Bluepurple Pulse: week ending November 7th

Nov 6, 2021

Welcome to the weekly highlights and analysis of the blueteamsec subreddit.

Operationally I think it is fair to say everything is on 🔥 in most places with no signs of it abating in the world of cyber any time soon.

In the high-level it has been a complex week on multiple fronts.

First there was the article Democracies Should Not Let the Dream of the Open Internet Die which is a powerful if not slightly depressing view coming out of the Quadrilateral Security Dialogue which features Australia, India, Japan, and the United States. It challenges the direction the world is going in - basically distrust is breeding around technology which is driving sovereign behaviours:

The recent statements and actions at the Quad and beyond suggest that many long-standing supporters of a global Internet now have moved toward a new vision of technological development: a world fractured between competing national or ideological blocs, each relying on its own trusted hardware and software suppliers to defend against malign interference.

Next was the paper titled Cyber deterrence: A case study on Estonia’s policies and practice . A sobering conclusion which says that with regards to cyber deterrence it is hard to measure efficacy and may not work in practice, but we don’t know because it is hard to measure.

finding empirical evidence confirming that a specific cyberattack was prevented thanks to entanglement and norms, denial or punishment measures is challenging for scholars and practitioners alike. In the last decade, the number of cyber incidents in the Estonian networks has not decreased; on the contrary, in 2020 and 2021, serious cyber intrusions occurred, which were not deterred and have not been publicly attributed. Empirical evidence from other countries shows that despite implementing a deterrence strategy and imposing meaningful costs, the socio-economic impact of cyberattacks has increased globally (for example, between 2019 and 2021 ransomware payouts have increased).

There was also:

  • The US State Department announced the formation of a new department - the Bureau of Cyberspace and Digital Policy . Which looks like a soft-power play given it will focus on three key areas: international cyberspace security, international digital policy, and digital freedom.

  • The US added a number of companies to its entities list due to malicious cyber activities including NSO Group (yes, that one - Israel), Candiru (Israel), Positive Technologies (Russia) and COSEINC (Singapore). This means US companies will not be able to supply these firms.

  • FBI released a note on actor targeting methodology - “The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections. Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information.”

  • A core member of REvil was identified - some excellent open source and blockchain analysis here. Well done to the journalists involved. Hopefully no Bothan’s died to bring any information.

  • Ukrainian intelligence brought the 😂 this week by releasing telephone intercepts from FSB hackers who undertook 5,000 cyberattacks against state bodies. Office chit chat happens between intelligence cyber operatives it turns out..

Finally on the reading front I really enjoyed Conscious Capitalism: Liberating the Heroic Spirit of Business. I’ve been thinking about how we could do some real good in the private sector with regards to cyber and what the business model would/could look like. This book is really inspiring and educational on this front with some great insights. Especially when compared to some of the high-growth cyber unicorns that don’t actually appear to have long term viable business models under the hood.

Enjoying this? don’t get via e-mail? then subscribe:

Think someone else would benefit? Share:


Have a lovely Friday


Who is doing what to whom and how.

q-logger Skimmer keeps Magecart attacks going

Jérôme Segura documents a JavaScript logger used to siphon credit card details on hacked webstores which the Magecart attacks made famous. The sheer scale and the fact there isn’t more tracking shows how the fraud industry is being fed here.

Case in point, one particular skimmer identified as q-logger, has been active for several months. But it wasn’t until we started digging further that we realized how much bigger it was.

Credit card skimmer evades Virtual Machines

Jérôme Segura documents how a particular skimmer has VM detection to avoid itself being discovered by the cyber defence industry. Again shows a level of technical sophistication and investment which puts the O in organised crime.

In this blog post we show how a Magecart threat actor distributing a digital skimmer is avoiding researchers and possibly sandboxes by ensuring users are running genuine computers and not virtual ones.

APT41’s Stealth loader and ScrambleCross backdoor

Korean reporting on the actor from China known as APT 41, TG-2633, Bronze Atlas, Red Kelpie, Blackfly, Earth Baku , SparklingGoblin and Grayfly. This reporting states that were responsible for the SITA hacks and this is a breakdown of some of their latest technical capabilities. It is by no means shabby and again shows what a nation state capability looks like.

