A while back we had an interesting alert generated from one of the InQuest DFI sensors that was initially very suspicious, but proved to be entertaining and still questionable regarding the true purpose of the activity. My initial suspicion was driven by an event highlighting an image with an embedded executable.
While we come across fresh and evasive document carriers on a regular basis, it's not every day we see one with great polish. On July 20th we broke down the individual components of a malicious Office document and drove some collaboration within the Twitter thread.
Beyond the capability of identifying, extracting, and exposing malicious content from hundreds of file types, InQuest Deep File Inspection (DFI) utilizes machine vision and optical character recognition (OCR) to identify the social engineering component of a variety of malware lures. This is one of the myriad techniques that we employ to detect novel malware that may leverage previously unseen pivots.
Field notes pertaining to a low detection (5/60) malicious document that leverages a macro+form to pivot to VBE in serb.xml from jplymell[.]com. The lure then pivots to smartapp.jpg, a PE32 executable from the same source with much better detection (17/69) than the carrier which delivered it.
Field Notes: Malicious HFS Instances Serving Gh0stRAT
Posted on 2018-07-09 by Adam Swanda