During a recent incident response engagement, FortiGuard IR services (FGIR) responded to a ransomware attack where the threat actor heavily used anti forensic techniques to cover their tracks and to avoid their malware getting into the hands of researchers.
They attempted to achieve this by deleting files and folders they had created, clearing logs and obfuscating malware. While analyzing a disk image of a compromised Windows Server 2016 system, FGIR was able to identify historical evidence of deleted malware and tools used by the threat actor, inside an obscure ETL file called AutoLogger-Diagtrack-Listener.etl. ETL files are generated by the Windows ETW (Event Tracing for Windows) infrastructure.
Read more…
Source: Fortinet
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Researchers use ‘fingerprints’ to track Windows exploit developers
October 2, 2020
More to the point, Check Point security researchers Itay Cohen and Eyal Itkin were able to track 16 Windows Kernel Local Privilege Escalation (LPE) exploits to two different exploit developers known as Volodya (or BuggiCorp) and PlayBit (or luxor2008). 15 of the exploits Check Point successfully matched to a known exploit dev were created between 2015 ...
- Targeted Ransomware Attack Hits Taiwanese Organizations
May 6, 2020
A new targeted attack has infected several organizations in Taiwan with a new ransomware family, which we have dubbed ColdLock. This attack is potentially destructive as the ransomware appears to target databases and email servers for encryption. The information we gathered indicates that this attack started hitting organizations in early May. Analysis of the malware points ...
- FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG
April 2, 2020
As developers of the network simulation tool FakeNet-NG, reverse engineers on the FireEye FLARE team, and malware analysis instructors, we get to see how different analysts use FakeNet-NG and the challenges they face. We have learned that FakeNet-NG provides many useful features and solutions of which our users are often unaware. In this blog post, ...
- Burn, drown, or smash your phone: Forensics can extract data anyway
January 31, 2020
Damaged mobile phones are still filled with plenty of useful data, according to researchers at the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. NIST published the results of a recent study on forensic methods for getting data from mobile damaged mobile phones. It tested the tools that ...
- Security Analysis of Devices That Support SCPI and VISA Protocols
January 28, 2020
When a legacy protocol is connected via Ethernet, and subsequently to the internet, security issues arise. Standard Commands for Programmable Instruments (SCPI) is a legacy protocol that many advanced measurement instruments support. It can be issued via General Purpose Interface Bus (GPIB), Universal Asynchronous Receiver/Transmitter (UART), Universal Serial Bus (USB), or Ethernet. However, it is ...
- New Bug Found in NSA’s Ghidra Tool
September 30, 2019
A medium severity bug reported on Saturday impacts Ghidra, a free, open-source software reverse-engineering tool released by the National Security Agency earlier this year. The vulnerability allows a remote attacker to compromise exposed systems, according to a NIST National Vulnerability Database description. No fix is currently available. Despite the warning, researchers are downplaying the impact of the bug. ...