Syndicated Blog

Bromium
When other things fail in cybersecurity, application isolation does not.
Ransomware Goes Fileless, Uses Malicious Documents and PowerShell to Encrypt Files

In October 2019, we encountered a phishing campaign delivering a malicious Microsoft Word document that distributed ransomware with a twist. Unlike most ransomware families, such as GandCrab, WannaCry and RobinHood, the malware ...
Buran Ransomware Targets German Organisations through Malicious Spam Campaign

Introduction As of October 2019, commodity ransomware campaigns conducted by financially motivated threat actors pose a significant threat to organisations. The three distinguishing characteristics of such campaigns are: first, they are usually ...
Reawakening of Emotet: An Analysis of its JavaScript Downloader

In mid-September 2019, Emotet resumed its activity and we evaluated changes to its operation in a previous blog post by Alex Holland. One of the noticeable changes is that some of the ...
Changes to Emotet in September 2019

Thank you to Ratnesh Pandey who also contributed to this research. On 16 September 2019, Bromium Labs observed the resumption of Emotet malicious spam (malspam) campaign activity following a hiatus since the ...
Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader

Introduction For a malicious actor to compromise a system, they need to avoid being detected at the point of entry into the target’s network. Commonly, phishing emails delivering malicious attachments (T1193) serve ...
Agent Tesla: Evading EDR by Removing API Hooks

Written by Toby Gray and Ratnesh Pandey. Endpoint detection and response (EDR) tools rely on operating system events to detect malicious activity that is generated when malware is run. These events are ...
Bromium to Speak at Cyber Security Summit Chicago, Aug 27

Visit Bromium at the Cyber Security Summit in Chicago on Tuesday, August 27. Dan Allen, VP Customer Success, is speaking on the panel, "Incident Response – What to do Before, During and ...
Decrypting L0rdix RAT’s C2

In my previous blog post on L0rdix RAT, I took a look at its panel and builder components that have been circulating through underground forums recently. I identified a key as part ...
Dridex’s Bag of Tricks: An Analysis of its Masquerading and Code Injection Techniques

A new variant of Dridex observed in July 2019 masquerades as legitimate Windows system processes to avoid detection. The variant uses five code injection techniques during its infection lifecycle: AtomBombing, DLL order ...
An Analysis of L0rdix RAT, Panel and Builder

L0rdix is a multipurpose remote access tool (RAT) that was first discovered being sold on underground criminal forums in November 2018. Shortly after its discovery, Ben Hunter of enSilo analysed the RAT’s ...