InQuest Blog

Don’t Get Caught Under The MistleTOAD

Posted on 2022-11-28 by Chase Sims

InQuest Labs has observed an uptick in TOAD (Telephone-oriented attack delivery) threat actors targeting personal and business email addresses, presumably in line with the coming holiday shopping season. Based on our research efforts, we have observed that they employ multiple team members to execute this attack. The threat actors themselves refer to these components as “customer support” and “the security team”

Hiding in the XML

Posted on 2022-10-03 by David Ledbetter

In this post, I want to cover an item called "CustomXMLParts". Trying to look up this term you can find variations on what it is. In short, it is an XML container to store arbitrary data to be used in the document. The intention for it appears to give the developer a way to change the formatting of the Office document that is not already available or add additional functionality.

What’s your name? … My how you have changed.

Posted on 2022-09-21 by David Ledbetter

In this series of five files, we have seen the evolution of this loader implementing new forms of obfuscation in the VBA as well as the shellcode as they steadily progress. We see that it uses Excel as well as Word documents. Since the files are ‘Zipped” then there is not an easy way to build detections against the compressed file. You can’t use size for sections because of different compression ratios.

What, exactly, is Real-Time Threat Intelligence?

Posted on 2022-09-16 by Pedram Amini

You can’t throw a rock these days without hitting a security threat intelligence feed. There is a veritable cornucopia of feeds provided by security solution vendors, vendors who focus solely on security research and, of course, public / open source agencies. Here at InQuest, we harvest hundreds of internal/proprietary, public, and private 3rd party threat intel sources for insight into today's attack types including sophisticated malware, ransomware, phishing lures, scams, fraud and other forms of malicious content.

Automated Threat Hunting. Is it AI?

Posted on 2022-09-14 by Pedram Amini

For years we’ve known the game of truly stopping cyber attackers should be to collect every possible piece of data, organize it in a manner that man/machine can assimilate it, analyze it, separate signal from noise, and take corrective action without disrupting business continuity - all before calamity strikes. Let’s assume for a moment that we have this Utopian defense.

Blog Archive

2023
- May
  - Highlight of an Email Attack Simulation Bypass
  - 100 Days of YARA: Everything You Need to Know
  April
  - Shifting Left in Cybersecurity: Balancing Detection and Prevention - Part 2
  - Shifting Left in Cyber Security - Part 1
  March
  - Credential Caution: Exploring the New Public Cloud File-Borne Phishing Attack
  February
  - You’ve Got Malware: The Rise of Threat Actors Using Microsoft OneNote for Malicious Campaigns
  January
  - ThreatIngestor Release v1.0.2
  - At Least 4 New Reasons Every Day To Check Your Email Security Stack

2022
- December
  - The Importance of Email Hygiene
  - Black Basta: Riding the Crimeware Sleigh
  November
  - Don’t Get Caught Under The MistleTOAD
  October
  - Hiding in the XML
  September
  August
  July
  June
  - GlowSand
  - Follina, the Latest in a Long Chain of Microsoft Office Exploits
  May
  - Tandem Espionage
  - Detection Multiplexing
  April
  March
  - Cloud Atlas Maldoc
  February
  - Dangerously thinBasic
  - +380-GlowSpark
  January
  - 2022-01 AsyncRAT
  - Analysis of a Remcos RAT Dropper

2021
- December
  - Log4Shell
  - (Don't) Bring Dridex Home for the Holidays
  November
  - Graphical Lures In The Age of Cybercrime.
  - Adults Only Malware Lures
  October
  - How Email Works
  - Advanced Qbot Downloader
  September
  - Rechnung Financial Malspam
  - CVE-2021-40444
  August
  - The Trystero Project
  - Kimsuky Espionage Campaign
  July
  - Espionage Utilizing Mobile Devices
  - IcedID: 07.07.21
  June
  May
  - PSChain
  - Dive Into Cobalt Strike
  April
  - An Exploration and Explanation of Randomized Parameter Optimization
  - Unearthing Hancitor Infrastructure
  March
  - InQuest & MalwareBazaar Integration
  - Mail Provider Comparison
  February
  - Cracking Password Protected Payloads
  January
  - Carving Images for Leisure and Gain
  - String Encoding and YARA... Oh My

