March 20, 2013 | Jaime Blasco

A theory on the South Korean attacks

During the day I’ve been thinking about what has just happened in South Korea. It is a very simple piece of code that overwrites the MBR (Master Boot Record), making the affected system unable to start after reboot. Other companies have published information about the wiper payloads, but no one is giving information about how the attackers gained…

March 20, 2013 | Jaime Blasco

Information about the South Korean banks and media systems attacks

As many of you probably know, several South Korean banks and media companies have been affected by an attack that has wiped several systems. It seems the South Korean security company Nshc has published more details on its Facebook page. Based on the samples we collected, the malware overwrites the MBR (Master Boot Record) of the system. After reboot…


March 14, 2013 | Jaime Blasco

Latest Adobe PDF exploit used to target Uyghur and Tibetan activists

Last month Adobe released a fix to patch a vulnerability that was being exploited in the wild. Kaspersky found that the 0day was being used by a very sophisticated group to target different governments using a malware called MiniDuke. AlienVault Labs has detected that a different group of attackers has been using this vulnerability to target non-governmental and…

February 20, 2013 | Jaime Blasco

Yara rules for APT1/Comment Crew malware arsenal

I’m sure all of you have heard about Mandiant’s APT1 report published yesterday. As many of you probably know, we have been tracking and exposing this group for a long time, as have other individuals and companies in the security industry. A couple of examples are:…

February 13, 2013 | Jaime Blasco

Cyber espionage campaign against the Uyghur community, targeting MacOSX systems

During the last few days, together with our colleagues from Kaspersky Lab, we have been investigating a new strain of spearphishing mails sent to the Uyghur community. You can read their analysis here. The mails sent contain a Microsoft Office .doc file that exploits MS09-027, affecting Microsoft Office for Mac; this is the same…

February 11, 2013 | Alberto Ortega

Set up your keylogger to report by email? Bad idea! (The case of Ardamax)

A couple of days ago, I was surfing our wild Internet when I came across a dirty piece of software dedicated to stealing accounts of a popular build-with-bricks videogame. The program offered a premium account for the videogame for free. In reality it was a stealer, which installs a keylogger on your computer to record and…

February 8, 2013 | Jaime Blasco

Adobe patches two vulnerabilities being exploited in the wild

Yesterday, Adobe released a patch for Adobe Flash that fixed a zeroday vulnerability that was being exploited in the wild. According to Adobe, CVE-2013-0633 is being exploited using Microsoft Office files with embedded Flash content delivered via email. They are also aware of CVE-2013-0634 being exploited through web browsers such as Firefox and Safari on MacOSX. FireEye released…

January 21, 2013 | Jaime Blasco

Red October - Indicators of Compromise and Mitigation Data

Together with our partner, Kaspersky, we’re releasing a whitepaper on the “indicators of compromise” that can be useful to detect and mitigate the threats from Red October. It contains indicators to detect most of the Red October activity in your systems and networks. Inside the whitepaper you will find Snort rules as well as an OpenIOC file that you…

January 10, 2013 | Jaime Blasco

New year, new Java zeroday!

Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain, we reproduced the exploit on a fully patched, fresh installation of Java. As you can see below, we tricked the malicious Java applet into executing calc.exe in our lab. The Java file is highly…

December 29, 2012 | Jaime Blasco

Just another water hole campaign using an Internet Explorer 0day

At the beginning of the week we started to analyze a water hole campaign that was present on the Council on Foreign Relations (CFR) portal. After studying the attack and the payload and realizing that it was likely using a zeroday exploit against Internet Explorer, we sent the information to the Microsoft Security Response Center (MSRC), which is still investigating the…

December 19, 2012 | Alberto Ortega

Hardening Cuckoo Sandbox against VM aware malware

Some time ago, we wrote a post about how a lot of malware samples check the execution environment and, if it is unwanted (VM, debugger, sandbox, ...), the execution unexpectedly finishes. We use Cuckoo Sandbox in the lab for our analysis tasks; we really love how customizable it is. Sometimes we have to deal with malware that is aware of the execution environment,…

December 17, 2012 | Jaime Blasco

Batchwiper: Just Another Wiping Malware

A few days ago, the Iranian CERT (Maher Center) released information about a newly identified targeted malware with wiping capabilities. The piece of code is very simple: it deletes files on different drives on specific dates. The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed, it extracts the following files: \WINDOWS\system32…
