Microsoft MSHTML Remote Code Execution Vulnerability As we roll into autumn and the season changes, so does the threat landscape. The emergence of a new CVE signals another arms race, with attackers vying to weaponize the exploit effectively and defenders working out how to mitigate its effects.
The Trystero Project The "Trystero Project" is our code name for an experiment we are actively conducting to measure the security efficacy of the two largest mail providers, Google (Workspace, formerly G Suite) and Microsoft (O365), against real-world emerging malware. The name and icons are taken from The Crying of Lot 49, a novel by the American author Thomas Pynchon published in 1966. Why e-mail security?
Mobile devices as an espionage tool.
Email-borne attacks frequently begin with a malicious document attachment. This long-running trend continues to pose a serious threat to the security of organizations and users. Criminals constantly refine their methods and look for new ways to compromise victims. Payload trends change over time, with ransomware currently capturing many of the headlines.
We found an interesting document that hides a whole chain of PowerShell scripts. The original document uses a coercive lure to make the victim enable macros, which then drop the malicious artifacts. This document's lure is written in French: "BIENVENUE DANS WORD Microsoft Word a ete mise a jour avec succes" ("WELCOME TO WORD. Microsoft Word has been updated successfully").
At InQuest, we are fanatical about malware analysis and ingest real-world samples at scale, dissecting millions of files daily. We leverage a combination of our Deep File Inspection (DFI™) analysis engine and a proprietary machine-learning apparatus to distill a daily volume of millions of samples down to a harvest of dozens of "interesting" samples.
The staff at InQuest have been busy running a variety of research experiments in bleeding-edge maldoc discovery to ensure the efficacy of detection for our customers and to generate threat intelligence. One such experiment is our Twitter bot, which tweets about malicious stage-2 RTFs referenced from documents found within the InQuest Labs corpus. Another research project involves the mass curation of encrypted files and attempts to crack their passwords.
Throughout InQuest's research into detecting maldocs, well-deserved attention has been given to the graphical asset used as the coercive lure. From "Worm Charming", InQuest's Malware Lures Gallery, and Optical Character Recognition inspection of the instructive text that coaxes the user into enabling embedded logic, numerous wins have been brought to the community's attention. This quick blog details a couple of approaches for acquiring maldoc images without opening the document and copying the image out by hand.
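The two container types behind that approach are worth seeing in code. The following is an added example, not code from the InQuest post: OOXML files (.docx/.xlsm/.pptx) are ZIP archives whose pictures sit under word/media/, xl/media/ or ppt/media/, so the lure image can be pulled straight out of the archive; legacy OLE2 files (.doc/.xls) keep pictures inside binary streams, so the example falls back to carving PNG and JPEG blobs by their magic bytes and terminators. The sample documents are constructed in build_samples() and are not real lures.

```python
import io
import re
import zipfile

# Magic bytes and terminators of the two formats lure images usually use.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"          # IEND chunk type followed by its fixed CRC
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_END = b"\xff\xd9"               # EOI marker
OOXML_MEDIA = re.compile(r"^(?:word|xl|ppt)/media/[^/]+$")


def extract_ooxml_media(data: bytes) -> dict:
    """Return {zip_member: bytes} for every media part of an OOXML document."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if OOXML_MEDIA.match(name):
                out[name] = zf.read(name)
    return out


def carve_images(data: bytes) -> list:
    """Carve PNG/JPEG blobs out of an arbitrary byte string, e.g. an OLE2 .doc.

    Returns [(offset, format, blob)] ordered by offset. Each blob is bounded by
    the format's own terminator, so a truncated image is skipped rather than
    returning a random tail of the file.
    """
    found = []
    for magic, end, fmt in ((PNG_MAGIC, PNG_END, "png"), (JPEG_MAGIC, JPEG_END, "jpeg")):
        start = data.find(magic)
        while start != -1:
            stop = data.find(end, start + len(magic))
            if stop == -1:
                break
            stop += len(end)
            found.append((start, fmt, data[start:stop]))
            start = data.find(magic, stop)
    return sorted(found, key=lambda hit: hit[0])


def extract_images(data: bytes) -> list:
    """Dispatch on the container: ZIP (OOXML) -> media parts, anything else -> carve."""
    if data.startswith(b"PK\x03\x04"):
        return list(extract_ooxml_media(data).items())
    return [(f"carved_{off:#x}.{fmt}", blob) for off, fmt, blob in carve_images(data)]


def build_samples():
    """Constructed test data: a minimal PNG and JPEG (not renderable), a
    docx-style ZIP and an OLE2-style blob embedding them. None are real lures."""
    png = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00" + PNG_END
    jpeg = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_END
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 32)   # not an image: must be ignored
        zf.writestr("word/media/image1.png", png)
        zf.writestr("word/media/image2.jpeg", jpeg)
    docx = buf.getvalue()
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + jpeg + b"\x00" * 16 + png
    return docx, ole, png, jpeg


if __name__ == "__main__":
    docx, ole, _, _ = build_samples()
    for container in (docx, ole):
        for name, blob in extract_images(container):
            print(f"{name}: {len(blob)} bytes")
```

Carving is deliberately naive: it trusts the terminator, so a PNG with an IEND chunk followed by appended data (a trick used for steganographic payloads) is cut at IEND, which is exactly what you want when the goal is the lure image rather than whatever rides behind it.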
On December 16th, 2020, Twitter user Insomnihack (@pro_integritate) posted an interesting obfuscated document, which some sandboxes flagged as Dridex. This sample threw an error and would not open in Office 2010 until I changed the file extension to "doc". The thing that stood out most on initial inspection was the massive use of "wd..." properties such as "wdArtWeavingStrips"; each of these properties maps to a constant value from the Word Enumerated Constants.
The SOC-Class is a niche course on cybersecurity operations, training CISOs, SOC managers, and technical leads to build and excel in Cybersecurity Operations Centers (SOCs/CSOCs). The use-case development methodology described here is one of the approaches discussed in the course and is intended to provide a framework for the mature and repeatable construction of engineered detections.
A while back we had an interesting alert generated by one of the InQuest DFI sensors that was initially very suspicious, but proved to be entertaining and still questionable regarding the true purpose of the activity. My initial suspicion was raised by an event highlighting an image with an embedded executable.
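The check behind an "image with embedded executable" event is simple enough to show in full. This is an added example, not InQuest's DFI logic: it identifies the image container by its magic, then looks for an MZ DOS header whose e_lfanew field (little-endian u32 at offset 0x3C) points at a valid "PE\0\0" signature, which filters out the "MZ" byte pairs that occur by chance in pixel data. The clean, trojaned and decoy images in build_samples() are constructed for the demo.

```python
import struct

IMAGE_MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}


def image_type(data: bytes):
    """Identify the image container by its leading magic, or None."""
    for magic, name in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def find_pe_headers(data: bytes):
    """Yield (offset, machine) for each MZ header whose e_lfanew lands on 'PE\\0\\0'.

    'MZ' on its own turns up constantly in compressed pixel data; requiring a
    sane e_lfanew (past the 64-byte DOS header, within a few KiB) and the PE
    signature at that offset removes nearly all false positives.
    """
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and pe + 6 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                machine = struct.unpack_from("<H", data, pe + 4)[0]   # COFF Machine field
                yield pos, MACHINE_NAMES.get(machine, f"{machine:#06x}")
        pos = data.find(b"MZ", pos + 1)


def scan_image(data: bytes) -> dict:
    """Verdict for one file: image format, embedded PE headers, and a suspicious flag."""
    fmt = image_type(data)
    pes = list(find_pe_headers(data))
    return {"image": fmt, "pe": pes, "suspicious": fmt is not None and bool(pes)}


def build_samples():
    """Constructed samples: a clean PNG, the same PNG with a PE stub appended,
    and a PNG whose data chunk happens to contain 'MZ' (must not alert)."""
    png_magic = b"\x89PNG\r\n\x1a\n"
    iend = b"\x00\x00\x00\x00IEND\xaeB`\x82"
    clean = png_magic + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + iend
    # 64-byte DOS header with e_lfanew = 0x40, then 'PE\0\0' and an i386 COFF
    # header. Not loadable, just enough structure to be recognised.
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    pe_stub = bytes(dos) + b"PE\x00\x00" + coff
    trojaned = clean + pe_stub
    decoy = png_magic + b"\x00\x00\x00\x40IDAT" + b"MZ" + b"\x00" * 66 + iend
    return clean, trojaned, decoy


if __name__ == "__main__":
    for label, sample in zip(("clean", "trojaned", "decoy"), build_samples()):
        print(label, scan_image(sample))
```

A bare executable with no image wrapper is reported with pe offsets but not flagged, since the rule is specifically "executable hiding inside an image"; widen the verdict if your sensor should alert on both.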
A common tactic in phishing campaigns today is to host the phish on Google's Firebase Cloud Storage platform. Follow along with this workflow to analyze some phishing lures.
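The first step of such a workflow is pulling the Firebase Storage links out of the message and reading what they point at. As an added example (not part of the InQuest post), the code below parses the download-URL shape Firebase Cloud Storage uses, https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<url-encoded object path>?alt=media&token=<uuid>, recovering the project from the bucket name, the folder layout from the percent-encoded object path, the access token, and whether the object is an HTML page served inline (alt=media), i.e. the likely landing page. The sample email body, project name, paths and tokens are constructed and hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Download URL shape used by Firebase Cloud Storage:
#   https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<encoded object>?alt=media&token=<uuid>
FIREBASE_URL = re.compile(r"""https?://firebasestorage\.googleapis\.com/v0/b/[^\s"'<>]+""", re.I)
OBJECT_PATH = re.compile(r"^/v0/b/([^/]+)/o/(.+)$")
PAGE_EXTENSIONS = (".html", ".htm", ".shtml")


def parse_firebase_url(url: str):
    """Break a Firebase Storage download URL into its triage-relevant parts, or None."""
    parts = urlsplit(url)
    m = OBJECT_PATH.match(parts.path)
    if not m:
        return None
    bucket, encoded_object = m.groups()
    obj = unquote(encoded_object)                 # %2F -> '/', revealing the folder layout
    query = parse_qs(parts.query)
    alt = query.get("alt", [None])[0]
    suffix = ".appspot.com"                       # default bucket naming: <project>.appspot.com
    return {
        "url": url,
        "bucket": bucket,
        "project": bucket[:-len(suffix)] if bucket.endswith(suffix) else bucket,
        "object": obj,
        "token": query.get("token", [None])[0],
        # alt=media makes the browser render the object instead of returning JSON
        # metadata, so an HTML object served this way is the phishing landing page.
        "landing_page": alt == "media" and obj.lower().endswith(PAGE_EXTENSIONS),
    }


def find_firebase_urls(text: str) -> list:
    """Extract and parse every Firebase Storage URL in an email body or HTML."""
    results = []
    for m in FIREBASE_URL.finditer(text):
        url = m.group(0).rstrip(".,;:)>]")        # drop sentence punctuation glued to the link
        parsed = parse_firebase_url(url)
        if parsed:
            results.append(parsed)
    return results


# Constructed sample body: the project, object paths and tokens are made up.
SAMPLE_EMAIL = """Your mailbox is almost full. Review your storage here:
https://firebasestorage.googleapis.com/v0/b/example-phish-1234.appspot.com/o/login%2Findex.html?alt=media&token=0d3c9a6e-1111-2222-3333-444455556666
Logo: https://firebasestorage.googleapis.com/v0/b/example-phish-1234.appspot.com/o/assets%2Flogo.png?alt=media&token=aaaabbbb-0000-1111-2222-333344445555.
"""


if __name__ == "__main__":
    for hit in find_firebase_urls(SAMPLE_EMAIL):
        print(hit["project"], hit["object"], "landing page" if hit["landing_page"] else "asset")
```

The project name is the pivot: every object the campaign uploads shares it, so searching other mail for the same bucket usually finds sibling lures that use different tokens and object paths.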
On February 1st, 2018, Adobe published bulletin APSA18-01 for CVE-2018-4878, describing a use-after-free (UAF) vulnerability affecting Flash Player versions 28.0.0.137 and earlier. As of February 6th, Adobe has patched the issue in version 28.0.0.161 (APSB18-03). This post provides an overview of the vulnerability, a walk-through of the exploit seen in the wild, and covers several detection mechanisms.
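One generic detection mechanism for Flash-borne exploits is container-level: find every SWF inside a file or inside the parts of an Office document and inflate it so that content signatures can run over the plaintext. The following is an added example, not code from the post: an SWF begins with a three-byte signature (FWS plain, CWS zlib-compressed for SWF 6+, ZWS LZMA-compressed for SWF 13+), a version byte, and the little-endian uncompressed file length; for CWS the bytes after that 8-byte header are a zlib stream, which the example inflates and re-emits as an FWS file. The xlsx-style document and the embedded SWF in build_sample() are constructed, and ZWS is reported but not inflated.

```python
import io
import struct
import zipfile
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")   # plain, zlib (SWF >= 6), LZMA (SWF >= 13)


def parse_swf_header(data: bytes, off: int):
    """Validate a candidate SWF header at `off`; return its fields or None."""
    if off + 8 > len(data):
        return None
    sig, version = data[off:off + 3], data[off + 3]
    length = struct.unpack_from("<I", data, off + 4)[0]
    # Loose sanity checks that discard the three-byte signature appearing by chance.
    if not (1 <= version <= 50) or length < 8:
        return None
    if (sig == b"CWS" and version < 6) or (sig == b"ZWS" and version < 13):
        return None
    return {"offset": off, "signature": sig.decode(), "version": version, "uncompressed_len": length}


def decompress_swf(data: bytes, off: int, length: int):
    """Return the SWF as an uncompressed 'FWS' file, or None if it cannot be recovered.

    CWS: 8-byte header followed by a zlib stream holding the remaining length-8 bytes.
    ZWS (LZMA) is left to the caller.
    """
    sig = data[off:off + 3]
    rest = data[off + 8:]
    if sig == b"FWS":
        body = rest[:length - 8]
    elif sig == b"CWS":
        inflater = zlib.decompressobj()           # tolerates trailing bytes after the stream
        try:
            body = inflater.decompress(rest, length - 8)
        except zlib.error:
            return None
    else:
        return None
    if len(body) != length - 8:
        return None
    return b"FWS" + data[off + 3:off + 8] + body


def iter_members(data: bytes):
    """Yield (name, bytes): each ZIP member of an OOXML file, or the file itself."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield name, zf.read(name)
    else:
        yield "<file>", data


def scan_for_swf(data: bytes) -> list:
    """Find every SWF header in a file or its OOXML parts and inflate what it can."""
    hits = []
    for member, blob in iter_members(data):
        for sig in SWF_SIGNATURES:
            pos = blob.find(sig)
            while pos != -1:
                hdr = parse_swf_header(blob, pos)
                if hdr:
                    hdr["member"] = member
                    hdr["decompressed"] = decompress_swf(blob, pos, hdr["uncompressed_len"])
                    hits.append(hdr)
                pos = blob.find(sig, pos + 1)
    return hits


def build_sample():
    """Constructed: a tiny SWF body (stage RECT, frame rate/count, End tag), its FWS
    and CWS encodings, and an xlsx-style ZIP carrying the CWS inside an embedded OLE
    object. A decoy member contains 'FWS' with an invalid version byte."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x40\x00"
    length = 8 + len(body)
    plain = b"FWS" + bytes([8]) + struct.pack("<I", length) + body
    packed = b"CWS" + bytes([8]) + struct.pack("<I", length) + zlib.compress(body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", b"<workbook>FWS\x00\x00\x00\x00\x00</workbook>")
        zf.writestr("xl/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + packed + b"\x00" * 32)
    return buf.getvalue(), plain


if __name__ == "__main__":
    doc, _ = build_sample()
    for hit in scan_for_swf(doc):
        print(hit["member"], hit["signature"], hit["version"], hit["uncompressed_len"], hit["decompressed"] is not None)
```

The inflated FWS output is what you hand to YARA or a tag parser; matching on the compressed CWS bytes is pointless because a one-byte change in the body rewrites the whole zlib stream.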