
NasaPaul Botnet: A Need for Speed

Updated: 2021-02-28 - Update detection section to explain why v.py might not be flagged by AV. Updated: 2021-03-03 - Divide article by LM Kill Chain phases instead of MITRE ATT&CK framework. Case Summary: I collect live malware samples from honeypots running on public cloud servers. This case examines a repeated security event following a successful brute-force attack against SSH in which the malware payloads ninfo and v.py are dropped from nasapaul[.]com. The samples examined in this post were captured on February 23rd, 2021....

February 27, 2021 · 16 min

Using BigQuery CLI for Honeypot Log Analysis

Curious about BigQuery? This super quick tutorial will help you get started. BigQuery is a Google Cloud Platform service that provides fast, serverless, scalable data analysis. This tutorial will discuss the basics of working with BigQuery, including how to create datasets and tables, upload information to them, and make queries using the BigQuery command-line interface tool bq. Pre-Config: In order to follow along, you’ll need to have done the following:...

February 9, 2021 · 5 min

A Botnet's Search for MikroTik Routers

Last Updated: 2021-02-04 Last month, I wrote a post about setting up honeypots on GCP where I stood up a low-interaction SSH honeypot. Since then, I’ve been able to log a few megabytes worth of unauthorized behavior. This post will report on a repeated security event targeting misconfigured MikroTik routers. Event Behavior: The attacker logs into the honeypot using admin/password and then sends the commands seen below into the honeypot terminal....

February 2, 2021 · 8 min

Malware Labs and Machines

This post is geared towards beginners and documents the general steps I took to build a home malware lab. Malware Lab Plans: The malware lab must meet the following requirements: Malware environment must not connect to prod/shared networks. Dedicated physical workstation to host malware lab (i.e. an old laptop). Quickly restore host in the event of malware escape. Include both static and dynamic analysis features. WARNING: Conduct all security research on an isolated network separate from shared/personal devices....

January 28, 2021 · 4 min

HoneyTraps in the Cloud 101

Updated 2021-03-01: Give the reader a heads up that restarting SSH will kick them from their current session. Overview: Honeypots are useful tools for collecting unauthorized interactions as logs. These logs can be digested to identify new attack techniques or observe active username/password patterns. In the context of a security team, they could provide actionable information to pre-emptively secure the studied environment. This tutorial will discuss general SSH honeypot pre-configuration, HoneyTrap installation, logging, and analysis....

January 25, 2021 · 5 min