· 5 min read
Mert Degirmenci

Introduction

When I saw the attack vector for the first time, I realized that it is an excellent case to demonstrate the potential of ATLAS. So, after finishing the analysis and the ATLAS rule, I decided to write a blog post with a detailed explanation of how the ATLAS rule was created.

· One min read
Mert Degirmenci

Introduction

I am passionate about developing a standalone version of the distinct capabilities of the malware or attack vector that I analyze. It helps me to understand the specimen much more deeply. The other advantage is that your code breaks when the actor updates the capability. That means I can track them. In one of my other blog posts, I described how I tracked two highly active malware families, Remcos and Emotet, for months. It is for fun and profit.

· 4 min read
Mert Degirmenci

Introduction

In a world full of threats that indiscriminately target every bit and byte of our society, it is crucial to have decent intelligence and to respond accordingly. These threats often use specialized tools, called malicious software or malware, to achieve purposes ranging from cybercrime to espionage and destruction. In this cat-and-mouse game, VirusTotal, created in 2004, has become a primary source of malware intelligence and provides a myriad of information. As the platform has matured, it has gained advanced capabilities that analysts use to fill their knowledge gaps.

· 13 min read
Mert Degirmenci

Introduction

Albert Lamorisse invented the board game Risk in 1957. According to Wikipedia,

Risk is a strategy board game of diplomacy, conflict and conquest for two to six players. The standard version is played on a board depicting a political map of Earth, divided into forty-two territories, which are grouped into six continents. Turns rotate among players who control armies of playing pieces with which they attempt to capture territories from other players, with results determined by dice rolls. Players may form and dissolve alliances during the course of the game. The goal of the game is to occupy every territory on the board and, in doing so, eliminate the other players.

· 13 min read
Mert Degirmenci

Introduction

Agent.Tesla

Agent.Tesla is a piece of malware that has been active since 2014. According to an article published on 'krebsonsecurity.com', access is acquired by paying a subscription fee via Bitcoin, and at the time of the article it had more than 6,300 customers. 24/7 technical support via a Discord channel is also included.

· 10 min read
Mert Degirmenci

The tag "Late Night Show" is used because the attack originated at the end of 2018 and, apparently, the show is very late.

Introduction

APT28

The group, also known as Fancy Bear, Sofacy Group, Sednit and other names, started its activity in the mid-2000s. It targets government, military and security organizations, especially in NATO-aligned states.

APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.