Saturday, July 21, 2012
Red Sky weekly - FR12-016 details second non-public trojan
Red Sky Analysts released Fusion Report 16 this week. FR12-016 detailed a newly observed web-based Remote Access Tool (RAT) which was used in the same campaign as Trojan.Eclipse (named Eclipse by Red Sky analysts) from FR12-015. FR12-016 offered a custom C2 decoding script, Snort signatures, and a number of new indicators that may be used to detect and proactively mitigate the intrusion attempt.
When preparing this week’s blog entry, I miscounted, thinking this was six months in operation. In fact it’s five, with our corporate one-year anniversary coming up at the end of August. Regardless, five or six, the numbers are still pretty exciting.
· Our Advisory Board is currently looking at one more company for membership. The company is one of the five largest law firms in the country, boasting 1750 attorneys and 27 global offices. We currently have four companies being vetted by our Advisory board, and if all are offered membership, we’ll have 16 top companies in nine of the US’s critical infrastructures. Our ranks have grown 36.5% in the last two months!
· We're actively tracking at least eight groups. Two of these groups were known in one sector but not widely known in others; Red Sky's cross-sector participation has produced (as I read it) two cases in which a group moves from one industry sector to another.
· In five months we’ve profiled a bad ISP, analyzed two 0-days and at least three newly discovered pieces of code, named two new TTPs, and published over 2000 indicators in Kill Chain format. Over 500 threads are being tracked, and they have generated over 9000 comments and page views.
Five months in, results like this are the tip of the iceberg. The conversational format of the social environment can be rough to get used to, but the richness of the information is FAR better than the format of the report-driven portals I’ve participated in in the past. (Report-driven portals are easy to parse, but the data is generally light.) Cross-sector and international participation has been huge! The ability to contact members in Japan directly, or to analyze malware captured on members’ global networks, is a luxury I’ve not been accustomed to. I like it.
Bottom line is this. I'm happy it's working. Not without growing pains, but nothing good ever comes without a few bumps and bruises. Five months. It’s working.
See you at Black Hat!