I published the following diary on isc.sans.edu: “Malicious PowerShell Targeting Cryptocurrency Browser Extensions“: While hunting, I found an interesting PowerShell script. After a quick check, my first conclusion was that it is again a simple info stealer. After reading the code more carefully, the conclusion was different: It targets crypto-currency browser
[SANS ISC] Houdini is Back Delivered Through a JavaScript Dropper
I published the following diary on isc.sans.edu: “Houdini is Back Delivered Through a JavaScript Dropper“: Houdini is a very old RAT that was discovered years ago. The first mention I found back is from 2013! Houdini is a simple remote access tool written in Visual Basic Script. The script is not very interesting
[SANS ISC] Sandbox Evasion… With Just a Filename!
I published the following diary on isc.sans.edu: “Sandbox Evasion… With Just a Filename!“: Today, many sandbox solutions are available and deployed by most organizations to detonate malicious files and analyze their behavior. The main problem with some sandboxes is the filename used to submit the sample. The file can be
[SANS ISC] A ‘Zip Bomb’ to Bypass Security Controls & Sandboxes
I published the following diary on isc.sans.edu: “A ‘Zip Bomb’ to Bypass Security Controls & Sandboxes“: Yesterday, I analyzed a malicious archive for a customer. It was delivered to the mailbox of a user who, hopefully, was security-aware and reported it. The payload passed through the different security layers based on big
[SANS ISC] Use Your Browser Internal Password Vault… or Not?
I published the following diary on isc.sans.edu: “Use Your Browser Internal Password Vault… or Not?“: Passwords… a so hot topic! Recently big players (Microsoft, Apple & Google) announced that they would like to suppress (or, at least, reduce) the use of classic passwords. In the meantime, they remain the most common
Botconf Day 3 Wrap-Up
Here we go with day 3! In the morning, there are always fewer people due to the short night. The gala dinner is always a key activity during Botconf! The last day started with “Jumping the air-gap: 15 years of nation-state efforts” presented by Alexis Dorais-Joncas and Facundo Munoz. Does
Botconf Day 2 Wrap-Up
The second day is already over. Here is my recap of the talks. The first one was “Identifying malware campaigns on a budget” by Max “Libra” Kersten and Rens Van Der Linden. The idea was to search for malicious activity without spending too much money. Read: “using as few resources
Botconf Day 1 Wrap-Up
Incredible! Here is my first wrap-up for two years! Now that the COVID seems under control, it’s so good to be back at conferences and meet a lot of good friends. Like most of the events, Botconf was canceled, postponed, uncertain until the COVID situation was better and, finally, it
[SANS ISC] Simple PDF Linking to Malicious Content
I published the following diary on isc.sans.edu: “Simple PDF Linking to Malicious Content“: Last week, I found an interesting piece of phishing based on a PDF file. Today, most of the PDF files that are delivered to end-user are not malicious, I mean that they don’t contain an exploit to
[SANS ISC] XLSB Files: Because Binary is Stealthier Than XML
I published the following diary on isc.sans.edu: “XLSB Files: Because Binary is Stealthier Than XML“: In one of his last diaries, Brad mentioned an Excel sheet named with a .xlsb extension. Now, it was my turn to find one… What’s the magic behind this file extension? “XLS” means that we