2020
- December
  - Social Engineering Attacks And E-mail Security
  - Clustering for Classification: Using Unsupervised Learning for Label Expansion
  November
  - The Trystero Project: A Comparison of Mail Providers
  - SOC-Class: Use Case Development
  October
  - Cybersecurity Awareness Month
  - Cerbero Suite: The Hacker’s Multitool
  September
  - InQuest Labs Year in Review
  - IQ-FA009:QBot OOXML
  August
  - Detection in Depth
  - Persian Kitties Hiding Benign Executables
  July
  June
  - Get The Most Out Of Your IoC: The Beginner’s Guide
  May
  April
  - Deep File Inspection for Data Leakage
  March
  - COVID-19 Scare Tactics: Want to buy some masks?
  - Getting Sneakier: Hidden Sheets, Data Connections, and XLM Macros
  February
  - Reverse Engineering on Windows: A Focus on Malware
  - Hiding In Plain Sight
  January
  - Pyramid of Pain Vs. The Iceberg of Inspection
  - Internship Retrospective

2019
- December
  - Threat Hunting On Your Own Network With InQuest
  - Ransomware in Your Stocking
  November
  - Holiday Blog: Tis' the Season
  - Field Notes: Multistage Maldoc Delivers Executable Masked as JPG
  October
  - Base64 Encoded Regular Expressions for Fun and Profit
  - Programmatic Interaction with InQuest Labs via Python
  September
  - Adobe XMP: Tales of an Overlooked Anchor
  - Advanced Support for the SOC Hunter
  August
  July
  - Base64 Encoded Powershell Pivots
  - Emotet, Unmasking via Machine Learning
  June
  - YARA For Everyone: Sharing is Caring
  May
  - Abusing Registration-Free COM Interop
  April
  - Analysis of an Interesting Malicious HTA File
  March
  - Making a Twitter Bot with ThreatIngestor
  - Analyzing Sophisticated PowerShell Targeting Japan
  February
  - Family Matters: Using MinHash to Cluster Data
  - Quick Analysis of A Customer Malspam Encounter
  January
  - Extracting "Sneaky" Excel XLM Macros
  - Detecting Empire with InQuest

2018
- December
  - Ex Machina: A Frolic through the Forests
  - Short-Circuiting Boolean Operators in YARA
  November
  - Ex Machina: Man + Machine
  September
  - Stringless YARA Rules
  July
  - Field Notes: Malicious HFS Instances Serving Gh0stRAT
  May
  April
  March
  - InQuest Provides Zero-Day Coverage Against Advanced Threats via Partner Exodus Intel
  - Defense in Depth: Detonation Technologies
  February
  - An Introduction to Deep File Inspection
  - Adobe Flash MediaPlayer DRM Use-After-Free Vulnerability
  January
  - InQuest Deployed by DISA in the Joint Regional Security Stack (JRSS)

2017
- October

InQuest Blog

Don’t Get Caught Under The MistleTOAD

Hiding in the XML

What’s your name? … My how you have changed.

What, exactly, is Real-Time Threat Intelligence?

Automated Threat Hunting. Is it AI?

Blog Archive

Blog Tags

Subscribe to InQuest Insider

Overview

What is FDR?

Technology

Core Features

Benefits

Differentiation

Solutions

Solutions

File-borne Attack Use Cases

Threat Hunting Use Cases

SOC ROI Use Cases

Products & Services

Products

Services

Pricing

Resources

Company

InQuest Blog

Don’t Get Caught Under The MistleTOAD

Hiding in the XML

What’s your name? … My how you have changed.

What, exactly, is Real-Time Threat Intelligence?

Automated Threat Hunting. Is it AI?

Blog Archive

Blog Tags

Subscribe to InQuest Insider

Subscribe