APT-C-59 (Wuqiongdong) organized the 2021 attack to reveal the secret

Chinese analysis on this threat actor who seems to have a regional interest not involving any western targets. They have Internet Explore zero days and aren’t afraid to use them - there is cross overs with the zero days used by Lazarus (North Korea). These type of regional insight is always fascinating..

Through a comprehensive analysis of the attack data, we can see that the organization's target areas are mainly East Asia and Southeast Asia, involving governments, think tanks, media, and medical industries

How a Phishing Campaign Targeting Indian Banking Users is Distributing an SMS Stealer

Mitesh Wani details an involved operation showing again that criminals will go to extraordinary lengths to bypass multi factor authentication. It obviously does work or they won’t continue to invest. Worth considering if your user population is of interest to organised crime groups.

recently discovered a sophisticated phishing campaign targeting customers of top Indian banks like State Bank of India, Punjab National Bank, Union Bank, HDFC, and Canara. The well-designed phishing pages are difficult to distinguish from legitimate sites and aim to collect all the customer’s banking credentials including account holder name, registered mobile number, account number/card number, ATM pin, IFSC code, and expiry date. The end goal of capturing this information is to install a malicious SMS stealer that monitors the messages on the infected mobile/tablet, and communicates with a C2 server whenever the customer receives an SMS.

Spook Ransomware | Prometheus Derivative Names Those That Pay, Shames Those That Don’t

Vendor uses Halloween theme for marketing ploy shocker. Jim Walter does however detail a threat actor who has an interesting model in that they publish the stolen data if you pay or not. Where is the incentive?

Spook Ransomware is an emerging player first seen in late September 2021

The operators publish details of all victims regardless of whether they pay or not

Targets range across several industries with an emphasis on manufacturing

Analysis shows a significant degree of code sharing between Spook and the Prometheus and Thanos ransomware families

BlackMatter: New Data Exfiltration Tool Used in Attacks

Specific targeted theft of useful / sensitive documents data formats. The most interesting aspect here is that CAD documents, web application source code and Outlook e-mail are included in the target set.

At least one affiliate of the BlackMatter ransomware operation has begun using a custom data exfiltration tool in its attacks. Exmatter is designed to steal specific file types from a number of selected directories and upload them to an attacker-controlled server prior to deployment of the ransomware itself on the victim’s network.

Suspected Donot APT organization uses the latest domain name assets for attack activity analysis

Chinese reporting on this actor from an unknown country known as Donot Team, APT-C-35 and SectorE02, suspected of being an Indian commercial outfit. Nothing new other than specific infrastructure, as they say:

The attack techniques shown in this sample are basically the same as the XLS sample mentioned in the article "Analysis of Attack Activities by the Donot APT Organization Against Military Personnel" published by Hunting Shadow Lab

Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers

Shunichi Imano and Fred Gutierrez document a Japanese regional campaign being distributed via forums. Second example this week where paying money to criminals doesn’t result in 🌈and 🦄.

We recently discovered a variant of the Chaos ransomware that appears to target Minecraft gamers in Japan. This variant not only encrypts certain files but also destroys others, rendering them unrecoverable. If gamers fall prey to the attack, choosing to pay the ransom may still lead to a loss of data. In this report we will take a look at how this new ransomware variant works.

From Zero to Domain Admin

DFIR reporting looking back into the annals of the 2021 to find this report from the summer. Novelty factor is the distribution platform used for the Word document i.e. wasn’t an attachment.

This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. Upon the user enabling macros, a Hancitor dll was executed, which called the usual suspect, Cobalt Strike.

Various different enumeration and lateral movement tactics were observed on the network, along with the exploitation of Zerologon to elevate to domain administrator and gain full control over the domain. The threat actor was able to go from zero access to domain admin, in just under one hour.

Advanced IP Scanner: the preferred scanner in the A(P)T toolbox

Krijn de Mik details a tool used by a variety of actors including how to detect and what artefacts it leaves behind on the hosts it is run from.

Groups that have (had) used Advanced IP Scanner include:

  • Conti2

  • Darkside/UNC24653

  • Egregor4

  • Hades/ Evilcorp5

  • REvil6

  • Ryuk/ UNC18787

  • UNC24477

  • UNC Iranian actor8

  • Dharma9

Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware

FBI reporting here on the TTPs used by this threat actor. No great novelty but the insights are welcome.

