In this blog, we discuss Adobe Extensible Metadata Platform (XMP) identifiers and how they can be used as both pivot and detection anchors. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. This last tenet is critical to our needs as we'll be tracking the usage and re-usage of both malicious and benign graphics within common Microsoft and Adobe document lures.
InQuest provides an automated platform for SOC hunters that includes powerful means for inspecting files to detect the presence of malicious code. The platform ingests network data and then runs it through a variety of analytic functions, resulting in an effective risk score. Check out this interview between Ed Amoroso of Tag Cyber and Pedram Amini, our CTO.
Since YARA rule creation is a highly valuable skill set, we approach the lessons slowly; think "baby steps" from the movie "What About Bob?". In keeping with the spirit of the process, we feel that the next natural step is to learn about the different components that make up the rules and focus on how they are constructed.
In this blog, we take a gentle dive into memory analysis using Volatility and the memory analysis methodology. For those unfamiliar with the tool, the Volatility Framework is a completely open collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system under investigation but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.
InQuest has just released a new analysis suite for the researcher and hobbyist. Welcome to InQuest Labs! Our CTO, Pedram Amini, presented Worm Charming: Harvesting Malware Lures for Fun and Profit at Black Hat USA 2019. During this talk, Pedram detailed the harvesting mechanism that drives the DFI portion of InQuest Labs. Capable of ingesting malware at scale, it feeds samples through a lightweight, less featured version of Deep File Inspection to extract embedded logic, semantic content, metadata, and IOCs such as URLs, domains, IPs, e-mails, and file names.
In this short post, we share a YARA rule that threat hunters will find valuable for identifying potentially malicious PowerShell pivots. Specifically, we'll be looking for base64-encoded PowerShell directives. Additionally, some interesting real-world samples will be shared with the reader, including an SSL certificate, a Microsoft Windows shortcut (LNK) file, and a JPG image.
This is the first post in an ongoing series about YARA and its exceptional ability to carve inside of binaries, documents, photos, and other types of files to uncover and match patterns. The additional posts in the series will give anyone who is thinking about gaining YARA skills the ability to start from scratch and get comfortable with the tool's functionality. Each post will advance in skill level and include some of the personal and professional standards we follow to instill good habits early on in the learning process.
In this short post, we dissect the inner workings of registration-free COM interop and present a known technique that red teamers can abuse to dynamically load .NET assembly logic. Additionally, minor obfuscated variations are presented in hopes of evading existing detection mechanisms. Proof-of-concept code snippets are provided in a variety of scripting languages to demonstrate versatility.
In this article, we analyze a malicious HTA file that we found on VirusTotal. This sample uses a few interesting techniques to evade existing detection mechanisms. In this blog post, we provide an in-depth analysis of the sample and reveal the techniques that are utilized to keep it under the radar. At the time of hunting this sample, only two engines marked it as malicious.
ThreatIngestor helps you collect threat intelligence from public feeds and gives you context on that intelligence so you can research it further and put it to use protecting yourself or your organization. In this post, we will go through the process of making a Twitter bot.
In this article, we dissect a sophisticated multi-stage PowerShell script that was found on Hybrid Analysis a few days back. The discussion entails an in-depth analysis of the various techniques that this particular malware instance utilized to keep itself under the radar. As of writing this article, none of the antivirus engines on VirusTotal detected this sample.
Unsupervised machine learning can give us insights that supervised learning cannot. Here, we go over one of these algorithms, MinHash.
This article covers the analysis of an interesting customer malspam encounter that was identified with a user-defined signature focusing on high levels of entropy within the file. It starts with a PDF lure that retrieves a macro-laden downloader document and finishes with the Emotet banking malware.
In this article, we dissect a sneaky malicious Microsoft Excel XLM file that we caught in the wild. To do so, we utilize a few open source as well as in-house tools to analyze the Excel document. During our analysis, we point out the limitations of a few popular file carving tools, such as foremost and scalpel, in extracting data from this and related samples.
PowerShell Empire is a go-to tool for pentesters, red teamers, and cyber-criminals. While it is an incredible framework, the InQuest platform easily detects the obfuscated payloads that it generates.
InQuest uses a variety of machine learning algorithms to model the features of the malware that we collect and to gain new insights from such data. Here we travel down the branching rabbit hole of random forests and gradient boosting.
Here at InQuest, YARA is among the many tools we use to perform deep-file inspection, with a fairly extensive rule set. InQuest operates at line speed in very high-traffic networks, so these rules need to be fast. This blog post is the second in a series discussing YARA performance notes, tips, and hacks.
