ThreatIngestor is a flexible, configuration-driven, extensible framework for consuming threat intelligence. It can monitor Twitter, RSS feeds, and other sources, extract meaningful information like C2 IPs/domains and YARA signatures, then send that information to other systems for analysis.
In this post I want to cover an item called "CustomXMLParts".
Trying to look up this term you can find variations on what it is. In short, it is an XML container to store arbitrary data to be used in the document. The intention for it appears to give the developer a way to change the formatting of the Office document that is not already available or add additional functionality.
In this case they are storing a hex encoded executable in the “customXml –> item1.xml
In a previous post, we discussed the “@” symbol used to separate an apparent legitimate URL from the real target. In this case, there has been a small flood using the URL of “http://jmcglone.com@” with many different URLs or IP addresses after the “@” symbol. If we look at the VirusTotal information for this page, we see the online scan says it is clean and that it has also been around for ten years.
In this post we will be working with this Excel Sample from InQuest Labs.
For several weeks, eyes around the world have been set on the war in Ukraine and events that have transpired as a result.
We found a wave of phishing documents containing a very interesting lure. We researched the tactics of this attack in more depth and discovered some unique TTPs including a Stage 2 Blogspot service marked as adult content requiring that you must be logged in as an authorized user with an account no less than a year old.
Let's look at how the next sample works.
A few days ago, we discovered a wave of phishing emails with an attached document. The fact is that a considerable number of samples had zero detection on the VT service. While several files had no AV detection for some time, we decided to focus on this wave and explore it in more detail.
Protecting an organization from today's cyber threats is not a simple but rather extensive task. The threat landscape is constantly changing, requiring a flexible approach to defense. The threats, techniques, and vulnerabilities that cybercriminals exploit may be unknown to organizations that provide protection to their users. This is a prime example of the exploitation of a critical vulnerability. An exploit that was found in the wild.
Microsoft MSHTML Remote Code Execution Vulnerability
As we roll into autumn and the season changes, so does the threat landscape. The emergence of new CVE signals another arms race with both sides vying for effectively leveraging the exploit and understanding how to mitigate the effects respectively.
The Trystero Project
The "Trystero Project" is our code name for an experiment that we're actively conducting to measure the security efficacy of the two largest mail providers, Google (Workspace, aka GSuite) and Microsoft (O365), against real-world emerging malware. The name and icons are sourced from Crying of Lot 49, a novel written by American author Thomas Pynchon and published in 1965. Why e-mail security?
Email-borne pathogens frequently commence with the inclusion of a malicious document. This long-running trend continues to pose a serious threat to the security of organizations and users. Criminals are constantly improving their methods and looking for new ways to compromise victims. Payload trends change over time, with Ransomware being one that is capturing many headlines.
A few days ago, we found an interesting document in the wild that aims to download spyware applications. The sample in question shows low detection rates across multiple antivirus engines, which rouses our suspicion. The email containing the attachment document was allegedly sent from a logistics campaign.
It's no secret that today, targeted attacks and phishing attacks are the primary means of spreading malware. The purpose of which is to collect user data, theft banking data, and espionage. Threat Actors are constantly working to improve the tools they use. In this article, I will try to show you how the Hanictor group is improving their toolbox.
What we all need now and again is some exciting news, and since we have some, we wanted to make an article to share it! Earlier this month, our friends at Abuse.ch officially announced in a tweet that their MalwareBazaar project has integrated with InQuest’s Deep File Inspection (DFI) analysis stack.
The staff at InQuest have been busy running a variety of different research experiments in the realm of bleeding-edge maldoc discovery to ensure the efficacy of detection for our customers and generate threat intelligence. One such experiment is our Twitter bot that tweets about malicious stage-2 RTFs referenced from documents found within the InQuest Labs Corpus. Another additional research project includes the mass curation and password cracking attempts of encrypted files.
To validate an e-mail security stack's capability in blocking current real-world threats harvested from the wild, InQuest gathers unique malware daily and validates the common cloud e-mail providers (GSuite, O365). Collectively (stacked on top of one another), the providers' default security stacks are capable of detecting between 85% and 95% of these novel attacks. The samples capable of bypassing these stacks are candidates for the InQuest Email Security Assessment.
Cerbero Suite
We would like to thank InQuest for this interesting malware sample: it's a great sample to show the power of Cerbero Suite!
InQuest Labs is one year old! Let's take a look at how the site has grown over the last year, the new API documentation, and what's in store for the future of Labs!
While we come across fresh and evasive document carriers on a regular basis, it's not every day we see one with great polish. On July 20th we broke down the individual components of a malicious Office document and drove some collaboration within the Twitter Thread.
So you want to add a little spice to your indicators of compromise. After all, an IoC without context or attribution is very much like when you learn what hot is. There are many tools available for us to determine how “hot” an IoC is without burning ourselves. We will be focusing mainly on what we can access publicly and use for free.
Beyond the capability of identifying, extracting, and exposing malicious content from hundreds of file types. InQuest Deep File Inspection (DFI) utilizes machine vision and optical character recognition (OCR) to identify the social engineering component of a variety of malware lures. This is one of the myriads of techniques that we employ to detect novel malware that may leverage previous unseen pivots.
In this quick, end of the week post, we wanted to touch on the ubiquitous COVID-19 (aka Corona Virus). Sharing an interesting lure, related malware, and some IOCs for colleagues to dig into while society on a whole is relegated to solitude in our homes. Our posting here is in no way comprehensive. There is a myriad of malware campaigns, disinformation operations, and general scamming revolving around the very concerning topic. Our goal is to further awareness and share some knowledge in the process.
Earlier this year, we here at InQuest launched our new InQuest Labs data portal. Labs is an amazing resource, with a plethora of useful tools and intelligence offerings. Much could be written about the site, and much has been...but not about this part right here: Base64 Regular Expression Generator.
Introduction
In this blog, we discuss Adobe Extensible Metadata Platform (XMP) identifiers (IDs) and how they can be used as both pivot and detection anchors. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance.
InQuest has just released a new analysis suite for the researcher and hobbyist. Welcome to InQuest Labs!
Our CTO, Pedram Amini, presented Worm Charming: Harvesting Malware Lures for Fun and Profit at Blackhat USA 2019. During this talk, Pedram detailed the harvesting mechanism that drives the DFI portion of InQuest Labs. Capable of ingesting malware at scale, samples are fed through a lightweight and less featured version of Deep File Inspection to extract embedded logic, semantic content, metadata, and IOCs such as URLs, domains, IPs, e-mails, and file names.
