I published the following diary on isc.sans.edu: “Spotting the Red Team on VirusTotal!“: Many security researchers like to use the VirusTotal platform. The provided services are amazing: You can immediately have a clear overview of the dangerousness level of a file but… VirusTotal remains a cloud service. It means that, once you uploaded a
I published the following diary on isc.sans.edu: “VBA Macro Trying to Alter the Application Menus‘”: Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory but I spotted a VBA macro that tried to use the same defensive technique
I published the following diary on isc.sans.edu: “New Example of XSL Script Processing aka ‘Mitre T1220‘”: Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign. Brad had a look at the traffic so I decided
I published the following diary on isc.sans.edu: “How Attackers Brush Up Their Malicious Scripts“: On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very
I published the following diary on isc.sans.edu: “A Mix of Python & VBA in a Malicious Word Document“: A few days ago, Didier wrote an interesting diary about embedded objects into an Office document. I had a discussion about an interesting OLE file that I found. Because it used the same
I published the following diary on isc.sans.edu: “Malicious Excel Sheet with a NULL VT Score“: Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that just has a very nice score of 0/57 on VT. Yes, according to
I published the following diary on isc.sans.edu: “A Safe Excel Sheet Not So Safe“: I discovered a nice sample yesterday. This excel sheet was found in a mail flagged as “suspicious†by a security appliance. The recipient asked to release the mail from the quarantine because “it was sent from
I published the following diary on isc.sans.org: “Antivirus Evasion? Easy as 1,2,3“: For a while, ISC handlers have demonstrated several obfuscation techniques via our diaries. We always told you that attackers are trying to find new techniques to hide their content to not be flagged as malicious by antivirus products.
I published the following diary on isc.sans.org: “Microsoft Office VBA Macro Obfuscation via Metadata“: Often, malicious macros make use of the same functions to infect the victim’s computer. If a macro contains these strings, it can be flagged as malicious or, at least, considered as suspicious. Some examples of suspicious functions
I published the following diary on isc.sans.org: “Base64 All The Things!“. Here is an interesting maldoc sample captured with my spam trap. The attached file is “PO# 36-14673.DOC†and has a score of 6 on VT. The file contains Open XML data that refers to an invoice.. [Read more]
