Recently I completed a project using Tampermonkey user scripts, and I needed to host them somewhere that our team’s browsers could access. S3 is an obvious choice to host static files but I wanted to limit access to certain IP addresses. We maintain several existing EC2 Security Groups and I …
Note to reader: If you are following along, you will need a VPN connection that supports a large list of geographic endpoints. I have found South American and Eastern Bloc countries are good choices for endpoints.
Many downloaders have a double-edged goal in mind – make it easy for the …
We recently became aware of what appears to be the return of Emotet. The TrickBot malware family began delivering a dll that is suspiciously similar to the old Emotet payloads. While information is still being developed around this, the shared distribution between TrickBot and Emotet from past endeavors points to …
VPNs are useful for many reasons. But if you have many devices it can be annoying to install, configure, authenticate, reconfigure, and keep a bunch of different VPN client apps updated. And if you have a device or two that you never want to be attributed to your real IP …
I’ve occasionally used NordVPN the past few years, but while working on another Cofense Lab Note I learned about the service’s more advanced features. So I thought I’d share my findings of what lies just beneath that big blue “Quick Connect” button, and also a small script that simplifies getting …
Namecheap is a useful site for purchasing and maintaining your domains. We wanted to test the ability to use its API for registering and renewing domains, as well as setting up host records after purchase. The API documentation has many request options, but not all the documentation is clear and …
There are many circumstances where we must dig into the network traffic generated by malware samples. And in lots of cases, we don’t have the benefit of the traffic being unencrypted. Perhaps you do not want, or cannot, run a MITM (man in the middle) proxy to handle this decryption …
I regularly check each of our sandbox environments for reports with suspicous yara rule hits and yet no IoCs or network traffic. If any of these reports are maldocs, then I attempt to deobfuscate them and discover whether a sandbox check resulted in the failure to detonate. During one of …
While none of the the configuration management tools I’ve used are perfect, Ansible is by far my top pick. There is a bit of a learning curve though. I think most people’s experience with Ansible goes something like this:
While reviewing the backlog of blogs and news articles that always accumulate over the holidays, I stumbled across an interesting Dridex downloader sample discussed here. I had recently analyzed a similar sample, but the XLM macro was obfuscated and stored in a single cell in the spreadsheet. What peaked …