The Human Connection Blog

New CTI Labs: Zero-day Behaviour: PDF Samples & UAC-0063 Intrusion: SIEM Analysis

BenMcCarthy
15 days ago

Today, we’ve released two brand-new labs: one focusing on attack chain analysis of UAC-0063 activity, and one analyzing a recently discovered issue in PDF files that allows exfiltration of NTLM information.

Based on the report released by NCSC's CTO, a number of important cyber security developments occurred over the past week. We have created two labs on the parts of the report we found most interesting, so that our content aligns with what NCSC is seeing in the wild.

Zero-day Behaviour: PDF Samples

PDFs are used by everyone, and a researcher has found that you can embed commands that make the document communicate out to attacker-controlled servers – depending on which PDF reader a company uses, this can exfiltrate NTLM data to aid in further attacks. PDFs are a common initial access vector, for example when a malicious one is sent via email. We have therefore created a lab for defensive teams to analyze what these PDFs look like under the hood and how to identify this newly found behavior.

UAC-0063 Intrusion: SIEM Analysis

The threat group UAC-0063 has been observed sending malicious documents around the world, targeting Asia and Eastern Europe in its latest operation. Its aim is cyber espionage: gathering information about governments, NGOs, defense, and academia. With its malware, dubbed HATVIBE, the group has been seen using legitimate diplomatic documents with malicious code embedded inside them. The lab provides an analysis of the attack chain, so that our customers understand what happens when one of the malicious documents is opened and which detections can be put in place to catch the attack.

Why should our customers care?

These two labs are based on information that the NCSC has judged the industry needs to know. Understanding the updated attack techniques of threat groups and new ways to execute commands from PDFs is incredibly important, because social engineering remains one of the most common methods of initial access. Our customers will be able to analyze both of these threats to develop detections early or to gain familiarity with how the threats work.

Who is it for?

  • Incident responders
  • SOC analysts
  • Malware reverse engineers
  • CTI analysts
  • Threat hunters

Here is the link to the PDF lab: https://immersivelabs.online/labs/zero-day-behaviour-pdf-samples

Here is the link to the UAC-0063 lab: https://immersivelabs.online/labs/uac-0063-siem-analysis

Updated 15 days ago
Version 2.0