signalblur / Ryuk-Intel

List of recent Ryuk intel reports.

My Ryuk/Bazar/Trickbot reference list #1

Closed SwitHak closed 3 years ago

SwitHak commented 3 years ago

Hi, as I told you, here's my list on Ryuk/Bazar/Trickbot. Choose what you want to add to yours. Thanks for your work, David, and much thanks to all the companies / individuals sharing intel on these. S.H.

List:

- FireEye
  - https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
  - https://www.youtube.com/watch?v=CgDtm05qApE
  - https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
  - https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

- RedCanary
  - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/

- McAfee
  - https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf

- Giovanni Mellini
  - https://github.com/gmellini/Microsoft-Defender-Security-Center-Hunting-Queries

- Telsy
  - https://github.com/telsy-cyberops/research/blob/master/coronavirus/sigma/Ryuk.yaml

- Unit42
  - https://unit42.paloaltonetworks.com/ryuk-ransomware/
  - https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/
  - https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/
  - https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/
  - https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/
  - https://unit42.paloaltonetworks.com/unit42-malware-team-malspam-pushing-emotet-trickbot/
  - https://unit42.paloaltonetworks.com/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/

- Sentinel Labs
  - https://labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/
  - https://labs.sentinelone.com/trickbot-update-brief-analysis-of-a-recent-trickbot-payload/
  - https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/
  - https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/
  - https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/
  - https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/
  - https://assets.sentinelone.com/labs/sentinel-one-mexec-r
  - https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/
  - https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/
  - https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/

- Cybereason
  - https://www.cybereason.com/blog/ryuk-ransomware-mitigation-and-defense

- RiskIQ
  - https://community.riskiq.com/article/0bcefe76

- Sophos
  - https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/
  - https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/
  - https://twitter.com/SophosLabs/status/1321844306970251265

- Sekoia.io
  - https://github.com/SEKOIA-IO/Community/blob/main/IOCs/2020-10-29%20C2%20Ryuk.csv
  - https://twitter.com/sekoia_io/status/1322162909015920640

- Crowdstrike
  - https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/
  - https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
  - https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/

- THE DFIR REPORT
  - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
  - https://thedfirreport.com/2020/10/08/ryuks-return/

- Justin Warner
  - https://twitter.com/sixdub/status/1321979928389275654
  - https://threadreaderapp.com/thread/1321979928389275654.html

- Netscout ASERT
  - https://www.netscout.com/blog/asert/dropping-anchor

- Kaspersky
  - https://twitter.com/k_sec/status/1321948200534761473
  - https://ics-cert.kaspersky.com/tag/ryuk/
  - https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/

- MISP CIRCL LU
  - https://www.circl.lu/doc/misp/feed-osint/cd8b9093-e319-4719-81b3-04a275b2f048.json

signalblur commented 3 years ago

This was great! Thanks so much. Updated the master branch.