InQuest Blog Articles Filed Under ""

You can view all blog posts filed under this tag.

InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.

Analyzing Sophisticated PowerShell Targeting Japan

Posted on 2019-03-23 by aniakanlahiji

In this article, we dissect a sophisticated multi-stage PowerShell script that was found on HybridAnalysis a few days back. The discussion entails an in-depth analysis of the various techniques that this particular malware instance utilized to keep itself under the radar. As of writing this article, none of the antivirus engines on VirusTotal detected this sample.

threat-hunting malware-analysis powershell

Blog Archive


Extracting "Sneaky" Excel XLM Macros

Posted on 2019-03-23 by aniakanlahiji

In this article, we dissect a sneaky malicious Microsoft Excel XLM file that we caught in the wild. To do so, we utilize a few open-source as well as in-house tools to analyze the Excel document. During our analysis, we point out the limitations of a few popular file carving tools, such as foremost and scalpel, in extracting data from this and related samples.

threat-hunting deep-file-inspection malware-analysis yara open-source



Threat Hunting IQY files with YARA

Posted on 2019-03-23 by aswanda

The goal of threat hunting is to proactively identify potential threats that have evaded existing security measures. Over the past several months, the use of malicious Excel IQY files to deliver malware has fallen into this category, becoming a blind spot for many organizations and users. Threat actors, both cybercrime and APT, have launched phishing campaigns using this technique to evade common detection methodologies, leaving computer network defenders wondering how to catch future occurrences of it. Although many of the notable phishing campaigns share indicators that one might hunt for, limiting yourself to these narrows your scope to a limited set of known threats, whereas the point of hunting is to identify otherwise unknown threats. In this post, we will review how to leverage YARA signatures in a multi-staged hunting approach to identify indicators of potentially malicious activity in these file types. We will cover the IQY file format in both its legitimate and malicious uses, identify common indicators of malicious activity seen in the wild, and show how we can broaden those indicators to increase the scope of our threat hunting.

threat-hunting yara



Phorpiex malware spreads GandCrab phishing emails

Posted on 2019-03-23 by aswanda

After analyzing the ongoing GandCrab email distribution campaign, we at InQuest decided to look further into the emails themselves and exactly how this malware is being propagated. Taking a second look at one of the payloads from our last analysis, we found that the Phorpiex malware family acts as an email spreader for sending phishing emails with attachments and is very likely the malware causing so much havoc across Internet mailboxes these past weeks. By taking a closer look at the malware named in a previous blog post as "Trik" or "Trik.pdb", we have now identified it as the malware family Phorpiex. Given the family's email spreader capability and the unique strings found in the malware, it is highly likely to be responsible for the distribution of the GandCrab phishing campaigns we've seen in the wild over the past several weeks to months.

phishing malware-analysis threat-hunting ransomware



RetroHunt: Retrospective Analysis for Threat Hunters

Posted on 2019-03-23 by aswanda

InQuest helps organizations with both threat hunting and incident response through our RetroHunt capability, which allows users to search back through large volumes of stored sessions and files using newly created signatures. Weekly releases of new InQuest signatures ensure we stay on top of the latest threats and exploits, while RetroHunt makes sure you are alerted if they have already appeared in your environment.

threat-hunting incident-reponse malware-analysis retrohunt yara



Microsoft Office DDE SEC OMB Approval Lure

Posted on 2019-03-23 by pedram

In reviewing the results of our Microsoft Office DDE malware hunt, we came across an interesting lure posing as a Securities and Exchange Commission (SEC) Office of Management and Budget (OMB) approval letter. The sample utilizes some tricks to increase its chances of successful exploitation. We'll walk through the dissection of its components in this post.

threat-hunting deep-file-inspection malware-analysis



Microsoft Office DDE Macro-less Command Execution Vulnerability

Posted on 2019-03-23 by pedram

On October 9th, 2017, SensePost researchers posted a technique demonstrating macro-less command execution in Microsoft Office documents through Dynamic Data Exchange (DDE). While variations of this technique are known, the post sheds light on the fact that Microsoft has no intent to address the matter, and that "exploit" creation is trivial. This post gives an overview of the vulnerability, provides a mitigation, covers sample hunting, and dissects a few interesting samples gathered during the week.

vulnerability threat-hunting deep-file-inspection malware-analysis yara
