Introduction​

We have all watched Albania's response to the recent cyber attacks on the country after they are attributed to Iranian actors by the public and private sectors. The answer itself was very big and bold, I guess it is one of a kind.

But it isn't the start of the conflict, especially the Arabian Peninsula didn't settle down, and it seems that it isn't going to be soon. And the Albanian case isn't the single attack we can discuss. There are many more attacks with various objectives, from hacktivism to espionage and destruction. Even one that causes physical damage.

I want to deepen more about what is happening physically and digitally and their cause-and-effect relation. The timeline of recent years might help to answer these and, of course, create new ones.

Introduction​

During the development of the ATLAS, even though I believed it would be something, I didn't have any clue that proves this statement. I started to write as much as possible ATLAS rules afterward, and the experience has convinced me that ATLAS helps us to store and share malware analysis details in an actionable way.

Introduction​

For so long, Microsoft Office's macro capability has been to go option for initial access by threat actors. The community has seen a great variety of samples of this technology. But things are changing by Microsoft's decisions from last year. VBA macros are blocked if the origin of the document is the internet. Although in the middle, they retrieved but then by overwhelming responses, they returned to their initial decision. On the other hand, EXCEL 4.0 macros are restricted by default.

After these game-changing decisions, threat actors started to adopt new techniques for initial access, and the community responded to this movement with an appropriate answer. The trends show us that ISO and LNK file formats are at their peak. LNK files are Windows shortcuts, and recently SentinelOne shared excellent research around them. The post inspired me to do similar research on ISO files.

Introduction​

When I saw the attack vector for the first time, I realized that it is an excellent case to demonstrate the potential of the ATLAS. So, after finishing the analysis and the ATLAS rule, I've decided to write a blog post with a detailed explanation of creating the ATLAS rule.

Introduction​

I am passionate about developing a standalone version of the distinct capabilities of the malware, attack vector that I analyze. It helps me to understand the specimen much more deeply. The other advantage is that your code breaks when the actor updates the capability. That means I can track them. In one of my other blog posts, I described how I tracked two highly active malware families, Remcos and Emotet, for months. It is for fun and profit.

Introduction​

In a world full of threats that target indiscriminately every bit and byte of our society, it is curial to have decent intelligence and respond accordingly. These threats often use specialized tools, named malicious software or malware, to achieve from cybercrime to espionage and destructive purposes. In this cat and mouse game, VirusTotal, which was created in 2004, has become the source of malware intelligence, and it provides myriads of information. By the platform's maturation, it has gained advanced capabilities that the analyst uses to enlighten the knowledge gaps.

Introduction​

Albert Lamorisse invented Risk game in 1957. According to Wikipedia,

Risk is a strategy board game of diplomacy, conflict and conquest for two to six players. The standard version is played on a board depicting a political map of Earth, divided into forty-two territories, which are grouped into six continents. Turn rotates among players who control armies of playing pieces with which they attempt to capture territories from other players, with results determined by dice rolls. Players may form and dissolve alliances during the course of the game. The goal of the game is to occupy every territory on the board and in doing so, eliminate the other players.

Introduction​

Agent.Tesla​

Agent.Tesla is a piece of malware that is active since 2014. According to an article that is published on 'krebsonsecurity.com', access right is acquired by paying subscription fee via bitcoin and by the time of the article, it had more than 6,300 customers. 7/24 technical support via Discord channel is also included.

The tag "Late Night Show" because, the attack origins at the end of 2018 and apparently the Show is very late.

Introduction​

APT28​

The group, also known as FancyBear, Sofacy Group, Sednit..., starts its activity in the mid-2000s. They target government, military and security organizations especially NATO-aligned states.

APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.