Author: Jason Meurer

We recently became aware of what appears to be the return of Emotet. The TrickBot malware family began delivering a DLL that is suspiciously similar to the old Emotet payloads. While information is still being developed around this, the shared distribution between TrickBot and Emotet from past endeavors points to …

There are many circumstances where we must dig into the network traffic generated by malware samples. And in lots of cases, we don’t have the benefit of the traffic being unencrypted. Perhaps you do not want, or cannot, run a MITM (man in the middle) proxy to handle this decryption …

The Dead Have Risen

On July 17, 2020 the Emotet botnet sprang back to life from a five-month hiatus—by far the longest break of the preceding few years. We assess it is possible that COVID may have thrown a monkey wrench into their plans, but we cannot be sure of that. While this is …

As we have noted before, attackers will leverage any file format they can to evade security protections put in place by their targets (https://cofenselabs.com/all-you-need-is-text/).

On Jun 11, 2020 we noticed an odd file extension show up in our analysis pipeline.

It was a jnlp file. The jnlp extension is short …

Normally we try to let our personalities shine through our posts, but we are living in abnormal times. The coronavirus (COVID-19) is a pandemic and is affecting everyone and everything. As if worrying about whether or not you will live or die isn’t enough, criminals began capitalizing on the worry …

Yes… another Emotet post, but they just keep on changing things up! We were having a look around our data from the Emotet botnet and came across an interesting example of the reply-chain tactic that has become the new normal for them.

As can be seen in the example above, …