Today I’d like to share an interesting and heavily obfuscated malware sample which made me think about the meaning of “Targeted Attack”. Nowadays a targeted attack is mostly understood as one aimed at state assets or business areas. For example, a targeted attack might address the naval industry (the MartyMcFly case is definitely a great example) or USA companies (Botnet […] Read more "From Targeted Attack to Untargeted Attack"
Today I want to share a quick analysis of a newly leaked APT34 tool in order to track similarities between the publicly available APT34 toolsets. This time it is the APT34 Jason – Exchange Mail BF project, leaked by Lab Dookhtegan on June 3, 2019. Context: According to FireEye, APT 34 has been active since […] Read more "APT34: Jason project"
In 2016 I was working hard to find a way to classify malware families through artificial intelligence (machine learning). One of the first difficulties I met was finding a classified testing set in order to run new algorithms and to test specific features. So, I came up with this blog post and this GitHub […] Read more "Malware Training Sets: FollowUP"
The APT34 Glimpse project is perhaps the most complete APT34 project known so far. Indeed, we can observe a file-based command-and-control structure (quite an unusual solution), a VBS launcher, a PowerShell payload and a covert channel over a DNS engine. This last feature is the most recognized characteristic attributed to APT34. But let’s move […] Read more "APT34: Glimpse project"
Today I’d like to share a quick analysis of the webmask project standing behind the DNS attacks implemented by APT34. Thanks to the leaked source code, it is now possible to check APT34 implementations and techniques. Context: Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the […] Read more "APT34: webmask project"
During the past few weeks I received several emails asking how to dissect Office payloads. While I was thinking about how to answer such questions, by sheer coincidence I received a MalSpam message with a Microsoft Office document attached, so I decided to write a little bit about it. This is not going to be […] Read more "Step By Step Office Dropper Dissection"
There are many ways to spot Advanced Persistent Threats: for example, during a forensic analysis of a “high-rate incident”, by having sandbox systems on critical infrastructures, or again by working as an incident responder for big companies, working in a national CERT, or building a simple tool performing analysis on malware streams. Today I’d like to share […] Read more "Free Tools: Spotting APTs"
When an unknown sender suggests that I click on a super weird URL, dropping a ZIP file straight into my inbox, by saying it’s the next targeted attack on a huge company, well, I kind of look forward to it! So I clicked on the link (see the IOC section) and downloaded a “pik.zip” […] Read more "Ransomware, Trojan and Miner together against “PIK-Group”"
Hi folks, today I’d like to point you to another tool of mine which extracts suspicious IPs from undesired connections. In other words: HoneyPots. I run a personal HoneyPot network which has been running for years, and over time it has harvested numerous IP addresses which could potentially be malicious (typically scanners). If you like having fresh HoneyPot […] Read more "Free Tool: Honey Feed"
Hi folks, during the past weeks I received many requests on how to subscribe to my new WordPress blog, so many that I decided to “wrap up” a little post on how to do it: apparently it is not so intuitive (my bad 😛 ). On the top right of the page you should see “three dots”. […] Read more "How to Subscribe"