Operational CTI: Lessons from the Attacks That Didn’t Target You
Watch the recording from this event here ⬇️ Many organizations overlook vulnerabilities and attack campaigns that don’t directly impact them. While this makes sense for risk prioritization, studying these threats can reveal valuable insights that improve your defensive posture and technical skills. In this webinar, we’ll take you through a technical analysis of a recent malicious campaign and explore how analyzing adversary techniques — even those that haven’t targeted your organization — can uncover hidden gaps in your security strategy and enhance your ability to detect and mitigate future threats. Key Takeaways Threat Awareness Beyond Your Scope – Understanding attack campaigns that don’t directly affect your organization can still provide critical insights into evolving threat landscapes. Improving Defensive Posture – Learning from other attacks helps identify weaknesses in your own security strategy before they become exploited. Expanding Technical Knowledge – Deep-diving into attack techniques and vulnerabilities sharpens your ability to detect and mitigate sophisticated threats. Proactive Security Mindset – Adopting a proactive rather than reactive approach can help organizations stay ahead of adversaries, even if they’re not immediate targets. Applying Lessons Practically – Insights from external threats can shape better incident response plans, detection rules, and security skills.Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness
This event has now ended. You can watch the recording here. --- 📢 Today's the day! Our exclusive Community webinar 'Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness' will be live at 3pm GMT (10am EST). Here's a few tips to help you get the most from your experience: 🚀 This is a live, interactive session. Make sure you join the session promptly in order to get the full experience. 🔗 To join today's session, visit the event page or simply use the Zoom link. ❓You’ll also have the opportunity to participate in a Q&A with our expert panel so you can leave with an action plan to turn your ideas into reality! You can pre-submit questions here. Event Description Have you ever wondered how Immersive Labs can release CTI labs on the latest threats so quickly? Come backstage with us on this ✨ Community Exclusive ✨ event to learn just how we do it. BenMcCarthy and benhopkins, two of the experts from the CTI team will reveal what it takes to make a lab, some of their favourites from 2024 and what is to come from the CTI team. Agenda What are CTI labs and how do we select labs to build? Build Stage 1 - Research Build Stage 2 - "Labified" Build Stage 3 - Content Build Stage 4 - QA Some of our favourite labs Examples of speedy launches of labs C2 research What next for our Threat Research and CTI Labs You’ll also have the opportunity to pre-submit questions here so you can ensure that you leave with all of the information you need! This is a Community Exclusive event: Hit the attend button to register. This webinar will be live at 3pm GMT and will be recorded.Labs Live
This event has now ended. You can watch the recording here. Ever felt totally stuck with a lab? Getting frustrated? Maybe you could have used the helpful guidance of an expert? Introducing Labs Live, a groundbreaking community webinar series from Immersive! For the first time, we're bringing you live, interactive lab sessions led by seasoned professionals. In each Labs Live webinar, you'll collaborate directly with an expert as they navigate a challenging lab. They'll share their techniques, answer your questions, and together, you might even discover new insights. This isn't just a demonstration; it's a hands-on learning experience.Don't miss out on this unique opportunity to elevate your cyber skills. Our very first Labs Live session will be hosted by KevBreen Senior Director of Cyber Threat Research, as he tackles the latest Cyber Threat Intelligence Lab. Join him on April 25th to solve it together!Cozy Bear? Not So Cozy…
When you think of a “cozy bear”, you might think of Winnie the Pooh or a faux fur throw by the fire, not a criminal hacker group that’s been active since 2008. There was an intrusion to TeamViewer, the most popular remote access software, on 26 June 2024. Evidence points accountability towards Russia’s Midnight Blizzard group, also known as APT29, the Dukes, and the Cozy Bear group. Not exactly the type of behavior you’d expect from a cozy bear, right? The Cozy Bear group has been observed using tools and techniques that target groups like government, healthcare and energy organizations. Its most common techniques include scanning (T1595.002) and exploitation (T1190) against vulnerable systems. It’s also associated with the notorious SolarWinds incident in 2021 that resulted in the first ever SEC charges against a CISO. It’s safe to say this bear isn’t hibernating, it’s on the prowl. All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content around other attack types perpetuated by this malicious threat group. Ensure your teams aren’t caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group: APT29: Threat Hunting with Elasticsearch Successful cyber threat hunting relies on a combination of information