Tuesday, June 14, 2016

New threat actor uses VBA macros in targeted attacks

In recent years, the revival of malicious VBA macros has become quite popular among cyber criminals. At the beginning of last year, a new threat actor also started to send spear phishing emails with malicious Microsoft Word documents. During my research, I have found multiple malicious documents which indicate that this is a campaign of targeted attacks....

Friday, May 27, 2016

What have H1N1 Loader, TreasureHunter and Jolly Roger Stealer in common?

Sometimes, when analysing a malware sample you think: "Wait a minute, I have seen this before". While it's already known that the author of Jolly Roger Stealer is also behind TreasureHunter, this person also wrote H1N1 Loader. When you take a look at the disassembly of Jolly Roger Stealer and H1N1 Loader it becomes clear that it's the same coding style....

Monday, May 23, 2016

Geographical distribution of Furtim malware infections

One month ago, someone posted a malware sample on the Kernelmode forum that uses a huge blacklist of security-related programs. If one of these programs is found on the victim's system, the malware stops execution. Probably, this is the reason why this malware stayed undetected for quite some time. A description and an analysis of this threat called Furtim...

Monday, March 30, 2015

Project APC - Analysis of a piece of malware (German)

I found the bot described in detail below while searching for malware that can load malicious code into another process with the help of so-called asynchronous function calls (Asynchronous Procedure Calls, or APC for short). Besides the ability to inject itself into various Windows processes via APCs, this bot has a number of other interesting functions. For example...

Friday, July 18, 2014

Dyre banker aka Win32/Win64 Battdil - Inside a related web panel

What I have learned over the years as a hobby malware analyst is that whenever you think you are the first who discovered a new malware family, you can be sure at least a dozen people are already working on the threat. And I am not speaking about what you can later see in public... The case of the recently discovered banker named Dyre is no exception. While cleaning up my malware collection...

Monday, June 23, 2014

Malware spread over Facebook - TrojanDownloader:Java/Carastavona.E

Earlier today, I stumbled upon a blogpost by Bitdefender which describes a malware sample that spreads across Facebook users: http://www.hotforsecurity.com/blog/its-not-funny-facebook-users-tricked-into-bitcoin-mining-9263.html I thought to give it a shot, since I have realized in my last article that reversing Java malware is quite funny, probably because it is easier and not that exhausting as...

Friday, June 20, 2014

Blitzanalysis: Embassy of Greece Beijing - Compromise

It's Friday afternoon, I had a bit of free time and stumbled across this tweet by PhysicalDrive0 (thx!) two hours ago and thought to give it a try to finally add a new article to this blog (first of 2014): https://twitter.com/PhysicalDrive0/status/479921770838102017 So, I went to Google to search for the domain of the Embassy of Greece Beijing and added the (allegedly) malicious Java file package...