Channel: Some stuff about security..
Browsing all 65 articles

Mazar BOT: When malware authors do not hide their intentions

Two days ago I read a news item about some Android malware which was written to avoid infecting devices which are set up with the Russian language. The news item is here:...

System, Memory and Network Forensic Analysis with Log2timeline and Splunk

In order to understand an intrusion chain, sometimes it is necessary to deal with a lot of information from different sources at the same time. This can be a really challenging process. One of the key...

System, Memory and Network Forensic Analysis with Log2timeline and Splunk...

In my last post, "System, Memory and Network Forensic Analysis with Log2timeline and Splunk" I explained the steps to create a supertimeline from a system timeline, memory timeline and network traffic....

Acecard Mobile Trojan: its root exploits and its debugging messages

A few days ago Kaspersky wrote in its blog about the evolution of a banking trojan for Android named Acecard (https://blog.kaspersky.com/acecard-android-trojan/11368/). As per the Kaspersky news it seems that...

Hunting Exploit Kits Abusing Domain Generator Algorithm

Exploit Kits (EK) are not something new at all. This set of malicious tools is being investigated intensively by many security researchers at the moment because Threat Actors are using them...

Triada malware: hitting the Android core system (part I)

Kaspersky announced that its researchers have found the most sophisticated Android malware, which can be compared to Windows malware in terms of complexity. In a post from SecureList there is already...

Triada malware: hitting the Android core system (part II)

Following my previous post I took a look at another sample from this same malware family. This second sample was reported the same day I performed the analysis and it has quite significant...

Petya Ransomware: Threat Actors ready since December 2015

A few days ago TrendMicro made public in its blog that they found a new family of Crypto-Ransomware which is able to overwrite the MBR. This means that the system can't boot normally until the MBR is...

Solution to Google CTF Mobile Challenge III Intentions

I do not usually play CTF challenges, but they are indeed a very good way to challenge your skills and learn a lot. A few days ago there was the Google Capture The Flag Challenge. I did not...

Locky campaign hitting hard - same threat actors as Dridex

Locky is a Ransomware which became active a few months ago. The threat actors behind this malware seem to be the same as Dridex (1 and 2). On the 12th of May there was a huge campaign of Locky hitting...

Dridex campaign on the 23rd and 24th of May - using fake PKCS#12 files

Dridex has been very active in the last 2 days. I have seen more than 40k emails sent during a time window of 36 hours and I have identified around 300 different samples. The sample sizes are between...

Malicious Excel documents with macros running shellcodes

Some weeks ago I got a very interesting MS Office Excel document. The file has also been in VT for a couple of weeks and it has a very low detection rate. The document is blank and it requires you to enable...

Neutrino EK and the abuse of .TOP domains ramping up

A few days ago there were several news items that some threat actors were switching from Angler EK to Neutrino EK. The blog "Malware don't need Coffee" made public some analysis about the dropping of Angler....

Cyber Criminal Campaign in Switzerland using Spam SMS

Swiss CERT (GovCERT.ch) informed yesterday about a new cyber criminal campaign against Android users in Switzerland. This campaign is part of a larger cybercrime operation already identified by...

SPAM / SCAM campaign to steal Credit Card Details (I)

In the last weeks I have looked at several SPAM / SCAM campaigns targeting end users and businesses. In some cases the intention was to fool the users to steal their credit card details, but it was not...

Threat Intelligence Feeds Part I. - Using Security Onion and Snort

Currently there are many companies offering Threat Intelligence feeds which can be integrated easily in SIEM platforms like Splunk, ArcSight or similar. Some of these companies use Open Source Intelligence...

Threat Intelligence Feeds Part II - Bro, SecurityOnion and CriticalStack

In my previous post Threat Intelligence Feeds Part I. - Using Security Onion and Snort I described the process to use OSINT IP indicators to detect malicious traffic as part of an Incident Response,...

Anatomy of a Real Linux Intrusion Part I: Running a MiTM SSH honeypot

During the coming 4 or 5 posts I'm going to write about some interesting Linux attacks and intrusions I've been recently investigating. I will share some of the tools I've analysed, including several...

Anatomy of a Real Linux Intrusion Part II: OpenSSH trojanized toolkit

In my previous post I introduced my current Honeypots setup with Raspberry Pi 3 running HonSSH and performing SSH MiTM. There are a lot of attacks against the honeypots: SSH scans, user and password...

Anatomy of a Real Linux Intrusion Part II (B): OpenSSH trojanized toolkit -...

This is a short post to add some additional information to my previous post. The default backdoor password that I analysed from the trojanized OpenSSH source code (PRtestD) is different depending on the OS...
