Posted on 2022-03-30 by Dmitry Melikov
We uncovered a very interesting document that was observed impersonating the United States Securities and Exchange Commission. We assess, with a high degree of probability, that the attacker known as Cloud Atlas is responsible for this malicious campaign. Initially, this sample collects information about the system it is running on, which is then exfiltrated to the remote server.
Posted on 2022-02-24 by Dmitry Melikov
Some time ago, we discovered a novel payload delivery method in malicious documents. The focus of this article is to explore this technique via samples of the document. The threat sequencing follows the chain of a malicious spreadsheet that downloads an archive containing thinBasic binaries and a malicious thinBasic script.
Posted on 2022-02-10 by Josiah Smith
Over the recent months, the media coverage of tensions in Eastern Europe and Ukraine has been in steady circulation. As a result, cyberattacks on government networks and networked resources have seen an uptick. A notable case involves organizations whose systems had files destroyed by the so-called #WhisperGate malicious program.
Posted on 2022-01-26 by Josiah Smith and Nick Chalard
This post is a quick dissection of an interesting malware lure that appears to be part of a campaign targeting 🇧🇷 Brazilian / Portuguese-speaking users. The sample in question is available on InQuest Labs. Glancing at the macro, you'll quickly notice that a number of notepad.exe processes will be launched; additionally, there's a reference to a malicious domain, which we have filtered the screenshot below to show: unimed-corporated[.]com
Posted on 2022-01-24 by Dmitry Melikov
Some time ago, we discovered a large wave of phishing emails with an exciting delivery method. This article will describe this method and show how it works, starting from a malicious document. We will explore the following documents, each with a beautiful visual lure that abuses the names and logos of Chase Bank and Bank of America.