Posted on 2020-03-20William MacArthur
In this quick, end of the week post, we wanted to touch on the ubiquitous COVID-19 (aka Corona Virus). Sharing an interesting lure, related malware, and some IOCs for colleagues to dig into while society on a whole is relegated to solitude in our homes. Our posting here is in no way comprehensive. There is a myriad of malware campaigns, disinformation operations, and general scamming revolving around the very concerning topic. Our goal is to further awareness and share some knowledge in the process.
Posted on 2020-03-18Amirreza Niakanlahiji and Pedram Amini
In this post, we provide a detailed analysis of an interesting Excel 4.0 XLM macrosheet maldoc distribution campaign that is tied to a variety of executable payloads, a subject matter we'll be covering in a future blog. As of the time of writing, detection rates for this class of attack are relatively low, and these samples happily bypass the internal GSuite and O365 protection mechanisms.
Posted on 2020-02-25Josiah Smith
Our CTO, Pedram Amini, and colleague Ero Carrera have open-sourced all the materials from a two-day reverse engineering class they taught over the years at BlackHat, the last instance being at Blackhat 2009 Federal. Written in LaTeX + Beamer, the course materials can be rendered in both slideshow (PDF) and article (PDF) modes. Additionally, the courseware includes malware samples and all requisite references, scripts, tools, exercises, and solutions.
Posted on 2020-02-24Samuel Kimmons
Samuel Kimmons is a Lead Cyber Threat Emulator/Red Teamer and Penetration Tester at the United States-Air Force Computer Emergency Response Team (US-AFCERT). In his guest blog, he discusses LoLBins or Living Off the Land Binaries to get PowerShell without PowerShell.
Posted on 2020-01-23Josiah Smith
An illustrative blog discussing the Pyramid of Pain and how it relates to the Iceberg of Inspection. Deep File Inspection can uncover TTPs and other indicators to supplement prevention, detection, and threat hunting within your network.