Lost in Security (and mostly everything else)

2018-04-21 “TOP URGENT//: REQUEST FOR QUOTAION” Malspam Leads To CVE-2017-11882/Possible Remcos Infection

Herbie Zimmerman April 23, 2018 April 23, 2018Packet Analysis 0

Yesterday while looking for some malspam, I came across some emails that used the CVE-2017-11882 exploit which leveraged an AutoIT script to launch the Remcos keylogger process which used some anti-sandbox techniques as well. For some more information about the CVE, please see the following links: https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/ http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882 2018-02-17 REMCOS…

2018-04-20 Pony/Fareit Malspam

Herbie Zimmerman April 21, 2018 April 21, 2018Packet Analysis 0

Found some malspam that looks to be Pony/Fareit related. Generally speaking, Pony/Fareit deals with credential stealing varying from FTP to email clients and any other credential that it may be able to obtain. The results that I got from my VM are different than what I got from Any.Run and…

2018-03-09 Emotet From Malspam

Herbie Zimmerman March 10, 2018 March 10, 2018Packet Analysis 0

A quick post today for some more emotet malspam that I was able to find. Nothing really special about this one with the exception of it using punycode for the URL. Outside of that, this is pretty much the standard old emotet infection that most have seen. I did notice…

2018-02-17 Remcos RAT from malspam

Herbie Zimmerman February 18, 2018 February 18, 2018Packet Analysis 0

Earlier this morning I came across some emails that had a subject line that caught my attention. They were all from the same sender and all of them had the same maldoc attached to them. From what I can tell this looks to be related to the REMCOS RAT as…

2018-02-16 Emotet Maldoc

Herbie Zimmerman February 17, 2018 February 17, 2018Packet Analysis 0

Here is a quick writeup for another Emotet maldoc that I saw. Unfortunately I did not get a copy of the email but it did have a link in it which lead to the maldoc. There were two things in this sample that I saw that were different: 1) no…

Deobfuscating an Emotet MalDoc Script

Herbie Zimmerman December 5, 2017 December 5, 2017Code 0

So this post covers the malicious macro script that was found in an older writeup for Emotet which you can find here. While one could develop tools to help deobfuscate the macro script like @David Ledbetter did in his blog post, I wanted to show another way of doing it…

2017-11-17 Maldoc Using CVE 2017-0199

Herbie Zimmerman November 17, 2017 November 17, 2017Packet Analysis 0

This is a quick writeup on some maldocs that I was able to find in our email filters that used the CVE2017-0199 in them. The emails had the same attachments in them (from a hash perspective) which was a Word document and an Excel spreadsheet. The Word document had a…

2017-11-15 Another Malspam Message Leads to New Emotet

Herbie Zimmerman November 16, 2017 November 16, 2017Packet Analysis 0

This is just a quick writeup for an Emotet malspam that I found in Triton. Nothing to detailed or anything of the sort. I was not able to obtain the initial malicious binary (73077.exe) from the Word document, so after getting all the details, I went back on a clean…

2017-11-01 Another Trickbot Maldoc

Herbie Zimmerman November 2, 2017 November 2, 2017Packet Analysis 0

Looking through the email filters yesterday, I saw numerous emails from the sender “secure@hsbcdocuments.com” with the subject of “We need to confirm your details.” The email was a well laid out phish with a malicious Word document attached. This Word document led to a Trickbot banking malware infection via the…

2017-10-30 Generic Infostealer Malware Using UAC Bypass

Herbie Zimmerman November 1, 2017 November 1, 2017Packet Analysis 2

A quick write-up on a generic infostealer that also uses a UAC bypass technique. I could not find much about this malware outside that it was a generic information stealing malware. For some interesting reading on how to bypass UAC within Windows, please see the following links: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/…