I published the following diary on isc.sans.edu: “Agent Tesla Dropped Through Automatic Click in Microsoft Help File‘”: Attackers have plenty of resources to infect our systems. If some files may look suspicious because the extension is less common (like .xsl files), others look really safe and make the victim confident
I published the following diary on isc.sans.edu: “VBA Macro Trying to Alter the Application Menus‘”: Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory but I spotted a VBA macro that tried to use the same defensive technique
I published the following diary on isc.sans.edu: “New Example of XSL Script Processing aka ‘Mitre T1220‘”: Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign. Brad had a look at the traffic so I decided
I published the following diary on isc.sans.edu: “Another File Extension to Block in your MTA: .jnlp“: When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the ‘.jnlp’ extension. I’m pretty sure
I published the following diary on isc.sans.edu: “Powershell Dropping a REvil Ransomware“: I spotted a piece of Powershell code that deserved some investigations because it makes use of RunSpaces. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59!. The technique behind RunSpaces is helpful to create new threads on the existing Powershell
I published the following diary on isc.sans.edu: “Malicious Word Document Delivering an Octopus Backdoor“: Here is an interesting malicious Word document that I spotted yesterday. This time, it does not contain a macro but two embedded objects that the victim must “activate” (click on one of them) to perform the malicious activities.
I published the following diary on isc.sans.edu: “Malware Victim Selection Through WiFi Identification“: Last week, I found a malware sample that does nothing fancy, it’s a data stealer but it has an interesting feature. It’s always interesting to have a look at the network flows generated by malware samples. For
I published the following diary on isc.sans.edu: “Python Backdoor Talking to a C2 Through Ngrok“: I spotted a malicious Python script that implements a backdoor. The interesting behavior is the use of Ngrok to connect to the C2 server. Ngrok has been used for a while by attackers. Like most
I published the following diary on isc.sans.edu: “Live Patching Windows API Calls Using PowerShell“: It’s amazing how attackers can be imaginative when it comes to protecting themselves and preventing security controls to do their job. Here is an example of a malicious PowerShell script that patches live a DLL function
I published the following diary on isc.sans.edu: “PowerShell Dropper Delivering Formbook“: Here is an interesting PowerShell dropper that is nicely obfuscated and has anti-VM detection. I spotted this file yesterday, called ‘ad.jpg’ (SHA256:b243e807ed22359a3940ab16539ba59910714f051034a8a155cc2aff28a85088). Of course, it’s not a picture but a huge text file with Base64-encoded data. The VT score is therefore
