Elastic Security Labs exposes an attempt by the DPRK to infect blockchain engineers with novel macOS malware.

Preamble

Key takeaways

Execution flow

Stage 0 Initial compromise: Watcher.py

Stage 1 droppers testSpeed.py and FinderTools

Stage 2 payload .sld and .log: SUGARLOADER

Obfuscation

Execution

Stage 3 loader Discord: HLOADER

Persistence

Stage 4 Payload: KANDYKORN

Command and control

Command 0xD1

Command 0xD2

Command 0xD3

Command 0xD4

Command 0xD5

Command 0xD6

Command 0xD7

Command 0xD8

Command 0xD9

Command 0xDA

Command 0xDB

Command 0xDC

Command 0xDD

Command 0xDE

Command 0xDF

Command 0xE0

Summary

Network protocol

Network infrastructure

tp-globa[.]xyz

23.254.226[.]90

Campaign intersections

The Diamond Model

[Malware] and MITRE ATT&CK

Tactics

Techniques

Malware prevention capabilities

Malware detection capabilities

Hunting queries

EQL queries

YARA

Observations

References

Elastic catches DPRK passing out KANDYKORN

Watch out! We’ve recently discovered a variant of RUSTBUCKET. Read this article to understand the new capabilities we’ve observed, as well as how to identify it in your own network.

RUSTBUCKET code analysis

Overview

Stage 1

Stage 2

Stage 3

Command ID 0x31

Command ID 0x30

The undetected version of RUSTBUCKET

RUSTBUCKET and REF9135 analysis

Networking infrastructure

Defense evasion

Victimology

Observed adversary tactics and techniques

Diamond model

Detection logic

Prevention

A DPRK campaign using a new variant of the RUSTBUCKET malware is underway with updated capabilities and reduced signature detection.

The DPRK strikes using a new variant of RUSTBUCKET

In this research publication, we'll explore our analysis of the QBOT attack pattern — a full-featured and prolific malware family.

Key Takeaways

Analysis Environment

Execution Chain

Initial Execution

Manually Advancing Execution

Defense Evasion

Privilege Escalation

Network Events

Analyzing Network Events

QBOT Configuration Extractor

Observed Adversary Tactics and Techniques

Techniques / Sub Techniques

Detections

Artifacts

QBOT attack pattern and malware observations

Exploring the QBOT Attack Pattern

Learn about the recent campaign of a Russia-based threat group known as Gamaredon Group.  This post will review these details and provide detection strategies.

Campaign Details

Document metadata analysis

Macro code analysis

Pteranodon update

Detection crafting

Dynamic DNS

Template Injection

Malicious registry configuration

Persistence startup

Conclusion

Indicators of Compromise (IOCs)

Playing defense against Gamaredon Group

The latest organization under the microscope of the LAPSUS$ group is Okta. Threat hunt for the recent breach targeting Okta users using these simple steps in Elastic

The LAPSUS$ group

The latest target: Okta

Threat hunting Okta logs in Elastic

event.module:"okta" AND event.action:"user.mfa.factor.reset_all"

event.module:"okta" AND event.action:"user.account.update_primary_email"

event.module:"okta" AND event.action:"user.account.privilege.grant"

event.module:okta AND (event.action:user.session.impersonation.grant OR event.action:user.session.impersonation.initiate)

Earlier events: Microsoft, Nvidia, Samsung, Ubisoft

Okta and LAPSUS$: What you need to know

Activity group