We recently became aware of what appears to be the return of Emotet. The TrickBot malware family began delivering a dll that is suspiciously similar to the old Emotet payloads. While information is still being developed around this, the shared distribution between TrickBot and Emotet from past endeavors points to …
There are many circumstances where we must dig into the network traffic generated by malware samples. And in lots of cases, we don’t have the benefit of the traffic being unencrypted. Perhaps you do not want, or cannot, run a MITM (man in the middle) proxy to handle this decryption …
We recently found out about 2 actions taken against the TrickBot botnet by 2 very large and powerful entities. Brian Krebs covered this initially and stated that it involved some actor modifying the configuration files that were pushed to the botnet clients. We later found out that it was a …
On July 17, 2020 the Emotet botnet sprang back to life from a five-month hiatus—by far the longest break of the preceding few years. We assess it is possible that COVID may have thrown a monkey wrench into their plans, but we cannot be sure of that. While this is …
Another jnlp campaign leveraging a classic missed package delivery theme.
Loads MD5 (FedEx_Delivery_invoice.jnlp) = 315740b45e4d29392f4ee735584ef3bd
As we have noted before, attackers will leverage any file format they can to evade security protections put in place by their targets. (https://cofenselabs.com/all-you-need-is-text/).
On Jun 11, 2020 we noticed an odd file extension show up in our analysis pipeline.
It was a jnlp file. The jnlp extension is short …
Normally we try to allow our personalities shine through our posts, but we are living in abnormal times. The coronavirus (COVID-19) is a pandemic and is affecting everyone and everything. As if worrying about whether or not you will live or die isn’t enough, criminals began capitalizing on the worry …
We were looking through some of our latest data and came across an interesting phish. It wasn’t extremely well crafted as can be seen in the image below.
You might ask yourself why this is even worth looking at. Well it turned out that there was a very interesting URL …
Yes… another Emotet post, but they just keep on changing things up! We were having a look around our data from the Emotet botnet and came across an interesting example of the reply-chain tactic that has become the new normal for them.
As can be seen in the example above, …