Machine learning is one of the most versatile fields in all of computer science, with applications ranging from physics to art history, so, of course, it has a myriad of uses with regards to the detection and diagnosis of malicious programs; uses that we at InQuest would be remiss to not start utilizing ourselves. Here we go over some of the many ways ML algorithms are being leveraged for our purposes.
After the demise of the Dyreza banking malware, the banking trojan vacuum was quickly filled by the TrickBot malware family. TrickBot is a banking and information-stealing trojan which is modular in design and can rapidly expand its functionality by retrieving DLLs from its Command and Control server. This threat is spread most commonly by phishing emails, but it also includes network propagation functionality to spread through a victim's network by using the Microsoft Windows vulnerability known as EternalRomance. In this blog post, we'll dive into the TrickBot malware, its functionality, modules, and Command and Control communications.
Here at InQuest, YARA is among the many tools we use to perform deep-file inspection, with a fairly extensive rule set. InQuest operates at line speed in very high-traffic networks, so these rules need to be fast. This blog post is the first in a series discussing YARA performance notes, tips, and hacks.
Emotet is one of the most prevalent malware families in the cybercrime realm in 2018, and with no breakthroughs in identifying the actors or larger infrastructure, at least publicly, it seems poised to stay that way for the time being. The malware is typically delivered to users through phishing campaigns with malicious Word documents containing macros. Once executed, Emotet will often drop an additional malware family such as TrickBot or another information stealer. In the case we will look at today, an Emotet phishing campaign led to the delivery of not just one additional malware family but three: AZORult, IcedID, and TrickBot.
The goal of threat hunting is to proactively identify potential threats that have evaded existing security measures. Over the past several months, the use of malicious Excel IQY files to deliver malware has fallen into this category, a blind spot for many organizations and users. Threat actors, both cybercrime and APT, have launched phishing campaigns using this technique to evade common detection methodologies and have left computer network defenders wondering how to catch future occurrences of this technique. Although many of the notable phishing campaigns have similar indicators that one might hunt for, limiting yourself to these will narrow your scope to a limited set of known threats, and when hunting you are looking to identify otherwise unknown threats. In this post, we will review how to leverage YARA signatures in a multi-staged hunting approach to identify indicators of potentially malicious activity in these file types. We will cover the IQY file format in both its legitimate and malicious uses, identify common indicators of malicious activity seen in the wild, and show how we can broaden those indicators to increase the scope of our threat hunting.
Open Source Intelligence (OSINT) is data collected from publicly available sources that is meant to be used in the context of intelligence. A great deal of data, combined with analysis by trained professionals, can be turned into actionable intelligence. This intelligence is used to enhance cyber security investigations, provide insight into adversary infrastructure and operators, give context to threat actor profiling, or understand a complex scenario.
HTTP File Server, commonly abbreviated as HFS, is a free and simple means to send and receive files across the Internet. This also makes the software a popular choice among malicious actors for hosting and distributing malware and exploits, and an interesting target for malware researchers. An investigation into an HFS instance hosting an exploit for CVE-2018-8174 led to the discovery of an interesting threat actor and their infrastructure, the continued use of the Gh0st RAT malware, and many common attributes we can use to help us identify this malicious activity in the wild.
Plyara is a Python lexer and parser for YARA rules. You can use it to build your own tools around YARA rules: whether analyzing or performing bulk operations on a large corpus, parsing rule content for display, writing a linter, or any other application you might think of.
The FormBook information-stealing malware, advertised as providing an "extensive and powerful internet monitoring experience", has clearly caught the eye of threat actors since its debut on underground forums in 2016. Due to its low price, it is easily accessible to threat actors of all sophistication levels for use in campaigns of varying complexity and shows no signs of slowing down. The malware provides a variety of data theft capabilities such as stealing stored passwords from local applications, recording user keystrokes, browsing and interacting with files on the infected host, taking screenshots, and more. Although the information-stealing functionality seems rather standard, the measures FormBook takes to avoid analysis make this malware family difficult to detect and analyze, making the stealer all the more appealing to malicious actors looking for a new take on an old threat.
After analyzing the ongoing GandCrab email distribution campaign, we at InQuest decided to look further into the emails themselves and exactly how this malware is being propagated. Taking a second look at one of the payloads from our last analysis, we found that the Phorpiex malware family acts as an email spreader for sending phishing emails with attachments and is very likely the malware causing so much havoc across Internet mailboxes these past weeks. By taking a closer look at the malware named in a previous blog post as "Trik" or "Trik.pdb", we have now identified it as the malware family Phorpiex. Due to the family's email spreader capability and unique strings found in the malware, it is highly likely to be responsible for the distribution of the GandCrab phishing campaigns we've seen in the wild over the past several weeks to months.
