Analysis of a Maldoc with Multiple Layers of Obfuscation, (Fri, Apr 21st)

Thanks to our readers, we often get interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called Invoice_6083.doc (which was delivered in a zip archive). I had a quick look with Viper: viper Invoice_6083.doc virustotal -v [+] VirusTotal Report for bc922d7335a58ae4269bfd652d62f03e: [*] Detecting engines: …

DNS Query Length… Because Size Does Matter, (Thu, Apr 20th)

In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass security controls. DNS tunnelling is a common way to establish connections with remote systems. It is often based on TXT records used to deliver the encoded payload. TXT records are also used for good reasons, …

Hunting for Malicious Excel Sheets, (Wed, Apr 19th)

Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros: But below, around the 1000th row, …

Yet Another Apple Phish and Some DNS Lessons Learned From It, (Tue, Apr 18th)

Our reader Charlie forwarded us a somewhat interesting Apple phish. Apple is a big phishing target, and the phish itself wasn't all that special. It does a reasonably good job emulating real Apple e-mails, but what is more interesting is the From header. The From address was set to apple.ssl.com. For the uninitiated, this may …

Tool to Detect Active Phishing Attacks Using Unicode Look-Alike Domains, (Sun, Apr 16th)

[This is a guest diary contributed by Remco Verhoef. If you would like to contribute a guest post, please let us know via our contact page] Currently there is a campaign going on where phishing attacks use domains that look exactly like safe domains by using Punycode domains. (https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/) This is called a homograph attack. The …

Detecting SMB Covert Channel ("Double Pulsar"), (Sun, Apr 16th)

With Friday's release of additional Shadowbroker tools, a lot of attention was spent on exploits with names like Eternalblue, which exploited only recently patched vulnerabilities. Another item of interest, however, is the command and control channel used to communicate with systems post exploitation. One covert channel, double pulsar, is designed in particular for systems that are …

ETERNALBLUE: Possible Window SMB Buffer Overflow / 0-Day, (Fri, Apr 14th)

[DISCLAIMER: So far, the exploit hasn't worked for me. But I am outside of the office, and do not have access to my usual tools. Please let us know if you have any additional details] Shadowbroker, as part of the set of exploits it collected and had offered for auction, today released a number of …

Akamai reports UDP DDOS Using C-LDAP reaching 24Gbps, (Thu, Apr 13th)

Akamai researchers Jose Arteaga and Wilber Mejia have posted details on a new reflected DDOS approach, using the Connectionless LDAP protocol (on udp/389). Reflected UDP attacks aren't new, but using CLDAP seems to be. Which made me wonder who are the folks that decided that their AD (or other LDAP directory) should be put on the …