InQuest Blog

Posted on 2022-07-27 by Isabelle Quinn
A few days ago we discovered a very interesting sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran «Tavangoostar Niro va Gashtavar Jonob». The document also contains a link to this energy company. www.tavangyl.com

Since this family of malicious documents containing executable files was not previously known, we named it the Green Stone.
Posted on 2022-07-25 by David Ledbetter
Follow David Ledbetter through the analysis of a heavily obfuscated maldoc. The analysis shows how to decode unescaped scripts and byte arrays to deliver a weaponized payload.
Posted on 2022-07-04 by David Ledbetter
The purpose of InQuest Labs is to enable independent security researchers with a convenient mixture of files and threat intelligence. Users can register for free and interface via the UI/UX, an open API, or via a Python library / command-line interface. The InQuest team leverages this API to implement a variety of automations designed to surface novel threats, we call these "Special Operations" or SpecOps for short. One of these SpecOps actively follows links discovered in malicious documents. If the target of the link is a malicious file, and that link has not been widely reported, and the file has not been previously seen... then a Tweet is automatically posted. Recently, there's been a number of Tweets that reveal a common pattern, this blog post is a deep dive into these samples.
Posted on 2022-06-27 by Isabelle Quinn
Tools used by threat actors aimed at Ukraine and neighboring countries are constantly changing. Since in many cases the context of successful attacks is the use of documents in email attachments, we will consider some of the novelties of attackers that target Ukrainian government organizations. When these tools shattered like grains of sand, we named it GlowSand.
Posted on 2022-06-23 by Pedram Amini
Microsoft Office has been a long favorite delivery mechanism for malicious payloads, from pen-testers to nation-state threat actor groups, and for good reason. Widely adopted. Large attack surface. Robust legacy support. These traits have been the source of news headlines for decades. This brings us to 2022. On May 27th, @nao_sec Tweeted about a suspicious document pivoting through Microsoft's Support Diagnostic Tool via the 'ms-msdt' scheme. The timing of this in-the-wild discovery coincided with a US holiday, and over the weekend the vulnerability picked up the name "Follina". On May 31st, we saw an official acknowledgment from Microsoft and formalized on CVE-2022-30190.

Blog Archive

Subscribe to InQuest Insider

* indicates required

Already subscribed and want to unsubscribe? Please follow this link: Unsubscribe.