Blue Team News Weekly – 2023-04-23

General Justin today23 April 2023 108

Background
share close

Blue Team News (BTN) Weekly is a digest of news, articles, intelligence and reports on the latest threats and industry trends that are most relevant to information security defenders, aka the Blue Team. Get links to the most relevant information out there along with an analysis by an actual Blue Team.

BTN is sent every Sunday straight to your inbox, and is also available at roguesecurity.ca.


Hackers abuse Google Command and Control red team tool in attacks - Bleeping Computer

An open source Red Teaming tool is seen being utilised by hacking group, APT41, a Chinese, state-sponsored, group known to target industries in the USA, Asia and Europe.

Google Command and Control (GC2) is written in Go and utilises Google domains and services (Google Sheets and Google Drive) to manage command and control (C2) commands and data exfiltration.

Once connected, GC2 is used to deploy a wide variety of malware and tools on the compromised system to further actions on objectives.

This is another example of threat actors embracing red teaming tools other than Cobalt Strike (e.g. Brute Ratel and Sliver), making it harder for the Blue Team to defend.

Who Else Is Talking About It?



Subscribe

Weekly articles and intelligence for the Blue Team, by the Blue Team

Get Blue Team News (BTN) delivered straight to your inbox every Sunday!


Threat Actors Rapidly Adopt Web3 IPFS Technology - Unit42

InterPlanetary File System (IPFS) is a “Web3” technology that decentralise’s the storage of data across a peer-to-peer network.

Threat actors are taking advantage of this decentralisation to make it much hard to remove malicious content such as hosted malware and phishing websites.

IPFS allows data to be requested via simple HTTP requests, however, making them easier to find in DNS logs.

Unit42 researchers have identified the following malware families being pushed via this method:

– OriginLogger
– XLoader
– XMRig
– Metasploit
– IPStorm
– Dark Utilities

Who Else Is Talking About It?



'AuKill' Malware Hunts & Kills EDR Processes - Dark Reading

AuKill is a custom tool being used by threat actors to bypass endpoint detection and response (EDR) tooling using a Bring Your Own Vulnerable Driver (BYOVD) model.

AuKill takes advantage of a legitimate, but outdated and exploitable, version of a driver used by Microsoft Process Explorer 16.32.

The tool also allows a threat actor to obtain detailed information on running processes, executables, and performance metrics among other details.

Who Else Is Talking About It?



EvilExtractor – All-in-One Stealer - FortiGuard Labs

First seen in October 2022, EvilExtractor is an information stealer, and remote access tool that has been observed being used as a malicious tool to infiltrate target hosts via phishing campaigns.

EvilExtractor features various mechanisms to prevent it from being detected including UAC Bypass, Windows Defender Bypass, and an Anti-VM/Anti-VirusTotal feature.

Once executed, EvilExtractor uses both Python and PowerShell packages that perform various anti-host checks, as well as load additional capabilities.

Who Else Is Talking About It?



Written by: Justin

Tagged as: .

Rate it
Previous post

Similar posts

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *