The Case of the Tricky Tool

Looks can be deceiving. There are times when you think an analysis is going to be easy, and everything points in that direction, until you hit a snag. This happens. Sometimes you've made an assumption that is wrong, sometimes there is a little trick the attacker is doing, and sometimes your tools fail you. This is one of those times.

The Malware

I received a malicious attachment in my email yesterday that uses a technique that I've started to see more and more in documents - utilizing the metadata fields to hold some of the malicious code. The advantage to this technique is that it spreads the code throughout the document and makes it more difficult to analyze. Despite this, all signs pointed to this being an easy document to analyze. As you'll see, I was wrong.

resume.doc
MD5: e618b9ef551fe10bf83f29f963468ade
SHA1: 93993320c636c884e6f1b53f9f878410efca02da
SHA256: d400d6392a17311460442e76b26950a0a07e8a85c210c31e87a042a659dc9c52

Once more, I used REMNux to statically analyze the file. Yes, I could have executed it with Lazy Office Analyzer to speed up my analysis, but frankly my Windows VM is temporarily fubar'd, so I was stuck doing it this way.

The first step in my analysis was to figure out what type of document I was...
Read more

Malicious RTF document leading to NetwiredRC and Quasar RAT

Malware authors use a variety of clever methods to lure users into executing malicious documents. But the ThreatLabZ team recently observed a social engineering campaign with a unique approach. In these cases, malicious RTF documents effectively force users to execute an embedded VBA macro, which starts the infection cycle by dropping Quasar RAT and NetWiredRC payloads. The malicious RTF documents contain Excel sheets that include a macro, which downloads the additional payload on execution. The RTF document has the .doc extension and, when it is opened in Microsoft Word, a macro warning popup (Fig. 1) is shown, with which a user can enable or disable the macro. However, with this malicious RTF document, Word shows repeated macro warning popups even if the user has clicked the "Disable Macros" button during the first warning.

Fig. 1: Macro warning popup

There is no way to stop these popups except to click on all of them or to force-quit Word. The current malicious RTF shows the macro warning popup 10 times, since this malicious RTF document has 10 embedded Excel sheets (see Fig....
Read more

Five Reasons Why Marketing Needs to Care About Cybersecurity

Marketing moves fast and worrying about cybersecurity is often the least of our worries. Cybercriminals understand we're working fast and target our computers because we are likely to do what comes naturally: click, download, forward, open. Alas, organizational security teams struggle to keep us safe and often put limits on our ability to get stuff...

The post Five Reasons Why Marketing Needs to Care About Cybersecurity appeared first on Bromium.
Read more

Company Embedded Password-Stealing Malware into Installer as Part of DRM Efforts

A company embedded password-stealing malware into an installer as part of its digital rights management (DRM) efforts to combat software pirates. On Sunday the 18th, Reddit user crankyrecursion spotted the malware hiding within Flight Sim Labs' installer for its A320 flight simulator desktop software. A little digging on the user's part revealed that the threat originates ...

The post Company Embedded Password-Stealing Malware into Installer as Part of DRM Efforts appeared first on The State of Security.
Read more

Drinkman and Smilianets Sentenced: The End to Our Longest Databreach Saga?

On Thursday, February 15, 2018, we may have finally reached the end of the Albert Gonzalez Databreach Saga. Vladimir Drinkman, age 37, was sentenced to 144 months in prison, after pleading guilty before U.S. District Judge Jerome Simandle in New Jersey. His colleague, Dmitriy Smilianets, age 34, had also pleaded guilty and was sentenced to 51 months and 21 days in prison (which is basically "time served", so he'll walk immediately). The pair were actually arrested in the Netherlands on June 28, 2012, and the guilty pleas had happened in September 2015 after they were extradited to New Jersey.

Those who follow data breaches will certainly be familiar with Albert Gonzalez, but may not realize how far back his criminal career goes.

On July 24, 2003, the NYPD arrested Gonzalez in front of a Chase Bank ATM at 2219 Broadway and found him in possession of 15 counterfeit Chase ATM cards and $3,000 in cash. (See case 1:09-cr-00626-JBS). After that arrest, Gonzalez was taken under the wing of a pair of Secret Service agents, David Esposito and Steve Ward. Gonzalez describes some of the activities he engaged in during his time as a CI in his 53 page...
Read more

Identity Documents Exposed in FedEx-Owned Amazon S3 Bucket

More than 119,000 scanned identity documents, including passports and drivers' licenses, belonging to people from the United States and abroad were exposed in an insecure Amazon S3 storage bucket. The storage bucket belonged to a company called Bongo International that provided services for cross-border transactions between U.S.-based online merchants and international customers, complete with anti-fraud...
Read more