Buran Ransomware Targets German Organisations through Malicious Spam Campaign

Introduction

As of October 2019, commodity ransomware campaigns conducted by financially motivated threat actors pose a significant threat to organisations. The three distinguishing characteristics of such campaigns are: first, they are usually high volume, sent to many employees in an organisation; second, they are indiscriminate, relying on opportunistic infections to ...
Changes to Emotet in September 2019

Thank you to Ratnesh Pandey, who also contributed to this research. On 16 September 2019, Bromium Labs observed the resumption of Emotet malicious spam (malspam) campaign activity following a hiatus since the beginning of June 2019. Here's a summary of the changes to Emotet's operation that we've seen so far ...
Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader

Introduction

For a malicious actor to compromise a system, they need to avoid being detected at the point of entry into the target’s network. Commonly, phishing emails delivering malicious attachments (T1193) serve as the initial access vector.[1] Adversaries also need a way to execute code on target computers without tipping ...
Decrypting L0rdix RAT’s C2

In my previous blog post on L0rdix RAT, I took a look at its panel and builder components that have been circulating through underground forums recently. I identified a key as part of that analysis, 3sc3RLrpd17, embedded in one of the PHP pages in L0rdix's panel. A SHA-256 hash is ...
An Analysis of L0rdix RAT, Panel and Builder

L0rdix is a multipurpose remote access tool (RAT) that was first discovered being sold on underground criminal forums in November 2018. Shortly after its discovery, Ben Hunter of enSilo analysed the RAT’s functionality. Although L0rdix's author set the price of the RAT at 4000 RUB (64 USD), for many cyber ...
Congratulations, You’ve Won a Meterpreter Shell

Posted by Josh Stroschein, Ratnesh Pandey and Alex Holland. For an attack to succeed undetected, attackers need to limit the creation of file and network artifacts by their malware. In this post, we analyse an attack that illustrates two popular tactics to evade detection: avoiding saving file artifacts to disk ...
Tricks and COMfoolery: How Ursnif Evades Detection

- Ursnif is one of the main threats that is effectively evading detection right now (at publication)
- The dropper uses a COM technique to hide its process parentage
- WMI is used to bypass a Windows Defender attack surface reduction rule
- Fast evolution of delivery servers means detection tools are left in ...