December 17, 2018 | Javier Ruiz

Malware Analysis using Osquery | Part 3

In part 1 of this blog series, we analyzed malware behaviour, and, in part 2, we learned how to detect persistence tricks used in malware attacks. Still, there are more types of events that we can observe with Osquery when malicious activity happens. So, in the last blog post of the series, we will discuss how to detect another example of a…

October 29, 2018 | James Quinn

MadoMiner Part 2 - Mask

This is a guest post by independent security researcher James Quinn. If you have not yet read the first part of the MadoMiner analysis, please do so now. This analysis will pick up where Part 1 left off, while also including a brief correction. The x64 version of the Install module was…


October 18, 2018 | Jose Manuel Martin

Detecting Empire with USM Anywhere

Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems. It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems. Empire can: deploy fileless agents to perform command and control, exploit vulnerabilities to escalate privileges, install itself for persistence, steal user…

October 8, 2018 | Chris Doman

Delivery (Key)Boy

Below we’ve outlined the delivery phase of some recent attacks by KeyBoy, a group of attackers believed to operate out of China. They were first identified in 2013 targeting governments and NGOs in South East Asia. Their primary targeting continues to this day, though they have also been known to target more diverse victims such as the energy…

September 24, 2018 | James Quinn

MadoMiner Part 1 - Install

2018 seems to be a time for highly profitable cryptominers that spread over SMB file-shares. Following my analysis on ZombieBoy in July, I found a new malware sample that I’m calling MadoMiner. With the help of Chris Doman, I was able to analyze it to discover that it uses techniques similar to ZombieBoy, because it hijacks ZombieBoy…

September 6, 2018 | Javier Ruiz

Malware Analysis using Osquery Part 2

In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document…

August 1, 2018 | Jose Manuel Martin

Off-the-shelf RATs Targeting Pakistan

We’ve identified a number of spear phishing campaigns with Pakistani themed documents, likely targeting the region. These spear phishing emails use a mix of different openly available malware and document exploits for delivery. These are served from the compromised domains www.serrurier-secours[.]be and[.]pk (a part of the Pakistani army). There are some…

July 31, 2018 | Javier Ruiz

Malware Analysis using Osquery Part 1

Tools like Sysmon and Osquery are useful in detecting anomalous behavior on endpoints. These tools give us good visibility of what’s happening on endpoints by logging multiple types of events, which we can forward to a SIEM or other correlation system for analysis. In this blog series, we’ll analyze different malware families, looking at the types…
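The three Osquery posts above describe tracing a maldoc-delivered loader (Part 1), spotting persistence tricks (Part 2) and shipping the results to a SIEM. The queries below are an added example written for this listing, not code from the series or from the osquery project. They use only the standard osquery tables `processes`, `registry` and `scheduled_tasks` (the latter two are Windows-only); the parent and child process names and the `System32` path filter are illustrative assumptions, not indicators from the posts.

```sql
-- Added example (not from the blog series): osquery queries for two behaviours
-- the series covers. Run them interactively in osqueryi on a Windows host, or
-- place them in a query pack with an interval so differential results are
-- logged and forwarded to a SIEM.

-- 1. Scripting/LOLBin children of Office applications: the process tree a
--    macro-laden document such as the Emotet loader produces. The parent and
--    child name lists are assumptions chosen for illustration.
SELECT p.pid,
       p.name   AS child,
       p.cmdline,
       pp.name  AS parent,
       pp.path  AS parent_path
FROM processes p
JOIN processes pp ON pp.pid = p.parent
WHERE LOWER(pp.name) IN ('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
  AND LOWER(p.name)  IN ('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                         'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe');

-- 2a. Autostart persistence via Run keys. The registry table needs a constraint
--     on key; '%' matches one path level, so the second pattern covers every
--     loaded user hive under HKEY_USERS.
SELECT key, name, data, datetime(mtime, 'unixepoch') AS modified
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run';

-- 2b. Enabled scheduled tasks whose action runs something outside System32.
--     The path filter is a coarse assumption; tune it to the fleet's baseline.
SELECT name, path, action, enabled, hidden
FROM scheduled_tasks
WHERE enabled = 1
  AND LOWER(action) NOT LIKE '%\windows\system32\%';
```

Query 1 is a point-in-time snapshot, so short-lived children are easily missed when run by hand; scheduled at a short interval in a pack, or paired with osquery's process event tables where they are enabled, it becomes a usable detection. Queries 2a and 2b are best run as differential scheduled queries, so only new or changed autostart entries reach the SIEM.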

July 18, 2018 | James Quinn


This is a guest post by independent security researcher James Quinn. Continuing the 2018 trend of cryptomining malware, I’ve found another family of mining malware similar to the “MassMiner” discovered in early May. I’m calling this family ZombieBoy since it uses a tool called ZombieBoyTools to drop the first DLL. ZombieBoy, like MassMiner, is…

June 22, 2018 | Chris Doman

Malicious Documents from Lazarus Group Targeting South Korea

By Chris Doman, Fernando Martinez and Jaime Blasco. We took a brief look at some documents recently discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the…

June 20, 2018 | Jose Manuel Martin

GZipDe: An Encrypted Downloader Serving Metasploit

At the end of May a Middle Eastern news network published an article about the next Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the area. It uses a piece of text taken from the report as a decoy. This is the first step of a multistage infection in which several servers and…

June 11, 2018 | Chris Doman

More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea

Written by Chris Doman and Jaime Blasco. Recently, an ActiveX zero-day was discovered on the website of a South Korean think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.…
