September 6, 2018 | Javier Ruiz

Malware Analysis using Osquery Part 2

In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document…

August 1, 2018 | Jose Manuel Martin

Off-the-shelf RATs Targeting Pakistan

IntroductionWe’ve identified a number of spear phishing campaigns with Pakistani themed documents, likely targeting the region. These spear phishing emails use a mix of different openly available malware and document exploits for delivery. These are served from the compromised domains www.serrurier-secours[.]be and careers.fwo.com[.]pk (a part of the Pakistani army). There are some…

Get the latest security news in your inbox.

Subscribe via Email

July 31, 2018 | Javier Ruiz

Malware Analysis using Osquery Part 1

Tools like Sysmon and Osquery are useful in detecting anomalous behavior on endpoints. These tools give us good visibility of what’s happening on endpoints by logging multiple types of events, which we can forward to a SIEM or other correlation system for analysis.In this blog series, we’ll analyze different malware families, looking at the types…

July 18, 2018 | James Quinn

ZombieBoy

This is a guest post by independent security researcher James Quinn.Continuing the 2018 trend of cryptomining malware, I’ve found another family of mining malware similar to the “massminer” discovered in early May.  I’m calling this family ZombieBoy since it uses a tool called ZombieBoyTools to drop the first dll.ZombieBoy, like MassMiner, is…

June 22, 2018 | Chris Doman

Malicious Documents from Lazarus Group Targeting South Korea

By Chris Doman, Fernando Martinez and Jaime BlascoWe took a brief look at some documents recently discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the…

June 20, 2018 | Jose Manuel Martin

GZipDe: An Encrypted Downloader Serving Metasploit

At the end of May a Middle Eastern news network published an article about the next Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the area. It uses a piece of text taken from the report as a decoy:This is the first step of a multistage infection in which several servers and…

June 11, 2018 | Chris Doman

More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea

Written By Chris Doman and Jaime BlascoIntroductionRecently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.…

June 1, 2018 | Javier Ruiz

Satan Ransomware Spawns New Methods to Spread

Today, we are sharing an example of how previously known malware keeps evolving and adding new techniques to infect more systems.BleepingComputer first reported on Satan ransomware in January 2017. Recently, Satan Ransomware was identified as using the EternalBlue exploit to spread across compromised environments (BartBlaze’s blog). This is the same exploit associated with a previous WannaCry Ransomware campaign.…

May 1, 2018 | Chris Doman

MassMiner Malware Targeting Web Servers

Written in collaboration wih Fernando MartinezOne of the biggest malware-trends of 2018 has been the increasing variety of crypto-currency malware targeting servers.One family of mining malware, we’ve termed “MassMiner”, stands out as a worm that not only spreads itself through number of different exploits, but also brute-forces access to Microsoft SQL Servers. It surprised us…

January 8, 2018 | Chris Doman

A North Korean Monero Cryptocurrency Miner

AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with…

November 9, 2017 | Chris Doman

LockCrypt Ransomware Spreading via RDP Brute-Force Attacks

We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers.Initial reports of a new variant of ransomware called LockCrypt started in June of this year. In October we saw an increase in infections.LockCrypt doesn’t have heavy code…

October 19, 2017 | Chris Doman

ARP Spoofing Used to Insert Malicious Adverts

Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view.The open file server at http://222.186.11[.]182:9999The Rar ArchiveOne of the…

Watch a Demo ›
GET PRICE FREE TRIAL CHAT