June 14, 2012 | Jaime Blasco


Continuing the research on the last spearphishing campaign we published yesterday, we found that the same group is using another downloader named Win32/Coswid. The dropper is similar to the one we described in the previous report. The main difference is that instead of using an html file to hide the configuration, it gets the config values from…

June 13, 2012 | Jaime Blasco

Ongoing attacks exploiting CVE-2012-1875

Yesterday, Microsoft released the June 2012 Black Tuesday Update including patches for a vulnerability affecting a wide range of versions of Internet Explorer. The exploit works across different Windows versions ranging from XP to Windows 7. The 0day has been actively exploited, as reported by McAfee. We have been able to find several servers hosting similar versions of the…


June 12, 2012 | Jaime Blasco

Unveiling a spearphishing campaign and possible ramifications

A few days ago, DigitalBond published information about an ongoing spearphishing campaign that affected one of their employees. The attackers were using a pdf document related to ICS (Industrial Control Systems) security as a lure to compromise potential targets within the ICS community. After analyzing the initial information provided, my friend Rubén Santamarta from IOActive and I investigated…

June 4, 2012 | Jaime Blasco

Flamer Indicators Of Compromise (OpenIOC)

Since CrySyS Lab and Kaspersky disclosed the existence of a new malware called Flamer, everyone has been analyzing and discovering new information about its behavior. We will try to summarize some of the Indicators Of Compromise (IOCs) that we can use to detect the presence of the Flamer framework using OpenIOC. Created by Mandiant, OpenIOC is an…

May 30, 2012 | Jaime Blasco

How old is Flame?

As all of you probably know, yesterday CrySyS revealed a new threat called Skywiper, also known as Flame or Flamer. There are rumors that the threat has been out there for a couple of years. Based on our investigations, we have found clues that point to different components related to Flame that have been around for nearly four years. The…

May 6, 2012 | Jaime Blasco

Several Targeted Attacks exploiting Adobe Flash Player (CVE-2012-0779)

A couple of days ago, Adobe issued a security update for Adobe Flash Player to fix a vulnerability that has been detected in the wild targeting specific objectives. Several spear phishing campaigns have been detected. The mails sent contain a Word document attachment. It contains a reference to a Flash file that is downloaded from a remote server once the document is opened. This…

April 23, 2012 | Jaime Blasco

MSUpdater Trojan found using CVE-2012-0158: Space and Missile Defense Conference

The number of samples exploiting CVE-2012-0158 has been growing since we reported some of the first infections last week. We have been detecting several ongoing campaigns against several industries. One of the campaigns which attracted our attention is targeting the military and aerospace industry. Some of the documents sent to the victims still have low antivirus detection. For…

April 18, 2012 | Jaime Blasco

CVE-2012-0158, Tibet, Targeted Attacks and so on

As our friends at TrendMicro reported a couple of days ago, CVE-2012-0158 is being actively used in different spearphishing campaigns, mainly against NGOs and Tibet-related organizations. The vulnerability used was patched by Microsoft a week ago: The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2…

March 28, 2012 | Jaime Blasco

Mac OS X trojan encryption routines found in a Linux backdoor

We were working on some information related to the C&C protocol used by the http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ [no longer available] Mac OS X trojan we discovered last week. ESET already did a great job http://blog.eset.com/2012/03/28/osxlamadai-a-the-mac-payload [no longer available] and you can read all the information there. As ESET said,…

March 27, 2012 | Jaime Blasco

MS Office exploit that targets MacOS X seen in the wild - delivers "Mac Control" RAT

Continuing our research on Tibet attacks, we have found more Mac trojans and some interesting MS Office files that deliver them. The group behind these attacks is the same one we have been tracking for a while: - http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ [no longer available] AlienVault Tibet related Research now used to target Tibetan non-governmental organizations …

March 19, 2012 | Jaime Blasco

AlienVault Tibet related Research now used to target Tibetan non-governmental organizations

A few hours ago Greg Walton posted a warning about spearphishing mails sent to non-governmental organizations related to Tibet. The content of these emails is about our previous research, Targeted Attacks against Tibetan organizations. —————Forwarded message————— From: webmaster <[email protected]> Date: Mon, Mar 19, 2012 at 8:20 AM …