Hello Kitty/FiveHands ransomware uses compromised credentials or known vulnerabilities in SonicWall products (CVE-2021-20016, CVE-2021-20021, CVE-2021- 20022, CVE-2021-20023). Once inside the network, the threat actor will use publicly available penetration tool suites such as Cobalt Strike, Mandiant’s Commando, or PowerShell Empire preloaded with publicly available tools like Bloodhound and Mimikatz to map the network and escalate privileges before exfiltration and encryption.

Analysis of phishing attacks against countries such as my country and the South Asian subcontinent

Comprehensive Chinese reporting on Indian originating phishing campaigns for alleged APT activity. Again the scale of the operation is the thing of note here.

This activity involves a large number of network nodes. The main targets are China, Nepal, Pakistan, Sri Lanka, Bangladesh, Afghanistan, and The government, defense and military, and state-owned enterprises of the Maldives and other countries.

New cybercriminal group: Lockean

French government reporting which is quite frankly excellent at showing the cross overs between various ransomware families with a definitely French focus.

Lockean’s targeting is opportunistic and dependent on the distribution services it employs (Emotet, TA551). Nevertheless, Lockean has a propensity to target French entities under a Big Game Hunting 17 [1, 4, 2] rationale and therefore represents a threat to watch out for.

DirtyMoe: Deployment

Martin Chlumecký details the deployment process of DirtyMoe.

The DirtyMoe’s MSI installer abuses the Windows System Event Notification Service (SENS) to deploy DirtyMoe. The main goal of the MSI installer is to replace the system DLL file of SENS with a malicious payload and execute the payload as a legitimate service. Another essential point is configuring the anti-detection methods to keep DirtyMoe under the radar.

CARBON SPIDER Embraces Big Game Hunting, Part 2

Eric Loui and Josh Reynolds provide some insights in to what happens when you cause a national response due to hacking a pipeline.

This blog discusses the Darkside ransomware incident at U.S. oil pipeline system Colonial Pipeline in May 2021 and how CARBON SPIDER responded to fallout from this event. Despite the termination of the Darkside program, the adversary continued malware distribution campaigns and subsequently introduced the BlackMatter RaaS. Due to numerous technical overlaps with Darkside, BlackMatter is attributed to CARBON SPIDER.

Uncovering Confucius' Espionage Campaigns

Who disables cut and paste on websites in 2021? This company does. Anyway this is an Indian APT who is reusing TTPs from August 2021 in September. Tradecraft is basic i.e. maldocs and .NET downloaders/loaders.

How we find and understand the latent compromises within our environments.

Plugx as used by Mustang Panada Yara

Nice rule to help detect this threat actor showing some of the more complex / expensive features of Yara rule writing.


Windows Domain level scanning with Yara rules enabled through this GUI wrapper.

Desktop GUI application that either performs YARA scan locally or prepares the scan in a domain environment with a few clicks.

A Kubeconfig Canarytoken

Dev Dua documents a new free Canarytoken in the guise of a Kubeconfig. For those not familiar with the CanaryToken the concept is simple. You sprinkle them around, threat actors find them when they break in, try and use them and 💥 it fires. A high signal source.

How we proactively defend our environments.

Writing AppArmor Profile from Scratch

Gurkirat Singh provides a lovely end to end walk through on how to write AppArmor profiles for Linux. AppArmor is seriously powerful to lock down Linux environments but can also be very intimidating. Defence in depth tools such as AppArmor really can make grown researchers cry.

In this post, I will teach you how to write a program profile for the cat program which will prevent it from reading the contents of /etc/passwd and /etc/group file but can read any other file in /tmp directory and home directory.


Beau Bullock drops this tool to find the edges where MFA is not present on those nice Azure/Office365 deployments. A wonderful proactive innovation - couple this with continuous scanning and some Slack/Teams integrations as you will be doing SecOps before you know it.

MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor.

adalanche Active Directory ACL analyser

New release, from Lars Karlslund:

adalanche is my ACL analyzer for Active Directory, and I just wanted to let you know that I've released a major new version yesterday, which brings months of development to a (fairly) stable status.

The UI was given an overhaul, and I've both switched the CSS engine and the layout. It brings moving and resizable windows so you can have information about multiple objects on the screen at the same time.

