I published the following diary on isc.sans.edu: “Keeping an Eye on Dangerous Python Modules“: With Python getting more and more popular, especially on Microsoft Operating systems, it’s common to find malicious Python scripts today. I already covered some of them in previous diaries. I like this language because it is very
Category: Security
[SANS ISC] Russian Dolls VBS Obfuscation
I published the following diary on isc.sans.edu: “Russian Dolls VBS Obfuscation“: We received an interesting sample from one of our readers (thanks Henry!) and we like this. If you find something interesting, we are always looking for fresh meat! Henry’s sample was delivered in a password-protected ZIP archive and the
[SANS ISC] Malicious PowerShell Hosted on script.google.com
I published the following diary on isc.sans.edu: “Malicious PowerShell Hosted on script.google.com“: Google has an incredible portfolio of services. Besides the classic ones, there are less known services and… they could be very useful for attackers too. One of them is Google Apps Script. Google describes it like this: “Apps
[SANS ISC] “Serverless” Phishing Campaign
I published the following diary on isc.sans.edu: “‘Serverless’ Phishing Campaign“: The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers but also bad guys. It’s the first time that I spot
[SANS ISC] Locking Kernel32.dll As Anti-Debugging Technique
[Edited: The technique discussed in this diary is not mine and has been used without proper citation of the original author] I published the following diary on isc.sans.edu: “Locking Kernel32.dll As Anti-Debugging Technique“: For bad guys, the implementation of techniques to prevent Security Analysts to perform their job is key! The idea is
[SANS ISC] From RunDLL32 to JavaScript then PowerShell
I published the following diary on isc.sans.edu: “From RunDLL32 to JavaScript then PowerShell“: I spotted an interesting script on VT a few days ago and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is
[SANS ISC] “Open” Access to Industrial Systems Interface is Also Far From Zero
I published the following diary on isc.sans.edu: “‘Open’ Access to Industrial Systems Interface is Also Far From Zero“: Jan’s last diary about the recent attack against the US pipeline was in perfect timing with the quick research I was preparing for a few weeks. If core components of industrial systems
[SANS ISC] Alternative Ways To Perform Basic Tasks
I published the following diary on isc.sans.edu: “Alternative Ways To Perform Basic Tasks“: I like to spot techniques used by malware developers to perform basic tasks. We know the LOLBins that are pre-installed tools used to perform malicious activities. Many LOLBins are used, for example, to download some content from
[SANS ISC] From Python to .Net
I published the following diary on isc.sans.edu: “From Python to .Net“: The Microsoft operating system provides the .Net framework to developers. It allows to fully interact with the OS and write powerful applications… but also malicious ones. In a previous diary, I talked about a malicious Python script that interacted with the
[SANS ISC] Malicious PowerPoint Add-On: “Small Is Beautiful”
I published the following diary on isc.sans.edu: “Malicious PowerPoint Add-On: ‘Small Is Beautiful‘”: Yesterday I spotted a DHL-branded phishing campaign that used a PowerPoint file to compromise the victim. The malicious attachment is a PowerPoint add-in. This technique is not new, I already analyzed such a sample in a previous