Category: Lab Notes

Time for another spelunking session. While scanning our data for any samples with detection hits but no sandbox detonation, I came across an XLS attachment from an Italian language email.

Figure 1 – Original Email

It was flagged as containing VBA macros and a hidden XLM sheet, so let’s examine …

Continue Reading

To GIMP or not to GIMP

Previously, I wrote a little doodad on scripting GIMP to reduce the timesuck of repetitive image manipulation and gave an example script on creating square, black bordered thumbnails of images with the thumbnailed image maintaining the proper aspect ratio. Yeah, kinda mediocre skillset-wise, but there is an entire index of …

Continue Reading

The Dead Have Risen

On July 17, 2020 the Emotet botnet sprang back to life from a five-month hiatus—by far the longest break of the preceding few years. We assess that COVID may have thrown a monkey wrench into their plans, but we cannot be sure of that. While this is …

Continue Reading

Fell Deeds Awake

Malicious documents exploiting CVE-2017-11882 (the memory-corruption bug in the Microsoft Office Equation Editor) continue to be used by threat actors, but it has been a few years since I took a deep dive into their mechanics. A quick spelunk through our dataset produces quite a few, but I wanted an RTF example with minimal RTF obfuscation and came across …

Continue Reading

Getting Organized

I have this awful habit of testing concepts in poorly designed code with no logging, alerting, or comments, then somehow, they end up in production.  Not real production, but it fills a need, saves time and effort, and several others want to use it, so it’s available for anyone who …

Continue Reading

As we have noted before (https://cofenselabs.com/all-you-need-is-text/), attackers will leverage any file format they can to evade the security protections put in place by their targets.

On Jun 11, 2020 we noticed an odd file extension show up in our analysis pipeline.

It was a jnlp file. The jnlp extension is short …

Continue Reading

While working on some wrapper scripts for dumping OLE VBA macros and attempting to deobfuscate them in search of downloader links, I came across an annoying, but not new, edge case – VBA macros using Excel cells to store additional code. In the past I used Philippe Lagadec’s excellent ViperMonkey
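The hidden XLM sheet in the XLS sample at the top of this page and the cells-as-code-storage edge case here both come down to the same triage step: find the sheets the analyst cannot see in the Excel UI, then pull out what their cells hold so the macro's concatenation can be replayed. The script below is an added example and is not code from these posts or from ViperMonkey. It handles the zip-based OOXML container (.xlsx/.xlsm), which the standard library can parse, rather than the legacy BIFF .xls the posts analyze; the workbook it scans is constructed in memory, and every function name is mine.

```python
"""Triage an OOXML workbook for sheets hidden from the Excel UI (state="hidden"
or "veryHidden") and for Excel 4.0 (XLM) macro sheets, then dump the strings
and formulas stored in their cells.

Added example. Covers the OOXML (.xlsx/.xlsm) container, not legacy BIFF .xls;
the sample workbook is constructed inline and is not a real malware sample.
"""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_MACROSHEET = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
NS_XM = "http://schemas.microsoft.com/office/excel/2006/main"


def build_sample_workbook() -> bytes:
    """Constructed sample: a visible sheet, a veryHidden worksheet whose cells hold
    fragments a VBA macro could concatenate, and a hidden XLM macro sheet."""
    parts = {
        "xl/workbook.xml": f"""<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_R}"><sheets>
<sheet name="Invoice" sheetId="1" r:id="rId1"/>
<sheet name="Data" sheetId="2" state="veryHidden" r:id="rId2"/>
<sheet name="Macro1" sheetId="3" state="hidden" r:id="rId3"/>
</sheets></workbook>""",
        "xl/_rels/workbook.xml.rels": f"""<Relationships xmlns="{NS_PKG}">
<Relationship Id="rId1" Type="{NS_R}/worksheet" Target="worksheets/sheet1.xml"/>
<Relationship Id="rId2" Type="{NS_R}/worksheet" Target="/xl/worksheets/sheet2.xml"/>
<Relationship Id="rId3" Type="{REL_MACROSHEET}" Target="macrosheets/sheet1.xml"/>
<Relationship Id="rId4" Type="{NS_R}/sharedStrings" Target="sharedStrings.xml"/>
</Relationships>""",
        "xl/sharedStrings.xml": f"""<sst xmlns="{NS_MAIN}"><si><t>Invoice #1042</t></si>
<si><t>https://example.invalid/</t></si><si><t>update</t></si></sst>""",
        "xl/worksheets/sheet1.xml": f"""<worksheet xmlns="{NS_MAIN}"><sheetData>
<row r="1"><c r="A1" t="s"><v>0</v></c></row></sheetData></worksheet>""",
        "xl/worksheets/sheet2.xml": f"""<worksheet xmlns="{NS_MAIN}"><sheetData>
<row r="1"><c r="A1" t="s"><v>1</v></c></row>
<row r="2"><c r="A2" t="s"><v>2</v></c><c r="B2" t="inlineStr"><is><t>.bin</t></is></c></row>
</sheetData></worksheet>""",
        "xl/macrosheets/sheet1.xml": f"""<xm:macrosheet xmlns:xm="{NS_XM}" xmlns="{NS_MAIN}"><sheetData>
<row r="1"><c r="A1"><f>ALERT("constructed sample")</f><v>0</v></c></row>
<row r="2"><c r="A2"><f>HALT()</f><v>0</v></c></row></sheetData></xm:macrosheet>""",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def _cell_order(ref: str) -> tuple[int, int]:
    """Sort key (row, column) so fragments are joined in reading order."""
    m = re.fullmatch(r"([A-Z]+)(\d+)", ref)
    col = 0
    for ch in m.group(1):
        col = col * 26 + (ord(ch) - ord("A") + 1)
    return int(m.group(2)), col


def extract_cells(sheet_xml: bytes, shared: list[str]) -> dict[str, str]:
    """Map cell ref -> formula (prefixed with '=') or resolved string/number value."""
    cells = {}
    for c in ET.fromstring(sheet_xml).iter(f"{{{NS_MAIN}}}c"):
        ref, kind = c.get("r"), c.get("t")
        f = c.find(f"{{{NS_MAIN}}}f")
        v = c.find(f"{{{NS_MAIN}}}v")
        if f is not None and f.text:
            cells[ref] = "=" + f.text          # XLM or worksheet formula
        elif kind == "s" and v is not None:
            cells[ref] = shared[int(v.text)]   # index into the shared-string table
        elif kind == "inlineStr":
            cells[ref] = "".join(t.text or "" for t in c.iter(f"{{{NS_MAIN}}}t"))
        elif v is not None and v.text is not None:
            cells[ref] = v.text                # number/boolean exactly as stored
    return cells


def scan_workbook(data: bytes) -> dict[str, dict]:
    """Return {sheet name: {"kind", "state", "cells"}} for every sheet in the workbook."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        rels = {}
        for rel in ET.fromstring(zf.read("xl/_rels/workbook.xml.rels")).iter(f"{{{NS_PKG}}}Relationship"):
            rels[rel.get("Id")] = (rel.get("Type"), rel.get("Target"))
        shared = []
        if "xl/sharedStrings.xml" in zf.namelist():
            for si in ET.fromstring(zf.read("xl/sharedStrings.xml")).iter(f"{{{NS_MAIN}}}si"):
                shared.append("".join(t.text or "" for t in si.iter(f"{{{NS_MAIN}}}t")))
        report = {}
        for sheet in ET.fromstring(zf.read("xl/workbook.xml")).iter(f"{{{NS_MAIN}}}sheet"):
            rtype, target = rels[sheet.get(f"{{{NS_R}}}id")]
            # Relationship targets are relative to xl/ unless they start with '/'
            part = posixpath.normpath(target[1:] if target.startswith("/") else "xl/" + target)
            report[sheet.get("name")] = {
                "kind": "xlm-macrosheet" if rtype == REL_MACROSHEET else "worksheet",
                "state": sheet.get("state", "visible"),  # a missing attribute means visible
                "cells": extract_cells(zf.read(part), shared),
            }
    return report


def flag_sheets(report: dict[str, dict]) -> list[str]:
    """Sheets worth a second look: anything not visible, plus every XLM macro sheet."""
    return [n for n, s in report.items() if s["state"] != "visible" or s["kind"] == "xlm-macrosheet"]


def join_cells(cells: dict[str, str]) -> str:
    """Concatenate cell contents in row-major order, mirroring what a macro that
    builds a string from Range("A1") & Range("A2") & ... would reassemble."""
    return "".join(cells[r] for r in sorted(cells, key=_cell_order))


if __name__ == "__main__":
    rep = scan_workbook(build_sample_workbook())
    for name in flag_sheets(rep):
        s = rep[name]
        print(f"[{s['state']}/{s['kind']}] {name}: {s['cells']}")
        if s["kind"] == "worksheet":
            print("  joined:", join_cells(s["cells"]))
```

Two things are deliberate here. First, a sheet with no `state` attribute is treated as visible, and `veryHidden` is a distinct value: a `veryHidden` sheet cannot be unhidden from Excel's right-click menu, only from the VBA editor, so it is the one worth flagging hardest. Second, the macro sheet is identified by its relationship type rather than its path, because a writer can place the part anywhere inside the package; an `xlMacrosheet` relationship is the reliable signal.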

Continue Reading

Normally we try to let our personalities shine through our posts, but we are living in abnormal times. The coronavirus (COVID-19) is a pandemic and is affecting everyone and everything. As if worrying about whether or not you will live or die isn't enough, criminals began capitalizing on the worry …

Continue Reading

While searching through our data for samples themed around the current pandemic, threat actors' favorite lure at the moment, I came across a rather interesting sample. The email and DOC are rather simple but consistent in theme and lacking the usual spelling and grammatical errors.

Continue Reading