I published the following diary on isc.sans.edu: “Python and Risky Windows API Calls”: The Windows API is full of calls that are usually good indicators to guess the behavior of a script. In a previous diary, I wrote about some examples of “API call groups” that are clearly used together
Category: Malware
[SANS ISC] Example of Malicious DLL Injected in PowerShell
I published the following diary on isc.sans.edu: “Example of Malicious DLL Injected in PowerShell”: For a while now, PowerShell has remained one of the favorite languages of attackers. It is installed by default (and almost impossible to get rid of), powerful, and perfectly integrated with the core operating system. It’s very easy to develop
[SANS ISC] Malicious Excel Sheet with a NULL VT Score
I published the following diary on isc.sans.edu: “Malicious Excel Sheet with a NULL VT Score”: Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that has a very nice score of 0/57 on VT. Yes, according to
[SANS ISC] Keep An Eye on LOLBins
I published the following diary on isc.sans.edu: “Keep An Eye on LOLBins”: Don’t misread, I won’t talk about “lolcats” today but about “LOLBins” or “Living Off The Land Binaries”. All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, installation of patches and applications,
[SANS ISC] Tracking A Malware Campaign Through VT
I published the following diary on isc.sans.edu: “Tracking A Malware Campaign Through VT”: During the weekend, I found several samples containing the same VBA macro. The only difference between all the samples was the URL used to fetch a malicious PE file. I have a specific YARA rule to search for embedded
[SANS ISC] Example of Word Document Delivering Qakbot
I published the following diary on isc.sans.edu: “Example of Word Document Delivering Qakbot”: Qakbot is back on stage at the moment! Many security companies have already reported peaks of activity around this malware. On my side, I also spotted several samples. The one that I’ll cover today was reported by one of our
[SANS ISC] Using API’s to Track Attackers
I published the following diary on isc.sans.edu: “Using API’s to Track Attackers”: For a few days, I’ve been keeping an eye on suspicious Python code posted on VT. We all know that VBA, JavaScript, PowerShell, etc. are attackers’ best friends, but Python is also a good candidate to perform malicious activities on
[SANS ISC] A Fork of the FTCode Powershell Ransomware
I published the following diary on isc.sans.edu: “A Fork of the FTCode Powershell Ransomware”: Yesterday, I found a new malicious PowerShell script that deserved to be analyzed due to the way it was dropped on the victim’s computer. As usual, the malware was delivered through a malicious Word document with
[SANS ISC] Powershell Bot with Multiple C2 Protocols
I published the following diary on isc.sans.edu: “Powershell Bot with Multiple C2 Protocols”: I spotted another interesting PowerShell script. It’s a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe. This Windows tool is often used to compile/execute malicious code on the fly (I already wrote a diary about this
Detecting Code ReUse in Ghidra With Intezer’s Plugin
Ghidra is a very nice disassembler developed by the NSA. When they released it, the tool became very popular amongst the security community thanks to its power and a huge list of features (that some competitors included with extra licenses – like the pseudo-code generator). Ghidra is also the default