TekDefense PCAP Challenge Write-Up

Earlier this week TekDefense posted a cool network challenge. The instructions were basic: investigate an IDS alert by analyzing the provided PCAP, determine what happened, and share the findings.

I’ve done a couple of PCAP exercises from Brad Duncan here and here. Those analyses were related to incidents dealing with exploit kits so I thought this challenge would be a fun opportunity to practice analyzing other kinds of threats.

Overall, I feel confident with the high-level findings. But I struggled to piece together some (probably key) details, even after a lot of research. Also, I didn’t author any Yara or Snort rules. (This was a second part of TekDefense’s challenge; I ended up grabbing a Yara rule from an Akamai report.)

Any feedback or tips are welcome : )

So here’s my write-up!


Intelligence Technology and Tradecraft in 2015

With 2015 wrapped up, I wanted to reflect on some of the changes I noticed in the cyber threat intelligence (CTI) field over the course of the year. I originally had (overly) ambitious plans for this post, hoping to offer a sweeping and comprehensive review on threat intelligence. But alas. Time has expired–it’s already 2016! Instead, I decided to focus on two aspects of CTI that I’m passionate about: technology and tradecraft.

A Quick Look at A Likely NewPOSThings Sample

Executive Summary

  • Nick Hoffman identified what is likely a new variant of NewPOSThings (MD5: 761d23e1e2f496f1a6a2385808afc6eb).
  • Based on static analysis, the malware likely conducts the same activity observed in earlier NewPOSThings variants wherein it searches for and dumps passwords associated with VNC applications (e.g., RealVNC, UltraVNC). The malware also contains the hard-coded C2 domain flowerstick[.]net.
  • An actor using the alias You Chung and email address brian45345[at]safe-mail.net registered nine domains–including flowerstick[.]net–between August 1 and September 13, 2015. These sites are almost certainly used as C2 nodes for POS and/or other malware. For example, one additional NewPOSThings sample (MD5 b6c1d46e25a43d9ae24c85c38c52d6a4) communicates to chiproses[.]net, which was registered to Chung on August 17.
  • It is assumed that actors using the malware are targeting small- to medium-sized businesses given the malware’s focus on VNC applications. Small businesses are generally more likely to use remote administration software for their POS terminals so that third parties can manage the terminals.

Below is a Maltego graph showing the identified links between the malware, actor, and infrastructure.

[Figure: Maltego graph of the links between the malware, actor, and infrastructure]


Write It, Or It Didn’t Happen

BLUF: As intelligence analysts, our customers demand that we know a lot about a lot. However, research from Chris Sanders shows that humans’ working memories are very limited; we can only juggle small volumes of information at once. Even long-term memory can be stressed by the volume of knowledge that analysts must maintain. These cognitive limitations highlight the fundamental importance of capturing knowledge in written reports. If no one writes it down, does the knowledge really exist? Playing on the expression “PCAP, or it didn’t happen,” I offer the expression “write it, or it didn’t happen.”


Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign

Key Points & Assessment:

  • Japan CERT identified a new Poison Ivy RAT variant (SHA1 44073031790e5ba419374dc55f6ac1cba688b06c) with updated C2 functionality.
  • The malware was created in September 2014 and uploaded to Virus Total in January 2015. It uses the dynamic DNS-provided C2 getstrings[.]jumpingcrab[.]com. This domain has resolved to at least 3 IP addresses:,, and
  • I identified several decoy documents (see Maltego graph) that deliver the PlugX malware and call out to one of two IP addresses mentioned above. These documents were reportedly used in a campaign identified by Sophos that spanned from September 2014 to February 2015. India was one target of the campaign.
  • Given the infrastructure and timing overlaps, the Poison Ivy sample discussed in this post was likely just one payload involved in a broader campaign targeting India, the Tibetan community, and others, that spanned from approximately September 2014 to February 2015.
  • The Poison Ivy sample in this case thus appears to be tied to attacks by one or more adversaries acting on behalf of Chinese interests.


A Simple Model For Cyber Threat Targeting

BLUF: There are too many threats, and not enough time. Analysts must therefore prioritize their time on threats that are relevant to their organizations — they must be deliberate about targeting, the process of identifying and focusing on the threats that matter. While many analysts intuitively know what are and are not relevant threats, it’s still helpful to have a simple model to guide such targeting and serve as a repeatable and transparent methodology. Models presented in both a Carnegie Mellon report (page 8) and a talk from Rick Holland (slide 23) can be adapted as simple frameworks to aid in Cyber Threat Targeting.


PCAP Analysis Practice

BLUF: I downloaded a PCAP from this exercise provided by @malware_traffic. I’m a Wireshark and PCAP n00b, but wanted to see how far I could get with an analysis I’m not used to doing. I think I did pretty well (I was pleased I was able to get one of the Level 3 questions), but got hung up on identifying the exact infection chain and series of redirects.
