L'Espion (OSINT)

https://cyberdefenders.org/labs/73

You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker’s identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider.

Investigate the incident, find the insider, and uncover the attack actions.

The Github.txt file links to a user page: https://github.com/EMarseille99

The first thing I’ll do is take a look around. If they have a large number of repos with a large number of files, I might have to download it all and do some searching, or try some automated tools. But maybe I’ll get lucky.

And I do. Top repo, top file:

/img/cyberdefenders-lespion-00.png

aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

This isn’t much harder. Search for pass, and the same file gives:

/img/cyberdefenders-lespion-01.png

CyberChef can handle the rest.

PicassoBaguette99

Not login related, so it doesn’t look to be the same file. What other repos does the user have?

/img/cyberdefenders-lespion-02.png

One of the most popular pieces of malware out there right now!

xmrig

The first thing I did is start Googling.

/img/cyberdefenders-lespion-03.png

First, the GitHub username, EMarseille99, but it returned nothing useful. The password found above is no better. The email gives nothing either, nor does the company/job. I tried some other search engines but they were no better.

I next tried a username search tool, https://namechk.com/, which checks dozens of websites for that username. Nothing.

Next the GitHub profile image. exiftool provides nothing useful either! Google reverse image gives:

/img/cyberdefenders-lespion-04.png

O…kay. And TinEye gives a load of stock images.

The first hint suggested LinkedIn. This took me a while, but a combination of the job title (although written differently) and the surname (which apparently is not a pseudonym) gave me the answer.

/img/cyberdefenders-lespion-05.png

Sorbonne

The name checking website above gave us this one. We know it’s right as it uses the same photo.

Also, her LinkedIn profile mentions it.

Also, the QR code on her Instagram (below) takes you to her page.

Steam

Same format as GitHub, and searching the full name provided by LinkedIn also returns the same.

/img/cyberdefenders-lespion-06.png

https://www.instagram.com/emarseille99/

Insta tells all.

/img/cyberdefenders-lespion-07.png

I know where this is, but if you don’t, I’m sure you can Google “ship on top of building” or something.

Singapore

Good old Insta.

/img/cyberdefenders-lespion-08.png

Reverse image searches (Google, TinEye) give nothing.

That flag looks Arabic (as does the architecture), but I’m not sure which (I did memorise them all once, but I’ve forgotten them now). I was going to look through images of all the world flags myself, but then I thought, I’m sure there’s a tool for that! And I found http://www.flag-finder.com. Play the game and it turns out it’s the flag of the UAE (United Arab Emirates).

Now, the question wants the city, not the country. We know it’s five letters and begins with D, but even without that, the population of the UAE is 10 million, and 1/3 of those live in Dubai, so that wouldn’t be a bad guess.

Dubai

Easy one again. Look at the photo, Google a few of the places on the street sign.

Birmingham

It looks to me like a US college, so that limits it to over… 5000.

/img/cyberdefenders-lespion-09.png

My first thought was to do a reverse image search to see if there were any similar images.

Google seems to try to determine what the image is and generally return images matching that (in this case, cityscape and urban area). Not very useful.

TinEye is much better as it tries to find the exact image. Searching the whole image returned one result but with no info. So, I cropped the image to remove the border and it returned one other result:

/img/cyberdefenders-lespion-010.png

Indiana

Feel free to comment on my LinkedIn post