from cyber threat intelligence to detailed event logs via endpoints, network devices, and security tools. This lab collection gives you an opportunity to explore some of these concepts through the lens of an emulated APT29 attack scenario. APT29: Threat Hunting with Splunk These labs follow the same attack path as the above collection, but with different tactical and system focuses, providing an opportunity to explore concepts through the lens of an emulated APT29 attack scenario with Splunk. Brute Ratel: Extracting Indicators of Compromise Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements. This tool has been observed in the wild being used by nation-state actors, specifically APT29. The following labs are also based on this threat group’s known tactics, techniques, and procedures (TTPs) and exploits. Check them out: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive CVE-2020-5902 (F5 BIG-IP) – Defensive CVE-2020-5902 (F5 BIG-IP) – Offensive We may be having fun here, but your cyber readiness is no joke. Make sure your teams are up to date on the newest CVEs and that they’re well versed on established threat actors and attack vectors – so your organization stays out of the news 🙅♀️🐻📰 Share your thoughts! Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We’re beary eager for your feedback in the comments below!New CTI Lab: Xworm: Analysis
Xworm is a piece of malware that was first discovered in 2022 being used by threat actors like NullBulge and TA558. Xworm is a remote access trojan (RAT). Attackers deploy it onto compromised machines to steal data, facilitate remote code execution through shell access, and tamper with native security solutions like Microsoft Windows Defender, ready for other malware to be dropped and executed on a machine. Why have we created this content? Xworm is a commodity piece of malware that has been observed in the wild and has previously been observed being sold on hacker forums to opportunistic cybercriminals. Recently, cracked versions of this malware have been leaked to VirusTotal, GitHub, and other repositories. This content provides a unique look into commodity malware, how it's designed, and what to look out for when coming across it. What are we publishing? All customers on a CyberPro License have immediate access to a new lab. Xworm: Analysis Who is this content for? This lab is focused on upskilling and increasing the defensive capabilities of the following roles: Incident Responders Malware Analysts Reverse Engineers SOC Analysts Cyber Threat Intelligence Analysts We are also hosting a webinar! Come and see what we do as a CTI team and how we help cyber teams with their real-world threat preparedness!Reverse Engineering SmokeLoader: An In-Depth Analysis (Stage 1)
At our recent event, Operational CTI: Lessons from the Attacks that Didn't Target You, we shared that we would releasing reverse engineering blogs on SmokeLoader. Here is part 1! SmokeLoader is a malware strain that’s been seen in the wild since at least 2014. It’s a backdoor that can be expanded by adding modules. This versatility makes the malware a bit harder to signature, but it's common practice among malware like this. One notable aspect of SmokeLoader is its attempt to hide its C2 activity by generating requests from legitimate sites as well as domains that the attackers control. Understanding the modules used as add-ons to each build can provide insight around the malware strain and the attack’s objectives. This first blog entry covers the more contextual information around SmokeLoader, including the campaign associated with it. We’ll also cover how we set up our analysis environment, and the considerations we had when analysing the preliminary stages. The campaign The 7Zip campaign saw the exploitation of the CVE-2025-0411 vulnerability. Exploiting this vuln increased an attacker’s chances of successfully infiltrating a company’s workstations by bypassing the Mark of The Web (MoTW) security controls. (We created a lab on the 7Zip campaign. Check it out here.) Once bypassed, the SmokeLoader executable stopped Windows SmartScreen from opening a warning window to the user. This blog picks up where our webinar left off. We’ll cover the SmokeLoader executable and analyze it to show you how it executes itself – there are many layers! The malware we’ll analyze in this blog is the last stage in the Trend Micro report. You can also have a read of VirusTotal’s report here. Let’s get to it! This malware gets downloaded as part of the attack chain with the extension .pdf.exe. In some workstations, file extensions aren’t visible, so in this case, the malicious file looks like it ends with “.pdf”. This is a social engineering tactic that tricks the workstation user into double-clicking the malware, thinking it will open a PDF instead of actual malware. According to VirusTotal, SmokeLoader is a 32-bit executable written using Microsoft Visual Studio and is 249.50 KB in size. This is really useful information you can use to start understanding what sort of instructions and patterns can be added to the binary from the Visual Studio compiler. Analysis setup Don’t forget! As with any malware, it’s important to place it in a sandboxed environment when you analyze it. You don’t know what it’s going