Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Nick Carr Profile picture
@ItsReallyNick
Aug 1, 2018 8 tweets 11 min read Read on X
In light of the #FIN7 "Combi Security" DOJ indictment, we've released our massive technical post and indicator release: fireeye.com/blog/threat-re…

We reveal new information from @Mandiant IRs about the extent of FIN7's crimes, their innovative techniques, & how to find them today.
#FIN7 targeted other financial data when they encountered encryption in POS networks. New information today - and certainly helped stack up the charges against Combi Security.

Also @BarryV @stvemillertime first shared SEC filing targeting in March 2017: fireeye.com/blog/threat-re…
Crime doesn't pay. Unless you worked for Combi Security, in which case it paid a pretty decent wage for Russian/Ukrainian "pen testers" 😄

Sidenote: @FireEye's red team is hiring but their operations *are* authorized and the only payment card hijinks is over who expenses dinner.
Does the #FIN7 news mean the #BATELEUR document graphic designer is looking for work?

I've been a fan of their graphics and they are obviously a fan of @FireEye since most of their phishing docs also included our Managed Defense landing page language.
#FINdigestion is the best #DFIR hashtag of all times and that's why it's in our blog: fireeye.com/blog/threat-re…

Shout out @RealParisi & long-time #FIN7 tummy trouble trackers:

@stvemillertime's hunting tips today are way better than
Early #FF for awesome #FIN7 people!

Blog co-authors: @BarryV @tiskimber @stvemillertime - fireeye.com/blog/threat-re…

FireEye: @mykill @jtbennettjr @SElovitz @cglyer @DavidPany @danielhbohannon @DJPalombo @MrDanPerez @bwithnell

Industry: @darienhuss @mesa_matt @sixdub @RealParisi
This indictment is without question the most significant financial takedown since Monday when infosec twitter teased me for only offering up $10 for interesting tradecraft. 😄
@subTee @SwiftOnSecurity @NotMedic
Nice chatting with @brbarrett from @WIRED:

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Nick Carr

Nick Carr Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ItsReallyNick

Nick Carr Profile picture
Dec 22, 2017
Fresh APT loader technique for today's #DailyScriptlet:

cs=Array(#,#,#,#,...): cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd)

This is remotely loaded into memory from source phishing doc that uses renamed wscript & pubprn.vbs to load COM Scriptlet.
@bwithnell and I shared an earlier version of this #APT32 phish technique:
Relevant slide screenshots attached.

They are continually improving each phase of their dynamic, multi-stage infection chain.
@bwithnell SPOILER: the VBScript *still* doesn't properly convert temperatures as promised, but it *will* load good tidings of great Cobalt Strike 🎅🏽
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(