I published the following diary on isc.sans.edu: “Rig Exploit Kit Delivering VBScript“: I detected the following suspicious traffic on a corporate network. It was based on multiples infection stages and looked interesting enough to publish a diary about it. This is also a good reminder that, just by surfing the
I published the following diary on isc.sans.edu: “Blocking Firefox DoH with Bind“: For a few days, huge debates have started on forums and mailing lists regarding the announce of Mozilla to enable DoH (DNS over HTTPS) by default in its Firefox browser. Since this announcement, Google also scheduled a move
I published the following diary on isc.sans.edu: “PowerShell Script with a builtin DLL“: Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution
I published the following diary on isc.sans.edu: “Private IP Addresses in Malware Samples?“: I’m looking for some samples on VT that contains URLs with private or non-routable IP addresses (RFC1918). I found one recently and it made me curious. Why would a malware try to connect to a non-routable IP
I published the following diary on isc.sans.edu: “Malware Dropping a Local Node.js Instance“: Yesterday, I wrote a diary about misused Microsoft tools[1]. I just found another interesting piece of code. This time the malware is using Node.js[2]. The malware is a JScript (SHA256:1007e49218a4c2b6f502e5255535a9efedda9c03a1016bc3ea93e3a7a9cf739c)… [Read more]
I published the following diary on isc.sans.edu: “Malware Samples Compiling Their Next Stage on Premise“: I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly directly on the victim’s computer. At
I published the following diary on isc.sans.edu: “Simple Mimikatz & RDPWrapper Dropper“: Let’s review a malware sample that I spotted a few days ago. I found it interesting because it’s not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started
I published the following diary on isc.sans.edu: “Interesting JavaScript Obfuscation Example“: Last Friday, one of our reader (thanks Mickael!) reported to us a phishing campaign based on a simple HTML page. He asked us how to properly extract the malicious code within the page. I did an analysis of the
I published the following diary on isc.sans.edu: “Behavioural Malware Analysis with Microsoft ASA“: When you need to quickly analyze a piece of malware (or just a suspicious program), your goal is to determine as quickly as possible what’s the impact. In many cases, we don’t have time to dive very
I published the following diary on isc.sans.edu: “The Risk of Authenticated Vulnerability Scans“: NTLM relay attacks have been a well-known opportunity to perform attacks against Microsoft Windows environments for a while and they remain usually successful. The magic with NTLM relay attacks? You don’t need to lose time to crack
