notoriety for its high-profile attacks. We review this ransomware group’s constantly changing schemes and infection chains.
- IcedID Macro Ends in Nokoyawa Ransomware. An incident from Q4 2022 in which threat actors targeted Italian organizations with Excel maldocs that deploy IcedID.
- REvil/Sodinokibi Ransomware. The REvil (also known as Sodinokibi) ransomware was first identified on April 17, 2019. It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. The REvil group was itself hacked and forced offline by a multi-country operation (see Governments turn tables on ransomware gang REvil by pushing it offline).
Exfiltration
- Public Opinion Survey Results: You’re Pwned. I observed an intrusion that originated from the direct distribution of a Cobalt Strike beacon via phishing email. Although I have seen phishing campaigns delivering Cobalt Strike directly in the past, they are generally not as common. This short blog will highlight the hands-on-keyboard activity of the threat actors five hours after the initial infection.
- A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion. This post explores some of the TTPs employed by a threat actor who was observed deploying ShadowPad during an incident response engagement. ShadowPad is a modular remote access trojan (RAT) which is thought to be used almost exclusively by China-based threat actors.
- A Truly Graceful Wipe Out. In this intrusion, dated May 2023, we observed Truebot, exfiltration of data and the deployment of the MBR Killer wiper. The threat actors deployed the wiper within 29 hours of initial access.
Command and Control (C&C)
- Joint report on publicly available hacking tools. Research provided by the cyber security authorities of five nations: Australia, Canada, New Zealand, the UK and the USA (the so-called "Five Eyes"). It mentions HTRAN, "a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location" (HTRAN sources on GitHub).
Initial Access: Backdoor or Vulnerability?
- CVE-2021-44529. A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions. "Why is this added to the code? Is it a left-over from testing or, more likely, a backdoor to get access to the appliances? I do know the answer...". If it is a backdoor, its usage would correspond to "Supply Chain Compromise" in MITRE ATT&CK; if it is a vulnerability, its usage would instead correspond to "Exploit Public-Facing Application". The author of that analysis seems to believe it is a backdoor. Very interesting from a technical point of view (PHP commands encoded in cookie values).
Botnets
- Keeping Up with the Emotets: Tracking a Multi-Infrastructure Botnet. Emotet is arguably one of the most notorious advanced persistent threats. Fantastic analysis.
- Understanding the Mirai Botnet. The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. Still an active menace in 2023: Mirai botnet loves exploiting your unpatched TP-Link routers, CISA warns.
- Analysis of a Botnet Takeover. A fascinating in-depth description of a botnet takeover: for 10 days, a group of researchers managed to take control of Torpig, one of the early large-scale botnets.
- Top Zeus Botnet Suspect “Tank” Arrested in Geneva. The "author note" at the end is quite interesting from an economic point of view: it makes evident why ransomware is a much more attractive business model for criminals than bot rentals and the like.
- Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns. Just one of the many botnets still out there.
- FBI-led Operation Duck Hunt shoots down Qakbot. In August 2023, an operation led by the FBI and involving six other countries dismantled Qakbot, a botnet and malware loader responsible for more than $8.6 million in losses (more than 700,000 infected computers worldwide).
- Deobfuscating Emotet v4 Downloader. This is a tutorial on the usage of CyberChef as a support tool for infosec analyses. The "medium" example illustrates in detail the deobfuscation of a PowerShell command hidden within a Microsoft Word macro. The corresponding Microsoft Word document was sent as an email attachment in Emotet campaigns.
Clickjacking
A very lucrative usage of botnets is clickjacking, i.e., fraudulent clicks by bots on ads published by criminals. At 10 cents per click, it is easy to imagine the amount of money involved in this kind of fraud. Botnets specialized in this activity are thus particularly sophisticated.
- How 3ve’s BGP hijackers eluded the Internet—and made $29M. Perhaps the most sophisticated botnet ever developed.
- The Hunt for 3ve: Taking down a major ad fraud operation through industry collaboration. The full technical report. Have a look at the infographic on one of the first pages to get an idea of its size.
- The ZeroAccess Auto-Clicking and Search-Hijacking Click Fraud Modules. An older yet very sophisticated and dangerous botnet specialized in clickjacking.
- Operation: Disruption of the ZeroAccess botnet. A short summary by the United Nations Office on Drugs and Crime of the (partly) successful efforts to disrupt the ZeroAccess botnet.