Thursday, 16 April 2015

Example Threat: Hellsing

Kaspersky recently released an article, "The Chronicles of the Hellsing APT: the Empire Strikes Back", detailing the activities of groups they refer to as Naikon and Hellsing.

Below is a link to browse through some of the Hellsing artefacts on ThreatCrowd:

Tuesday, 14 April 2015

Investigating threats with ThreatCrowd - Tutorial

This post is a brief tutorial showing how to use ThreatCrowd to quickly find and pivot on threats, and how it can fit in with other tools.

Let's look at some spearphishes
This table lists some of the malware in ThreatCrowd with a .doc or .pdf extension.

These serve as a good place to start looking for interesting themes.

Let's take a look at the potentially interesting-sounding file "Secret nuclear reactor deal for Pakistan.doc" at

This refers us to the sandbox report. This is worth viewing for the detail: ThreatCrowd is designed to find related entities quickly, like a search engine, and lacks the detailed information that is found on sites like

Here I've right-clicked on the domain "alerymymail[.]com" to pivot. I could also zoom in by scrolling with the mouse.

The page for the domain looks like this:

At this point we could pivot through on domains, IP addresses, malware detections and WHOIS data.
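The pivoting described above is a graph walk: start from one indicator, collect the entities ThreatCrowd relates to it, and expand from those in turn. The script below is an added example, not code from ThreatCrowd or from this post; it works entirely offline over a constructed set of report dictionaries (the entity names, IPs and hashes are made up, and the dictionary layout only loosely imitates a domain/IP/email report) and shows two practical controls a practitioner wants when pivoting by hand or by script: a depth limit, and a fan-out cap so that shared infrastructure such as a hosting IP with dozens of unrelated domains does not flood the result set.

```python
"""Depth-limited pivoting over ThreatCrowd-style relationship data (added example).

The SAMPLE_REPORTS below are constructed for this demo. Their shape
(domain -> resolutions/hashes/emails, ip -> resolutions/hashes,
email -> domains) is an assumption made for illustration, not the
service's actual response format.
"""
from collections import deque

# Constructed sample data, keyed by (entity_type, value). Hashes are dummies.
SAMPLE_REPORTS = {
    ("domain", "alerymymail.com"): {
        "resolutions": [{"ip_address": "198.51.100.23"}],
        "hashes": ["a" * 32],
        "emails": ["registrant@example.invalid"],
    },
    ("ip", "198.51.100.23"): {
        "resolutions": [{"domain": "alerymymail.com"}, {"domain": "update-mail.example"}],
        "hashes": ["a" * 32, "b" * 32],
    },
    ("email", "registrant@example.invalid"): {
        "domains": ["alerymymail.com", "news-portal.example"],
    },
    ("domain", "update-mail.example"): {
        "resolutions": [{"ip_address": "198.51.100.23"}],
        "hashes": ["b" * 32],
        "emails": [],
    },
    ("domain", "news-portal.example"): {
        "resolutions": [{"ip_address": "203.0.113.9"}],
        "hashes": [],
        "emails": ["registrant@example.invalid"],
    },
    # A shared hosting IP: fifty unrelated domains resolve to it, so expanding
    # through it would drag noise into the investigation.
    ("ip", "203.0.113.9"): {
        "resolutions": [{"domain": "site%d.example" % i} for i in range(50)],
        "hashes": [],
    },
}


def refang(ioc):
    """Turn a defanged indicator such as alerymymail[.]com back into a lookup key."""
    return ioc.replace("[.]", ".")


def defang(ioc):
    """Defang an indicator for safe display in reports and tickets."""
    return ioc.replace(".", "[.]")


def neighbours(entity, reports):
    """Return the (type, value) entities a single report links to."""
    etype, value = entity
    report = reports.get(entity, {})
    out = []
    if etype == "domain":
        out += [("ip", r["ip_address"]) for r in report.get("resolutions", [])]
        out += [("hash", h) for h in report.get("hashes", [])]
        out += [("email", e) for e in report.get("emails", [])]
    elif etype == "ip":
        out += [("domain", r["domain"]) for r in report.get("resolutions", [])]
        out += [("hash", h) for h in report.get("hashes", [])]
    elif etype == "email":
        out += [("domain", d) for d in report.get("domains", [])]
    # Hashes are leaf nodes here; a real workflow would look them up separately.
    return out


def pivot(seed_type, seed_value, reports, max_depth=2, max_fanout=20):
    """Breadth-first pivot from a seed indicator.

    Returns (nodes, edges): nodes maps each discovered entity to the depth at
    which it was first reached; edges lists every relationship followed.
    Nodes with more than max_fanout neighbours are recorded but not expanded.
    """
    seed = (seed_type, refang(seed_value))
    nodes = {seed: 0}
    edges = []
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        depth = nodes[node]
        if depth >= max_depth:
            continue
        nbrs = neighbours(node, reports)
        if len(nbrs) > max_fanout:
            continue  # too noisy to expand (shared hosting, sinkholes, CDNs)
        for nbr in nbrs:
            edges.append((node, nbr))
            if nbr not in nodes:
                nodes[nbr] = depth + 1
                queue.append(nbr)
    return nodes, edges


def summarise(nodes):
    """Group discovered entities by type, defanged, sorted for stable output."""
    grouped = {}
    for (etype, value), depth in nodes.items():
        shown = defang(value) if etype in ("domain", "ip") else value
        grouped.setdefault(etype, []).append((depth, shown))
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    found, links = pivot("domain", "alerymymail[.]com", SAMPLE_REPORTS, max_depth=4)
    for etype, items in summarise(found).items():
        print(etype)
        for depth, shown in items:
            print("  depth %d  %s" % (depth, shown))
    print("%d entities, %d relationships followed" % (len(found), len(links)))
```

With the default fan-out cap the walk reaches the shared IP but stops there, so the fifty unrelated domains never enter the result set; raising the cap pulls them all in, which is the kind of noise that makes a hand-drawn pivot graph unreadable.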

Further Tools
Sites such as PassiveTotal and VirusTotal can be used to identify further information.
Tools such as Maltego can be used to build graphs of this activity; ThreatCrowd will only allow you to view it.