I published the following diary on isc.sans.edu: “Credentials Leaks on VirusTotal“: A few weeks ago, researchers published some information about stolen credentials that were posted on Virustotal. I’m keeping an eye on VT for my customers and searching for data related to them. For example, I looking for their domain name(s)
Category: SANS Internet Storm Center
[SANS ISC] Infostealer in a Batch File
I published the following diary on isc.sans.edu: “Infostealer in a Batch File“: It’s pretty common to see malicious content delivered as email attachments. Every day, my mailboxes are flooded with malicious content… which is great from a research point of view. Am I the only one to be happy when I see
[SANS ISC] Ukraine & Russia Situation From a Domain Names Perspective
I published the following diary on isc.sans.edu: “Ukraine & Russia Situation From a Domain Names Perspective“: For a few days, the eyes of the world are on the situation between Russia and Ukraine. Today, operations are also organized in the “cyber” dimension (besides the classic ones – land, air, sea,
[SANS ISC] A Good Old Equation Editor Vulnerability Delivering Malware
I published the following diary on isc.sans.edu: “A Good Old Equation Editor Vulnerability Delivering Malware“: Here is another sample demonstrating how attackers still rely on good old vulnerabilities… In 2017, Microsoft Office suffered from a critical vulnerability that affected its Equation Editor tool, known as CVE-2017-11882. It’s a memory corruption
[SANS ISC] Remcos RAT Delivered Through Double Compressed Archive
I published the following diary on isc.sans.edu: “Remcos RAT Delivered Through Double Compressed Archive“: One of our readers shared an interesting sample received via email. Like him, if you get access to interesting/suspicious data, please share it with us (if you’re authorized of course). We are always looking for fresh
[SANS ISC] Who Are Those Bots?
I published the following diary on isc.sans.edu: “Who Are Those Bots?“: I’m operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on
[SANS ISC] CinaRAT Delivered Through HTML ID Attributes
I published the following diary on isc.sans.edu: “CinaRAT Delivered Through HTML ID Attributes“: A few days ago, I wrote a diary about a malicious ISO file being dropped via a simple HTML file. I found another sample that again drops a malicious ISO file but this time, it is much
[SANS ISC] Obscure Wininet.dll Feature?
I published the following diary on isc.sans.edu: “Obscure Wininet.dll Feature?“: The Internet Storm Center relies on a group of Handlers who are volunteers and offer some free time to the community besides our daily job. Sometimes, we share information between us about an incident or a problem that we are facing and
[SANS ISC] RedLine Stealer Delivered Through FTP
I published the following diary on isc.sans.edu: “RedLine Stealer Delivered Through FTP“: Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection is a common attacker’s technique these days (for a long time already). The difference, in this case, is that
[SANS ISC] Custom Python RAT Builder
I published the following diary on isc.sans.edu: “Custom Python RAT Builder“: This week I already wrote a diary about “code reuse” in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. When you received a malicious Word documents, it has not been