Denis Kuvshinov Head of Threat Intelligence department Positive Technologies
2 Hi! My name is Denis Security Analyst Summit 2024 Positive Technologies employee since 2017 TI & MA Regular speaker https://twitter.com/WaChinYu1
3 Security Analyst Summit 2024 Active since 2017 - ? Attacks Russian entities Main goal is espionage
4 Security Analyst Summit 2024 https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/
5 Security Analyst Summit 2024
6 Security Analyst Summit 2024 Initial vector Phishing from @yandex.ru, @mail.ru Execution RAR, LNK, HTML, PS, VBS, SLK Persistence Scheduler Credential access Kerberoasting Discovery (Reconnaissance) Each decoy contains profiling through remote images Collection %USR%, ( docx?|xlsx?| rtf|pdf ) C&C 3 rd level domains. Second level in 90% linked to 86.104.15.60 Exfiltration Email and Yandex disk
7 Security Analyst Summit 2024 Phishing Malicious attachment RAR+LNK+Decoy Powershell script Persistence in scheduler In memory payload from c2
8 Security Analyst Summit 2024
9 Security Analyst Summit 2024 C:\Windows\System32\cmd.exe / v:on /c findstr " ::::::::::::. *" " резюме. lnk " > "% tmp %\honor.vbs" & cscript.exe "% tmp %\honor.vbs" & del "% tmp %\honor.vbs" - “ резюме. lnk ”
10 Security Analyst Summit 2024 Metadata in LNK for hunting LNK command line Creator’s machine_id Creator’s volume_id Description Creation and accessed time
11 Security Analyst Summit 2024 LNK command line Shell32.DLL,ShellExec_RunDLL % comspec %| cmd ; / v:on /c findstr "::::: Creator’s machine_id Always different Creator’s volume_id Always different Description Device Removal Creation and accessed time Always different
12 Security Analyst Summit 2024
13 Security Analyst Summit 2024 Document collection Kerberoasting Exfiltration through Yandex disc and email
14 Security Analyst Summit 2024 Initial PS script C2 _1
15 Security Analyst Summit 2024 Initial PS script C2 _1 PS stager
16 Security Analyst Summit 2024 Initial PS script C2 _1 PS stager C2 _ 2 PS stager, data collector and persist provider
17 Security Analyst Summit 2024 Initial PS script C2 _1 PS stager C2 _ 2 PS stager, data collector and persist provider C2 _ 3_1 C2 _ 3_2 Persisted PS downloader
18 Security Analyst Summit 2024 Initial PS script C2 _1 PS stager C2 _ 2 PS stager, data collector and persist provider C2 _ 3_1 C2 _ 3_2 Persisted PS downloader Yandex Disk PowerBroker
19 Security Analyst Summit 2024
20 Security Analyst Summit 2024
21 Security Analyst Summit 2024
22 Security Analyst Summit 2024
23 Security Analyst Summit 2024 … games. britishnewsmedia.com stats. thebigwideword.com images. newsgoodies.com rloj. rebugetel.com maint. addonsvile.com list. nottoolost.com …
24 Security Analyst Summit 2024 Powerpool IamTheKing SongXY - https://www.ptsecurity.com/ru-ru/research/analytics/cybersecurity-threatscape-2017-q4/ Dr.WEB - https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf SongXY Attacks on Russian fuel and energy industry
25 Security Analyst Summit 2024 Quiet, attentive APT group Interested in confidential information Group tries return access to infrastructure after kicking out
Denis Kuvshinov Positive Technologies Let’s Talk?
