Discover and read the best of Twitter Threads about #RainDrop

Most recents (3)

***BIG NEWS***
We couldn’t be more delighted with this #RareDiseaseDay announcement of a new Rare Disease Clinical Trial Network, from @hrbireland. And we're very proud to be part of it.
Full press release 👉 bit.ly/3ssuejN
A thread 🧵 (1/6)...
Congratulations to Prof Rachel Crowley (@rachsail) & Prof Cormac McCarthy, of @UCDMedicine, for their drive to make a difference to the rare disease patients that they see in their clinics & people living with rare diseases all across the country.
#RareDiseaseDay (2/6)
Kudos to @hrbireland for getting behind their vision and for making such a big commitment to rare diseases, beyond their already significant commitments through the HRCI-HRB Joint Funding Scheme & other schemes.
@DonnellyStephen welcomed the announcement.
#RareDiseaseDay (3/6)
Read 7 tweets
#GoldMax (aka #SUNSHUTTLE) is a new and capable backdoor written in Go/Golang. It is typically used as a late-stage (e.g. 3+) backdoor brought into an environment using access enabled via #TEARDROP, #RainDrop and other related malware deployed by #NOBELIUM/UNC2452.
#GoldMax creates & maintains a config file (name unique to each implant). The config file is AES-256 encrypted (unique-to-each-implant key) & then Base64 encoded (custom alphabet, '=' replaced with null). A handy C2 command allows the operators to update certain config fields.
Read 17 tweets
As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on transition between Stage 1 and 2 of #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploit. artifacts, IOCs: microsoft.com/security/blog/…
Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
Read 21 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!