Maldoc with auto-updated link, (Thu, Aug 17th)

Yesterday, while hunting, I found another malicious document that (ab)used a Microsoft Word feature: auto-update of links. This feature is enabled by default for any newly created document (that was the case for my Word 2016 version). If you add links to external resources like URLs, Word will automatically update them without any warning or prompt. …

Analysis of a Paypal phishing kit, (Wed, Aug 16th)

There are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new fake pages almost daily. Sometimes, the web server isn't properly configured and the source code is publicly available. A few days ago, I was lucky to find a …

(Banker(GoogleChromeExtension)).targeting("Brazil"), (Tue, Aug 15th)

Introduction A new day, a new way to steal bank data in Brazil. Scammers are calling and urging victims to install a supposed update of the bank's security module. In fact, it is a malicious extension of Google Chrome capable of capturing the information entered by the user during access to the bank account. Unlike …

Malspam pushing Trickbot banking Trojan, (Tue, Aug 15th)

Introduction I've been corresponding with @dvk01uk about malicious spam (malspam) pushing the Trickbot banking Trojan. Trickbot was first reported in the fall of 2016, and it's been described as a successor to Dyreza (also known as Dyre). In-depth analysis on recent versions of Trickbot has been published by the S2 Group and the Malwarebytes Blog, …

The Good Phishing Email, (Sun, Aug 13th)

Readers submit all kinds of malware to the Internet Storm Center: executables, documents, emails, … This week I took a look at a phishing email submitted by a reader. Going through the headers, I spotted the following: X-PHISHING-TEST: This is a phishing awareness test conducted by $COMPANY X-PHISHING-ID: 123456 I've seen similar headers before: they …

Outlook Web Access based attacks, (Sat, Aug 12th)

Recently we've started seeing some attacks that utilise OWA. A person in the victim organisation sends an email to one or more of their customers informing them of a change in account details. The attacker provides instructions to customers on paying their account utilising the new account details. The email is cc'ed to other internal staff …

VMware Security Advisories - VMSA-2017-0014, (Fri, Aug 11th)

1. Summary VMware NSX-V Edge updates address OSPF Protocol LSA DoS. 2. Relevant Products VMware NSX-V Edge 3. Problem Description a. VMware NSX-V Edge OSPF Protocol LSA Denial of Service VMware NSX-V implementation of the OSPF protocol doesn't correctly handle the link-state advertisement (LSA). A rogue LSA may exploit this issue resulting in continuous sending …

Triaging suspicious files with pestudio, (Fri, Aug 11th)

Pestudio[1] is a utility that can be used to triage malware. All you need is to drop the suspicious file into Pestudio and it will show you the imports and the resources, and it will send the MD5 hash of the file to VirusTotal. …

Maldoc Analysis with ViperMonkey, (Thu, Aug 10th)

We received another Emotet maldoc, but this time the analysis with VBA emulator ViperMonkey will have to be done differently. ViperMonkey is still under development, and for this maldoc, it does not manage to execute the code that reveals the base64 payload. But when we use ViperMonkey's option -a to use an alternate parser, we …