Nick Carr Profile picture
Aug 1, 2018 8 tweets 11 min read Twitter logo Read on Twitter
In light of the #FIN7 "Combi Security" DOJ indictment, we've released our massive technical post and indicator release: fireeye.com/blog/threat-re…

We reveal new information from @Mandiant IRs about the extent of FIN7's crimes, their innovative techniques, & how to find them today.
#FIN7 targeted other financial data when they encountered encryption in POS networks. New information today - and certainly helped stack up the charges against Combi Security.

Also @BarryV @stvemillertime first shared SEC filing targeting in March 2017: fireeye.com/blog/threat-re…
Crime doesn't pay. Unless you worked for Combi Security, in which case it paid a pretty decent wage for Russian/Ukrainian "pen testers" 😄

Sidenote: @FireEye's red team is hiring but their operations *are* authorized and the only payment card hijinks is over who expenses dinner.
Does the #FIN7 news mean the #BATELEUR document graphic designer is looking for work?

I've been a fan of their graphics and they are obviously a fan of @FireEye since most of their phishing docs also included our Managed Defense landing page language.
#FINdigestion is the best #DFIR hashtag of all times and that's why it's in our blog: fireeye.com/blog/threat-re…

Shout out @RealParisi & long-time #FIN7 tummy trouble trackers:

@stvemillertime's hunting tips today are way better than
This indictment is without question the most significant financial takedown since Monday when infosec twitter teased me for only offering up $10 for interesting tradecraft. 😄
@subTee @SwiftOnSecurity @NotMedic

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Nick Carr

Nick Carr Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ItsReallyNick

Dec 22, 2017
Fresh APT loader technique for today's #DailyScriptlet:

cs=Array(#,#,#,#,...): cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd)

This is remotely loaded into memory from source phishing doc that uses renamed wscript & pubprn.vbs to load COM Scriptlet.
@bwithnell and I shared an earlier version of this #APT32 phish technique:
Relevant slide screenshots attached.

They are continually improving each phase of their dynamic, multi-stage infection chain.
@bwithnell SPOILER: the VBScript *still* doesn't properly convert temperatures as promised, but it *will* load good tidings of great Cobalt Strike 🎅🏽
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(