Incident response case study featuring Ryuk and Trickbot (part 2)

This is part 2 of our recent incident response case study of a Trickbot infection.

Initial compromise

Right after tricking a user into running the malicious Office macro on their machine, thus gaining code execution, the first-stage Trickbot executable is downloaded and executed. The first-stage payload is responsible for three things. First, Trickbot tries to disable Windows Defender by running these commands:

    cmd.exe /c sc stop WinDefend
    cmd.exe /c sc delete WinDefend
    cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

The next step is to unpack itself into every user's AppData/Roaming directory under a less-than-suspicious folder name (such as WinDefrag, WinSocket, GPUDriver, msnet, etc.). Last, but not least, it creates persistence. As we have already mentioned in the first part of this series, Trickbot does not need advanced persistence mechanisms; creating a scheduled task, installing a service or even a simple Run registry entry is sufficien…
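As an added example (not code from the original post or from the Trickbot analysis itself), the following Python detector runs over constructed, Sysmon-style process-creation lines and flags the three behaviours described above: the Defender service tampering commands, the real-time-monitoring disable via Set-MpPreference, and executables launched from the AppData\Roaming folder names mentioned. The "parent | image | command line" log format, the rule names and the severities are assumptions made for this example; the sample events are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events, simplified from Sysmon Event ID 1 (process creation)
# to "parent_image | image | command_line". Assumed format; the lines are made up.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe | sc stop WinDefend",
    r"C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe | sc delete WinDefend",
    r"C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    r"C:\Windows\explorer.exe | C:\Users\alice\AppData\Roaming\WinDefrag\winDefrag.exe | winDefrag.exe",
    r"C:\Windows\explorer.exe | C:\Users\alice\AppData\Roaming\Updater\upd.exe | upd.exe",
    r"C:\Windows\explorer.exe | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | WINWORD.EXE /n invoice.docm",
    r"C:\Windows\System32\services.exe | C:\Windows\System32\svchost.exe | svchost.exe -k netsvcs",
]


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    severity: str
    event: Event


def parse_event(line: str) -> Event:
    """Split one 'parent | image | command_line' line into an Event."""
    parent, image, cmdline = (part.strip() for part in line.split("|", 2))
    return Event(parent, image, cmdline)


# "sc stop WinDefend" / "sc delete WinDefend", with or without a cmd.exe /c wrapper.
SC_TAMPER = re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+windefend\b", re.I)
# Set-MpPreference -DisableRealtimeMonitoring $true (or "true" without the sigil).
RTP_DISABLE = re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true\b", re.I)
# Executable under one of the folder names the post lists inside AppData\Roaming.
KNOWN_DIRS = re.compile(
    r"\\AppData\\Roaming\\(?:WinDefrag|WinSocket|GPUDriver|msnet)\\[^\\]+\.exe$", re.I
)
# Generalisation: any executable started from AppData\Roaming is worth a look.
ANY_ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\.*\.exe$", re.I)


def match_rules(ev: Event) -> List[Finding]:
    """Return every finding a single event triggers (an event may trigger several)."""
    findings: List[Finding] = []
    if SC_TAMPER.search(ev.cmdline):
        findings.append(Finding("DEFENDER_SERVICE_TAMPER", "high", ev))
    if RTP_DISABLE.search(ev.cmdline):
        findings.append(Finding("DEFENDER_RTP_DISABLE", "high", ev))
    if KNOWN_DIRS.search(ev.image):
        findings.append(Finding("ROAMING_KNOWN_FOLDER", "high", ev))
    elif ANY_ROAMING_EXE.search(ev.image):
        findings.append(Finding("ROAMING_EXECUTABLE", "medium", ev))
    return findings


def scan(lines) -> List[Finding]:
    """Run all rules over an iterable of log lines."""
    return [f for line in lines for f in match_rules(parse_event(line))]


def summarize(findings) -> Dict[str, int]:
    """Count findings per rule name, e.g. for a triage dashboard."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.event.image} :: {f.event.cmdline}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The two Defender rules match on the command line rather than the image, so they still fire when the commands are wrapped in cmd.exe /c, as in the post. The folder-name rule is deliberately narrow (the names the post observed), while the generic AppData\Roaming rule catches the same technique under a different folder name at a lower severity, which is why the two are chained with elif rather than reported twice.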

National Cyber Challenge

The 2019 Cyber 9/12 Student Challenge is a unique, worldwide tabletop exercise event that – for the 5th consecutive time – will be held in Switzerland in 2019. Its Hungarian “little brother”, the National Cyber Challenge (“Nemzeti Kiberverseny”), was launched in 2017 and gives students from any Hungarian-speaking area the opportunity to enter and play decision maker.

But what exactly is the National Cyber Challenge?

The students have been given different data snippets of an imaginary situation that includes several aspects of the decision makers’ fields – cyber, political and economic, but also the press. They have to decide what to take for granted, what to fact-check somehow and what to ignore – and based on these bits and pieces they have to come up with their own series of steps to contain, mitigate or solve the emerging crisis situation. This is the essence of a tabletop exercise; a fascinating idea – and what was even more fascinating was the way these young minds tackled the problems facing them. Thought-through solutions, brilliant ideas, confident presentation and witty but sophisticated answers to the jury’s questions – these were what it took to win, and from our outsider-ish point of view, it was a close one.

We at White Hat IT Security are fans of play pretend. We have to be – in order to build an effective and prepared blue team you have to teach them how to expect and handle worst-case scenarios. Adversary removal means you have to view the system as infiltrated – and imagine all the creative ways this could have happened and can be remedied. Basically, IT security is exactly what the cyber challenge is about: make up complex but realistic scenarios, twist the possibilities beyond what would and could “normally” happen – and then find a way of averting and mitigating these events.

This is one of the reasons why we had so much fun at the National Cyber Challenge of 2018, held on the 6th of November. This, and the fact that the organisers put their hearts and souls into it and created a vibrant yet comfortable atmosphere; the fact that the jury included top experts from several related fields; and of course, the fact that the students and young people participating were bright and curious and evidently enjoyed themselves.

The organising team had asked us to give a short presentation (thanks again, guys, it was an honour!), which we decided to do on the infamous NotPetya malware of 2017, as it is a perfect demonstration of how governmental and non-profit organisations and non-governmental, for-profit companies handled the incident and communicated with the victims, the media and the IT security industry. Though it was in the afternoon, right before the announcement of the winners, the audience was interactive and enquiring throughout our talk. It was tremendous fun being there and talking to these guys. Congratulations to the winning team, pw1234, for the great work, and we will definitely watch your performance in the 2019 Cyber 9/12 Student Challenge!

Hopefully we will see you next year at the Hungarian National Cyber Challenge of 2019, where you will tell us about your experiences and, hopefully, your victory – and we will be there to discuss another interesting topic with the next generation of players, or just to observe this amazing game of absolutely vital play pretend.