[SANS ISC] A Fork of the FTCode Powershell Ransomware
I published the following diary on isc.sans.edu: “A Fork of the FTCode Powershell Ransomware“: Yesterday, I found a new malicious Powershell script that deserved to be analyzed due to the way it was dropped on the victim’s computer. As usual, the malware was delivered through a malicious Word document with
[SANS ISC] Powershell Bot with Multiple C2 Protocols
I published the following diary on isc.sans.edu: “Powershell Bot with Multiple C2 Protocols“: I spotted another interesting Powershell script. It’s a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe. This Windows tool is often used to compile/execute malicious code on the fly (I already wrote a diary about this
[SANS ISC] Compromized Desktop Applications by Web Technologies
I published the following diary on isc.sans.edu: “Compromized Desktop Applications by Web Technologies”: For a long time now, it has been said that “the new operating system is the browser”. Today, we do everything in our browsers, we connect to the office, we process emails, documents, we chat, we perform
[SANS ISC] Simple Blacklisting with MISP & pfSense
I published the following diary on isc.sans.edu: “Simple Blacklisting with MISP & pfSense“: Here is an example of a simple but effective blacklist system that I’m using on my pfSense firewalls. pfSense is a very modular firewall that can be expanded with many packages. About blacklists, there is a well-known
[SANS ISC] Sextortion to The Next Level
I published the following diary on isc.sans.edu: “Sextortion to The Next Level“: For a long time, our mailboxes have been flooded with emails from “hackers” (note the quotes) who pretend to have infected our computers with malware. The scenario is always the same: They successfully collected sensitive pieces of evidence about
[SANS ISC] Malicious Excel Delivering Fileless Payload
I published the following diary on isc.sans.edu: “Malicious Excel Delivering Fileless Payload“: Macros in Office documents are so common today that my honeypots and hunting scripts catch a lot of them daily. I try to keep an eye on them because sometimes you can spot an interesting one (read: “using a less common
[SANS ISC] Anti-Debugging JavaScript Techniques
I published the following diary on isc.sans.edu: “Anti-Debugging JavaScript Techniques“: For developers who write malicious programs, it’s important to make their code not easy to read and execute in a sandbox. Like most languages, there are many ways to make the life of malware analysts more difficult (or more
[SANS ISC] Flashback on CVE-2019-19781
I published the following diary on isc.sans.edu: “Flashback on CVE-2019-19781“: First of all, did you know that the Flame malware turned 8 years old today! Happy Birthday! The discovery of this famous malware was announced on May 28th, 2012. The malware was used for targeted cyber espionage activities in the Middle East area.
[SANS ISC] Malware Triage with FLOSS: API Calls Based Behavior
I published the following diary on isc.sans.edu: “Malware Triage with FLOSS: API Calls Based Behavior“: Malware triage is a key component of your hunting process. When you collect suspicious files from multiple sources, you need a tool to automatically process them to extract useful information. To achieve this task, I’m using
[SANS ISC] Using Nmap As a Lightweight Vulnerability Scanner
I published the following diary on isc.sans.edu: “Using Nmap As a Lightweight Vulnerability Scanner“: Yesterday, Bojan wrote a nice diary about the power of the Nmap scripting language (based on Lua). The well-known port scanner can be extended with plenty of scripts that are launched depending on the detected ports.