MBuchus Lab

In March 2024, the security team at a mid-sized investment advisory firm noticed a wave of support tickets from employees reporting system slowdowns and suspicious pop-ups after searching for financial recovery tools online. Internal traffic logs showed multiple connections to an unfamiliar domain, treasurybanks.org, shortly before endpoints began exhibiting abnormal behavior. Preliminary threat intelligence suggests this domain is part of a broader infrastructure serving malicious content under the guise of legitimate financial assistance. Your task is to investigate artifacts from one of the compromised endpoints to uncover the attack chain. Determine how the initial access was gained, what was downloaded,...