to do yet! When doing deep analysis, you’ll need to use a debugger and a disassembler or decompiler. Here, we’re using x32dbg and Ghidra – both incredibly powerful tools. We took the following steps when analyzing the malware: We looked at the decompiler to see what code was coming up and made a hypothesis of what the code was doing. We opened the malware in a debugger and executed the code we analyzed in Step 1, going no further than what we already knew. We replaced any variable names or information in the decompiler to provide further context to the code. We repeated Steps 1–3 until the malware acted on its objectives. Reverse engineering This malware deliberately has many stages to slow down reverse engineers’ analysis. It goes through multiple stages of shellcode extraction and execution, multiple dynamic API resolutions, memory page protection changes, and process injection. The first thing we did was find main(), where the malware author's code is written. Ghidra is really helpful for this! We found the entry point, followed __tmainCRTStartup, double-clicked it, and found the code pattern ___tmainCRTStartup ();. This will help when we start looking for main() in the debugger. We now knew that the main function was the one with 0x7c80 as the last four hex digits of the address. We used this information to set a nice breakpoint on main() in the debugger. This can be confusing when starting out on your reverse engineering journey, so check out our lab on finding main() here.Once we had a breakpoint set at main() in the debugger, we started investigating what happened from there in Ghidra. Two function calls happened: one is a longer function, and the other is a few instructions followed by jmp EAX. Given that EAX has a memory address populated by the data address DAT_00512C44, which is initialized elsewhere in the program, we guessed that there’s some deobfuscation of instructions somewhere, and the jump instruction takes the code to that location. We could have set a breakpoint at jmp EAX in the debugger and executed the code until then. However, some malicious activity might have occurred before the jmp call in the previous function, so it was worth investigating. The first function, shown below, had many do-while loops, meaning that the code will execute the loop at least once. However, we inspected the code inside the loops and found there wasn’t much going on. There was a check at a certain data address, DAT_00512DFC, and actions were taken based on that – though exactly what actions were taken is unclear, given that it doesn’t execute. When checking, we reviewed the memory location of DAT_00512DFC in the debugger and found that it didn’t hold anything meaningful to make those checks occur. This shows that this code is likely kept in the malware, regardless of whether it’s used or not, and will only execute if a certain type of build is created. Another thing to note is that the Windows APIs that get called didn’t really do much anyway, and currently didn’t indicate much malicious activity. Some of the strings in this function might have seemed useful, but if the code doesn’t execute instructions associated with them or doesn’t directly manipulate them, they’re useless to our investigation. So we skipped over the loops in the debugger by finding the instructions after the loop, setting a breakpoint, and running the program until it hits that breakpoint. The third lab in the Foundational Binary Dynamic Analysis collection covers this technique in more detail. Scrolling down, you can see a function that’s outside the if statements and do-while loops: This is FUN_00417440(void). Inside this function is a call to LocalAlloc where the size is stored in DAT_00512dfc and the memory address location is stored in DAT_00512c44. Keen-eyed investigators will notice DAT_00512C44 is the memory location of the jmp EAX in the second function called from main(). This proves that our hypothesis from the beginning was correct: This function sets up a memory location with instructions that get executed later. It’s important to keep track of the value stored in DAT_00512DFC from the debugger because it’ll determine the size of the memory dump we’ll be making later for the shellcode! Finally, when looking at the bottom of the large function, we found a number of function calls: LoadLibraryA was followed by two function calls. This is interesting because the majority of the time, LoadLibraryA in malware is followed by GetProcAddress (which happens to be what’s inside FUN_00417470). Weirdly, though, the return from LoadLibraryA("msimg32.dll") wasn’t used. GetProcAddress in the next function was simply called statically instead of dynamically, finding it with LoadLibraryA. In this function, VirtualProtect was called to change the heap memory to executable! This technique, and how to analyze it, is covered in detail in the fifth lab in the Foundational Dynamic Analysis collection. The function after that holds a lot of XOR and array manipulation, so we assumed this is deobfuscation. The location being written confirmed this, starting at the location of our heap, which was just changed to executable. This technique is also covered in the third lab of the Foundational Dynamic Analysis collection. The final function