I published the following diary on isc.sans.edu: “Crypto Mining in a Windows Headless Browser“: Crypto miners in the browser are not new. Delivery through malicious or compromised piece of javascript code is common these days (see my previous diary about this topic). This time, it’s another way to deliver the
Category: SANS Internet Storm Center
[SANS ISC] Malicious PowerShell Compiling C# Code on the Fly
I published the following diary on isc.sans.edu: “Malicious PowerShell Compiling C# Code on the Fly“: What I like when hunting is to discover how attackers are creative to find new ways to infect their victim’s computers. I came across a Powershell sample that looked new and interesting to me. First,
[SANS ISC] Crypto Mining Is More Popular Than Ever!
I published the following diary on isc.sans.edu: “Crypto Mining Is More Popular Than Ever!“: We already wrote some diaries about crypto miners and they remain more popular than ever. Based on my daily hunting statistics, we can see that malicious scripts performing crypto mining operations remain on top of the
[SANS ISC] 3D Printers in The Wild, What Can Go Wrong?
I published the following diary on isc.sans.edu: “3D Printers in The Wild, What Can Go Wrong?“: Richard wrote a quick diary yesterday about an interesting information that we received from one of our readers. It’s about a huge amount of OctoPrint interfaces that are publicly facing the Internet. Octoprint is
[SANS ISC] Microsoft Publisher Files Delivering Malware
I published the following diary on isc.sans.org: “Microsoft Publisher Files Delivering Malware“: Attackers are always searching for new ways to deliver malicious content to their victims. A few days ago, Microsoft Publisher malicious files were spotted by security researchers[1]. Publisher is a low-level desktop publishing application offered by Microsoft in
[SANS ISC] Simple Phishing Through formcrafts.com
I published the following diary on isc.sans.org: “Simple Phishing Through formcrafts.com“: For a long time, moving services to the cloud has been a major trend. Many organizations jumped into the cloud because it’s much easier and cost less money (in terms of maintenance, licence, electricity, etc). If so, why should bad
[SANS ISC] Malicious DLL Loaded Through AutoIT
I published the following diary on isc.sans.org: “Malicious DLL Loaded Through AutoIT“: Here is an interesting sample that I found while hunting. It started with the following URL: hxxp://200[.]98[.]170[.]29/uiferuisdfj/W5UsPk.php?Q8T3=OQlLg3rUFVE740gn1T3LjoPCQKxAL1i6WoY34y2o73Ap3C80lvTr9FM5 The value of the parameter (‘OQlLg3rUFVE740gn1T3LjoPCQKxAL1i6WoY34y2o73Ap3C80lvTr9FM5’) is used as the key to decode the first stage. If you don’t specify it,
[SANS ISC] Truncating Payloads and Anonymizing PCAP files
I published the following diary on isc.sans.org: “Truncating Payloads and Anonymizing PCAP files“: Sometimes, you may need to provide PCAP files to third-party organizations like a vendor support team to investigate a problem with your network. I was looking for a small tool to anonymize network traffic but also to
[SANS ISC] Exploiting the Power of Curl
I published the following diary on isc.sans.org: “Exploiting the Power of Curl“: Didier explained in a recent diary that it is possible to analyze malicious documents with standard Linux tools. I’m using Linux for more than 20 years and, regularly, I find new commands or new switches that help me
[SANS ISC] Windows Batch File Deobfuscation
I published the following diary on isc.sans.org: “Windows Batch File Deobfuscation“: Last Thursday, Brad published a diary about a new ongoing campaign delivering the Emotet malware. I found another sample that looked the same. My sample was called ‘Order-42167322776.doc’ (SHA256:4d600ae3bbdc846727c2922485f9f7ec548a3dd031fc206dbb49bd91536a56e3 and looked the same as the one analyzed Brad. The