InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.
Posted on 2018-12-28 by Steve Esling
Inquest uses a variety of machine learning algorithms to model the features of malware that we collect and to gain new insights from such data. Here we travel down the branching rabbit hole of random forests and gradient boosting.
Posted on 2018-12-18 by Rob King
Here at InQuest, YARA is among the many tools we use to perform deep-file inspection, with a fairly extensive rule set. InQuest operates at line speed in very high-traffic networks, so these rules need to be fast. This blog post is the second in a series discussing YARA performance notes, tips, and hacks.
Posted on 2018-11-14 by Steve Esling
Machine learning is one of the most versatile fields in all of computer science, with applications ranging from physics to art history, so, of course, it has a myriad of uses with regards to the detection and diagnosis of malicious programs; uses that we at InQuest would be remiss to not start utilizing ourselves. Here we go over some of the many ways ML algorithms are being leveraged for our purposes.
Posted on 2018-11-13 by Adam Swanda
Banking malware and information stealing malware are some of the most popular threats in today's landscape. Many stealers will collect information and credentials from locally installed applications such as web browsers, email and instant messaging clients, and other common software. Banking trojans, on the other hand, go the extra mile to pilfer data and use what is called Web browser injections, more commonly called "web injects". Web injects are code within malware that can inject HTML and JavaScript directly into otherwise legitimate websites a victim visits. This has the effect of modifying rendered browser content to achieve any number of goals the malicious actor chooses, such as adding, removing, or modifying text, inserting form fields, or capturing data entered into fields.
Posted on 2018-10-09 by Adam Swanda
After the demise of the Dyreza banking malware, the banking trojan vacuum was quickly filled by the TrickBot malware family. TrickBot is a banking and information stealing trojan which is modular in design and can rapidly expand its functionality by retrieving DLLs from its Command and Control server. This threat is spread most commonly by phishing emails, but it also includes network propagation functionality to spread through a victims' network by using the Microsoft Windows vulnerability known as EternalRomance. In this blog post, we'll dive into the TrickBot malware, its functionality, modules, and Command and Control communications.
Blog Archive