☁️ Investigations / 🎯 Threat Intel / Security Research ➡️@Microsoft Previous: Director, Tradecraft 🦅 & #DFIR ➡️@Mandiant/@FireEye Co-host #StateOfTheHack 🎥
Aug 1, 2018 8 tweets 11 min read
In light of the #FIN7 "Combi Security" DOJ indictment, we've released our massive technical post and indicator release:…

We reveal new information from @Mandiant IRs about the extent of FIN7's crimes, their innovative techniques, & how to find them today. #FIN7 targeted other financial data when they encountered encryption in POS networks. New information today - and certainly helped stack up the charges against Combi Security.

Also @BarryV @stvemillertime first shared SEC filing targeting in March 2017:…
Dec 22, 2017 6 tweets 5 min read
Fresh APT loader technique for today's #DailyScriptlet:

cs=Array(#,#,#,#,...): cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd)

This is remotely loaded into memory from the source phishing doc, which uses a renamed wscript & pubprn.vbs to load a COM Scriptlet. @bwithnell and I shared an earlier version of this #APT32 phish technique:
Relevant slide screenshots attached.

They are continually improving each phase of their dynamic, multi-stage infection chain.
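The Chr()-array loader in the #DailyScriptlet tweet above rebuilds a command byte by byte and hands it to Execute(), so the real payload never appears as a readable string in the script. The following decoder and triage heuristic is an added example written for this page (not code from the tweet author or from any vendor tool); the sample script and its harmless MsgBox payload are constructed here so the decoder has something to recover.

```python
import re

# Constructed sample of the loader pattern described in the tweet: a numeric
# Array() literal rebuilt into a string via Chr() and passed to Execute().
# The payload is a harmless MsgBox so the decoder has something to recover.
SAMPLE_PAYLOAD = 'MsgBox "decoded sample"'
SAMPLE_SCRIPT = (
    "cs=Array(" + ",".join(str(ord(ch)) for ch in SAMPLE_PAYLOAD) + "): "
    'cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd)'
)

# Matches Array(...) literals whose elements are only integers, commas and whitespace.
ARRAY_RE = re.compile(r"Array\(\s*([\d\s,]+?)\s*\)", re.IGNORECASE)


def decode_chr_arrays(script: str) -> list[str]:
    """Return the string each numeric Array(...) literal in `script` would
    produce when its elements are run through Chr() and concatenated.
    Arrays with values outside 0..255 are skipped as not being byte data."""
    decoded = []
    for match in ARRAY_RE.finditer(script):
        codes = [int(x) for x in match.group(1).split(",") if x.strip()]
        if codes and all(0 <= c <= 255 for c in codes):
            decoded.append("".join(chr(c) for c in codes))
    return decoded


def looks_like_chr_loader(script: str) -> bool:
    """Triage heuristic for this loader shape: a numeric Array() literal,
    a Chr() rebuild, and a dynamic Execute/ExecuteGlobal/Eval call all in
    the same script text. Meant for analyst review, not as a sole verdict."""
    lowered = script.lower()
    has_dynamic_exec = any(
        k in lowered for k in ("execute(", "executeglobal(", "eval(")
    )
    return bool(ARRAY_RE.search(script)) and "chr(" in lowered and has_dynamic_exec


if __name__ == "__main__":
    print("loader pattern:", looks_like_chr_loader(SAMPLE_SCRIPT))
    for payload in decode_chr_arrays(SAMPLE_SCRIPT):
        print("decoded:", payload)
```

Run it over the script text carved from a suspicious document or from a scriptlet fetched by wscript to see what the Execute() call would actually have run.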