I published the following diary on isc.sans.org: “Antivirus Evasion? Easy as 1,2,3“: For a while, ISC handlers have demonstrated several obfuscation techniques via our diaries. We always told you that attackers are trying to find new techniques to hide their content to not be flagged as malicious by antivirus products.
Category: Security
[SANS ISC] “Blocked” Does Not Mean “Forget It”
I published the following diary on isc.sans.org: “Blocked Does Not Mean Forget It“: Today, organisations are facing regular waves of attacks which are targeted… or not. We deploy tons of security controls to block them as soon as possible before they successfully reach their targets. Due to the amount of
The Evil Mouse Project
In March during TROOPERS’18, I discovered a very nice tiny device developed by Luca Bongiorni (see my wrap-up here): The WiFi HID Injector. Just to resume what’s behind this name, we have a small USB evil device which offers: a Wireless access point for the configuration and exfiltration of data, an HID
[SANS ISC] Malware Distributed via .slk Files
I published the following diary on isc.sans.org: “Malware Distributed via .slk Files“: Attackers are always trying to find new ways to infect computers by luring not only potential victims but also security controls like anti-virus products. Do you know what SYLK files are? SYmbolic LinK files (they use the .slk
Rendering Suspicious EML Files
Sometimes, a security incident starts with an email. A suspicious email can be provided to a security analyst for further investigation. Most of the time, the mail is provided in EML or “Electronic Mail Format“. EML files store the complete message in a single file: SMTP headers, mail body and all
[SANS ISC] Malicious Powershell Targeting UK Bank Customers
I published the following diary on isc.sans.org: “Malicious Powershell Targeting UK Bank Customers”: I found a very interesting sample thanks to my hunting rules… It is a PowerShell script that was uploaded on VT for the first time on the 16th of May from UK. The current VT score is still
Imap2TheHive: Support for Observables
I just published a new update of my imap2thehive tool. A quick reminder: this tool is aimed to poll an IMAP mailbox and feed an instance of TheHive with processed emails. This new version is now able to extract interesting IOCs from the email body and attached HTML files. The following indicators are
[SANS ISC] Nice Phishing Sample Delivering Trickbot
I published the following diary on isc.sans.org: “Nice Phishing Sample Delivering Trickbot“: Users have to deal with phishing for a very long time. Today, most of them remain dumb messages quickly redacted with a simple attached file and a message like “Click on me, it’s urgent!â€. Yesterday, I put my
[SANS ISC] Adding Persistence Via Scheduled Tasks
I published the following diary on isc.sans.org: “Adding Persistence Via Scheduled Tasks“: Once a computer has been infected by a malware, one of the next steps to perform is to keep persistence. Usually, endpoints (workstations) are primary infection vectors due to the use made of it by people: they browse
[SANS ISC] Diving into a Simple Maldoc Generator
The number of malicious documents generated every day keeps growing for a while. To produce this huge amount of files, the process must be automated. I found on Pastebin a Python script to generate malicious Office documents. Let’s have a look at it… [Read more]