Frankenstein's phishing using Google Cloud Storage, (Wed, May 27th)Wed, 27 May 2020 08:39:20 GMT Phishing e-mail messages and/or web pages are often unusual in one way or another from the technical standpoint – some are surprisingly sophisticated, while others are incredibly simple, and sometimes they are a very strange mix of the two. The latter was the case with an e-mail, which our company e-mail gateway caught last week – some aspects of it appeared to be professionally done, but others screamed that the author was a “beginner†at best.
Seriously, SHA3 where art thou?, (Tue, May 26th)Tue, 26 May 2020 19:18:42 GMT A couple weeks ago, Rob wrote a couple of nice diaries. In our private handlers slack channel I was joking after the first one about whether he was going to rewrite CyberChef in PowerShell. After the second I asked what about SHA3? So, he wrote another one (your welcome for the diary ideas, Rob). I was only half joking.
AgentTesla Delivered via a Malicious PowerPoint Add-In, (Sat, May 23rd)Sat, 23 May 2020 06:16:26 GMT Attackers are always trying to find new ways to deliver malicious code to their victims. Microsoft Word and Excel are documents that can be easily weaponized by adding malicious VBA macros. Today, they are one of the most common techniques to compromise a computer. Especially because Microsoft implemented automatically executed macros when the document is opened. In Word, the macro must be named AutoOpen(). In Excel, the name must be Workbook_Open(). However, PowerPoint does not support this kind of macro. Really? Not in the same way as Word and Excel do!
Some Strings to Remember, (Fri, May 22nd)Fri, 22 May 2020 13:46:43 GMT When you handle unknown files, be it for malware analysis or other reasons, it helps to know some strings / hexadecimal sequences to quickly recognize file types and file content.
Malware Triage with FLOSS: API Calls Based Behavior, (Thu, May 21st)Thu, 21 May 2020 06:04:40 GMT Malware triage is a key component of your hunting process. When you collect suspicious files from multiple sources, you need a tool to automatically process them to extract useful information. To achieve this task, I'm using FAME[1] which means “FAME Automates Malware Evaluationâ€. This framework is very nice due to the architecture based on plugins that you can enable upon your needs. Here is an overview of my configuration:
Report: ATM Skimmer Gang Had Protection from Mexican Attorney General’s OfficeTue, 26 May 2020 21:45:37 +0000 A group of Romanians operating an ATM company in Mexico and suspected of bribing technicians to install sophisticated Bluetooth-based skimmers in cash machines throughout several top Mexican tourist destinations have enjoyed legal protection from a top anti-corruption official in the Mexican attorney general's office, according to a new complaint filed with the government's internal affairs division.
Riding the State Unemployment Fraud ‘Wave’Sat, 23 May 2020 13:40:05 +0000 When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that's exactly what appears to be going on right now as multiple U.S. states struggle to combat a tsunami of phony Pandemic Unemployment Assistance (PUA) claims. Meanwhile, a number of U.S. states are possibly making it easier for crooks by leaking their citizens' personal data from the very websites the unemployment scammers are using to file bogus claims.
Ukraine Nabs Suspect in 773M Password ‘Megabreach’Tue, 19 May 2020 16:46:21 +0000 In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.” A subsequent review by KrebsOnSecurity quickly determined the data was years old and merely a compilation of credentials pilfered from mostly public data breaches. Earlier today, authorities in Ukraine said they’d apprehended a suspect in the case.