I published the following diary on isc.sans.edu: “Suspicious PDF Connecting to a Remote SMB Share”: Yesterday I stumbled upon a PDF file that was flagged as suspicious by a customer’s anti-malware solution and placed in the quarantine. Later, the recipient contacted the team in charge of emails to access his document because
I published the following diary on isc.sans.edu: “Malicious Script Leaking Data via FTP”: The last day of 2018, I found an interesting Windows cmd script which was uploaded from India (SHA256: dff5fe50aae9268ae43b76729e7bb966ff4ab2be1bd940515cbfc0f0ac6b65ef) with a very low VT score. The script is not obfuscated and contains a long list of commands based on
I published the following diary on isc.sans.edu: “More obfuscated shell scripts: Fake MacOS Flash update”: Yesterday, I wrote a diary about a nice obfuscated shell script. Today, I found another example of a malicious shell script embedded in an Apple .dmg file (an Apple Disk Image). The file was delivered through
I published the following diary on isc.sans.edu: “Obfuscated bash script targeting QNap boxes“: One of our readers, Nathaniel Vos, shared an interesting shell script with us and thanks to him! He found it on an embedded Linux device, more precisely, a QNap NAS running QTS 4.3. After some quick investigations,
I published the following diary on isc.sans.edu: “Divided Payload in Multiple Pasties”: In politic, there is a strategy which says “divide and conquerâ€. It’s also true for some pieces of malware that spread their malicious code amongst multiple sources. One of our readers shared a sample of Powershell code found
I published the following diary on isc.sans.edu: “Basic Obfuscation With Permissive Languages”: For attackers, obfuscation is key to keep their malicious code below the radar. Code is obfuscated for two main reasons: defeat automatic detection by AV solutions or tools like YARA (which still rely mainly on signatures) and make the code
I published the following diary on isc.sans.edu: “Malicious Powershell Script Dissection”: Here is another example of malicious Powershell script found while hunting. Such scripts remain a common attack vector and many of them can be easily detected just by looking for some specific strings. Here is an example of YARA
I published the following diary on isc.sans.edu: “Diving into Malicious AutoIT Code”: Following my yesterday diary, I had a deeper look at the malicious AutoIT script dropped in my sandbox. For those who are not aware of AutoIT, it is a BASIC-like scripting language designed for automating Windows tasks. If
I published the following diary on isc.sans.edu: “Malicious Powershell using a Decoy Picture“: I found another interesting piece of malicious Powershell while hunting. The file size is 1.3MB and most of the file is a PE file Base64 encoded. You can immediately detect it by checking the first characters of
I published the following diary on isc.sans.edu: “More Equation Editor Exploit Waves“: This morning, I spotted another wave of malicious documents that (ab)use again CVE-2017-11882 in the Equation Editor (see my yesterday’s diary). This time, malicious files are RTF files. One of the samples is SHA256:bc84bb7b07d196339c3f92933c5449e71808aa40a102774729ba6f1c152d5ee2 (VT score: 19/57)… [Read more]
