Author Archives: SANS Internet Storm Center, InfoCON: green

I spotted another interesting file that uses, once again, steganography. It seems to be a trend (see one of my previous diaries&#;x26;#;x5b;1&#;x26;#;x5d;). The file is an malicious Excel sheet called blcopy.xls. Office documents are rare these days because Microsoft improved the rules to allow automatic macro execution&#;x26;#;x5b;2&#;x26;#;x5d;. But it does not mean that Office documents can&#;x26;#;39;t execute malicious code. In the sample I found (SHA256:c92c761a4c5c3f44e914d6654a678953d56d4d3a2329433afe1710b59c9acd3a), there are other embedded XLS sheets:

Continue reading More Steganography!, (Sat, Jun 14th)→

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Continue reading ISC Stormcast For Friday, June 13th, 2025 https://isc.sans.edu/podcastdetail/9492, (Fri, Jun 13th)→

[This is a Guest Diary by Michal Ambrozkiewicz, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

Continue reading [Guest Diary] Anatomy of a Linux SSH Honeypot Attack: Detailed Analysis of Captured Malware, (Fri, Jun 13th)→

[This is a Guest Diary by William Constantino, an ISC intern as part of the SANS.edu BACS program]

Continue reading Automated Tools to Assist with DShield Honeypot Investigations [Guest Diary], (Wed, Jun 11th)→

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Continue reading ISC Stormcast For Thursday, June 12th, 2025 https://isc.sans.edu/podcastdetail/9490, (Thu, Jun 12th)→

RAT&#;x26;#;39;s are popular malware. They are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated. This file is a second stage that is downloaded and launched from a simple script:

Continue reading Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th)→

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Continue reading ISC Stormcast For Wednesday, June 11th, 2025 https://isc.sans.edu/podcastdetail/9488, (Wed, Jun 11th)→

Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today.

Continue reading Microsoft Patch Tuesday June 2025, (Tue, Jun 10th)→

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Continue reading ISC Stormcast For Tuesday, June 10th, 2025 https://isc.sans.edu/podcastdetail/9486, (Tue, Jun 10th)→

Continue reading OctoSQL & Vulnerability Data, (Sun, Jun 8th)→