msft-mmpc – WindowsTechs.com

MSRT August 2016 release adds Neobar detection

Posted on August 10, 2016 by msft-mmpc

As part of our ongoing effort to provide better malware protection, the August 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for BrowserModifier: Win32/Neobar, unwanted software, and Win32/Rovnix, a trojan malware family. This blog discusses BrowserModifier:Win32/Neobar and its inclusion in MSRT supports our unwanted software family detections in Windows Defender, along… Continue reading MSRT August 2016 release adds Neobar detection→

Nemucod dot dot..WSF

Posted on July 23, 2016 by msft-mmpc

The latest Nemucod campaign shows the malware distributing a spam email attachment with a .wsf extension, specifically ..wsf (with a double dot) extension. It is a variation of what has been observed since last year (2015) – the TrojanDownloader:JS/Nemucod malware downloader using JScript. It still spreads through spam email attachment, typically inside a .zip file,… Continue reading Nemucod dot dot..WSF→

Kovter becomes almost file-less, creates a new file type, and gets some new certificates

Posted on July 22, 2016 by msft-mmpc

Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter’s persistence method and some updates on their latest malvertising campaigns. New persistence method Since June 2016,… Continue reading Kovter becomes almost file-less, creates a new file type, and gets some new certificates→

Reverse engineering DUBNIUM –Stage 2 payload analysis

Posted on July 14, 2016 by msft-mmpc

Recently, we blogged about the basic functionality and features of the DUBNIUM advanced persistent threat (APT) activity group Stage 1 binary and Adobe Flash exploit used during the December 2015 incident (Part 1, Part 2). In this blog, we will go through the overall infection chain structure and the Stage 2 executable details. Stage 2 executables… Continue reading Reverse engineering DUBNIUM –Stage 2 payload analysis→

Troldesh ransomware influenced by (the) Da Vinci code

Posted on July 13, 2016 by msft-mmpc

We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32/Troldesh ransomware family. Ransomware, like most malware, is constantly trying to change itself in… Continue reading Troldesh ransomware influenced by (the) Da Vinci code→

MSRT July 2016 – Cerber ransomware

Posted on July 12, 2016 by msft-mmpc

As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detection for Win32/Cerber, a prevalent ransomware family. The inclusion in MSRT complements our Cerber-specific family detections in Windows Defender, and our ransomware-dedicated cloud protection features. We started seeing Cerber in February… Continue reading MSRT July 2016 – Cerber ransomware→

Reverse-engineering DUBNIUM’s Flash-targeting exploit

Posted on June 20, 2016 by msft-mmpc

The DUBNIUM campaign in December involved one exploit in-the-wild that affected Adobe Flash Player. In this blog, we’re going to examine the technical details of the exploit that targeted vulnerability CVE-2015-8651. For more details on this vulnerability, see Adobe Security Bulletin APSB16-01. Note that Microsoft Edge on Windows 10 was protected from this attack due… Continue reading Reverse-engineering DUBNIUM’s Flash-targeting exploit→

Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files

Posted on June 14, 2016 by msft-mmpc

Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar matter, and this use of OLE might indicate a shift in behavior as administrators and enterprises are mitigating against this… Continue reading Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files→

Reverse-engineering DUBNIUM

Posted on June 10, 2016 by msft-mmpc

DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features. We located multiple variants of multiple-stage droppers and payloads in the last few months, and although they are not really packed or obfuscated in a… Continue reading Reverse-engineering DUBNIUM→

Link (.lnk) to Ransom

Posted on May 27, 2016 by msft-mmpc

We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A. Infection vector Ransom:Win32/ZCryptor.A is distributed through the spam email infection vector. It also gets installed in your machine through… Continue reading Link (.lnk) to Ransom→