Let's get the team together…

It was the last week of April: our entire NVISO team had packed their bags and was ready to board a plane. Where to? A secret location, to celebrate the achievements of our fantastic team! Destination: unknown... From the very beginning, it became clear that the discovery of our destination was a fun team-building event by …

Hunting malware with metadata

A while ago Michel wrote a blog post Tracking threat actors through .LNK files. In this post, we want to illustrate how VirusTotal (retro) hunting can be leveraged to extract malware samples and metadata linked to a single threat actor. We use the power of YARA rules to pinpoint the metadata we are looking for. …

Analysis of a CVE-2017-0199 Malicious RTF Document

There is a new exploit (CVE-2017-0199) going around for which a patch was released by Microsoft on 11/04/2017. In this post, we analyze an RTF document exploiting this vulnerability and provide a YARA rule for detection. rtfdump.py is a Python tool to analyze RTF documents. Running it on our sample produces a list with all "entities" …

CSCBE Challenge Write-up – Sufbo

The Sufbo challenge was tackled during the Cyber Security Challenge qualifiers and proved to be very difficult to solve. This write-up gives you a possible way of solving it! Credits All challenges of the Cyber Security Challenge are created by security professionals from many different organisations. The Sufbo challenge in particular was created by Adriaan Dens, …

Tracking threat actors through .LNK files

In the blog post .LNK downloader and bitsadmin.exe in malicious Office document we were asked the following question by Harlan Carvey: Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number? We did not do that at the time, however we see the value in …

CSCBE Challenge Write-up – Trace Me

This is the first post in a series of write-ups on some of the challenges that were tackled by students during our Cyber Security Challenge Belgium this month. Credits All challenges of the Cyber Security Challenge Belgium are created by security professionals from many different organisations. The TraceMe challenge in particular was created by Vasileios Friligkos, one …

New Hancitor maldocs keep on coming…

Didier Stevens will provide NVISO training on malicious documents at Brucon Spring: Malicious Documents for Blue and Red Teams. For more than half a year now we see malicious Office documents delivering Hancitor malware via a combination of VBA, shellcode and embedded executable. The VBA code decodes and executes the shellcode, the shellcode hunts for the …

.LNK downloader and bitsadmin.exe in malicious Office document

We received a malicious Office document (529581c1418fceda983336b002297a8e) that tricks the user into clicking on an embedded LNK file which in its turn uses the Microsoft Background Intelligent Transfer Service (BITS) to download a malicious binary from the internet. The following Word document (in Japanese) claims to be an invoice, the user must click the Word icon to generate …

Developing complex Suricata rules with Lua – part 2

In part 1 we showed a Lua program to have Suricata detect PDF documents with obfuscated /JavaScript names. In this second part we provide some tips to streamline the development of such programs. When it comes to developing Lua programs, Suricata is not the best development environment. The "write code & test"-cycle with Suricata can …