Forensic use of mount --bind, (Sun, Sep 24th)

In my previous diary, I mentioned a recent case that led me to write mac-robber.py. In that case, I mentioned that I needed to build a filesystem timeline and wanted to collect hashes because I suspected there were multiple copies of some possible malware scattered around the disk. The biggest issue I had was that …
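The diary's own account of the problem is cut off above, so the following is an added example rather than the diary's code. It bind-mounts the live root filesystem read-only and walks that view into a TSK bodyfile with SHA-256 hashes, which is the input `mactime` needs to build a timeline. A plain `--bind` (unlike `--rbind`) does not carry along the filesystems mounted beneath the source, so /proc, /sys, /dev and other mount points appear as empty directories in the bound view. The mount point /mnt/root and the output file name are assumptions, and the script relies on GNU find, stat and sha256sum (Linux coreutils).

```shell
#!/bin/bash
# Added example (not the diary's code): expose the live root filesystem through
# a read-only bind mount and walk that view into a TSK bodyfile with SHA-256
# hashes, ready for mactime. Assumes Linux with GNU find/stat/sha256sum.
set -eu

# bind_root [SRC] [DST]
# Bind-mount SRC (default /) at DST (default /mnt/root, an assumed path) and
# remount the bind read-only. A plain --bind does not carry along the
# filesystems mounted under SRC (that is what --rbind would do), so /proc,
# /sys, /dev and other mount points appear as empty directories under DST.
# Needs root; the two-step remount also works on util-linux versions that
# ignore "-o ro" on the initial bind.
bind_root() {
    local src="${1:-/}" dst="${2:-/mnt/root}"
    mkdir -p "$dst"
    mount --bind "$src" "$dst"
    mount -o remount,bind,ro "$dst"
}

# bodyfile ROOT [STRIP]
# Emit one TSK 3.x bodyfile line per object under ROOT:
#   hash|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# STRIP (default ROOT) is removed from the front of each path so names read as
# they do on the examined system (/mnt/root/etc/passwd -> /etc/passwd).
# Regular files are hashed with SHA-256; everything else gets 0 in that field.
bodyfile() {
    local root="$1" strip="${2:-$1}" f name hash meta
    find "$root" -xdev -print0 |
    while IFS= read -r -d '' f; do
        name="${f#"$strip"}"
        [ -n "$name" ] || name="/"
        # %i inode, %A mode string, %u uid, %g gid, %s size,
        # %X atime, %Y mtime, %Z ctime, %W birth time (0 if the fs has none)
        meta=$(stat -c '%i|%A|%u|%g|%s|%X|%Y|%Z|%W' -- "$f") || continue
        if [ -f "$f" ] && [ ! -L "$f" ] && [ -r "$f" ]; then
            hash=$(sha256sum -- "$f" | cut -d' ' -f1)
        else
            hash=0
        fi
        printf '%s|%s|%s\n' "$hash" "$name" "$meta"
    done
}

# Live use (as root):  ./bodyfile.sh --live
# Then build the timeline with TSK:  mactime -b body.txt -d > timeline.csv
if [ "${1:-}" = "--live" ]; then
    bind_root / /mnt/root
    bodyfile /mnt/root /mnt/root > body.txt
fi
```

Run with `--live` as root to process the real root filesystem; `bodyfile` itself works on any directory tree, which is how it can be checked on a scratch directory before it is pointed at evidence.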

What is the State of Your Union?, (Fri, Sep 22nd)

Regularly, the President of the United States delivers the State of the Union address. This practice “fulfills rules in Article II, Section 3 of the U.S. Constitution, requiring the President to periodically give Congress information on the ‘state of the union’ and recommend any measures that he believes are necessary and expedient.” What if you …

Malspam pushing Word documents with Hancitor malware, (Fri, Sep 22nd)

Introduction I previously wrote a diary on Hancitor back in February 2017.  Even though I haven’t written a diary about it lately, it’s been a near-daily occurrence since then.  There’s been no significant change, which is why I haven’t bothered.  Thursday 2017-09-21 included yet another wave of malicious spam (malspam) pushing Hancitor Word documents.  Since …

Emails threatening DDoS allegedly from Phantom Squad, (Thu, Sep 21st)

Introduction As a follow-up to one of our June 2017 diaries asking people to forward us any DDoS threats, we received yet another example:  Date: Tuesday 2017-09-19 at 18:04 UTC Subject: DDoS Warning From: Message-Id: Hello, [removed] FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION! We are Phantom Squad …

Email attachment using CVE-2017-8759 exploit targets Argentina, (Thu, Sep 21st)

Introduction On 2017-09-12, FireEye published a blog post about a zero-day exploit utilizing CVE-2017-8759.  The vulnerability was fixed that same day with Microsoft’s September 2017 Security Updates. In FireEye’s blog post, this exploit was used against Russian speakers to distribute FINSPY malware.  By 2017-09-19, I ran across another email spoofing an Argentina government agency using …

Ongoing Ykcol (Locky) campaign, (Wed, Sep 20th)

Today I noticed a high volume of e-mails on my honeypots with similar subject, body and attachment. It caught my attention. After inspecting the attachments and doing some analysis, it was not difficult to realize that those supposed “Status Invoice” messages were, indeed, part of an ongoing campaign pushing a Locky ransomware variant that is …

CCleaner 5.33 compromised – http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users, (Mon, Sep 18th)

Version 5.33 of CCleaner[1] has been reported as compromised (only the 32-bit version) and delivers malware during installation. If you installed CCleaner between August 15th and September 12th, you should search for potentially infected systems. Here is the list of DGA domains that could help track the infected hosts: ab6d54340c1a.com …
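Constructed example, not from the diary: one way to use the DGA list above for hunting is to run it against the resolver's query log. The script below reads a BIND-style query log, matches each queried name against the IOC list on label boundaries (so subdomains of a listed domain match but look-alike names such as notab6d54340c1a.com do not) and prints the client addresses that asked. The log lines and client addresses are made up for the example; the IOC list holds only the one domain visible above, the remainder of the list being cut off on this page.

```shell
#!/bin/bash
# Added example, not part of the diary: list hosts that queried a CCleaner
# DGA domain, from a BIND-style query log.
set -eu

# dga_clients IOC_FILE QUERY_LOG
# Prints, sorted and unique, the client IPs in QUERY_LOG that queried a domain
# listed in IOC_FILE or any subdomain of it. Matching is case-insensitive and
# walks the name label by label, so "notab6d54340c1a.com" does not match.
dga_clients() {
    awk '
        # First file: the IOC list, one domain per line; blank and # lines skipped.
        NR == FNR {
            if ($0 != "" && $0 !~ /^#/) ioc[tolower($0)] = 1
            next
        }
        # Remaining lines: BIND query log, e.g.
        #   ... client 10.0.0.11#53211 (name): query: name IN A + (10.0.0.1)
        {
            if (!match($0, /query: [^ ]+/)) next
            q = tolower(substr($0, RSTART + 7, RLENGTH - 7))
            sub(/\.$/, "", q)                   # drop a trailing root dot
            c = ""
            for (i = 1; i <= NF; i++)
                if ($i == "client") {
                    c = $(i + 1)
                    if (c ~ /^@/) c = $(i + 2)  # newer BIND logs "client @0x... IP#port"
                    sub(/#.*/, "", c)           # strip the source port
                    break
                }
            if (c == "") next
            # Walk up the labels: www.example.com -> example.com -> com
            for (d = q; d != ""; d = (index(d, ".") ? substr(d, index(d, ".") + 1) : ""))
                if (d in ioc) { print c; break }
        }
    ' "$1" "$2" | sort -u
}

# Self-contained demo on constructed data (the IOC list carries only the one
# domain shown in the diary excerpt; the log lines and addresses are made up).
demo() {
    local dir ioc log
    dir=$(mktemp -d)
    ioc="$dir/ccleaner-dga.txt"
    log="$dir/query.log"
    printf '%s\n' '# CCleaner 5.33 DGA domains' 'ab6d54340c1a.com' > "$ioc"
    cat > "$log" <<'EOF'
18-Sep-2017 09:12:01.101 client 10.0.0.11#53211 (ab6d54340c1a.com): query: ab6d54340c1a.com IN A + (10.0.0.1)
18-Sep-2017 09:12:02.220 client 10.0.0.12#40112 (www.AB6D54340C1A.com): query: www.AB6D54340C1A.com. IN A + (10.0.0.1)
18-Sep-2017 09:12:03.333 client 10.0.0.13#51000 (notab6d54340c1a.com): query: notab6d54340c1a.com IN A + (10.0.0.1)
18-Sep-2017 09:12:04.444 client 10.0.0.11#53212 (example.com): query: example.com IN A + (10.0.0.1)
EOF
    dga_clients "$ioc" "$log"
    rm -rf "$dir"
}

# ./dga_clients.sh --demo  prints 10.0.0.11 and 10.0.0.12 (the third host only
# queried a look-alike name, and example.com is not on the list).
[ "${1:-}" != "--demo" ] || demo
```

For real use, point `dga_clients` at the full DGA list and at the resolver's query log; hosts appearing in the output queried a listed domain and should be checked for the trojanised installer.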

Getting some intelligence from malspam, (Mon, Sep 18th)

Many of us are receiving a lot of malspam every day. By “malspam”, I mean spam messages that contain a malicious document. This is one of the classic infection vectors today and aggressive campaigns are started every week. Usually, most of them are blocked by modern antivirus or anti-spam but these files could help us …