Time for another spelunking session. While scanning our data for any samples with detection hits but no sandbox detonation, I came across an XLS attachment from an Italian language email.
It was flagged as containing VBA macros and a hidden XLM sheet, so let’s examine …
We recently found out about 2 actions taken against the TrickBot botnet by 2 very large and powerful entities. Brian Krebs covered this initially and stated that it involved some actor modifying the configuration files that were pushed to the botnet clients. We later found out that it was a …
Previously, I wrote a little doodad on scripting GIMP to reduce the timesuck of repetitive image manipulation and gave an example script on creating square, black bordered thumbnails of images with the thumbnailed image maintaining the proper aspect ratio. Yeah, kinda mediocre skillset-wise, but there is an entire index of …
On July 17, 2020 the Emotet botnet sprang back to life from a five-month hiatus—by far the longest break of the preceding few years. We assess it is possible that COVID may have thrown a monkey wrench into their plans, but we cannot be sure of that. While this is …
Malicious documents exploiting CVE-2017-11882 continue to be used by malicious actors, but it has been a few years since I took a deep dive into their mechanics. A quick spelunk through our dataset produces quite a few, but I wanted an RTF example with minimal RTF obfuscation and came across …
I have this awful habit of testing concepts in poorly designed code with no logging, alerting, or comments, then somehow, they end up in production. Not real production, but it fills a need, saves time and effort, and several others want to use it, so it’s available for anyone who …
As we have noted before, attackers will leverage any file format they can to evade security protections put in place by their targets. (https://cofenselabs.com/all-you-need-is-text/).
On Jun 11, 2020 we noticed an odd file extension show up in our analysis pipeline.
It was a jnlp file. The jnlp extension is short …
While working on some wrapper scripts for dumping OLE VBA macros and attempting to deobfuscate them in search of downloader links, I came across an annoying, but not new, edge case – VBA macros using Excel cells to store additional code. In the past I used Philippe Lagadec’s excellent ViperMonkey…
Normally we try to allow our personalities shine through our posts, but we are living in abnormal times. The coronavirus (COVID-19) is a pandemic and is affecting everyone and everything. As if worrying about whether or not you will live or die isn’t enough, criminals began capitalizing on the worry …
While searching through our data for any samples of our current pandemic and threat actors’ favorite theme, I came across a rather interesting sample. The email and DOC are rather simple but consistent in theme and lacking the usual spelling and grammatical errors.
