I published the following diary on isc.sans.edu: “Malware Dropping a Local Node.js Instance“: Yesterday, I wrote a diary about misused Microsoft tools[1]. I just found another interesting piece of code. This time the malware is using Node.js[2]. The malware is a JScript (SHA256:1007e49218a4c2b6f502e5255535a9efedda9c03a1016bc3ea93e3a7a9cf739c)… [Read more]
I published the following diary on isc.sans.edu: “Malware Samples Compiling Their Next Stage on Premise“: I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly directly on the victim’s computer. At
I published the following diary on isc.sans.edu: “Simple Mimikatz & RDPWrapper Dropper“: Let’s review a malware sample that I spotted a few days ago. I found it interesting because it’s not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started
I published the following diary on isc.sans.edu: “Interesting JavaScript Obfuscation Example“: Last Friday, one of our reader (thanks Mickael!) reported to us a phishing campaign based on a simple HTML page. He asked us how to properly extract the malicious code within the page. I did an analysis of the
I published the following diary on isc.sans.edu: “Behavioural Malware Analysis with Microsoft ASA“: When you need to quickly analyze a piece of malware (or just a suspicious program), your goal is to determine as quickly as possible what’s the impact. In many cases, we don’t have time to dive very
I published the following diary on isc.sans.edu: “From Phishing To Ransomware?“: On Friday, one of our readers reported a phishing attempt to us (thanks to him!). Usually, those emails are simply part of classic phishing waves and try to steal credentials from victims but, this time, it was not a
I published the following diary on isc.sans.edu: “Another Day, Another Suspicious UDF File“: In my last diary, I explained that I found a malcious UDF image used to deliver a piece of malware. After this, I created a YARA rule on VT to try to spot more UDF files in
I published the following diary on isc.sans.edu: “Malware Sample Delivered Through UDF Image“: I found an interesting phishing email which was delivered with a malicious attachment: an UDF image (.img). UDF means “Universal Disk Format†and, as said by Wikipedia], is an open vendor-neutral file system for computer data storage. It
I published the following diary on isc.sans.edu: “Simple Powershell Keyloggers are Back”: Powershell is a very nice language in Windows environments. With only a few lines of code, we can implement nice features… for the good or the bad! While hunting, I found a bunch of malicious Powershell scripts that
I published the following diary on isc.sans.edu: “Old H-Worm Delivered Through GitHub”: Another piece of malicious code spotted on GitHub this time. By the way, this is the perfect example to demonstrate that protecting users via a proxy with web-categorization is useless… Event sites from the Alexa Top-1M may deliver
