Malicious documents exploiting CVE-2017-11882 continue to be used by malicious actors, but it has been a few years since I took a deep dive into their mechanics. A quick spelunk through our dataset produces quite a few, but I wanted an RTF example with minimal RTF obfuscation and came across …
I have this awful habit of testing concepts in poorly designed code with no logging, alerting, or comments, then somehow, they end up in production. Not real production, but it fills a need, saves time and effort, and several others want to use it, so it’s available for anyone who …
As we have noted before, attackers will leverage any file format they can to evade security protections put in place by their targets. (https://cofenselabs.com/all-you-need-is-text/).
On Jun 11, 2020 we noticed an odd file extension show up in our analysis pipeline.
It was a jnlp file. The jnlp extension is short …
While working on some wrapper scripts for dumping OLE VBA macros and attempting to deobfuscate them in search of downloader links, I came across an annoying, but not new, edge case – VBA macros using Excel cells to store additional code. In the past I used Philippe Lagadec’s excellent ViperMonkey…
Normally we try to allow our personalities shine through our posts, but we are living in abnormal times. The coronavirus (COVID-19) is a pandemic and is affecting everyone and everything. As if worrying about whether or not you will live or die isn’t enough, criminals began capitalizing on the worry …
While searching through our data for any samples of our current pandemic and threat actors’ favorite theme, I came across a rather interesting sample. The email and DOC are rather simple but consistent in theme and lacking the usual spelling and grammatical errors.
We tend to go a bit overkill on everything. Building a desktop? Yeah, 64GB of RAM should suffice, you know, just in case Windows 11 comes out next week. Testing a new service in Amazon EC2? Well t3.xlarge has more than enough just enough in case of technical things I …
We were looking through some of our latest data and came across an interesting phish. It wasn’t extremely well crafted as can be seen in the image below.
You might ask yourself why this is even worth looking at. Well it turned out that there was a very interesting URL …
Recently I decided to go spelunking through our data in search of any rarities that we have collected. And today I will share some of these interesting specimens. None of these samples are truly unique and most of them are already well known and well documented, but this exercise can …
Yes… another Emotet post, but they just keep on changing things up! We were having a look around our data from the Emotet botnet and came across an interesting example of the reply-chain tactic that has become the new normal for them.
As can be seen in the example above, …