Robert Giczewski
@lazy_daemon
Followers: 732 · Following: 7K · Media: 101 · Statuses: 2K
Interested in CTI/Malware Analysis/RE, DFIR and windows exploitation. I like video games & tech as well 🙂. CTI @ Deutsche Telekom Security. Tweets are my own.
Bonn
Joined August 2009
🔎Our CERT is releasing a new technical report on 🇰🇵Operation #DreamJob, focusing on recent evolution in its tooling. Following an IR engagement at a large manufacturing client based in 🇪🇺, we investigated artefacts we attribute to #UNC2970. ➡️Full blog: https://t.co/o8px0jZmfc
So, @tmechen_ looked at the above and wrote a lot of details about it: https://t.co/O9FPmtz6Zf Maybe @certbund too could be interested in checking this... 🤷‍♂️
🚨 ALERT: Cybercriminals are sending out fake Telekom invoices via phishing emails to deliver multiple malicious RAT payloads. The activity originates from an attack cluster tracked by Telekom Security under the name "Rodent Weed". 🧵1/6
Some folks took my post as “detection > TI” or assumed I believe TI is just IOCs. Let’s clarify. I wrote that post after being called a threat intel company four times this month. We’re not. We do detection engineering - and yes, that often integrates TI, but it produces a
Threat intel analysts produce threat intelligence. Detection engineers produce detection intelligence. Big difference. Gartner doesn’t list the second one yet. TI is about indicators tied to a known threat. DI is about rules that catch malicious behavior across threats. One
Reading Microsoft’s new Void Blizzard report, one thing stands out (again): Everything is about credential theft, phishing, and tokens. Initial access comes from buying or stealing creds - often through low-effort phishing. All the real action happens in the cloud, not on
Microsoft has discovered worldwide cloud abuse activity by new Russia-affiliated threat actor Void Blizzard (LAUNDRY BEAR), whose cyberespionage activity targets gov't, defense, transportation, media, NGO, and healthcare in Europe and North America.
Fraudsters have now started using EPC QR codes in fake invoices that can be opened by many banking apps. These codes already contain all the necessary transfer information for the app to start a simple transfer action for the victim. (1/3)
This is a great summary. We (and by we I mean mostly @willoram) have been using variants of this diagram to describe the inversion of attack paths to identity-based intrusions - a major trend in our incident response cases over the past year.
In the past, you had to: phish a user, drop malware, escalate privileges, pivot to servers, evade EDR, dump creds, move laterally, exfiltrate quietly, clean up, leave a backdoor. Today, you just: phish a user, steal an OAuth token, access everything from anywhere. Cloud
Microsoft Threat Intelligence observed a new and notable method used by the threat actor Storm-0249 for distributing the Latrodectus trojan, a malware loader designed to facilitate multi-stage attacks by downloading and installing additional payloads onto compromised devices.
I interviewed 57 security leaders to answer one question: What sucks in security right now? The answers were fascinating, frustrating, and occasionally funny 🧵
At this year's #DEATHCon I was fortunate enough to present my workshop on #Kusto graph semantics. Now I release it for free to everybody. #KQL #Security #Kraph
https://t.co/vGiUvF4d57
We have also detected this campaign. It starts with an email 📧 containing an SVG file which, when opened, drops an HTML file. The HTML file displays a spoofed PDF file and tricks the victim into clicking the "Open" button 🧵1/4
Had fun presenting #WARMCOOKIE research at #VB2024. The malware was recently updated with new handlers. Our team wrote some tooling to simulate the C2 server to help organizations build better detections. Tooling:
🚨🔥 LOLRMM IS LIVE! 🔥🚨 The wait is over, folks! 🥳🎉 We’re thrilled to announce the official release of LOLRMM — your new go-to tool to detect and counter RMM abuse! 🕵️‍♂️💻 👉 Check it out NOW at https://t.co/hYZrJW3l9V 👈 This couldn’t have been possible without our amazing
What's new in IDA 9.0? https://t.co/FfafKARWXP - No more IDA 32 - IDA as a library (for C++ and Python headless development) - New and updated signatures (for FLIRT) - Legacy 'structs' and 'enums' windows and APIs are gone - Plugin binaries not compatible with 9.0; need to
Bellingcat’s Online Open Source Investigation Toolkit bellingcat.gitbook[.]io/toolkit
#Latrodectus Infection leads to #BruteRatel🕷️🦫 #MalwareAnalysis & #TTPs Several unpacking routines (VirtualAlloc & VirtualProtect) lead to 2 DLLs [+] Rundll32.exe T1218.011 Internal name: badger_x64_stealth_rtl.bin.packed.dll Export Func: DllMain StartW https://t.co/JaJGlnuwtz
#Latrodectus - #BruteRatel - .pdf > url > .js > .msi > .dll 18.09.2024 👇 wscript.exe Document-21-29-08.js msiexec.exe /V MSI152A.tmp /DontWait rundll32.exe C:\Users\Admin\AppData\Roaming\x64_stealth.dll, clBuildProgram (1/3) 👇 IOCs https://t.co/n6EQNtxxiB
The people who claimed the ‘EU version of iOS is the most fun version of iOS’ are awful quiet today