At InQuest Labs, multiple high-volume data streams are ingested daily. We take every password-protected document and attempt to crack with a dictionary list, followed by brute-forcing.

Over the last few weeks, InQuest Lab's telemetry has identified multiple Dridex campaigns utilizing password-protected Excel documents. Due to their encryption, traditional AV products have not achieved adequate detection. The cracked passwords are then added to the on-product dictionary list for known maldoc passwords.

Recent Dridex samples on InQuest Labs!

InQuest Email Security Assessment

This month we harvested 2430 samples from the wild capable of bypassing either Microsoft or Google. Of those, Microsoft missed 318 (13%), and Google missed 2262 (93%). The distribution of misses by file kind is depicted below:

InQuire for a free, personalized email security assessment!

Latest InQuest™ Blog Posts

(Don't) Bring Dridex Home for the Holidays

Posted on 2021-12-20 by Nick Chalard

With the holiday season upon us and Log4j-nia still keeping most of us awake at night, we want to revisit an old chum who continues to operate in full swing amidst the chaos. With fresh tactics at their disposal, Dridex continues to target large organizations with somewhat elaborate lures to ensure user interaction and infection. On Monday, December 15th we noticed an uptick in the amount of verified malware hiding behind password-protected Microsoft Excel spreadsheets, specifically ones containing the dated "macrosheet" functionality.

Log4Shell

Posted on 2021-12-28 by Dmitry Melikov

On December 9, 2021, a vulnerability (CVE-2021-44228) was published to the global information security community. Logging utility Log4j (version 2.0 to 2.15.0-rc2 version) contained a critical remote code execution (RCE) vulnerability, which was dubbed Log4Shell. If a threat actor manages to execute an exploit on a vulnerable machine, they are able to execute arbitrary code and potentially gain full control over the system.

InQuest™ Labs Research Spotlight

XOpcodeCalc

x86/64 Opcode calculator. The program works on macOS, Linux, and Windows.

Ambiguous PNG Packer

Craft PNG files that appear completely different in Apple software.

log4j-scan

A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts.

Global Security Events

New iLOBleed Rootkit Targeting HP Enterprise Servers with Data Wiping Attacks

A previously unknown rootkit has been found setting its sights on Hewlett-Packard Enterprise's Integrated Lights-Out (iLO) server management technology to carry out in-the-wild attacks that tamper with the firmware modules and completely wipe data off the infected systems.

New Flagpro malware linked to Chinese state-backed hackers

BlackTech cyber-espionage APT group has been spotted targeting Japanese companies using novel malware that researchers call ‘Flagpro’. The threat actor uses Flagpro in the initial stage of an attack for network reconnaissance, to evaluate the target’s environment, and to download second-stage malware and execute it.

AWS went down hard, yet again - here's what happened

Cloud computing service AWS has now recovered from a third major outage in as many weeks. The latest AWS outage began around 4am PT/12pm GMT on December 22, with more than a thousand incident reports flagged on tracker site DownDetector.

Useful Links

Support

Social

Twitter

GitHub

InQuest™ Insider - Your monthly resource for the latest in cyber security news, trends, tips and tools. Subscribe here.

Unsubscribe here.