Category: Lab Notes

NordVPN: Expert Mode

I’ve occasionally used NordVPN the past few years, but while working on another Cofense Lab Note (coming soon!) I learned about the service’s more advanced features. So I thought I’d share my findings of what lies just beneath that big blue “Quick Connect” button, and also a small script that …

Continue Reading

There are many circumstances where we must dig into the network traffic generated by malware samples. And in lots of cases, we don’t have the benefit of the traffic being unencrypted. Perhaps you do not want, or cannot, run a MITM (man in the middle) proxy to handle this decryption …

Continue Reading

Down the Rabbit Hole

I regularly check each of our sandbox environments for reports with suspicous yara rule hits and yet no IoCs or network traffic. If any of these reports are maldocs, then I attempt to deobfuscate them and discover whether a sandbox check resulted in the failure to detonate. During one of …

Continue Reading

Ansible Reuse Made Easy

While none of the the configuration management tools I’ve used are perfect, Ansible is by far my top pick.  There is a bit of a learning curve though.  I think most people’s experience with Ansible goes something like this:

  1. Review the technically correct and verbose docs.
  2. Decide to google for
Continue Reading

Connecting the Dots

While reviewing the backlog of blogs and news articles that always accumulate over the holidays, I stumbled across an interesting Dridex downloader sample discussed here. I had recently analyzed a similar sample, but the XLM macro was obfuscated and stored in a single cell in the spreadsheet. What peaked …

Continue Reading

Time for another spelunking session. While scanning our data for any samples with detection hits but no sandbox detonation, I came across an XLS attachment from an Italian language email.

Figure 1 – Original Email

It was flagged as containing VBA macros and a hidden XLM sheet, so let’s examine …

Continue Reading

To GIMP or not to GIMP

Previously, I wrote a little doodad on scripting GIMP to reduce the timesuck of repetitive image manipulation and gave an example script on creating square, black bordered thumbnails of images with the thumbnailed image maintaining the proper aspect ratio. Yeah, kinda mediocre skillset-wise, but there is an entire index of …

Continue Reading

The Dead Have Risen

On July 17, 2020 the Emotet botnet sprang back to life from a five-month hiatus—by far the longest break of the preceding few years.  We assess it is possible that COVID may have thrown a monkey wrench into their plans, but we cannot be sure of that.  While this is …

Continue Reading