Threats

Review Current Cyber Threats & Learn How To Protect Computers, Servers & Cloud Workloads. Threat intelligence and news reporting on the latest cyber adversaries and their tools. Prevent Cyber Attacks. The latest malware and APT information.

Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine

Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new...

New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452

Executive Summary In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository. SUNSHUTTLE is a second-stage backdoor written in GoLang that...

Using Speakeasy Emulation Framework Programmatically to Unpack Malware

Andrew Davis recently announced the public release of his new Windows emulation framework named Speakeasy. While the introductory blog post focused on using Speakeasy as an automated malware sandbox...

Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities

Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web...

Release the Kraken: Fileless injection into Windows Error Reporting service

We discovered a new attack that injected its payload—dubbed "Kraken"—into the Windows Error Reporting (WER) service as a defense evasion mechanism. This blog post was authored by Hossein Jazi...

Fuzzing Image Parsing in Windows, Part One: Color Profiles

Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code...

Microsoft looks to expose espionage groups targeting U.S. politics and NGOs

Written by Sean Lyngaas Foreign espionage groups, including those bent on undermining the U.S. political process, have targeted non-government organizations and think tanks more than any other sector in a bid to gather intelligence,...

FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques...

Training Transformers for Cyber Security Tasks: A Case Study on Malicious URL Prediction

Highlights: perform a case study on using Transformer models to solve cyber security problems; train a Transformer model to detect malicious URLs under multiple training regimes; compare our model...

Cleaning up after Emotet: the law enforcement file

Following global law enforcement action to take over the Emotet botnet, a special update is being sent to clean up infected machines. This blog post was authored by Hasherezade...