I published the following diary on isc.sans.edu: “Malicious Content Delivered Through archive.org“: archive.org, also known as the “way back machine” is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website). It works like regular search engines and
Category: Malware
[SANS ISC] Russian Dolls VBS Obfuscation
I published the following diary on isc.sans.edu: “Russian Dolls VBS Obfuscation“: We received an interesting sample from one of our readers (thanks Henry!) and we like this. If you find something interesting, we are always looking for fresh meat! Henry’s sample was delivered in a password-protected ZIP archive and the
[SANS ISC] Malicious PowerShell Hosted on script.google.com
I published the following diary on isc.sans.edu: “Malicious PowerShell Hosted on script.google.com“: Google has an incredible portfolio of services. Besides the classic ones, there are less known services and… they could be very useful for attackers too. One of them is Google Apps Script. Google describes it like this: “Apps
[SANS ISC] Locking Kernel32.dll As Anti-Debugging Technique
[Edited: The technique discussed in this diary is not mine and has been used without proper citation of the original author] I published the following diary on isc.sans.edu: “Locking Kernel32.dll As Anti-Debugging Technique“: For bad guys, the implementation of techniques to prevent Security Analysts to perform their job is key! The idea is
[SANS ISC] Malicious PowerPoint Add-On: “Small Is Beautiful”
I published the following diary on isc.sans.edu: “Malicious PowerPoint Add-On: ‘Small Is Beautiful‘”: Yesterday I spotted a DHL-branded phishing campaign that used a PowerPoint file to compromise the victim. The malicious attachment is a PowerPoint add-in. This technique is not new, I already analyzed such a sample in a previous
[SANS ISC] No Python Interpreter? This Simple RAT Installs Its Own Copy
I published the following diary on isc.sans.edu: “No Python Interpreter? This Simple RAT Installs Its Own Copy“: For a while, I’m keeping an eye on malicious Python code targeting Windows environments. If Python looks more and more popular, attackers are facing a major issue: Python is not installed by default
[SANS ISC] Simple Powershell Ransomware Creating a 7Z Archive of your Files
I published the following diary on isc.sans.edu: “Simple Powershell Ransomware Creating a 7Z Archive of your Files“: If some ransomware families are based on PE files with complex features, it’s easy to write quick-and-dirty ransomware in other languages like Powershell. I found this sample while hunting. I’m pretty confident that this
[SANS ISC] C2 Activity: Sandboxes or Real Victims?
I published the following diary on isc.sans.edu: “C2 Activity: Sandboxes or Real Victims?“: In my last diary, I mentioned that I was able to access screenshots exfiltrated by the malware sample. During the first analysis, there were approximately 460 JPEG files available. I continued to keep an eye on the
[SANS ISC] Quick Analysis of a Modular InfoStealer
I published the following diary on isc.sans.edu: “Quick Analysis of a Modular InfoStealer“: This morning, an interesting phishing email landed in my spam trap. The mail was redacted in Spanish and, as usual, asked the recipient to urgently process the attached document. The filename was “AVISO.001” (This extension is used by multi-volume
[SANS ISC] Jumping into Shellcode
I published the following diary on isc.sans.edu: “Jumping into Shellcode“: Malware analysis is exciting because you never know what you will find. In previous diaries, I already explained why it’s important to have a look at groups of interesting Windows API call to detect some behaviors. The classic example is code