Posted on 2022-04-07 by Josiah Smith
To help guide the conversation and thought process, InQuest has developed multiple ROI calculators that illustrate the benefits in terms of time saved, volume processed, and capacity for organizational directors, hiring managers, threat hunters, security operations center (SOC) analysts, and email administrators. Each calculator provides sliders for tuning the variables to match your environment and your level of skepticism about vendor claims.
Posted on 2022-03-30 by Dmitry Melikov
We uncovered a very interesting document that was observed impersonating the United States Securities and Exchange Commission. Our assumption, with a high degree of probability, is that the attacker known as Cloud Atlas is responsible for this malicious campaign. Initially, the sample collects information about the system it is running on, which is then exfiltrated to the remote server.
Posted on 2022-02-24 by Dmitry Melikov
Some time ago, we discovered a novel payload delivery method in malicious documents. The focus of this article is to explore the technique through samples of the document. The threat sequencing follows the chain of a malicious spreadsheet that downloads an archive containing thinBasic binaries and a malicious thinBasic script.
Posted on 2022-02-10 by Josiah Smith
Over recent months, media coverage of tensions in Eastern Europe and Ukraine has been in steady circulation. As a result, cyberattacks on government networks and networked resources have seen an uptick. A notable case involves organizations' systems being targeted with file-destroying payloads from the so-called #WhisperGate malicious program.
Posted on 2022-01-26 by Josiah Smith and Nick Chalard
This post is a quick dissection of an interesting malware lure that appears to be part of a campaign targeting 🇧🇷 Brazilian / Portuguese-speaking users. The sample in question is available on InQuest Labs. Glancing at the macro, you'll quickly notice that a number of notepad.exe processes will be launched. Additionally, there's a reference to a malicious domain, which we have filtered the screenshot below to show: unimed-corporated[.]com