Intelligence Technology and Tradecraft in 2015

With 2015 wrapped up, I wanted to reflect on some of the changes I noticed in the cyber threat intelligence (CTI) field over the course of the year. I originally had (overly) ambitious plans for this post, hoping to offer a sweeping and comprehensive review of threat intelligence. But alas, time has expired: it’s already 2016! Instead, I decided to focus on two aspects of CTI that I’m passionate about: technology and tradecraft.

A Quick Look at A Likely NewPOSThings Sample

Executive Summary

  • Nick Hoffman identified what is likely a new variant of NewPOSThings (MD5: 761d23e1e2f496f1a6a2385808afc6eb).
  • Based on static analysis, the malware likely conducts the same activity observed in earlier NewPOSThings variants wherein it searches for and dumps passwords associated with VNC applications (e.g., RealVNC, UltraVNC). The malware also contains the hard-coded C2 domain flowerstick[.]net.
  • An actor using the alias You Chung and the email address brian45345[at] registered nine domains, including flowerstick[.]net, between August 1 and September 13, 2015. These sites are almost certainly used as C2 nodes for POS and/or other malware. For example, one additional NewPOSThings sample (MD5 b6c1d46e25a43d9ae24c85c38c52d6a4) communicates with chiproses[.]net, which was registered to Chung on August 17.
  • It is assumed that actors using the malware are targeting small- to medium-sized businesses, given the malware’s focus on VNC applications. Small businesses are generally more likely to use remote administration software on their POS terminals so that third parties can manage them.

Below is a Maltego graph showing the identified links between the malware, actor, and infrastructure.

[Maltego graph screenshot, 2015-10-25: links between the malware, actor, and infrastructure]


Write It, Or It Didn’t Happen

BLUF: As intelligence analysts, our customers demand that we know a lot about a lot. However, research from Chris Sanders shows that humans’ working memories are very limited; we can only juggle small volumes of information at once. Even long-term memory can be stressed by the volume of knowledge that analysts must maintain. These cognitive limitations highlight the fundamental importance of capturing knowledge in written reports. If no one writes it down, does the knowledge really exist? Playing on the expression “PCAP, or it didn’t happen,” I offer the expression “write it, or it didn’t happen.”


Using threat_note To Track Campaigns: Returning to PIVY and PlugX Infrastructure

BLUF: I’m starting to find the sweet spot for threat_note in my at-home research workflow. By taking advantage of threat_note’s VirusTotal integration, I was able to discover some new infrastructure associated with the activity I documented in my August 8 post on Poison Ivy.


What Analysts Can Learn From Shadowserver’s “Italian Connection” Report

BLUF: The “Italian Connection” report from The Shadowserver Foundation is exemplary for its adherence to solid analytic tradecraft. The tradecraft is evident in the authors’ writing style, transparent methodologies, and use of structured analytic techniques. As analysts, we can learn from this report by similarly following the analytic standards that it demonstrates.


Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign

Key Points & Assessment:

  • Japan CERT identified a new Poison Ivy RAT variant (SHA1 44073031790e5ba419374dc55f6ac1cba688b06c) with updated C2 functionality.
  • The malware was created in September 2014 and uploaded to VirusTotal in January 2015. It uses the dynamic-DNS-provided C2 getstrings[.]jumpingcrab[.]com. This domain has resolved to at least three IP addresses.
  • I identified several decoy documents (see Maltego graph) that deliver the PlugX malware and call out to one of two of the IP addresses mentioned above. These documents were reportedly used in a campaign identified by SOPHOS that spanned from September 2014 to February 2015. India was one target of the campaign.
  • Given the infrastructure and timing overlaps, the Poison Ivy sample discussed in this post was likely just one payload involved in a broader campaign targeting India, the Tibetan community, and others, that spanned from approximately September 2014 to February 2015.
  • The Poison Ivy sample in this case thus appears to be tied to attacks by one or more adversaries acting on behalf of Chinese interests.
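Both the NewPOSThings and the Poison Ivy write-ups above reduce, for a defender, to a handful of network indicators: the hard-coded C2 domains flowerstick[.]net and chiproses[.]net, and the dynamic-DNS C2 getstrings[.]jumpingcrab[.]com. The script below is an added example, not code from this blog or from any of the cited reports. It refangs indicators written in the page’s defanged style and runs them against a few BIND-style DNS query log lines; the log format, the log lines and the client IP addresses are all constructed for the demonstration. Matching is done per DNS label, so subdomains of a watched domain are hits while look-alike names and the dynamic-DNS parent jumpingcrab[.]com on its own are not.

```python
"""Refang defanged indicators and match them against DNS query logs.

Added example: the indicators come from the two posts above; the log format,
log lines and client addresses are constructed for the demonstration.
"""
import re
from typing import Dict, Iterable, List, Optional

# Defanged C2 domains exactly as written in the NewPOSThings and Poison Ivy posts.
DEFANGED_IOCS = [
    "flowerstick[.]net",               # NewPOSThings hard-coded C2
    "chiproses[.]net",                 # second NewPOSThings sample's C2
    "getstrings[.]jumpingcrab[.]com",  # Poison Ivy dynamic-DNS C2
]


def refang(indicator: str) -> str:
    """Undo common defanging: 'a[.]b' -> 'a.b', 'x[at]y' -> 'x@y', 'hxxp' -> 'http'."""
    s = indicator.strip().lower()
    for defanged, plain in (("[.]", "."), ("(.)", "."), ("[dot]", "."),
                            ("[at]", "@"), ("(at)", "@")):
        s = s.replace(defanged, plain)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def defang(indicator: str) -> str:
    """Re-defang a domain for safe inclusion in a report."""
    return indicator.replace(".", "[.]")


class DomainMatcher:
    """Match queried names against watched domains and their subdomains.

    Matching is per DNS label, so 'notflowerstick.net' is not a hit for
    'flowerstick.net', and the dynamic-DNS parent 'jumpingcrab.com' is not a
    hit on its own: only the full C2 name, or names beneath it, match.
    """

    def __init__(self, defanged: Iterable[str]) -> None:
        self.watched = {refang(d).rstrip(".") for d in defanged}

    def match(self, qname: str) -> Optional[str]:
        labels = qname.strip().lower().rstrip(".").split(".")
        # Walk from the full name up through its parents; first watched hit wins.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.watched:
                return candidate
        return None


# Constructed BIND-style query log line, e.g.
# "25-Oct-2015 15:00:03.447 client 10.10.4.21#51023: query: flowerstick.net IN A + (10.10.0.2)"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def scan_dns_log(lines: Iterable[str], matcher: DomainMatcher) -> List[Dict[str, str]]:
    """Return one record per log line whose query name matches a watched domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query line in the expected format; skip, don't crash
        ioc = matcher.match(m["qname"])
        if ioc is not None:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "qname": m["qname"], "ioc": defang(ioc)})
    return hits


# Constructed sample log: two exact hits, one subdomain hit, and two near-misses.
SAMPLE_LOG = """\
25-Oct-2015 14:59:58.101 client 10.10.4.21#51022: query: www.example.com IN A + (10.10.0.2)
25-Oct-2015 15:00:03.447 client 10.10.4.21#51023: query: flowerstick.net IN A + (10.10.0.2)
25-Oct-2015 15:00:09.120 client 10.10.4.37#60411: query: jumpingcrab.com IN A + (10.10.0.2)
25-Oct-2015 15:00:11.903 client 10.10.4.37#60412: query: GetStrings.jumpingcrab.com. IN A + (10.10.0.2)
25-Oct-2015 15:00:20.004 client 10.10.4.50#49821: query: notflowerstick.net IN A + (10.10.0.2)
25-Oct-2015 15:00:25.771 client 10.10.4.50#49822: query: cdn.chiproses.net IN AAAA + (10.10.0.2)
""".splitlines()


def main() -> List[Dict[str, str]]:
    matcher = DomainMatcher(DEFANGED_IOCS)
    hits = scan_dns_log(SAMPLE_LOG, matcher)
    for h in hits:
        print(f"{h['ts']} {h['src']} asked for {h['qname']} -> matches {h['ioc']}")
    return hits


if __name__ == "__main__":
    main()
```

Run as a script it prints the three hits with the querying client. In practice the watched set would come from an IOC store such as threat_note rather than a literal list, and the log regex would be adapted to whatever resolver or passive-DNS format the environment actually produces; the label-walking matcher is the part worth keeping, since naive substring matching would both miss subdomains and false-positive on names like notflowerstick.net.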


It’s a Great Week for Threat Intel Reporting

The week hasn’t even come to a close, and a flood of highly interesting reporting has already been released. Some of this reporting may be relevant to your organization and its information needs. Here are the reports I’ve come across:

Any one of these reports could take a while to process as analysts work to answer several important questions: Is this threat relevant to my organization? If so, how do I action the information in this report? What detection logic can my teams develop for this threat?

With so much great reporting coming out, prioritizing analytic resources to exploit the information becomes really important (especially in smaller shops).

I’ve personally managed to tackle a couple of these, but it looks like I’ve got a great reading list for the weekend : )