I published the following diary on isc.sans.org: “Ransomware as a Service”: Hunting on the dark web is interesting to find new malicious activities running in the background. Besides the classic sites where you can order drugs and all kinds of counterfeit material, I discovered an interesting website which offers a
Category: Malware
Malware Delivered via a Compiled HTML Help File
The more a file format is used in a malware infection chain, the more files of this type will be flagged as suspicious, analyzed or blocked by security controls. That’s why attackers are constantly looking for new ways to infect computers and use more exotic file formats. Like fashion is in a
[SANS ISC] Microsoft Office VBA Macro Obfuscation via Metadata
I published the following diary on isc.sans.org: “Microsoft Office VBA Macro Obfuscation via Metadata”: Often, malicious macros make use of the same functions to infect the victim’s computer. If a macro contains these strings, it can be flagged as malicious or, at least, considered suspicious. Some examples of suspicious functions
[SANS ISC] Phishing Kit (Ab)Using Cloud Services
I published the following diary on isc.sans.org: “Phishing Kit (Ab)Using Cloud Services”: When you build a phishing kit, there are several critical points to address. You must generate a nice-looking page which matches the original one as closely as possible, and you must work stealthily to avoid being blocked
[SANS ISC] Fileless Malicious PowerShell Sample
I published the following diary on isc.sans.org: “Fileless Malicious PowerShell Sample”: Pastebin.com remains one of my favourite places for hunting. I’m searching for juicy content and report findings in a Splunk dashboard: Yesterday, I found an interesting pastie with a simple Windows CMD script… [Read more]
[SANS ISC] Suspicious Domains Tracking Dashboard
I published the following diary on isc.sans.org: “Suspicious Domains Tracking Dashboard”. Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity from occurring on your network (for example by using a DNS firewall). The ISC also has a page dedicated to domain names. But how
[SANS ISC] If you want something done right, do it yourself!
I published the following diary on isc.sans.org: “If you want something done right, do it yourself!”. Another day, another malicious document! I like to discover how creative the bad guys are at writing new pieces of malicious code. Yesterday, I found another interesting sample. It’s always the same story, a
[SANS ISC] Interesting VBA Dropper
I published the following diary on isc.sans.org: “Interesting VBA Dropper”. Here is another sample that I found in my spam trap. The technique to infect the victim’s computer is interesting. I captured a mail with a malicious RTF document (SHA256: c247929d3f5c82247db9102d2dec28c27f73dc0824f8b386f92aad1a22fd8edd) that exploits the OLE2Link vulnerability (CVE-2017-0199). Once opened, the
[SANS ISC] Simple Analysis of an Obfuscated JAR File
I published the following diary on isc.sans.org: “Simple Analysis of an Obfuscated JAR File”. Yesterday, I found in my spam trap a file named ‘0.19238000 1509447305.zip’ (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named ‘0.19238000 1509447305.jar’ (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 in VT and
[SANS ISC] Some Powershell Malicious Code
I published the following diary on isc.sans.org: “Some Powershell Malicious Code”. PowerShell is a great language that can interact at a low level with Microsoft Windows. While hunting, I found a nice piece of PowerShell code. After some deeper checks, it appeared that the code was not brand new but it