I published the following diary on isc.sans.edu: “New Campaign Using Old Equation Editor Vulnerability“: Yesterday, I found a phishing sample that looked interesting: From: sales@tjzxchem[.]com To: me Subject: RE: Re: Proforma Invoice INV 075 2018-19 ’08 Reply-To: exports.sonyaceramics@gmail[.]com
Category: Malware
[SANS ISC] More Excel DDE Code Injection
I published the following diary on isc.sans.edu: “More Excel DDE Code Injection“: The “DDE code injection” technique is not brand new. DDE stands for “Dynamic Data Exchange”. It has already been discussed by many security researchers. Just a quick reminder for those who missed it. In Excel, it is possible to
[SANS ISC] Malware Delivered Through MHT Files
I published the following diary on isc.sans.edu: “Malware Delivered Through MHT Files“: What are MHT files? Microsoft is a wonderful source of multiple file formats. MHT files are web page archives. Usually, a web page is based on a piece of HTML code with links to external resources, images and other
[SANS ISC] Crypto Mining in a Windows Headless Browser
I published the following diary on isc.sans.edu: “Crypto Mining in a Windows Headless Browser“: Crypto miners in the browser are not new. Delivery through a malicious or compromised piece of JavaScript code is common these days (see my previous diary about this topic). This time, it’s another way to deliver the
[SANS ISC] Malicious PowerShell Compiling C# Code on the Fly
I published the following diary on isc.sans.edu: “Malicious PowerShell Compiling C# Code on the Fly“: What I like when hunting is to discover how attackers are creative to find new ways to infect their victim’s computers. I came across a Powershell sample that looked new and interesting to me. First,
[SANS ISC] Crypto Mining Is More Popular Than Ever!
I published the following diary on isc.sans.edu: “Crypto Mining Is More Popular Than Ever!“: We already wrote some diaries about crypto miners and they remain more popular than ever. Based on my daily hunting statistics, we can see that malicious scripts performing crypto mining operations remain on top of the
[SANS ISC] Microsoft Publisher Files Delivering Malware
I published the following diary on isc.sans.org: “Microsoft Publisher Files Delivering Malware“: Attackers are always searching for new ways to deliver malicious content to their victims. A few days ago, Microsoft Publisher malicious files were spotted by security researchers[1]. Publisher is a low-level desktop publishing application offered by Microsoft in
[SANS ISC] Malicious DLL Loaded Through AutoIT
I published the following diary on isc.sans.org: “Malicious DLL Loaded Through AutoIT“: Here is an interesting sample that I found while hunting. It started with the following URL: hxxp://200[.]98[.]170[.]29/uiferuisdfj/W5UsPk.php?Q8T3=OQlLg3rUFVE740gn1T3LjoPCQKxAL1i6WoY34y2o73Ap3C80lvTr9FM5 The value of the parameter (‘OQlLg3rUFVE740gn1T3LjoPCQKxAL1i6WoY34y2o73Ap3C80lvTr9FM5’) is used as the key to decode the first stage. If you don’t specify it,
[SANS ISC] Windows Batch File Deobfuscation
I published the following diary on isc.sans.org: “Windows Batch File Deobfuscation“: Last Thursday, Brad published a diary about a new ongoing campaign delivering the Emotet malware. I found another sample that looked the same. My sample was called ‘Order-42167322776.doc’ (SHA256: 4d600ae3bbdc846727c2922485f9f7ec548a3dd031fc206dbb49bd91536a56e3) and looked the same as the one analyzed by Brad. The
Another Cryptominer Delivered Through Altered JQuery.js File
A few days ago, I published a diary on the SANS Internet Storm Center website about a Javascript file that was altered to deliver a cryptominer into the victim’s browser. Since my first finding, I’m hunting for more samples. The best way to identify them is to search for the following