[SANS ISC] Powershell Dropping a REvil Ransomware

I published the following diary on isc.sans.edu: “Powershell Dropping a REvil Ransomware“: I spotted a piece of Powershell code that deserved some investigations because it makes use of RunSpaces. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59!. The technique behind RunSpaces is helpful to create new threads on the existing Powershell

[SANS ISC] Malicious Word Document Delivering an Octopus Backdoor

I published the following diary on isc.sans.edu: “Malicious Word Document Delivering an Octopus Backdoor“: Here is an interesting malicious Word document that I spotted yesterday. This time, it does not contain a macro but two embedded objects that the victim must “activate” (click on one of them) to perform the malicious activities.

[SANS ISC] PowerShell Dropper Delivering Formbook

I published the following diary on isc.sans.edu: “PowerShell Dropper Delivering Formbook“: Here is an interesting PowerShell dropper that is nicely obfuscated and has anti-VM detection. I spotted this file yesterday, called ‘ad.jpg’ (SHA256:b243e807ed22359a3940ab16539ba59910714f051034a8a155cc2aff28a85088). Of course, it’s not a picture but a huge text file with Base64-encoded data. The VT score is therefore

[SANS ISC] Old Worm But New Obfuscation Technique

I published the following diary on isc.sans.edu: “Old Worm But New Obfuscation Technique“: Yesterday I found an interesting JavaSvript script delivered through a regular phishing campaign (SHA256:70c0b9d1c88f082bad6ae01fef653da6266d0693b24e08dcb04156a629dd6f81) and has a VT score of 17/61. The script obfuscation is simple but effective: the malicious code is decoded and passed to an eval()

1 8 9 10 11 12 36