A while ago Michel wrote a blog post Tracking threat actors through .LNK files. In this post, we want to illustrate how VirusTotal (retro) hunting can be leveraged to extract malware samples and metadata linked to a single threat actor. We use the power of YARA rules to pinpoint the metadata we are looking for. …
Category Archives: malware
Analysis of a CVE-2017-0199 Malicious RTF Document
There is a new exploit (CVE-2017-0199) going around for which a patch was released by Microsoft on 11/04/2017. In this post, we analyze an RTF document exploiting this vulnerability and provide a YARA rule for detection. rtfdump.py is a Python tool to analyze RTF documents. Running it on our sample produces a list with all “entities” …
Tracking threat actors through .LNK files
In the blog post .LNK downloader and bitsadmin.exe in malicious Office document we were asked the following question by Harlan Carvey: Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number? We did not do that at the time, however we see the value in …
New Hancitor maldocs keep on coming…
Didier Stevens will provide NVISO training on malicious documents at Brucon Spring: Malicious Documents for Blue and Red Teams. For more than half a year now we have been seeing malicious Office documents delivering Hancitor malware via a combination of VBA, shellcode and an embedded executable. The VBA code decodes and executes the shellcode, the shellcode hunts for the …
.LNK downloader and bitsadmin.exe in malicious Office document
We received a malicious Office document (529581c1418fceda983336b002297a8e) that tricks the user into clicking on an embedded LNK file, which in turn uses the Microsoft Background Intelligent Transfer Service (BITS) to download a malicious binary from the internet. The following Word document (in Japanese) claims to be an invoice; the user must click the Word icon to generate …
Hunting with YARA rules and ClamAV
Did you know the open-source anti-virus ClamAV supports YARA rules? What benefits can this bring to us? One of the important features ClamAV has is the file decomposition capability. Say that the file you want to analyze resides in an archive, or is a packed executable, then ClamAV will unarchive/unpack the file, and run the YARA …
Working with GFI Cloud anti-virus quarantine files
We were recently requested to analyse a sample that was quarantined by GFI Cloud anti-virus. Based on our previous experiences with various anti-virus products we wanted to obtain the sample directly from the quarantine rather than restoring it first. Anti-virus products use quarantine files to safely store files that were detected as being malicious and thus are …
Detecting py2exe Executables: YARA Rule
Following the release of the tool to decompile EXE files generated with py2exe, we release a YARA rule to detect such EXE files. Imagine you receive an executable for analysis. If you go for static analysis, it’s useful to know how the executable was produced. For example, if it was “converted” from Python to EXE, decompiling …
Analyzing an Office Maldoc with a VBA Emulator
Today we were informed of another maldoc sample. After a quick look, we were convinced that this sample would be a good candidate for Philippe Lagadec’s VBA emulator ViperMonkey. The maldoc in a nutshell: when the spreadsheet is opened, the VBA code builds a long JScript script and then executes it. This script contains base64 code for …
Malicious Document Targets Belgian Users
In this blog post I want to show how a malicious document (maldoc) behaves and how it can be analyzed with free tools. A couple of weeks ago many users in Belgium received an e-mail, supposedly from a courier company, informing them that a package was waiting for them (article in Dutch). This is an example …