Channel: Some stuff about security..

Malicious email campaign mimicking Swiss Financial Institutions: Retefe again.

Yesterday, while I was investigating something else, I ended up with some malicious email impersonating a Swiss bank. The email, with the subject "Von Ihrem Konto ist 78 Franken abgebucht", contains a...


Malicious email campaign mimicking Swiss Financial Institutions: Retefe again...

A few days ago, when I took a look at the latest Retefe campaign affecting Swiss financial institutions, I did not have the time to take a deeper look at the malicious JS embedded in the .docx file. So...


Malicious email campaign mimicking Swiss Financial Institutions: Retefe again...

Following the last two posts, this is a quick update, as I have detected that some new Swiss banks have been added to the list of victims of Retefe (since the last time I checked, some weeks ago). These are:...


Hunting malicious behaviour abusing PowerShell with Sysmon and Splunk

Sysmon is a monitoring tool which, combined with Splunk, makes an excellent tandem for threat hunting. A good example was presented by Tom Ueltschi at Botconf 2016. Windows PowerShell is a command shell...


Detecting Mimikatz launched by PowerShell

Following my last post about how to hunt for malicious PowerShell commands, I'm interested in detecting Mimikatz once it is launched through PowerShell, for example with the PowerShellEmpire framework...


Hunting Retefe with Splunk - some interesting points

While I was creating some Splunk use cases to detect malware (together with Sysmon), I was doing some tests with the Retefe malware, which I have written quite a bit about in this blog. There are a couple of...


Retefe hitting MacOSX - Some interesting points

A few weeks ago Checkpoint posted about a piece of malware on Mac OS X, OSX/Dok, which is the version of Retefe ported to Mac OS. Most of the technical aspects of this specimen's behaviour are described in the blog...


Malspam campaign exploiting CVE-2017-0199: a hunting approach

In the last few days I have seen a few malspam emails with RTF files attached. The content of the mails is a fake shipping order with a ZIP attachment containing the malicious RTF file. An example of this...


Analysis of a malicious DOC used by Turla APT group; hunting persistence via...

Yesterday, John Lambert (@JohnLaTwC), from the Microsoft Threat Intelligence Center, tweeted about a malicious document used by the Turla APT group. The malicious document had been in VT for a few hours...


Hunting FIN7 malicious documents

A few days ago I read an interesting post about a new technique that FIN7 threat actors are using to deliver malicious payloads in RTF and DOC files. The detection ratio was, in the best case, only...


Hunting APT28 CVE-2017-11292 Flash Vulnerability

Proofpoint made public a couple of days ago that APT28 is using the latest Flash 0-day, CVE-2017-11292, via some malicious weaponized DOC files: APT28 racing to exploit CVE-2017-11292 Flash vulnerability...


Detecting Adwind malware weaponized in MS Office documents

On a daily basis I see a lot of Adwind malware trying to infect end users. Adwind is a multiplatform Remote Access Trojan (RAT) which has been in the wild for some time. In this Kaspersky blog post there is a...


Hunting for Microsoft Equation Vulnerability - CVE-2017-11882

Since Microsoft released the November patches last week, in which CVE-2017-11882 was addressed, I've been trying to get a sample in order to perform some checks for the vulnerability. Today, thanks to Corsin...


Qrypter Java RAT using Tor

Since the 16th of December, almost on a daily basis, I've been seeing a particular family of Java Remote Access Trojan using Tor. The samples I took a look at are rarely detected by...


Analysis of Adwind embedded in a MS-DOS file

A few days ago there was a malspam campaign mimicking a bank and delivering a PDF file and some DOC files exploiting CVE-2017-11882. The PDF file contains several images and two interesting URLs. The...


Inside Qarallax / Adwind / Qrypter leading to Tesla / HawkEye (part 1)

A few months ago I wrote about a Java RAT named QRypter (aka QRat or Qarallax), which is basically Adwind with some layers of obfuscation. The post is here. Usually, this RAT is used as the first stage of...


qthelegend: the new Qrypter for Adwind

Since last December, when I blogged for the first time about Qrypter, I've been tracking Adwind malware using this service. @abuse.ch wrote a very interesting post about the providers hosting the C2...


Gozi malspam campaign mimicking Swisscom on 30th July 2018

A few days ago GovCERT.ch informed via Twitter about a malspam campaign mimicking Swisscom invoices. The malware delivered in the last stage was Gozi / Ursnif. But let's analyse a bit this...


Hunting malware in memory. A Gozi case.

Some of the actors using Gozi / Ursnif take advantage of compromised emails (BEC) to deliver weaponised Microsoft Office documents. This is not new at all; however, in the last week I've seen an...


Knowing your adversaries and their TTPs. The Gozi case

Gozi (aka Ursnif), like many other financial malware families, is used by several different actors operating worldwide. On a daily basis I see Gozi campaigns trying to infect users; however, each campaign has...


Fudcrypt: the service to crypt Java RAT through VBS scripts and Houdini malware

The existence of services to encrypt and obfuscate malware in order to avoid antivirus detection is nothing new at all. In this blog I have written about a couple of such services, qthelegend and qrypter, that...


Unknowncrypter, the crypter twin of Fudcrypt: another Crypter-as-a-Service...

Last week I wrote about a Crypter-as-a-Service named Fudcrypt, which obfuscates Java RATs in VBS scripts. However, this is not the only service being used by threat actors to deliver encrypted Java...


WSH RAT and the link to Unknowncrypter and Fudcrypt

There are plenty of malspam campaigns using the code "MT103" from SWIFT to claim some kind of payment. However, recently there was one in particular using some...


WSH RAT - Analysis of the code

Analysis of the code - capabilities of WSH RAT. In the previous post I wrote about the link between WSH RAT and some other crypter services, so in this post I'm going to dig a bit into the analysis of the...


Fudcrypt using H-Worm from WSH RAT

The Fudcrypt builder, like the WSH RAT builder, uses HWorm. The latest version of the builder, from the 24th of September, provides some interesting insight: in the case of Fudcrypt, compared with WSH RAT, the HWorm...
