Doing Intelligence Right!
TL;DR — Insight and recommendations (Necurs & Op: GhostSecret) on threats in a small form factor (no one reads long posts anymore)

Origin
Knowing the methods, sophistication and modus operandi of cybercriminals is fascinating, especially when we can take action to detect and deny these threats. This is the first instalment in an ongoing series of short assessments (under a 5-minute read) intended to help you assess your own risk and be better equipped against cybercriminals.
The Felonious Actors
Each instalment focuses on cybercriminals whose activity is new, interesting or unique. This month I'm covering two primary cybercriminal operations (short and sweet).
- Necurs botnet — uses internet shortcut (“.URL”) files to bypass detection.
- Operation GhostSecret — proliferates malicious implants, tools and malware to persist in victim networks.

Distinguishing Threats
Information on its own may be of utility to the commander, but when related to other information about the operational environment and considered in the light of past experience, it gives rise to a new understanding of the information, which may be termed intelligence
There is real value in identifying adversary tactics, techniques and procedures (TTPs). TTPs describe the threat actor's intentions, actions and behaviours, which in turn lets security teams deploy better-targeted defences.
- The Necurs botnet, and the malware it distributes, loosely maps to the “Scripting” technique (the .URL internet shortcut is an INI-style file, and that file type is not defined as its own technique in MITRE ATT&CK). The technique is effective because it targets the user's trust rather than a technical control: the shortcut looks harmless, so the victim opens it.
- Operation GhostSecret leverages the “Remote Access Tool” technique for persistence, collection and exfiltration. It is effective wherever victims lack adequate host-based defences.
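As an added example (not part of the original post, and not a Necurs sample), here is a small triage script for the .URL format discussed above. A Windows Internet Shortcut is an INI-style file with an [InternetShortcut] section and a URL= key; the script parses that and flags shortcuts whose target is a file:// or UNC path (a remote share) or whose target path ends in a script or executable extension. The three shortcut files embedded below are constructed for illustration, and the extension list is my own assumption about what a mail gateway should treat as a payload.

```python
import configparser
import posixpath
from urllib.parse import urlparse

# Constructed sample .URL files (Windows "Internet Shortcut" INI format). Illustrative only.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

FILE_SCHEME_URL_FILE = r"""[InternetShortcut]
URL=file://198.51.100.23/share/invoice.wsf
IconFile=C:\Windows\System32\shell32.dll
IconIndex=3
"""

UNC_URL_FILE = r"""[InternetShortcut]
URL=\\198.51.100.23\share\invoice.wsf
IconIndex=3
"""

# Assumed list of extensions that indicate a script or executable payload (adjust to taste).
PAYLOAD_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta",
                      ".ps1", ".bat", ".cmd", ".exe", ".scr", ".lnk"}


def parse_url_shortcut(text):
    """Return the URL= target of a .URL file, or None if the file is malformed or has no target."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_url_shortcut(text):
    """Return a list of reasons the shortcut is suspicious; an empty list means nothing was flagged."""
    target = parse_url_shortcut(text)
    if target is None:
        return ["no-url-target"]
    reasons = []
    # Normalise backslashes so UNC paths (\\host\share\file) parse like URLs (//host/share/file).
    normalized = target.replace("\\", "/")
    parsed = urlparse(normalized)
    # A shortcut that points at a file share pulls its content over SMB, not HTTP.
    if parsed.scheme.lower() == "file" or normalized.startswith("//"):
        reasons.append("remote-file-target")
    # Flag targets whose path ends in a script/executable extension, whatever the scheme.
    path = parsed.path if parsed.scheme else normalized
    if posixpath.splitext(path)[1].lower() in PAYLOAD_EXTENSIONS:
        reasons.append("script-payload")
    return reasons


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("file-scheme", FILE_SCHEME_URL_FILE), ("unc", UNC_URL_FILE)):
        print(name, "->", parse_url_shortcut(sample), assess_url_shortcut(sample) or "clean")
```

Run it over attachments extracted at the mail gateway or over a quarantine directory; anything returning `remote-file-target` is a shortcut that will make the workstation talk SMB to an outside host the moment it is opened.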
Victimology
Necurs's current targets appear to be targets of opportunity with no distinct targeting profile. Operation GhostSecret's modus operandi is to target critical infrastructure, entertainment, finance, healthcare and telecommunications. Collective intelligence suggests that embedded, sustained data exfiltration is the current focus for these cybercriminals.
Actionable Intelligence
Most, if not all, intelligence reporting provides information to support decisions. Here is the differentiator: I have operated on both red and blue teams, and these bite-sized recommendations will help you combat these cybercriminals.
Necurs is changing it up!:
- Track or block outgoing Server Message Block (SMB) connections (TCP 445 and 139) from internal hosts to external services. A workstation has no business speaking SMB to the internet, and this is the path the .URL shortcut uses to fetch its payload.
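To show what "track outgoing SMB" looks like in practice, here is an added example (mine, not part of the original post) that runs a detection over constructed connection-log lines. It treats RFC 1918 space as internal (adjust INTERNAL_NETS to your own address plan) and raises an alert for every TCP flow from an internal source to port 445 or 139 on anything else, then counts source/destination pairs so a host that keeps retrying the same external share stands out. The log lines are made up for the example, not real telemetry.

```python
import ipaddress
from collections import Counter

SMB_PORTS = {445, 139}

# Assumption: the organisation's internal address space is RFC 1918. Edit for your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log: "<timestamp> <src> <dst> <proto> <dport>". Not real data.
SAMPLE_FLOWS = """\
2018-04-20T09:12:01Z 10.20.30.41 10.20.30.5 tcp 445
2018-04-20T09:12:07Z 10.20.30.41 198.51.100.23 tcp 445
2018-04-20T09:12:09Z 10.20.30.52 203.0.113.9 tcp 443
2018-04-20T09:13:15Z 10.20.30.41 198.51.100.23 tcp 445
2018-04-20T09:14:02Z 10.20.30.77 192.0.2.200 tcp 139
2018-04-20T09:15:44Z 10.20.30.77 10.20.30.5 tcp 139
"""


def is_external(ip):
    """True if the address is outside every configured internal range."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(), "dport": int(dport)}


def find_external_smb(log_text):
    """Return every flow where an internal host talks to an SMB port on an external host."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if (flow["proto"] == "tcp" and flow["dport"] in SMB_PORTS
                and not is_external(flow["src"]) and is_external(flow["dst"])):
            alerts.append(flow)
    return alerts


def summarize(alerts):
    """Count (src, dst, dport) triples so repeated attempts to the same external share stand out."""
    return Counter((str(a["src"]), str(a["dst"]), a["dport"]) for a in alerts)


if __name__ == "__main__":
    hits = find_external_smb(SAMPLE_FLOWS)
    for (src, dst, port), n in summarize(hits).most_common():
        print(f"{src} -> {dst}:{port}  ({n} flow(s))")
```

The same rule belongs on the egress firewall as a deny for TCP 445/139 outbound; the log-side check is what tells you which host was tricked into trying, which is the part an intelligence team actually wants.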
The Secret Ghost:
- Threat intelligence (TI) teams: create JA3 TLS fingerprints for the identified GhostSecret infrastructure (sample hashes for dynamic analysis are provided by Trend Micro, Malwarebytes and malware-traffic-analysis.net).
- The same TI team then monitors internal and external network segments for those JA3 fingerprints.
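Because the recommendation hinges on JA3, here is an added example (my code, not part of the original post and not a GhostSecret capture) of how a JA3 fingerprint is actually derived: parse the ClientHello out of a TLS record, take the ClientHello version, cipher suites, extension types, supported groups and EC point formats as decimal lists (GREASE values removed), join them as JA3 specifies, and MD5 the result. The ClientHello below is constructed inside the script so that the example runs offline; the MD5 it yields is therefore only an example value, not a signature to deploy.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so they do not churn the fingerprint.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def ja3_from_record(record):
    """Return (ja3_string, ja3_md5) for a raw TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + body[pos]                           # skip session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [c for c in struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    extensions, groups, formats = [], [], []
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            extensions.append(etype)
            if etype == 0x000a:                    # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                groups = [g for g in struct.unpack("!%dH" % (n // 2), data[2:2 + n]) if g not in GREASE]
            elif etype == 0x000b:                  # ec_point_formats
                formats = list(data[1:1 + data[0]])
    ja3 = ",".join([str(version),
                    "-".join(map(str, ciphers)),
                    "-".join(map(str, extensions)),
                    "-".join(map(str, groups)),
                    "-".join(map(str, formats))])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(ciphers, extensions):
    """Wrap a ClientHello in a TLS record. Constructed for the example, not a real client capture."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"          # version, zero random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                              # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sample_record():
    """A made-up but well-formed ClientHello with one GREASE cipher and one GREASE extension."""
    sni = b"example.com"
    server_name = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    group_ids = [0x2a2a, 0x001d, 0x0017, 0x0018]                     # GREASE, x25519, secp256r1, secp384r1
    supported_groups = struct.pack("!H", 2 * len(group_ids)) + b"".join(struct.pack("!H", g) for g in group_ids)
    ec_point_formats = b"\x01\x00"                                   # one format: uncompressed
    sig_algs = struct.pack("!H", 4) + b"\x04\x03\x08\x04"
    return build_client_hello(
        [0x2a2a, 0x1301, 0x1302, 0xc02b, 0xc02f],
        [(0x2a2a, b""), (0x0000, server_name), (0x000a, supported_groups),
         (0x000b, ec_point_formats), (0x000d, sig_algs)],
    )


if __name__ == "__main__":
    ja3, digest = ja3_from_record(sample_record())
    print(ja3)
    print(digest)
```

The MD5 is the value that goes into the watchlist; the readable string beside it is what you keep in the analyst notes so that a future fingerprint change (one cipher dropped, one extension added) can be explained rather than just noticed. Because JA3 hashes the client's offer and not the certificate, it works on the encrypted traffic the implant actually sends, which is why it suits GhostSecret-style beaconing.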

Life
- 17+ years attacking and defending networks
- Distinctive, reliable, trustworthy and honest.
Contact
If you have further questions about tools, techniques, processes or collected intelligence, please contact me @grotezinfosec.