APT28 / Fancy Bear still targeting military institutions

APT28 / Fancy Bear still targeting military institutions

APT28, aka Fancy Bear, the famous hacker group believed to be state-sponsored from Russia, seems to be targeting NATO partners / defense / military institutions / affairs in these hours. Spear-phishing emails with attached a malicious document referring to a "nato simulation" event (the name of the doc is "NATO Simulation.doc"), seem to be used to try to compromise some institutional entities (likely from north /  east europe). The hunting group involved in the analysis of this event is … [Read more]

APT29 threat group seems to be back targeting US public / gov /defense sector

APT29, the well known hacking group, seems to be back with slightly different tactical and technical procedures to conduct its last cyber operation. In the late evening of 15  / 11, some malicious documents likely to be referred to the group in question have been submitted to a major online malware analysis platform (Virus Total - @DrunkBinary credits for the first discovery). The analyzed decoy document retrieved by me is clearly referring to a DoS (Department of State) PDF form that is shown … [Read more]

Update: Hands in the MuddyWater – Playing with Iranian Cyber-Espionage Campaign

This is an update of previous post "Hands in the MuddyWater - Playing with Iranian Cyber-Espionage Campaign". Because someone asked me to show DNS hits statistics for all the compromized domain names serving this cyber-espionage campaign, following there are the missing two:Three days data 26-29 /10         Note that "hits" can be referred to, in this case, to normal web browsing also (legitimate … [Read more]

Hands in the MuddyWater – Playing with Iranian Cyber-Espionage Campaign

MuddyWater is likely a state sponsored hacking group targeting Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey and the United States. It is linked by the security community to  the iranian Government, and its operations are heavily evolving over  the last months.The following is an informal report about one recent malware related to the "MuddyWater" APT campaign.Recap IoC:dn: … [Read more]

Exobot Source Code Available

Exobot Source Code Available

Exobot source code has been leaked and released in darkweb. The code proved to be version 2.5 of the Exobot banking trojan, also known as the "Trump Edition," one of Exobot's last version before its original author gave up on its development. To avoid proliferations of malware samples based on the source code here presented, security restrictions have been applied to download.(Please note that archive is encrypted !! Only accredited security vendors, vetted security researchers and law … [Read more]

Anti-Rootkit Evasion (blinding GMER)

Anti-Rootkit Evasion (blinding GMER)

During a discussion with colleagues about the ability of modern malware to evade the most common anti-virus solutions, a fixed point seemed to be using anti-rootkit tools to thoroughly check the status of a system. One of the most reliable and trustworthy (and widely used) seems to be undoubtedly GMER. It was widely believed that only very advanced malware (certainly sponsored by governments or by Microsoft itself) could simultaneously hide its presence within the system and to mock, at the same … [Read more]

Dridex Downloader Analysis

Dridex Downloader Analysis

This morning I received on my company box an email with an attached .xlsm file named D92724446.xlsm coming from [email protected] Central and local AV engines did not found anything malicious and also a multiengine scan got 0/57 as result. I decided to investigate a little more in-depth in order to confirm that was a malicious file and to extract at least the code I was imagining being inside this document. These are some general info collected about the received file: Name: … [Read more]

A look at SANS Brussels Challenges

A look at SANS Brussels Challenges

This morning, a colleague of mine pointed out me to some reversing “challenges” addressed to participants of SANS Brussels 2015 (what? I was not there?). Why not to take a quick look and try to solve them ? I hope to publish the solutions/suggestions is not cause of rage for mentors of SANS, for whom I have a lot of esteem. However, at the time of this writing these challenges are online and accessible without any particular restriction at https://www.sansemea.com/challenges.php, therefore I … [Read more]

Pattern-Based Approach for In-Memory ShellCodes Detection

Pattern-Based Approach for In-Memory ShellCodes Detection

This topic has been dealt in one of my last technical articles. The document shows as it’s possible to approach an incident investigation on the basis of common instructions used by shellcodes to achieve their goals. The analysis is conducted within a memory dump. In this regard have been developed some yara custom rules that can be used as an aid for experienced analyst to quickly locate malicious code. Note, however, that this is a very wide topic (have you ever heard of padding, permutations, … [Read more]

Business Continuity and Disaster Recovery Plan

Business Continuity and Disaster Recovery Plan

This is a document written for an italian magazine by Emanuele De Lucia (Information Security n°27 @ Edisef Editore) and used for a training course headed by the author.In this paper are covered topics useful to ensure business continuity of our organizations. The common differences between a BCP and a DRP and others topics such as “centers of redundancy” and “high availability infrastructures” are also dealt.The article can be viewed on Information Security Magazine website:  … [Read more]