in-the-wild

September 2021

Microsoft MSHTML Remote Code Execution Vulnerability As we roll into autumn and the season changes, so does the threat landscape. The emergence of new CVE signals another arms race with both sides vying for effectively leveraging the exploit and understanding how to mitigate the effects respectively.

August 2021

The Trystero Project The "Trystero Project" is our code name for an experiment that we're actively conducting to measure the security efficacy of the two largest mail providers, Google (Workspace, aka GSuite) and Microsoft (O365), against real-world emerging malware. The name and icons are sourced from Crying of Lot 49, a novel written by American author Thomas Pynchon and published in 1965. Why e-mail security?

July 2021

Mobile devices as an espionage tool.
Email-borne pathogens frequently commence with the inclusion of a malicious document. This long-running trend continues to pose a serious threat to the security of organizations and users. Criminals are constantly improving their methods and looking for new ways to compromise victims. Payload trends change over time, with Ransomware being one that is capturing many headlines.

May 2021

We have found an exciting document that hides a whole chain of PS scripts. Unfortunately, the original document has used a coercive lure to make the victim enable macros that drop malicious artifacts. This specific document's lure is written in French "BIENVENUE DANS WORD Microsoft Word a ete mise a jour avec succes"

March 2021

At InQuest, we're fanatical about malware analysis and ingest real-world samples at-scale, dissecting millions of files daily. We leverage a combination of our Deep File Inspection (DFI™) analysis engine and a proprietary machine-learning apparatus to distill a daily volume of millions of samples down to a harvest consisting of dozens of "interesting" samples.

February 2021

The staff at InQuest have been busy running a variety of different research experiments in the realm of bleeding-edge maldoc discovery to ensure the efficacy of detection for our customers and generate threat intelligence. One such experiment is our Twitter bot that tweets about malicious stage-2 RTFs referenced from documents found within the InQuest Labs Corpus. Another additional research project includes the mass curation and password cracking attempts of encrypted files.

January 2021

Throughout InQuest's research into detecting maldocs, deserving attention has been given to the graphical asset that is used as the coercive lure. From "Worm Charming", InQuest's Malware Lures Gallery, and Optical Character Recognition inspection of the instructive text to enable embedded logic, uncountable wins have been brought to the community's attention. This quick blog details a couple of approaches for acquiring maldoc images without the need to open the document and copy the image.
On December 16th, 2020 Twitter user Insomnihack @pro_integritate posted an interesting obfuscated document, where it was flagged as Dridex in some sandboxes. This sample threw an error and would not open in Office 2010 until I changed the file extension to “doc’. The thing that stood out the most on initial inspection is the massive use of the properties “wd.. “ like “wdArtWeavingStrips” each of these properties map to constant values of “Word Enumerated Constants”

November 2020

The SOC-Class is a niche course on cybersecurity operations, training CISOs, SOC Managers, and technical leads to build and excel in Cybersecurity Operations Centers SOCs/CSOCs. This use case development methodology is one of the approaches discussed in the course and is intended to provide a framework for mature and repeatable construction of engineered detections.

August 2020

A while back we had an interesting alert generated from one of the InQuest DFI sensors that were initially very suspicious, but proved to be entertaining and still questionable regarding the true purpose of the activity. My initial suspicion was driven to an event highlighting an Image with an Embedded executable.

July 2020

A common tactic seen used in Phishing campaigns today is to embed the phish within Google's Firebase Cloud Storage platform called Firebase. Follow along with this workflow to analyze some phishing lures.

February 2018

On February 1st, Adobe published bulletin APSA18-01 for CVE-2018-4878 describing a use-after-free (UAF) vulnerability affecting Flash versions 28.0.0.137 and earlier. As of February 6th, Adobe has patched the issue in version 28.0.0.161, APSB18-03. This post provides an overview of the vulnerability, a walk-through of the exploit seen in the wild, and covers several detection mechanisms.