Graph handling and loading in the browser is way faster. Previously my browser would totally die if more than 1000 objects was loaded, now that's up to around 3000 objects (you still have to use the "force" option to get it displayed


Nice attack surface reduction tool for Windows if not a little extreme in places. Wouldn’t run this across the estate without detailed testing.

Hardentools is a collection of simple utilities designed to disable a number of "features" exposed by operating systems (Microsoft Windows, for now), and primary consumer applications. These features, commonly thought for enterprise customers, are generally useless to regular users and rather pose as dangers as they are very commonly abused by attackers to execute malicious code on a victim's computer.


Bear in mind, after running Hardentools you won't be able, for example, to do complex calculations with Microsoft Office Excel or use the Command-line terminal,

Common misconceptions about Windows EventLogs

Joachim Metz drops the wisdom here with very useful insights for anyone dealing with Windows from the blue perspective. A strong recommendation here on the read:

Common misconceptions I come across regularly:

  • EventID is globally unique.

  • EventIDs directly map to event messages.

  • All event strings are used in the message.

  • All the event message information is in the template string.

  • Template strings remain the same.

  • Event XML is proper XML 1.0.

  • Data element names in Event XML are unique.

  • EventLogs and ETW are equivalent.

DarkSide BlackMatter Config Extractor

Christiaan Beek and team have released a config extractor to facilitate victim tracking etc.

Network Capture with Process Name and PID on macOS

Steve Vigneau provides a wickedly useful post on how to capture the process name and PID and work around some macOS oddities. Doing this has a variety of defence and research use cases.

Attack capability, techniques and tradecraft.

Binary Exfil via HTTP version

As ridiculous as it sounds this work by Ricardo Ruiz just provides further evidence on the novel covert communications options available for exfil.

Use the HTTP protocol version to send a file bit by bit ("HTTP/1.0" is a 0 and "HTTP/1.1" is a 1).

Spear phishing with Slackbot for fun and profit

Eric Bailey shows how if you can get into a Slack you can pretend to be a bot and then start to phish users. Interesting threat scenario for those firms that have customer support/success Slacks or where a user gets breached.

Create a proxy DLL with artifact kit

More offensive innovation from the authors of CobaltStrike. Bringing DLL attacks (hijacking and proxying) headaches for those that use anomalous DLL loading as a detection. This capability will facilitate blending in with the noise and thus aid attackers.

CookieMonster: a tool for breaking stateless authentication

Ian Carroll has released a very powerful and useful tool for identifying stateless cryptography session weaknesses. This tool has real potential to do damage and good in equal measure due to the previously underexplored attack surface.

Using stateless cryptography like this is precarious and requires care from developers that they do not expect. Many frameworks require developers to specify a secret key before they will work correctly, and many developers then pick quick, unsafe values like changeme to unblock themselves. Unfortunately, this key is critical to the security of these applications.

What is being exploited.


The following were exploited this week at pwn2own in Austin - various routers, various printers, Samsung handsets, Sonos etc.

We (NCC Group) entered and popped a Western Digital NAS and a Lexmark Printer.

Don’t forget the teams really only had 6 weeks and managed to do some real damage.


An interesting initative to aggregate in the wild exploited vulnerability information. I’d be interested to hear if this changes or influences the decision or prioritisation processes for anyone.

Our attack surface.

Pre-Auth Takeover of Build Pipelines in GoCD

We discussed CI/CD security last week - this vulnerability is the stuff nightmares are made of. Interestingly Simon Scannell doesn’t mention the CVE this is tracked under which means some operations may miss it.

The vulnerability discussed in this blog post is related to broken authentication and allows an unauthenticated attacker to view highly sensitive information and read arbitrary files on a GoCD server instance. We will discuss how attackers might abuse this vulnerability to gain access to authenticated attack surface. In a follow-up blog post, we are going to detail how attackers can abuse authenticated attack surfaces to gain RCE impact on a GoCD Server instance by exploiting other vulnerabilities we discovered.

The vendor doesn’t seem to track under a CVE either:

Some other small bits and bobs which might be of interest.

  • McAfee Enterprise FireEye 2022 Threat Predictions

  • On the Integration of Course of Action Playbooks into Shareable Cyber Threat Intelligence - academic paper

  • Kaspersky had an API key stolen which resulted in phishing e-mails being sent as them.

That’s all folks.. until next week..

Related Posts