Listen to this Post
[D25] Dissecting the Cicada – In the shadow of the Black Cat – Nicklas Keijser and Mattias Wåhlén
youtube.com
You Should Know:
This article dives into the process of analyzing the Cicada 3301 ransomware-as-a-service group, combining threat intelligence, reverse engineering, and OSINT (Open-Source Intelligence) techniques. Below are some practical steps, commands, and tools you can use to perform similar analyses:
1. Threat Intelligence Gathering
- Use tools like `Maltego` or `SpiderFoot` to map out threat actor infrastructure.
- Command to install SpiderFoot:
pip install spiderfoot
- Run SpiderFoot:
spiderfoot -l 127.0.0.1:5001
2. Reverse Engineering
- Use `Ghidra` or `IDA Pro` for reverse engineering malware samples.
- Command to install Ghidra:
sudo apt update && sudo apt install ghidra
- Analyze a binary file:
ghidraRun
3. OSINT Techniques
- Use `theHarvester` to gather email addresses, subdomains, and more:
theHarvester -d example.com -b all
- Install
theHarvester:sudo apt install theharvester
4. Ransomware Analysis
- Use `Cuckoo Sandbox` to analyze ransomware behavior:
cuckoo submit /path/to/ransomware.exe
- Install Cuckoo Sandbox:
sudo apt install cuckoo
5. Network Analysis
- Use `Wireshark` to capture and analyze network traffic:
sudo wireshark
- Filter for suspicious IPs:
ip.addr == <suspicious_ip>
6. YARA Rules for Detection
- Create YARA rules to detect Cicada 3301 ransomware:
rule Cicada_3301 { meta: description = "Detects Cicada 3301 ransomware" strings: $str1 = "Cicada 3301" $str2 = "BlackCat" condition: $str1 and $str2 } - Scan a file with YARA:
yara rule.yar suspicious_file.exe
What Undercode Say:
The analysis of Cicada 3301 ransomware highlights the importance of combining multiple techniques like threat intelligence, reverse engineering, and OSINT to understand advanced threat actors. By leveraging tools like Ghidra, SpiderFoot, and YARA, cybersecurity professionals can dissect and mitigate such threats effectively. Always stay updated with the latest threat intelligence feeds and practice these techniques in controlled environments to enhance your skills.
For further reading, check out:
References:
Reported By: Nicklas Keijser – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



