threat-hunting

September 2021

Microsoft MSHTML Remote Code Execution Vulnerability
As we roll into autumn and the season changes, so does the threat landscape. The emergence of a new CVE signals another arms race, with one side vying to leverage the exploit effectively and the other working to understand how to mitigate its effects.

August 2021

A few days ago, we found an exciting JavaScript file masquerading as a PDF that, upon activation, will drop and display a PDF (to maintain the ruse) as well as drop an executable. The document is a lure for the Korean Foreign Ministry document and its newsletter. The same attack was reported earlier by Malwarebytes in June.

July 2021

Mobile devices as an espionage tool.
Email-borne pathogens frequently commence with the inclusion of a malicious document. This long-running trend continues to pose a serious threat to the security of organizations and users. Criminals are constantly improving their methods and looking for new ways to compromise victims. Payload trends change over time, with ransomware being one that is capturing many headlines.

June 2021

A few days ago, we found an interesting document in the wild that aims to download spyware applications. The sample in question shows low detection rates across multiple antivirus engines, which rouses our suspicion. The email containing the attachment document was allegedly sent from a logistics campaign.

May 2021

We have found an exciting document that hides a whole chain of PS scripts. Unfortunately, the original document has used a coercive lure to make the victim enable macros that drop malicious artifacts. This specific document's lure is written in French: "BIENVENUE DANS WORD Microsoft Word a ete mise a jour avec succes".

March 2021

What we all need now and again is some exciting news, and since we have some, we wanted to make an article to share it! Earlier this month, our friends at Abuse.ch officially announced in a tweet that their MalwareBazaar project has integrated with InQuest’s Deep File Inspection (DFI) analysis stack.
At InQuest, we're fanatical about malware analysis and ingest real-world samples at scale, dissecting millions of files daily. We leverage a combination of our Deep File Inspection (DFI™) analysis engine and a proprietary machine-learning apparatus to distill a daily volume of millions of samples down to a harvest consisting of dozens of "interesting" samples.

January 2021

Throughout InQuest's research into detecting maldocs, deserving attention has been given to the graphical asset that is used as the coercive lure. From "Worm Charming", InQuest's Malware Lures Gallery, and Optical Character Recognition inspection of the instructive text to enable embedded logic, uncountable wins have been brought to the community's attention. This quick blog details a couple of approaches for acquiring maldoc images without the need to open the document and copy the image.

November 2020

The SOC-Class is a niche course on cybersecurity operations, training CISOs, SOC Managers, and technical leads to build and excel in Cybersecurity Operations Centers (SOCs/CSOCs). This use case development methodology is one of the approaches discussed in the course and is intended to provide a framework for mature and repeatable construction of engineered detections.

May 2020

In this blog, we dissect a novel and stealthy Excel macrosheet-fueled malware campaign that currently bypasses most protection stacks to deliver ZLoader to its victims. We trace the earliest appearance to Monday, May 4th (Star Wars Day), and continue to actively track this evolving campaign.

March 2020

In this quick, end-of-the-week post, we wanted to touch on the ubiquitous COVID-19 (aka Corona Virus), sharing an interesting lure, related malware, and some IOCs for colleagues to dig into while society as a whole is relegated to solitude in our homes. Our posting here is in no way comprehensive. There is a myriad of malware campaigns, disinformation operations, and general scamming revolving around the very concerning topic. Our goal is to further awareness and share some knowledge in the process.
In this post, we provide a detailed analysis of an interesting Excel 4.0 XLM macrosheet maldoc distribution campaign that is tied to a variety of executable payloads, a subject matter we'll be covering in a future blog. As of the time of writing, detection rates for this class of attack are relatively low, and these samples happily bypass the internal GSuite and O365 protection mechanisms.

December 2019

InQuest combines Deep File Inspection (DFI) and RetroHunting™ to bring the threat hunting capabilities of VirusTotal Intelligence to your own environment. VirusTotal provides analysts with powerful tools to threat hunt against millions of files, domains, and IPs, but has the drawback of not currently offering a self-hosted option for organizations that wish to keep their data private.

September 2019

In this blog, we discuss Adobe Extensible Metadata Platform (XMP) identifiers (IDs) and how they can be used as both pivot and detection anchors. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance.
InQuest provides an automated platform for SOC hunters that includes powerful means for inspecting files to detect the presence of malicious code. The platform ingests network data and then goes through a variety of analytic functions resulting in an effective risk score. Check out this interview between Ed Amoroso of Tag Cyber and Pedram Amini, our CTO.

July 2019

In this short post, we share a YARA rule that threat hunters will find valuable for identifying potentially malicious PowerShell pivots. Specifically, we'll be looking for base64-encoded PowerShell directives. Additionally, some interesting real-world samples will be shared with the reader, including an SSL certificate, a Microsoft Windows shortcut (LNK) file, and a JPG image.

April 2019

In this article, we analyze a malicious HTA file that we found on VirusTotal. This instance uses a few interesting techniques to evade existing detection mechanisms. In this blog post, we provide an in-depth analysis of this instance and reveal the techniques that are utilized to keep the instance under the radar. At the time of hunting this instance, only two engines marked this instance as malicious.

March 2019

In this article, we dissect a sophisticated multi-stage PowerShell script that was found on HybridAnalysis a few days back. The discussion entails an in-depth analysis of the various techniques that this particular malware instance utilized to keep itself under the radar. As of writing this article, none of the antivirus engines on VirusTotal detected this sample.

January 2019

In this article, we dissect a sneaky malicious Microsoft Excel XLM file that we caught in the wild. To do so, we utilize a few open source as well as in-house tools to analyze the Excel document. During our analysis, we point out the limitations of a few popular file carving tools, such as foremost and scalpel, in extracting data from this and related samples.

October 2017

In reviewing the results of our Microsoft Office DDE malware hunt, we came across an interesting lure posing as a Securities and Exchange Commission (SEC) Office of Management and Budget (OMB) approval letter. The sample utilizes some tricks to increase chances of successful exploitation. We'll walk through the dissection of the components in this post.
On October 9th, 2017, SensePost researchers posted a technique demonstrating macro-less command execution in Microsoft Office documents through Dynamic Data Exchange (DDE). While variations of this technique are known, the post sheds light on the fact that Microsoft has no intent to address the matter, and that "exploit" creation is trivial. This post provides an overview of the vulnerability, provides a mitigation, covers sample hunting, and covers the dissection of a few interesting samples gathered during the week.