September 24, 2013 | Eduardo De la Arada

OSX/Leverage.a Analysis

A few days ago, a new OSX malware was detected in the wild. It looks like a picture and behaves like one when you click on it. Everything looks fine when the clicked picture is opened on the screen, but the malware also performs some other actions. After the first look, we saw that the malware copies itself to /Users…

September 17, 2013 | Jaime Blasco

Announcing a new free service: Reputation Monitor Alert

A few weeks ago we launched a new free service called Reputation Monitor Alert. The service aims to alert companies about potentially compromised systems and other security problems in their infrastructure. To do this we use all the threat intelligence we gather using our IP reputation database, among other external reputation sources. Once you log in, you just have to enter…


August 27, 2013 | Jaime Blasco

Several domains including New York Times and Twitter ones attacked by Syrian Electronic Army

During the last few hours several domains, including the one from The New York Times, have been redirected to a Syrian Electronic Army server. Here is the list of domains pointing to that server: Returned 39 RRs in 1.50 seconds. sokiland.fr.nf. A 141.105.64.37 sea.sy. A 141.105.64.37 m.sea.sy. A 141.105.64.37 mob.sea.sy. A 141.105.64.37 www.mob.sea.sy. A 141.105.64.37 leaks.sea…

July 1, 2013 | Jaime Blasco

Hunting for malware with undocumented instructions

A few days ago Microsoft Malware Protection Center published a great blog post about some undocumented instruction tricks being used by several malware families. As you can read in the post, they found some malware samples using FPU instructions that lead to incorrect disassembly in several debuggers and disassemblers. I decided to write a small Python script to help us…

June 26, 2013 | Alberto Ortega

Take care of your server, or it will be hacked and sold

Have you ever had a server open to the internet with an SSH service running? Then you know how common it is to receive break-in attempts against your servers, produced by automated bots that scan wide ranges of hosts trying weak user/password combinations to log into remote machines. But what happens next? What is the business behind these…

June 17, 2013 | Alberto Ortega

Urausy ransomware family, a quick internals overview

Ransomware is popular among bad actors. The Reveton malware family (based on Citadel) made a difference last year; now it is losing popularity in favor of Urausy, just another lock-screen ransomware. There are plenty of them living in the wild, but in this post we are going to focus on Urausy. These malware families are being spread by using exploit…

May 23, 2013 | Jaime Blasco

Yara rules and network detection for Operation Hangover

Last week, our friends from Norman published a great report on a cyber espionage campaign named Operation Hangover. We have released some Yara rules to detect most of the payloads mentioned in the paper. You can download the rules from our Github space: On the other hand, the Hangover attackers have been using several payloads with network capabilities to steal…

May 5, 2013 | Jaime Blasco

New Internet Explorer zeroday was used in the DoL Watering Hole campaign

In our first analysis we reported that the exploited vulnerability was CVE-2012-4792. Further analysis showed that the vulnerability exploited wasn’t CVE-2012-4792 but a new zeroday vulnerability affecting Internet Explorer 8 (CVE-2013-1347). It was confirmed by Microsoft, which released a Security Advisory on Friday, and also by FireEye and Invincea. In addition we have…

May 1, 2013 | Jaime Blasco

U.S. Department of Labor website hacked and redirecting to malicious code

During the last few hours we have identified that one of the U.S. Department of Labor websites has been hacked and is serving malicious code. Clarification: the website affected is the Department of Labor (DOL) Site Exposure Matrices (SEM) Website. “The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository…

April 29, 2013 | Eduardo De la Arada

UrlQuery Chrome Extension

UrlQuery is “a service for detecting and analyzing web-based malware”, as its website claims. The service is very useful and provides a detailed report of the submitted webpage. We use these services a lot in the lab, so we’ve decided to make our lives easier by developing a simple context menu extension which automatically sends URLs to the service. The…

April 16, 2013 | Jaime Blasco

How cybercriminals are exploiting Bitcoin and other virtual currencies

- What is Bitcoin? Bitcoin is an online decentralised virtual currency based on an open source, P2P protocol. Bitcoins can be transferred using a computer without relying on a financial institution. If you haven’t heard about Bitcoin I recommend you watch the following video: Both the Bitcoin creation and transfer are performed by computers called “miners…

March 21, 2013 | Jaime Blasco

New Sykipot developments

Summary: During the last few years, we have been publishing about a group of hackers who have focused on targeting the DIB (Defence Industrial Base) and other government organizations:
- Another Sykipot sample likely targeting US federal agencies
- Are the Sykipot’s authors obsessed with next generation US drones?
- Sykipot variant hijacks DOD and Windows smart cards
- …
