Agent Tesla: Evading EDR by Removing API Hooks

Agent Tesla: Evading EDR by Removing API Hooks

Written by Toby Gray and Ratnesh Pandey. Endpoint detection and response (EDR) tools rely on operating system events to detect malicious activity that is generated when malware is run. These events are later correlated and analysed to detect anomalous and suspicious behaviour. One of the sources for such events are ... Read More
Dridex’s Bag of Tricks: An Analysis of its Masquerading and Code Injection Techniques

Dridex’s Bag of Tricks: An Analysis of its Masquerading and Code Injection Techniques

A new variant of Dridex observed in July 2019 masquerades as legitimate Windows system processes to avoid detection. The variant uses five code injection techniques during its infection lifecycle: AtomBombing, DLL order hijacking, process hollowing, PE injection and thread execution hijacking. The code injection techniques were used against legitimate Windows ... Read More
Protect Before You Detect: FlawedAmmyy and the Case for Isolation

Protect Before You Detect: FlawedAmmyy and the Case for Isolation

Posted by Ratnesh Pandey, Alex Holland and Toby Gray. In June 2019, Microsoft issued warnings about a phishing campaign delivering a new variant of the FlawedAmmyy remote access Trojan (RAT), and a spike in the exploitation of CVE-2017-11882 in the wild. In this blog post we take a look at ... Read More
Figure 1 – Monero’s value in USD from December 2018 to June 2019, source - CoinGecko.com

Cryptojacking: An Unwanted Guest

We analyse a cryptojacking attack that mines the Monero cryptocurrency. The value of Monero in US dollars has more than doubled over the first half of 2019, from $46 to $98. The rebound of the cryptocurrencies market means that cryptojacking is an increasingly profitable activity for criminals. The use of ... Read More
The Emotet-ion Game (Part 3)

The Emotet-ion Game (Part 3)

This blog is a continuation of our blog series on the Emotet banking Trojan. So far, we have analysed Emotet’s delivery mechanism and its behaviour through dynamic analysis. The host and network data captured from Emotet found that it escalates its privileges by registering itself as service, persists in multiple ... Read More
We will walk through the script to find interesting patterns and deobfuscate the code.

Emotet: Catch Me If You Can (Part 2 of 3)

Emotet is a highly modular banking Trojan that has a proper decision tree-based algorithm to perform designated tasks. Due to Emotet’s capability to deliver obfuscated payloads and extend its capabilities through self-upgradable modules, it has become a commonly-used payload launcher in targeted attacks on organisations. Emotet’s use in multi-stage and ... Read More