InQuest Blog

Follow along through the dissection and analysis of an oddly obfuscated maldoc that ultimately delivers the well-known GOZI ISFB banking trojan.

We are excited to announce File Detection and Response (FDR) as the new moniker for InQuest solutions. I’d like to give you a little background on how this came about. As most of our readers know, InQuest is all about Deep File InspectionTM (DFI) and RetroHuntingTM, these two core technologies are what sets InQuest solutions apart from other file analysis solutions on the marketplace.

A few days ago we discovered a very interesting sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran «Tavangoostar Niro va Gashtavar Jonob». The document also contains a link to this energy company. www.tavangyl.com

Since this family of malicious documents containing executable files was not previously known, we named it the Green Stone.

Follow David Ledbetter through the analysis of a heavily obfuscated maldoc. The analysis shows how to decode unescaped scripts and byte arrays to deliver a weaponized payload.

The purpose of InQuest Labs is to enable independent security researchers with a convenient mixture of files and threat intelligence. Users can register for free and interface via the UI/UX, an open API, or via a Python library / command-line interface. The InQuest team leverages this API to implement a variety of automations designed to surface novel threats, we call these "Special Operations" or SpecOps for short. One of these SpecOps actively follows links discovered in malicious documents. If the target of the link is a malicious file, and that link has not been widely reported, and the file has not been previously seen... then a Tweet is automatically posted. Recently, there's been a number of Tweets that reveal a common pattern, this blog post is a deep dive into these samples.