I published the following diary on isc.sans.org: “Base64 All The Things!“. Here is an interesting maldoc sample captured with my spam trap. The attached file is “PO# 36-14673.DOC†and has a score of 6 on VT. The file contains Open XML data that refers to an invoice.. [Read more]
I published the following diary on isc.sans.org: “Investigating Security Incidents with Passive DNS“. Sometimes when you need to investigate a security incident or to check for suspicious activity, you become frustrated because the online resource that you’re trying to reach has already been cleaned. We cannot blame system administrators and
I published the following diary on isc.sans.org: “The easy way to analyze huge amounts of PCAP data“. When you are investigating a security incident, there are chances that, at a certain point, you will have to dive into network traffic analysis. If you’re lucky, you’ll have access to a network capture.
I published the following diary on isc.sans.org: “Getting some intelligence from malspam“. Many of us are receiving a lot of malspam every day. By “malspam”, I mean spam messages that contain a malicious document. This is one of the classic infection vectors today and aggressive campaigns are started every week.
I published the following diary on isc.sans.org: “AutoIT based malware back in the wild“. One week ago I wrote a diary with an analysis of a malicious RAR archive that contained an AutoIT script. The technique was not new but I was curious to see if this was a one-shot
I published the following diary on isc.sans.org: “Malicious AutoIT script delivered in a self-extracting RAR file“. Here is another sample that hit my curiosity. As usual, the infection vector was an email which delivered some HTML code in an attached file called “PO_5634_780.docx.html†(SHA1:d2158494e1b9e0bd85e56e431cbbbba465064f5a). It has a very low VT
I published the following diary on isc.sans.org: “Malicious script dropping an executable signed by Avast?“. Yesterday, I found an interesting sample that I started to analyze… It reached my spam trap attached to an email in Portuguese with the subject: “Venho por meio desta solicitar orçamento dos produtos†(“I hereby
I published the following diary on isc.sans.org: “Defang all the things!“. Today, I would like to promote a best practice via a small Python module that is very helpful when you’re dealing with suspicious or malicious URLs. Links in documents are potentially dangerous because users can always click by mistake
I published the following diary on isc.sans.org: “Maldoc with auto-updated link“. Yesterday, while hunting, I found another malicious document that (ab)used a Microsoft Word feature: auto-update of links. This feature is enabled by default for any newly created document (that was the case for my Word 2016 version). If you
I published the following diary on isc.sans.org: “Analysis of a Paypal phishing kit“. They are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new fake pages almost daily. Sometimes, the web server isn’t
