100 Days of YARA – Day 27: LOKI2

LOKI2 is an old backdoor released in Phrack Magazine in 1997. This tool is still somewhat novel even in 2021, providing a shell over the ICMP protocol.

http://phrack.org/issues/49/6.html
http://phrack.org/issues/51/6.html

A few years ago, I read an article highlighting this tool's use by the Turla group, which piqued my interest. Due to this tool running over …


100 Days of YARA – Day 26: Merlin C2

Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go. This C2 software offers some unique features such as operating over the QUIC protocol and compatibility with the Mythic Framework.

https://github.com/Ne0nd0g/merlin

I encountered this C2 while playing Pros versus Joes CTF.

rule merlin { meta: description = "https://github.com/Ne0nd0g/merlin" strings: $a = "github.com/Ne0nd0g/merlin" …


100 Days of YARA – Day 18: Yanluowang Ransomware

Another ransomware strain is known as Yanluowang. Here are some of my bookmarks that I've tagged as Yanluowang:

https://pinboard.in/u:droberson/t:yanluowang/

This blog post by Symantec was very interesting to me, as it presented a lot of generic examples of post-exploitation activity that was observed by the operators of this ransomware:

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue

Particularly, this article mentions the …


100 Days of YARA – Day 16: Public Services

Malware authors often abuse free or public services to distribute malicious content. They may host payloads on Dropbox, Discord, Google Drive, Pastebin, or any number of other services. Searching for the domains used by these services can uncover malware in surprising places.

Ngrok

ngrok is used to tunnel traffic through HTTP. Despite being a legitimate …
