I published the following diary on isc.sans.edu: “XLSB Files: Because Binary is Stealthier Than XML“: In one of his last diaries, Brad mentioned an Excel sheet named with a .xlsb extension. Now, it was my turn to find one… What’s the magic behind this file extension? “XLS” means that we
I published the following diary on isc.sans.edu: “Clean Binaries with Suspicious Behaviour“: EDR or “Endpoint Detection & Response” is a key element of many networks today. An agent is installed on all endpoints to track suspicious/malicious activity and (try to) block it. Behavioral monitoring is also a key element in
I published the following diary on isc.sans.edu: “Keep an Eye on WebSockets“: It has been a while that I did not spot WebSockets used by malware. Yesterday I discovered an interesting piece of Powershell. Very small and almost undetected according to its Virustotal score (2/54). A quick reminder for those
I published the following diary on isc.sans.edu: “Credentials Leaks on VirusTotal“: A few weeks ago, researchers published some information about stolen credentials that were posted on Virustotal. I’m keeping an eye on VT for my customers and searching for data related to them. For example, I looking for their domain name(s)
I published the following diary on isc.sans.edu: “Infostealer in a Batch File“: It’s pretty common to see malicious content delivered as email attachments. Every day, my mailboxes are flooded with malicious content… which is great from a research point of view. Am I the only one to be happy when I see
I published the following diary on isc.sans.edu: “Ukraine & Russia Situation From a Domain Names Perspective“: For a few days, the eyes of the world are on the situation between Russia and Ukraine. Today, operations are also organized in the “cyber” dimension (besides the classic ones – land, air, sea,
When you keep an eye on newly registered domains, they are some of them that attract your eyes immediately. Some domains related to Europol, the European Union’s law enforcement agency, and Interpol have been recently registered. Domain Registration Date Registrar europol-belgique.com 2022-02-15 Google euro-interpol.com 2022-02-08 WebNic europol-be.com 2022-02-15 Ligne Web
I published the following diary on isc.sans.edu: “A Good Old Equation Editor Vulnerability Delivering Malware“: Here is another sample demonstrating how attackers still rely on good old vulnerabilities… In 2017, Microsoft Office suffered from a critical vulnerability that affected its Equation Editor tool, known as CVE-2017-11882. It’s a memory corruption
I published the following diary on isc.sans.edu: “Remcos RAT Delivered Through Double Compressed Archive“: One of our readers shared an interesting sample received via email. Like him, if you get access to interesting/suspicious data, please share it with us (if you’re authorized of course). We are always looking for fresh
I published the following diary on isc.sans.edu: “Who Are Those Bots?“: I’m operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on
