April 2, 2019 | Tom Hegel

Xwo - A Python-based bot scanner

Jaime Blasco and Chris Doman collaborated on this blog. Overview: Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families…

March 25, 2019 | James Quinn

The odd case of a Gh0stRAT variant

This is a guest post by independent security researcher James Quinn. This will be Part 1 of a series titled Reversing Gh0stRAT Variants.  As 2018 drew to a close and 2019 took over, I began to see a different behavior from SMB malware authors.  Instead of massive, multi-staged cryptocurrency miners, I began to see more small, covert RATs serving…

Get the latest security news in your inbox.

Subscribe via Email

March 14, 2019 | Tom Hegel

Making it Rain - Cryptocurrency Mining Attacks in the Cloud

By Chris Doman and Tom Hegel Organizations of all sizes have made considerable shifts to using cloud-based infrastructure for their day-to-day business operations. However, cloud security hasn't always kept up with cloud adoption, and that leaves security gaps that hackers are more than happy to take advantage of. One of the most widely observed objectives of attacking an organization'…

March 6, 2019 | Chris Doman

Internet of Termites

Termite is a tool used to connect together chains of machines on a network. You can run Termite on a surprising number of platforms including mobile devices, routers, servers and desktops. That means it can be used used to bounce a connection between multiple machines, to maintain a connection that otherwise wouldn’t be possible: Termite is a useful…

March 5, 2019 | Javier Ruiz

Mapping TrickBot and RevengeRAT with MITRE ATT&CK and AlienVault USM Anywhere

MITRE ATT&CK™ (Adversarial Tactics, Techniques and Common Knowledge) is a framework for understanding attackers’ behaviors and actions. We are pleased to announce that AlienVault USM Anywhere and Open Threat Exchange (OTX)  now include MITRE ATT&CK™ information. By mapping alarms to their corresponding ATT&CK techniques,…

December 17, 2018 | Javier Ruiz

Malware Analysis using Osquery | Part 3

In part 1 of this blog series, we analyzed malware behaviour, and, in part 2, we learned how to detect persistence tricks used in malware attacks. Still, there are more types of events that we can observe with Osquery when malicious activity happens. So, in the last blog post of the series, we will discuss how to detect another example of a…

October 29, 2018 | James Quinn

MadoMiner Part 2 - Mask

This is a guest post by independent security researcher James Quinn.       If you have not yet read the first part of the MadoMiner analysis, please do so now.  This analysis will pick up where Part 1 left off, while also including  a brief correction.  The x64 version of the Install module was…

October 18, 2018 | Jose Manuel Martin

Detecting Empire with USM Anywhere

Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems.  It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems. Empire can: Deploy fileless agents to perform command and control. Exploit vulnerabilities to escalate privileges. Install itself for persistence. Steal user…

October 8, 2018 | Chris Doman

Delivery (Key)Boy

Introduction Below we’ve outlined the delivery phase of some recent attacks by KeyBoy, a group of attackers believed to operate out of China. They were first identified in 2013 targeting governments and NGOs in South East Asia. Their primary targeting continues to this day, though they have also been known to target more diverse victims such as the energy…

September 24, 2018 | James Quinn

MadoMiner Part 1 - Install

2018 seems to be a time for highly profitable cryptominers that spread over SMB file-shares.  Following my analysis on ZombieBoy in July, I found a new malware sample that I’m calling MadoMiner.  With the help of Chris Doman, I was able to analyze it to discover that it uses techniques similar to ZombieBoy, because it hijacks Zombieboy…

September 6, 2018 | Javier Ruiz

Malware Analysis using Osquery Part 2

In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document…

August 1, 2018 | Jose Manuel Martin

Off-the-shelf RATs Targeting Pakistan

Introduction We’ve identified a number of spear phishing campaigns with Pakistani themed documents, likely targeting the region. These spear phishing emails use a mix of different openly available malware and document exploits for delivery. These are served from the compromised domains www.serrurier-secours[.]be and careers.fwo.com[.]pk (a part of the Pakistani army). There are some…

Watch a Demo ›
Get Price Free Trial