[SANS ISC] Tracking A Malware Campaign Through VT

I published the following diary on isc.sans.edu: “Tracking A Malware Campaign Through VT“: During the weekend, I found several samples from the same VBA macro. The only difference between all the samples was the URL to fetch a malicious PE file. I have a specific YARA rule to search for embedded

The post [SANS ISC] Tracking A Malware Campaign Through VT appeared first on /dev/random.

[SANS ISC] Example of Word Document Delivering Qakbot

I published the following diary on isc.sans.edu: “Example of Word Document Delivering Qakbot“: Qakbot is back on stage at the moment! Many security companies have already reported peaks of activity around this malware. On my side, I also spotted several samples. The one that I’ll cover today has been reported by one of our

The post [SANS ISC] Example of Word Document Delivering Qakbot appeared first on /dev/random.

[SANS ISC] Using API’s to Track Attackers

I published the following diary on isc.sans.edu: “Using API’s to Track Attackers“: For a few days, I have been keeping an eye on suspicious Python code posted on VT. We all know that VBA, JavaScript, Powershell, etc. are attackers’ best friends, but Python is also a good candidate to perform malicious activities on

The post [SANS ISC] Using API’s to Track Attackers appeared first on /dev/random.

[SANS ISC] A Fork of the FTCode Powershell Ransomware

I published the following diary on isc.sans.edu: “A Fork of the FTCode Powershell Ransomware“: Yesterday, I found a new malicious Powershell script that deserved to be analyzed due to the way it was dropped on the victim’s computer. As usual, the malware was delivered through a malicious Word document with

The post [SANS ISC] A Fork of the FTCode Powershell Ransomware appeared first on /dev/random.

[SANS ISC] Powershell Bot with Multiple C2 Protocols

I published the following diary on isc.sans.edu: “Powershell Bot with Multiple C2 Protocols“: I spotted another interesting Powershell script. It’s a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe. This Windows tool is often used to compile/execute malicious code on the fly (I already wrote a diary about this
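
The delivery chain mentioned in this teaser (an Office macro launching msbuild.exe, which builds and runs the payload) is a good candidate for a process-creation detection. The script below is an added example, not code from the diary: it models events on the Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), and the sample events, paths and the list of "user-writable" path hints are constructed for illustration.

```python
"""Flag msbuild.exe launched by an Office application (macro -> msbuild chain).

Added example, not code from the diary. Event fields mirror Sysmon Event ID 1;
the SAMPLE_EVENTS below are constructed, not captured from a real host.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Office front-ends that have no legitimate reason to launch MSBuild on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# User-writable locations from which a dropped MSBuild project file is usually run
# (assumed list; extend it to match your environment).
USER_WRITABLE_HINTS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event looks like the macro -> msbuild chain (empty if benign)."""
    reasons: List[str] = []
    if _basename(ev.image) != "msbuild.exe":
        return reasons
    parent = _basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        reasons.append("msbuild.exe spawned by Office process " + parent)
    cmd = ev.command_line.lower()
    if any(hint in cmd for hint in USER_WRITABLE_HINTS):
        reasons.append("project file under a user-writable path")
    return reasons


def find_suspicious(events: Iterable[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Events that triggered at least one reason, the strongest (most reasons) first."""
    hits = [(ev, classify(ev)) for ev in events]
    hits = [(ev, reasons) for ev, reasons in hits if reasons]
    hits.sort(key=lambda h: -len(h[1]))
    return hits


# Constructed sample events: one benign Word start, one macro -> msbuild chain,
# one legitimate build from Visual Studio, one msbuild run from a temp folder.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n invoice.docm'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe C:\Users\Public\build.xml"),
    ProcessEvent(r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe app.csproj"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe C:\Users\bob\AppData\Local\Temp\x.xml"),
]


def main() -> None:
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{_basename(ev.parent_image)} -> {_basename(ev.image)}: {'; '.join(reasons)}")


if __name__ == "__main__":
    main()
```

The parent check alone catches the chain in this teaser; the path heuristic is kept separate so that an msbuild run from a temp folder by any other parent is still surfaced, at a lower score, instead of being silently dropped.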

The post [SANS ISC] Powershell Bot with Multiple C2 Protocols appeared first on /dev/random.

[SANS ISC] Compromized Desktop Applications by Web Technologies

I published the following diary on isc.sans.edu: “Compromized Desktop Applications by Web Technologies”: For a long time now, it has been said that “the new operating system is the browser”. Today, we do everything in our browsers, we connect to the office, we process emails, documents, we chat, we perform

The post [SANS ISC] Compromized Desktop Applications by Web Technologies appeared first on /dev/random.

[SANS ISC] Simple Blacklisting with MISP & pfSense

I published the following diary on isc.sans.edu: “Simple Blacklisting with MISP & pfSense“: Here is an example of a simple but effective blacklist system that I’m using on my pfSense firewalls. pfSense is a very modular firewall that can be expanded with many packages. About blacklists, there is a well-known
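
The teaser describes feeding a pfSense blocklist from MISP but is cut off before the mechanism. The script below is an added example of one such pipeline, not the diary's own setup: it takes the JSON that MISP's /attributes/restSearch endpoint returns (shape assumed as {"response": {"Attribute": [...]}}), keeps only IP-type attributes flagged for IDS use, drops private and loopback ranges so a bad indicator cannot blackhole the LAN, and renders the one-entry-per-line text that a pfSense alias of type "URL Table (IPs)" consumes. The MISP payload is constructed and uses documentation ranges; the never-block list is an assumption to adapt.

```python
"""Build a pfSense URL-table alias file from a MISP attribute export.

Added example, not the diary's own script. Assumes the JSON shape returned by
MISP's /attributes/restSearch ({"response": {"Attribute": [...]}}); the payload
below is constructed and uses RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress
import json
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample export (not from a real MISP instance).
SAMPLE_MISP_JSON = json.dumps({
    "response": {"Attribute": [
        {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
        {"type": "ip-src", "value": "198.51.100.0/24", "to_ids": True},
        {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},    # duplicate
        {"type": "ip-dst", "value": "10.0.0.5", "to_ids": True},        # private: never block
        {"type": "ip-dst", "value": "192.0.2.7", "to_ids": False},      # not flagged for IDS
        {"type": "domain", "value": "example.net", "to_ids": True},     # not an IP attribute
        {"type": "ip-dst|port", "value": "192.0.2.9|443", "to_ids": True},
        {"type": "ip-dst", "value": "2001:db8::1", "to_ids": True},
        {"type": "ip-dst", "value": "not-an-ip", "to_ids": True},       # malformed: skipped
    ]}
})

# MISP attribute types that carry an IP address (composite types carry "ip|port").
IP_TYPES = {"ip-dst", "ip-src", "ip-dst|port", "ip-src|port"}

# Ranges that must never reach a firewall blocklist fed from external intel (assumed list).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def _safe_to_block(net: Net) -> bool:
    """True unless the network overlaps a protected range of the same IP version."""
    return not any(net.version == bad.version and net.overlaps(bad) for bad in NEVER_BLOCK)


def extract_blocklist(misp_json: str, require_to_ids: bool = True) -> List[str]:
    """Deduplicated, sorted IPs/CIDRs from a MISP restSearch JSON document."""
    attrs = json.loads(misp_json).get("response", {}).get("Attribute", [])
    nets = set()
    for attr in attrs:
        if attr.get("type") not in IP_TYPES:
            continue
        if require_to_ids and not attr.get("to_ids", False):
            continue
        value = str(attr.get("value", "")).split("|", 1)[0].strip()  # strip "|port"
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue  # malformed indicator: skip rather than break the whole list
        if _safe_to_block(net):
            nets.add(net)
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    # Single hosts are written bare, prefixes in CIDR form, as pfSense URL tables accept.
    return [str(n.network_address) if n.num_addresses == 1 else str(n) for n in ordered]


def render_alias(entries: List[str]) -> str:
    """One entry per line, trailing newline, ready to be served over HTTP to pfSense."""
    return "".join(e + "\n" for e in entries)


if __name__ == "__main__":
    print(render_alias(extract_blocklist(SAMPLE_MISP_JSON)), end="")
```

In a live setup the JSON comes from an authenticated POST to /attributes/restSearch (API key in the Authorization header, Accept: application/json); the rendered file is published on a web server, a pfSense alias of type "URL Table (IPs)" points at it with an update frequency, and a block rule references the alias. Keeping the private-range filter in the exporter rather than trusting the feed is the part that makes this safe to automate.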

The post [SANS ISC] Simple Blacklisting with MISP & pfSense appeared first on /dev/random.

[SANS ISC] Sextortion to The Next Level

I published the following diary on isc.sans.edu: “Sextortion to The Next Level“: For a long time, our mailboxes have been flooded with emails from “hackers” (note the quotes) who pretend to have infected our computers with malware. The scenario is always the same: they successfully collected sensitive pieces of evidence about

[The post [SANS ISC] Sextortion to The Next Level has been first published on /dev/random]

[SANS ISC] Malicious Excel Delivering Fileless Payload

I published the following diary on isc.sans.edu: “Malicious Excel Delivering Fileless Payload“: Macros in Office documents are so common today that my honeypots and hunting scripts catch a lot of them daily. I try to keep an eye on them because sometimes you can spot an interesting one (read: “using a less common

[The post [SANS ISC] Malicious Excel Delivering Fileless Payload has been first published on /dev/random]

[SANS ISC] Anti-Debugging JavaScript Techniques

I published the following diary on isc.sans.edu: “Anti-Debugging JavaScript Techniques“: For developers who write malicious programs, it’s important to make their code hard to read and hard to execute in a sandbox. As in most languages, there are many ways to make the life of malware analysts more difficult (or more

[The post [SANS ISC] Anti-Debugging JavaScript Techniques has been first published on /dev/random]