in the block simply added 0x2310 onto the heap starting address: ` if (iVar4== 0xd606b) FUN_00417460();` So, we learned that everything in the function has been pointless! Attackers do this deliberately to slow down reverse engineers. And it works, but it’s still crucial to take these steps so we can confirm it’s pointless, not just assume that it is. Finally, we set a breakpoint in the debugger at the jmp EAX instruction, ran the program, then dumped the memory. Conclusion This first blog post covered the SmokeLoader malware’s campaign details and some initial analysis considerations, including how to identify and dump the first layer of shellcode. This is just the beginning! Stay tuned for more SmokeLoader analysis, including a look at what anti-analysis and obfuscation techniques are employed.Patch Tuesday February 2025
CVE-2025-21418 - 7.8 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Top of the list for things to patch this month is a local privilege escalation that threat actors are actively exploiting in the wild. No information is provided on which threat actors or how they are using it, but what we do know is that an attacker exploiting this vulnerability will be able to gain SYSTEM-level permissions on the affected host. As this is a local exploit, it does mean that an attacker or malicious insider must already have access to the target machine, typically through a phishing attack, malicious document, or another remote code execution vulnerability. Despite its relatively low score of 7.8 compared to a Critical 9.8, local privilege escalation vulnerabilities are valuable to attackers as they allow them to disable security tooling, dump credentials, or move laterally across the network to exploit the increased access. CVE-2025-21377 - 6.5 - NTLM Hash Disclosure Spoofing Vulnerability Another CVE to patch sooner rather than later is a zero-day that was discovered and disclosed in December 2024, with Microsoft announcing at the time that patches would not be available until 2025. Tracked as CVE-2025-21377, this vulnerability allows a threat actor to steal a victim's NTLM credentials by sending them a malicious file. The user doesn't have to open or run the executable, but simply viewing the file in Explorer could be enough to trigger the vulnerability. This specific vulnerability is known as an NTLM relay or pass-the-hash attack, and threat actors love this style of attack as it allows them to impersonate users in the network. If an attacker can collect your NTLM hash, they effectively have the encoded version of your password and can log in to workstations, servers, or other Microsoft servers as if they had your username and password. Preventing outbound SMB traffic can help limit the exposure, as this is such a prevalent technique Microsoft has specific guidance available on their website on Mitigating Pass-the-Hash (PtH) attacks CVE-2025-21400 - 8.0 - Microsoft SharePoint Server Remote Code Execution Vulnerability Microsoft SharePoint is a web-based platform that integrates with Microsoft Office, used to store, organize, and share information from any device. Details around this remote code execution vulnerability in SharePoint suggest that an attacker needs to be authenticated to exploit it. Exploiting this vulnerability requires a client to connect to a malicious, attacker-controlled server, and with this access, an attacker could achieve code execution on the client. In a network-based attack, if the attacker has access to a client that belongs to the “Site Owners” group, meaning they have full control of the client system, they can write injectable code to send to the SharePoint server that amounts to code execution. CVE-2025-21408 - 8.8 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability refers to a potential security issue that, if exploited, could allow an attacker to execute arbitrary code in the context of the current user. Vulnerabilities such as these are often attributed to the way Microsoft Edge (Chromium-based) handles objects in memory. In relation to this specific vulnerability, successful exploitation requires a victim user to click on a malicious link so that the attacker can initiate remote code execution (RCE) on Edge’s renderer process – which is part of a multi-process architecture that handles much of the code that runs on a webpage, including JavaScript, HTML, and CSS. The idea is that sites and sessions are isolated so the misbehavior of one site doesn’t affect another in the same browser session. An attacker could potentially do a number of things after exploiting this vulnerability, including injecting malicious scripts into the running browser session, exploiting cross-site-scripting (XSS) vulnerabilities, stealing credentials from browser sessions, or deploying script-based malware that can be used to gain access to the user's machine. Microsoft has released a patch for this vulnerability, which users are encouraged to download. CVE-2025-21391 - 7.1 - Windows Storage Elevation of Privilege Vulnerability In today’s Patch Tuesday release by Microsoft, we see two vulnerabilities listed as ‘exploited in the wild.’ One is a Windows Storage Elevation of Privilege Vulnerability, given the Common Vulnerabilities and Exposure ID number CVE-2025-21391. With a CVSS score of 7.1, the CVSS metrics outline that this vulnerability doesn't affect confidentiality, so no sensitive data can be accessed. However, it can severely affect data integrity and availability. The impact of this vulnerability is classified as an Escalation of Privilege, indicating that the successful exploitation could allow an attacker to assume higher privileges on the compromised system. However, Microsoft has outlined that if the attacker successfully exploited this vulnerability, they could only delete targeted files on a system. Microsoft has released patches to mitigate this vulnerability. It's recommended for administrators to apply these immediately. CVE-2025-21376 - 8.1 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability LDAP (Lightweight Directory Access Protocol) is a critical component of Windows environments, serving as the backbone for authentication, directory services, and centralized identity management. A recently disclosed critical vulnerability in Microsoft’s LDAP implementation poses a severe risk, allowing remote code execution due to a combination of race conditions, integer underflow, and heap-based buffer overflows. Exploiting this flaw requires an attacker to chain these exploits together by sending specially crafted requests to a vulnerable LDAP server, potentially gaining full control over the system. A compromise could lead to lateral movement, privilege escalation, and widespread network breaches because LDAP is integral to Active Directory, which underpins authentication and access control in enterprise environments. This vulnerability follows a history of LDAP-related exploits, such as privilege escalation flaws and buffer overflow attacks, reinforcing the importance of securing directory services. Organizations must prioritize patching and hardening LDAP configurations to mitigate exploitation risks and protect their Windows infrastructure from potential attacks. This vulnerability represents a serious security risk to systems running vulnerable Microsoft LDAP servers. Due to its high value, attackers will spend more time creating an exploit for this vulnerability, which is an echoed theory by Microsoft, as it has been stated that this vulnerability is more likely to be exploited. Administrators are strongly urged to promptly apply the available security patches and implement recommended mitigation steps to protect against exploitation. CVE-2025-21379 - 7.1 - DHCP Client Service Remote Code Execution Vulnerability The DHCP Client Service is a crucial component in Windows environments, responsible for dynamically assigning IP addresses and network configurations to devices. A newly identified critical vulnerability in this service allows for remote code execution due to a Use After Free flaw, which can lead to memory corruption and arbitrary code execution. While the attack complexity is high, exploitation requires the attacker to position themselves in the network path between the target and its requested resource, executing a machine-in-the-middle (MITM) attack to intercept or manipulate DHCP responses. Additionally, the attack vector is classified as adjacent, meaning the attacker must be on the same local network segment, such as a shared Wi-Fi or Ethernet switch, making remote exploitation over a WAN infeasible. While this brings the criticality of the vulnerability down, it is still feasible for attackers to want to put this in their attacker's toolkit, and given DHCP’s fundamental role in network connectivity, a successful attack could compromise endpoint security, facilitate lateral movement, and enable further network exploitation. This vulnerability underscores the importance of securing DHCP communications through network segmentation, encryption, and prompt patching to mitigate potential threats. CVE-2025-21381 - 7.8 - Microsoft Excel Remote Code Execution Vulnerability Microsoft Excel is a widely used productivity tool in enterprise environments, making vulnerabilities within it highly valuable for attackers, especially for phishing and malware distribution. A newly disclosed critical vulnerability, CVE-2025-21381, allows for remote code execution due to an Untrusted Pointer Dereference flaw. This flaw occurs when a program accesses a memory location using a pointer that has not been properly validated and can be attacker-controlled. It can lead to memory corruption and arbitrary code execution when processing maliciously crafted Excel files. Exploiting this vulnerability would enable an attacker to execute malicious code on a victim’s system simply by convincing them to open a compromised document. This method is often used in spear-phishing campaigns and malware distribution, such as Emotet and Dridex. Excel vulnerabilities are particularly dangerous because Excel macros and embedded scripts have historically been a significant attack vector for APT groups, ransomware operators, and financial fraud campaigns, often bypassing traditional security defenses. Given its widespread use in corporate environments, this vulnerability highlights the ongoing risk posed by weaponized office documents, reinforcing the need for patching, disabling macros by default, and implementing advanced email filtering to prevent exploitation.
