"Blank Slate" campaign still pushing Cerber ransomware, (Wed, Mar 22nd)

Introduction Cerber ransomware has been a constant presence since it was first discovered in February 2016. Since then, I've seen it consistently pushed by exploit kits (like Rig and Magnitude) from the pseudoDarkleech and other campaigns. I've also been tracking Cerber on a daily basis from malicious spam (malspam). Some malspam pushing Cerber is part …

Malspam with password-protected Word documents, (Tue, Mar 21st)

Introduction On Monday 2017-03-20, the ISC received a notification through our contact page. Someone reported numerous items of malicious spam (malspam) sent to addresses at his organization. The malspam had Microsoft Word documents (.docx files) as attachments and subject lines such as: Fwd:Ticket k29y729n71c52h692o53171 ReTicket 985v49f155t06g78v412a3n382 Fwd:Ticket 048f1v00u98 ReTicket y18k9178280 Ticket p574v892f453b467 Ticket e26099p58v65x073 ReInquiry …

What is really being proxied?, (Wed, Mar 8th)

An observation from the road: I was with a client recently and the discussion of proxies entered into the conversation. Now before we get all political and start dropping packet bombs, a technical challenge came up that made me really think. What traffic is really hitting the proxy? How many proxy bypass rules are in place? …

Searching for Base64-encoded PE Files, (Sun, Mar 19th)

When hunting for suspicious activity, it's always a good idea to search for Microsoft executables. They are easy to identify: they start with the characters MZ at the beginning of the file[1]. But, to bypass classic controls, those files are often obfuscated (XOR, Rot13 or Base64). Base64 is very common and it … TV(oA|pB|pQ|qA|qQ|ro)w+ …

Example of Multiple Stages Dropper, (Sat, Mar 18th)

If some malware samples remain simple … From: [email protected] To: [redacted] Subject: New Catalogue #2017 Date: 14 Mar 2017 03:12:51 -0700 Dear, FYI! Please submit the file to me asap. Thank you. Best Regards Rachel Lo Ufficio Commerciale Vimin Box S.r.l. Via Emanuele T. D'Azeglio, 2 12030 Lagnasco – CUNEO – ITALY Tel. +39 …

Retro Hunting!, (Wed, Mar 15th)

For a while, one of the security trends has been to integrate information from 3rd-party feeds to improve the detection of suspicious activities. By collecting indicators of compromise[1], other tools may correlate them with their own data and generate alerts on specific conditions. The initial goal is to share new IOCs with peers as fast as possible …

February and March Microsoft Patch Tuesday, (Tue, Mar 14th)

Today, Microsoft released its monthly security bulletins. February's delayed release was combined with this March release, which likely caused the large number of bulletins (18 total, which includes the Adobe Flash bulletin). You can review the patch summary here: https://isc.sans.edu/mspatchdays.html?viewday=2017-03-14 or via our API. Probably the scariest set of vulnerabilities in this update are CVE-2017-0143, CVE-2017-0144, …