Whilst Microsoft is fixing the embedded files feature in OneNote I decided to abuse a whole other feature. Embedded URLs. Turns out this is something they may also have to fix.
Category: Malware
OneNote Embedded file abuse
In recent weeks OneNote has gotten a lot of media attention as threat actors are abusing the embedded files feature in OneNote in their phishing campaigns. In this post we will analyze this new way of malware delivery and create a detection rule for it.
Analysis of a trojanized jQuery script: GootLoader unleashed
Update 24/10/202: We have noticed 2 changes since we published this report 3 months ago. The code has been adapted to use registry key âHKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalizationâ instead of âHKEY_CURRENT_USER\SOFTWARE\Microsoft\Phoneâ (sample SHA256 ed2f654b5c5e8c05c27457876f3855e51d89c5f946c8aefecca7f110a6276a6e) When the payload is Cobalt Strike, the beacon configuration now contains hostnames for the C2, like r1dark[.]ssndob[.]cn[.]com and r2dark[.]ssndob[.]cn[.]com (all prior CS samples we … Continue reading Analysis of a trojanized jQuery script: GootLoader unleashed
Analyzing VSTO Office Files
VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server. An article was recently published on the creation of these document files for … Continue reading Analyzing VSTO Office Files
Hunting Emotet campaigns with Kusto
Introduction Emotet doesn't need an introduction anymore - it is one of the more prolific cybercriminal gangs and has been around for many years. In January 2021, a disruption effort took place via Europol and other law enforcement authorities to take Emotet down for good. [1] Indeed, there was a significant decrease in Emotet malicious … Continue reading Hunting Emotet campaigns with Kusto
Kernel Karnage – Part 7 (Out of the Lab and Back to Reality)
This week I emerge from the lab and put on a different hat. 1. Switching hats With Interceptor being successful in blinding $vendor2 sufficiently to run a meterpreter reverse shell, it is time to put on the red team hat and get out of the perfect lab environment. To do just that, I had to … Continue reading Kernel Karnage – Part 7 (Out of the Lab and Back to Reality)
Kernel Karnage – Part 6 (Last Call)
With the release of this blogpost, weâre past the halfway point of my internship; time flies when youâre having fun. 1. Introduction - Status Report In the course of these 6 weeks, Iâve covered several aspects of kernel drivers and EDR/AVs kernel mechanisms. I started off strong by examining kernel callbacks and why EDR/AV products … Continue reading Kernel Karnage – Part 6 (Last Call)
New mobile malware family now also targets Belgian financial apps
While banking trojans have been around for a very long time now, we have never seen a mobile malware family attack the applications of Belgian financial institutions. Until today... Earlier this week, the Italy-based Cleafy published an article about a new android malware family which they dubbed TeaBot. The sample we will take a look … Continue reading New mobile malware family now also targets Belgian financial apps
How to analyze mobile malware: a Cabassous/FluBot Case study
This blogpost explains all the steps I took while analyzing the Cabassous/FluBot malware. I wrote this while analyzing the sample and I've written down both successful and failed attempts at moving forward, as well as my thoughts/options along the way. As a result, this blogpost is not a writeup of the Cabassous/FluBot malware, but rather … Continue reading How to analyze mobile malware: a Cabassous/FluBot Case study
Epic Manchego â atypical maldoc delivery brings flurry of infostealers
In July 2020, NVISO detected a set of malicious Excel documents, also known as âmaldocsâ, that deliver malware through VBA-activated spreadsheets. While the malicious VBA code and the dropped payloads were something we had seen before, it was the specific way in which the Excel documents themselves were created that caught our attention. The creators … Continue reading Epic Manchego â atypical maldoc delivery brings flurry of infostealers