I published the following diary on isc.sans.org: “Malware Distributed via .slk Files“: Attackers are always trying to find new ways to infect computers by luring not only potential victims but also security controls like anti-virus products. Do you know what SYLK files are? SYmbolic LinK files (they use the .slk
I published the following diary on isc.sans.org: “Malicious Powershell Targeting UK Bank Customers”: I found a very interesting sample thanks to my hunting rules… It is a PowerShell script that was uploaded on VT for the first time on the 16th of May from UK. The current VT score is still
I published the following diary on isc.sans.org: “Nice Phishing Sample Delivering Trickbot“: Users have to deal with phishing for a very long time. Today, most of them remain dumb messages quickly redacted with a simple attached file and a message like “Click on me, it’s urgent!â€. Yesterday, I put my
I published the following diary on isc.sans.org: “Adding Persistence Via Scheduled Tasks“: Once a computer has been infected by a malware, one of the next steps to perform is to keep persistence. Usually, endpoints (workstations) are primary infection vectors due to the use made of it by people: they browse
The number of malicious documents generated every day keeps growing for a while. To produce this huge amount of files, the process must be automated. I found on Pastebin a Python script to generate malicious Office documents. Let’s have a look at it… [Read more]
I published the following diary on isc.sans.org: “Malicious Network Traffic From /bin/bash“: One of our readers from Germany sent me a malicious shell script captured by our honeypot running on his Raspberry. It’s a simple UNIX Bash script that performs a bunch of malicious tasks: Kills existing crypto miner processes
I published the following diary on isc.sans.org: “The real value of an IOC?“: When a new malware sample is analysed by a security researcher, details are usually posted online with details of the behaviour and, based on this, a list of IOCs or “Indicators of Compromise†is published. Those indicators
I published the following diary on isc.sans.org: “Webshell looking for interesting files“: Yesterday, I found on Pastebin a bunch of samples of a webshell that integrates an interesting feature: It provides a console mode that you can use to execute commands on the victim host. The look and feel of the
I published the following diary on isc.sans.org: “A Suspicious Use of certutil.exe“: The Microsoft operating system is full of command line tools that help to perform administrative tasks. Some can be easily installed, like the SysInternal suite[1] and psexec.exe, others are builtin in Windows and available to everybody. The presence of
I published the following diary on isc.sans.org: “How are Your Vulnerabilities?“: Scanning assets for known vulnerabilities is a mandatory process in many organisations. This topic comes in the third position of the CIS Top-20. The major issue with a vulnerability scanning process is not on the technical side but more
