Hancitor. Evasive new waves, and how COM objects can use Cached Credentials for Proxy Authentication.

While analyzing a new wave of Hancitor, I have determined that they have combined a variety of techniques, which greatly increases the effectiveness of the campaign. According to my research, they have leveraged an effective combination of Living off the Land techniques in order to evade detection: WMI for indirect command execution and COM…

Reverse Engineering an Unknown RAT – Let’s call it SkidRAT 1.0

While monitoring a blogspot page that keeps embedding malicious scripts to execute on victim systems, I saw some code changes that interested me. Specifically, they added another payload for victim systems to retrieve. A casual glimpse at the blog post below wouldn’t make you think that the post was malicious. However, it does contain embedded…

Making MetaData Tracking More Difficult – Ideas to Improve Signal.

Currently, telecoms and nation states are able to see direct correlations between the source and destination of Signal messages via the metadata of those communications. This is also what gives those same entities the power to figure out exactly which individuals to target, by tracking down the sources and destinations of those messages. However, I propose…

50 Malicious Chrome Extensions – A Minimum of 59 Million Users’ Browsers Infected Over the Last 3 Years

While monitoring the latest Threat Intelligence and InfoSec news articles, I came across an excellent article posted on April 17th, 2018 by the company “AdGuard”, linked here. I determined a method of detection based on this campaign’s unique usage of hashes in a .txt file for domain comparisons. Specifically, there were many hashes that are…

Detecting Ursnif Infected Word Documents through metadata.

Good Afternoon, I have recently been working on methods to detect an Information Stealer/Trojan known as Ursnif. The difficulty in detection lies in the use of encrypted Word documents. These documents use an additional encryption pack that comes by default with Office 2007 SP2 or higher. The encryption pack is known as the “High Encryption…

Emotet/Geodo Updated Analysis

Good Morning Everyone, I have created a PassiveTotal project for tracking the downloader and payload domains. Information on the 214 different domains that we have observed thus far over the last 3 days can be found in the link below. We are estimating 128 unique domains per day but are still encountering various variants.…

Emotet/Geodo Domains

Good Morning, While researching a wave of what other analysts alerted as Emotet/Geodo, I found 128 different domains that are hosting the JavaScript-based downloader and the payloads. The list of domains can be found at the following Pastebin; I don’t want to link them here as Google will mark my blog malicious if I…