Threat intelligence is one of the most critical weapons we can use in cyber defense. I often use Threat intelligence for enhancing my daily tasks in LIFARS such as incident response, threat hunting, forensics and malware analysis. And because the automation is the key for many tasks, I decided to design a new tool which helps us to speedup our processes. Our great R&D team then developed this tool and we recently released under Open Source MIT License as our gift to the community.

In my recent post about XMRig-based CoinMiners spread by Blue Mockingbird Group based mainly on Case Study by LIFARS I wrote about multi-stage attack performed by this threat actor. However, this case study doesn’t contain lot of IOCs (one reason could be to maintain privacy of the victims), and when I want to analyze these samples, first I have to find them somewhere. In this post I describe my process of searching for these samples using public services and how we can reconstruct the whole attack chain.