Nowadays one of the most frequent cybersecurity threat comes from Malicious (office) document shipped over eMail or Instant Messaging. Some analyzed threats examples include: Step By Step Office Dropper Dissection, Spreading CVS Malware over Google, Microsoft Powerpoint as Malware Dropper, MalHIDE, Info Stealing: a New Operation in the Wild, Advanced All in Memory CryptoWorm, etc. […]Read more "Frequent VBA Macros used in Office Malware"
Many state sponsored groups have been identified over time, many of them have different names (since discovered by different organizations) and there is no an agreed standardization on the topic but many victims and some interests look very tight together. From here the idea to compare the leaked source code of two different state sponsored […]Read more "Similarities and differences between MuddyWater and APT34"
The APT34 Glimpse project is maybe the most complete APT34 project known so far. Indeed we might observe a File based command and control (quite unusual solution) structure, a VBS launcher, a PowerShell Payload and a covert channel over DNS engine. This last feature is the most appreciated characteristics attributed to APT34. But let’s move […]Read more "APT34: Glimpse project"
When an unknown sender suggests me to click on a super wired url, dropping a ZIP file straight in my box, by saying it’s getting the next targeted attack on a huge company, well I kinda looking forward to it ! So I clicked on the link (see IOC section) and I’ve downloaded a “pik.zip” […]Read more "Ransomware, Trojan and Miner together against “PIK-Group”"
On January 19th we downloaded Collectoin #1 to make statistics on its content (you might find more information here). During these days we finished the two main activities to be able to answer some more questions about it data: (i) ELK import and (ii) building of simple views to visualise desired informations. The following image shows […]Read more "“Collection #I” Data Breach Analysis – Part 2"
Nowadays Microsoft office documents are often used to propagate Malware acting like dynamic droppers. Microsoft Excel within macros or Microsoft Word with user actions (like links or external OLE objects) are the main player in this “Office Dropping Arena”. When I figured out that a Microsoft Powerpoint was used to drop and to execute a […]Read more "Microsoft Powerpoint as Malware Dropper"
Today I’d like to share an interesting analysis of a Targeted Attack found and dissected by Yoroi (technical details are available here). The victim was one of the most important leader in the field of security and defensive military grade Naval ecosystem in Italy. Everything started from a well crafted email targeting the right office […]Read more "MartyMcFly Malware: Targeting Naval Industry"
Today I’d like to share a simple analysis based on fascinating threat that I like to call Sustes (you will see name genesis in a bit). Everybody knows Monero crypto currency and probably everybody knows that it has built upon privacy, by meaning It’s not that simple to figure out Monero wallet balance. Sustes (mr.sh) is […]Read more "Sustes Malware: CPU for Monero"
Today I’d like to share a full path analysis including a KickBack attack which took me to gain full access to an entire Ursniff/Gozi BotNet . In other words: from a simple “Malware Sample” to “Pwn the Attacker Infrastructure”. NB: Federal Police has already been alerted on such a topic as well as National […]Read more "Hacking The Hacker. Stopping a big botnet targeting USA, Canada and Italy"
Today I’d like to share the following reverse engineering path since it ended up to be more complex respect what I thought. The full path took me about hours work and the sample covers many obfuscation steps and implementation languages. During the analysis time only really few Antivirus (6 out of 60) were able to […]Read more "Interesting hidden threat since years ?"