I published the following diary on isc.sans.org: “Another Day, Another Malicious Behaviour“. Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request: … [Read more]
Go Hunt for Malicious Activity!
What do security analysts do when they aren’t on fire? They hunt for malicious activity on networks and servers! A few days ago, some suspicious traffic was detected. It was an HTTP GET request to a URL like hxxp://xxxxxx.xx/south/fragment/subdir/… Let’s try to access this site from a sandbox. Too bad, I
[SANS ISC Diary] Malware Delivered via ‘.pub’ Files
I published the following diary on isc.sans.org: “Malware Delivered via ‘.pub’ Files“. While searching for new scenarios to deliver their malware, attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher (.pub) files. The tool Publisher is less known than Word or Excel. This desktop publishing tool was released in 1991 (version
[SANS ISC Diary] Maxmind.com (Ab)used As Anti-Analysis Technique
I published the following diary on isc.sans.org: “Maxmind.com (Ab)used As Anti-Analysis Technique“. A long time ago I wrote a diary about malware samples which use online geolocation services. Such services are used to target only specific victims. If the malware detects that it is executed from a specific area, it
[SANS ISC Diary] Example of Targeted Attack Through a Proxy PAC File
I published the following diary on isc.sans.org: “Example of Targeted Attack Through a Proxy PAC File“. Yesterday, I discovered a nice example of a targeted attack against a Brazilian bank. It started with an email sample like this … [Read more]
[SANS ISC Diary] Voice Message Notifications Deliver Ransomware
I published the following diary on isc.sans.org: “Voice Message Notifications Deliver Ransomware“. Bad guys constantly need to find new ways to lure their victims. Billing notifications have been very common for a while, but not everyone in a company works with such documents. Which types of notification
[SANS ISC Diary] Hunting for Malicious Files with MISP + OSSEC
I published the following diary on isc.sans.org: Hunting for Malicious Files with MISP + OSSEC.
Book Review: Sécurité Informatique et Malwares
In 2013, Paul Rascagnères (aka “@r00tbsd“) wrote a book titled “Malware: Identification, analyse et éradication“. Paul being a friend but especially a renowned security researcher in the field of malware analysis and incident investigations, I bought the first edition of his book, which was a very good introduction to malware.
The Impact of a Ransomware Infection
For a while now, ransomware has been a plague… Just by surfing to a website or by opening an invoice received by email, people get a nice popup window while their files are being encrypted. Every day, we hear about nightmare stories of companies infected by such malicious code which do not have a
Running MISP in a Docker Container
MISP (“Malware Information Sharing Platform“) is free software which was initially created by the Belgian Defence to exchange IOCs with partners like the NCIRC (NATO). Today it has become an independent project and is mainly developed by a group of motivated people. MISP is mainly used by CERTs (“Computer Emergency Response