Dridex Updates Payload Distribution
Dridex spreads mainly using Office documents containing malicious macros, initially the primary stage would involve using VBA (Visual Basic for Applications) to download and execute the loader from...

Infosec Without a Degree
I've seen plenty of blogs from people who got into infosec through the academic route, so I figured I'd cover the other side and try to answer the three most asked questions I get via email and twitter:...

How Cerber's Hash Factory Works
Recently I saw a story on SecurityWeek about how the Cerber ransomware morphs every 15 seconds (each download results in a file with a new hash), which I then tracked back to the source, this article...

What's Happening with Necurs, Dridex, and Locky?
Around the 8th of June VICE picked up the story about Necurs' downtime and wrote a great article including a tweet from Kevin Beaumont referencing my botnet tracker. I was contacted for comment and...

When Scriptkiddies Attack
Usually I don't blog about the hundreds of ridiculous or downright crazy emails I receive each year, but this exchange makes all the others seem completely reasonable in comparison. Normally my...

Necurs.P2P – A New Hybrid Peer-to-Peer Botnet
Last week I received a tip about a sample displaying some indication that it could be peer-to-peer (a large amount of UDP traffic being sent to residential IPs), after a couple days of analysis I was...

DDoSing with Other People's Botnets
While I was reverse engineering ZeroAccess in order to write a monitoring system, I had an idea which would allow me to use ZeroAccess C&C infrastructure to reflect and amplify a UDP based DDoS...

Let's Analyze: Dridex (Part 1)
Due to popular request I'm starting a new reverse engineering article series which will detail how I go about analyzing various samples, instead of just presenting my findings like I normally do. Most...

Let's Analyze: Dridex (Part 2)
In the previous article we went over how to dump the names of the majority of functions Dridex resolves dynamically to complicate analysis. Today we will be using some similar methods to get the other...

Let's Analyze: Dridex (Part 3)
Sorry for the longer than expected delay, occasionally the Dridex group will take the servers offline during the weekend and resume normal operations on Monday; however, it appears they decided to take...
Automatic Transfer Systems (ATS) for Beginners
ATS is one of the newer techniques employed by banking malware that not many people are familiar with, so I thought I'd do a small post explaining it. To fully appreciate the complexity of ATS we have...

No the FBI Are Not Sending Bitcoins to the Shadowbrokers
A few days ago someone made the following post which suggested the FBI were sending bitcoin from the wallet where all of the seized coins from Silkroad were sent to the ShadowBrokers auction address;...

Significant Increase in Kelihos Botnet Activity
Since the Kelihos takedown in front of a live audience at RSA Conference in 2013, the operator had opted to maintain a low profile by keeping the total number of infections at only a fraction of the...

Dridex Returns to the UK With Updated TTPs
With the exception of a few unconfirmed reports of Dridex targeting Baltic countries (which doesn't make much sense economically), infection campaigns have ceased since mid August when Dridex briefly...

Mapping Mirai: A Botnet Case Study
Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it's also the bot used in the 620 Gbps DDoS attack on Brian Krebs' blog...

Why Open Source Ransomware is Such a Problem
A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn't limited to people working in the...