jRAT += Houdini: New Year 2019

jRAT += Houdini: New Year 2019

In the late evening of 08-01-2019 a phishing document related to the Ministry of Defense of Turkey has been captured in the wild and caught my attention (md5: 0d3b1c3c4287fe12399dc29d88905e9c). Further investigations led to believe that a new malicious campaign aimed to the spreading of HWorm + jRat variants is raising up in these last days. Insights The phishing document (md5: 0d3b1c3c4287fe12399dc29d88905e9c) tries to attract the curiosity of the potential victims through a file name that … [Read more]

APT28 / Sofacy – SedUploader under the Christmas tree

APT28 / Sofacy - SedUploader under the Christmas tree

Another APT28 / Sofacy supposed decoy document related to defence and security sector [md5: f8a778d21003098075c9aef8ed58c6c3] has been captured in the wild yesterday evening. It's likely targeting at least one eastern europe country. The spear-phishing document collected seems to work primarly through the use of macro code to complete the cycle of infection. An image related to the decoy document is reported following:It seems similar, for some pieces of internal code, to the document … [Read more]

Shamoon / DiskTrack Malware IoC for recent Oil & Gas Energy sector attack

A variant of Shamoon malware crippled more than 300 company's computer of Saipem, the italian Oil & Gas services firm. Yesterday, a new variant of this malware has been upload on Virus Total platform from Italy (md5: b41f586fc9c95c66f0967f1592641a85 ). The sample seems to have not been compiled recently (2011-11-28 14:53:13). The malware variant under analysis presents the Arabic language ID support which is in line with previous Shamoon version. It has the capabilities to overwrite the MBR … [Read more]

APT29 threat group seems to be back targeting US public / gov /defense sector

APT29, the well known hacking group, seems to be back with slightly different tactical and technical procedures to conduct its last cyber operation. In the late evening of 15  / 11, some malicious documents likely to be referred to the group in question have been submitted to a major online malware analysis platform (Virus Total - @DrunkBinary credits for the first discovery). The analyzed decoy document retrieved by me is clearly referring to a DoS (Department of State) PDF form that is shown … [Read more]

Exobot Source Code Available

Exobot Source Code Available

Exobot source code has been leaked and released in darkweb. The code proved to be version 2.5 of the Exobot banking trojan, also known as the "Trump Edition," one of Exobot's last version before its original author gave up on its development. To avoid proliferations of malware samples based on the source code here presented, security restrictions have been applied to download.(Please note that archive is encrypted !! Only accredited security vendors, vetted security researchers and law … [Read more]

Dridex Downloader Analysis

Dridex Downloader Analysis

This morning I received on my company box an email with an attached .xlsm file named D92724446.xlsm coming from [email protected] Central and local AV engines did not found anything malicious and also a multiengine scan got 0/57 as result. I decided to investigate a little more in-depth in order to confirm that was a malicious file and to extract at least the code I was imagining being inside this document. These are some general info collected about the received file: Name: … [Read more]

Pattern-Based Approach for In-Memory ShellCodes Detection

Pattern-Based Approach for In-Memory ShellCodes Detection

This topic has been dealt in one of my last technical articles. The document shows as it’s possible to approach an incident investigation on the basis of common instructions used by shellcodes to achieve their goals. The analysis is conducted within a memory dump. In this regard have been developed some yara custom rules that can be used as an aid for experienced analyst to quickly locate malicious code. Note, however, that this is a very wide topic (have you ever heard of padding, permutations, … [Read more]

Meeting with a Chinese Malware

Meeting with a Chinese Malware

This evening I received an email with an attached zip. This email was very well made and my anti-virus did not detect anything dangerous -_- veeeery nice…i decided to take a look and see what strange monster was inside :] The executable is a trojan/downloader packed with something custom! After recovering the original executable bypassing all protections, i  was able to have a look within it and immediately i saw some interesting functions … [Read more]

OpenSSL TLS HeartBeat (HeartBleed) Vulnerability Subnet Scan

OpenSSL TLS HeartBeat (HeartBleed) Vulnerability Subnet Scan

This script allows to test a full /24 subnet for OpenSLL TLS HeartBeat (HeartBleed) Vulnerability. Originally coded by Jared Stafford ([email protected]) to test this weakness on a single host at a time, it has been modified by Emanuele De Lucia to allow the scan of an entire subnet. This modification has been made for work reasons within few hours by the notice of the vulnerability, in order to readily identify the affected services within a very wide range of systems exposed. May be … [Read more]

Steganography and Steganalysis: Common Image Formats and LSB

Steganography and Steganalysis: Common Image Formats and LSB

 Thousands and thousands of data items currently are riding the Internet every day; their representation could be a continuous stream of data transiting through the entire globe. With the growth in quantity and especially in the importance of such informations, the need to adopt systems designed to guarantee a good level of protection and security has also grown in proportion. This paper explores those that are the common steganographic algorithms used to hide informations within seemingly … [Read more]