During a recent incident response engagement, FortiGuard IR services (FGIR) responded to a ransomware attack where the threat actor heavily used anti forensic techniques to cover their tracks and to avoid their malware getting into the hands of researchers.
They attempted to achieve this by deleting files and folders they had created, clearing logs and obfuscating malware. While analyzing a disk image of a compromised Windows Server 2016 system, FGIR was able to identify historical evidence of deleted malware and tools used by the threat actor, inside an obscure ETL file called AutoLogger-Diagtrack-Listener.etl. ETL files are generated by the Windows ETW (Event Tracing for Windows) infrastructure.
Read more…
Source: Fortinet
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Host-based logs, container-based threats: How to tell where an attack began
June 3, 2025
Although containers provide an isolated runtime environment for applications, this isolation is often overestimated. While containers encapsulate dependencies and ensure consistency, the fact that they share the host system’s kernel introduces security risks. Based on Kaspersky security researchers experience providing Compromise Assessment, SOC Consulting, and Incident Response services to Kaspersky customers, the researchers have repeatedly seen ...
- Cybertruck driver used ChatGPT to plan Las Vegas attack
January 7, 2025
Police found a six-page manifesto on Matthew Livelsberger’s phone and said he used ChatGPT to plan his New Year’s Day bombing at the Trump International Hotel in Las Vegas, Sheriff Kevin McMahill said at a news conference Tuesday. A few of the entries posted in the application included “How much Tannerite is equivalent to 1 pound ...
- FBI: An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software
November 17, 2021
As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software1 going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and ...
- Incident response analyst report 2020
September 13, 2021
The Incident response analyst report provides insights into incident investigation services conducted by Kaspersky in 2020. We deliver a range of services to help organizations when they are in need: incident response, digital forensics and malware analysis. Data in the report comes from our daily practices with organizations seeking assistance with full-blown incident response or ...
- Malware Makers Using ‘Exotic’ Programming Languages
July 26, 2021
Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim and DLang in order to create new tools and to hinder analysis, researchers have found. Use of those four languages is escalating in the number of malware families being identified, according to a report published on Monday by BlackBerry Research and Intelligence ...
- Report: Aussie biz Azimuth cracked San Bernardino shooter’s iPhone, ending Apple-FBI privacy standoff
April 14, 2021
Australian security firm Azimuth has been identified as the experts who managed to crack a mass shooter’s iPhone that was at the center of an encryption standoff between the FBI and Apple. Until this week it had largely been assumed that Israeli outfit Cellebrite was hired to forcibly unlock an encrypted iPhone 5C used by Syed ...