InQuest discovered an open directory hosting several Agent Tesla payloads, as well as several separate web panels for the administration of different Agent Tesla malware campaigns. We decided this was a good time to have a quick look at this malware family, its capabilities, and the artifacts found in the open directory. Agent Tesla is a malware family written in .NET for Microsoft Windows systems and has much in common with spyware in its capabilities. Its primary functions include stealing credentials, keylogging, collecting screenshots, capturing web camera images, and gathering clipboard data, although unlike many spyware families it is often seen in more standard malware campaigns and makes use of common malware techniques for obfuscation, unpacking, and data collection.
SOC analysts typically have access to a mix of proprietary, commercial, open source, and personal reputation sources for various indicators of compromise (IOCs). IOCs include file hashes, IP addresses, domain names, SSL certificate fingerprints, and more. Aggregating the variety of feeds into a single source is a prudent first step for manual search and programmatic accessibility. In this article we outline a number of publicly available resources and describe a simple method for aggregating them into a single reputation database. The final product, while not containing the highest-fidelity data, can provide a valuable reference for threat hunters. Commercially, we supply InQuest users with a proprietary reputation API, sourced from both manual and automated threat hunting efforts. Over 80% of these artifacts do not overlap with what we're seeing in the public domain.
InQuest helps organizations in both threat hunting and incident response through the use of our RetroHunt capability. This allows users to search back through large volumes of sessions and files using newly created signatures. Weekly releases of new InQuest signatures ensure we stay on top of the latest threats and exploits, while RetroHunt makes sure you stay alerted if they appear in your environment.
Due to the variability in anti-virus and malware detection methodologies, organizations can benefit from the coverage that a multi-AV solution provides. To facilitate this, InQuest includes OPSWAT MetaDefender as part of its network-based malware detection products.
E-mail is a prominent vector for malware delivery, by way of a malicious URL or file attachments. When embedding malicious content within a file, malware authors commonly nest a variety of formats within one another and pivot through numerous stages of payloads before retrieving the final one. In this post, we'll walk through the dissection of a common document malware carrier.
In early April of 2018 we noticed a spike in malicious activity, sourced mostly from Asia and delivered via SMTP. This post covers our exploration of the campaign and the eventual realization that it is responsible for distributing a mix of garden-variety malware, including GandCrab ransomware.
Threat intelligence is only as good as the sources that drive it, which is why we integrate zero-day exploitation coverage into our product via research from Exodus Intelligence. Going beyond public vulnerabilities and in-the-wild samples, this level of coverage affords protection against new TTPs long before they become part of the known threat landscape.
We believe that any security stack, in essence, follows the Swiss cheese model, with each slice of cheese representing a security product and each hole representing some bypass or evasion. Following best practices and employing a Defense-in-Depth model results in a stacking of these slices, each additional slice reducing the exposure window and minimizing the overall risk to a computing environment.
Deep File Inspection, or DFI, is the reassembly of packets captured off the wire into application-level content that is then reconstructed, unraveled, and dissected (decompressed, decoded, decrypted, deobfuscated) in an automated fashion. This allows heuristic analysis to better determine intent by analyzing the file contents (containers, objects, etc.) as an artifact.
On February 1st, Adobe published bulletin APSA18-01 for CVE-2018-4878 describing a use-after-free (UAF) vulnerability affecting Flash versions 22.214.171.124 and earlier. As of February 6th, Adobe has patched the issue in version 126.96.36.199, APSB18-03. This post provides an overview of the vulnerability, a walk-through of the exploit seen in the wild, and covers several detection mechanisms.
The Defense Information Systems Agency (DISA) selects InQuest as the provider of advanced file and session analytics for Joint Regional Security Stacks (JRSS), a high-volume and mission-critical environment.
In reviewing the results of our Microsoft Office DDE malware hunt, we came across an interesting lure posing as a Securities and Exchange Commission (SEC) Office of Management and Budget (OMB) approval letter. The sample utilizes some tricks to increase its chances of successful exploitation. We'll walk through the dissection of the components in this post.
On October 9th, 2017, SensePost researchers posted a technique demonstrating macro-less command execution in Microsoft Office documents through Dynamic Data Exchange (DDE). While variations of this technique are known, the post sheds light on the fact that Microsoft has no intent to address the matter and that "exploit" creation is trivial. This post provides an overview of the vulnerability, provides a mitigation, covers sample hunting, and covers the dissection of a few interesting samples gathered during the week.