Microsoft Word and Sandboxes
Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun. Collect user name from Microsoft Office: most sandboxes will flag or alert in some way if a tool or malware tries to collect system information or user information. But what if we collect the user name via ...
Analyse, hunt and classify malware using .NET metadata
Introduction: Earlier last week, I ran into a sample that turned out to be PureCrypter, a loader and obfuscator for all different kinds of malware such as Agent Tesla and RedLine. Upon further investigation, I developed Yara rules for the various stages, which can be found here (excluding the final payload): PureZip, 2nd stage ...
Digital artists targeted in RedLine infostealer campaign
2021-06-17: updated with information from Twitter user ARC. In this post, we'll look at a campaign that targeted multiple 3D or digital artists using NFT, with malware named RedLine. This malware is a so-called "infostealer" or "information stealer" that is capable of extracting sensitive data from your machine (such ...
Blue Team Puzzle
Several years ago, I created a "malware puzzle" - basically, a crossword puzzle but with terms related to malware. You can find that puzzle here: https://bartblaze.blogspot.com/2013/08/malware-puzzle.html Seeing as crosswords are a hobby of mine, I thought it'd be fun to create another one more than seven years later - this time, all things ...
Satan ransomware rebrands as 5ss5c ransomware
The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named "5ss5c". In a previous blog post, Satan ransomware adds EternalBlue exploit, I described how the group behind Satan ransomware has been actively developing its ransomware, ...
Monero download site and binaries compromised
Introduction: Earlier this evening I saw a tweet appear which claimed Monero has been hacked and a malicious binary (instead of the real one) has been served: "Warning Monero users: If you downloaded Monero in the past 24 hours you may have installed malware. Monero's official website served compromised binaries for at ...
Run applications and scripts using Acer’s RunCmd
This weekend I was cleaning up an old Acer laptop of mine and discovered a hidden folder on the root drive, C:\OEM. Inside is a bunch of interesting files; one of these is a tool called RunCmd_X64.exe. The file is a legitimate binary signed by Acer (Figure 1 - Signed RunCmd_X64). The tool contains ...
Analysing a massive Office 365 phishing campaign
Last week, a friend of mine reached out with a query: a contact in his address book had sent him a suspicious email. As it turns out, it was. In this blog post, we'll have a quick look at an Office 365 phishing campaign, which turned out to be massive ...
MAFIA ransomware targeting users in Korea
A new ransomware family was discovered and sent to me by MalwareHunterTeam, which we'll call MAFIA due to the extension it uses to encrypt files. The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language. Another interesting (and new to ...
RedEye ransomware: there’s more than meets the eye
A rather anonymous account reached out to me on Twitter asking to check out a "scary & really nasty" sample. It turned out to be RedEye ransomware, a new strain or variant by the same creator of Annabelle ransomware, which I discovered in February earlier this year. Analysis: This ransomware is named "RedEye" ...