Hunting for Linux library injection with Osquery

June 20, 2019 | Jaime Blasco
Jaime Blasco

Vice President and Chief Scientist

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team, which researches threat intelligence and integrates it into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work on emerging threats and targeted attacks is frequently cited in international publications such as the New York Times, BBC, Washington Post and Al Jazeera.

January 10, 2013 | Jaime Blasco

New year, new Java zeroday!

Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab. The Java file is highly…

December 29, 2012 | Jaime Blasco

Just another water hole campaign using an Internet Explorer 0day

At the beginning of the week we started to analyze a water hole campaign that was present on the Council on Foreign Relations (CFR) portal. After studying the attack and the payload and realizing that it was likely using a zeroday exploit against Internet Explorer, we sent the information to Microsoft Security Response Center (MSRC), which is still investigating the…


December 17, 2012 | Jaime Blasco

Batchwiper: Just Another Wiping Malware

A few days ago, the Iranian CERT (Maher Center) released information about a newly identified targeted malware with wiping capabilities. The piece of code is very simple: it deletes files on different drives on specific dates. The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed it extracts the following files: WINDOWSsystem32SLEEP…

October 31, 2012 | Jaime Blasco

Georbot Botnet - A cyber espionage campaign against Georgian Government

A few days ago, CERT-Georgia published a great report describing a cyber espionage campaign. ESET wrote a great report a few months ago as well. The report said the malware was found in Georgian governmental agencies including ministries, parliament, banks and NGOs.…

September 19, 2012 | Jaime Blasco

New versions of the IExplorer ZeroDay emerge targeting Defence and Industrial companies

As we related in our previous blog post, the latest Internet Explorer ZeroDay is being used to target specific sectors, including the Defence and Industrial ones. Following our investigations on the servers found serving the Internet Explorer Zeroday and using OSINT, we were able to use the WHOIS mail address and the IP addresses used by the attackers…

September 18, 2012 | Jaime Blasco

The connection between the Plugx Chinese gang and the latest Internet Explorer Zeroday

Some hours ago my friend PhysicalDrive0 pointed me to a new version of Moh2010.swf that was found in the wild as part of some content exploiting the last Internet Explorer Zeroday. The exploit code was being served on hosted on: The exploit scheme is the same one, the original vector is hosted under /Exploit.html.…

September 17, 2012 | Jaime Blasco

New Internet Explorer zero day being exploited in the wild

After the last zero day exploit on Java we reported some weeks ago, it appears that a new 0day has been found in Internet Explorer by the same authors that created the Java one. Yesterday, Eric Romang reported the findings of a new exploit code on the…

September 13, 2012 | Jaime Blasco

Tracking down the author of the PlugX RAT

Some days ago, TrendMicro published some information about a new version of a RAT called PlugX. For the last few months we have been tracking a group using the PlugX RAT that has been attacking different targets, especially in Japan, Taiwan and Korea, and against Tibetan organizations and individuals. In this post we will focus on the intelligence we have extracted…

August 27, 2012 | Jaime Blasco

New Java 0day exploited in the wild

A few hours ago, FireEye published some information related to a new Java 0day exploited in the wild. The malicious JAR file was served from / meeting / index.html. The HTML loads the Java applet, passing some parameters that are used later to build the URL to download the payload. The HTML is encrypted using “Dadong’s JSXX 0.44…

August 15, 2012 | Jaime Blasco

CVE-2012-1535: Adobe Flash being exploited in the wild

Yesterday Adobe issued a security update to address CVE-2012-1535, which was being exploited in the wild. The sample that we analyzed is a Microsoft Office Word document with an embedded malicious Flash file. The name of the malicious doc file is iPhone 5 Battery.doc, md5: 7e3770351aed43fd6c5cab8e06dc0300. The doc file contains…

August 6, 2012 | Jaime Blasco

Feeding Alienvault’s Open Threat Exchange (OTX) threat information to ArcSight

When we launched the Open Threat Exchange (OTX) project, one of our goals was creating an open and free threat database and exchange system. We want it to be used by as many users as possible, across a wide range of technologies. That is why we are publishing some code to feed our Open Threat Exchange (OTX) data to an…

July 18, 2012 | Jaime Blasco

New AlienVault OSSIM v4.0 is out: New correlation capabilities

Today we are launching the new AlienVault OSSIM v4.0. You can download it from here. Apart from tons of new features, we have improved the correlation engine capabilities; two of the most impressive features are: - Taxonomy correlation based on the Category and Subcategory of the events. - Correlation using the Open Threat Exchange (OTX) data. The correlation directives editor…
