Just another water hole campaign using an Internet Explorer 0day
December 29th, 2012 | Posted by in APT | Attacks | Exploits | Malware - (Comments Off)
At the beginning of the week we started to analyze a water hole campaign that was present on the Council on Foreign Relations (CFR) portal. After studying the attack and the payload and realizing that it was likely using a zero-day exploit against Internet Explorer, we sent the information to the Microsoft Security Response Center (MSRC), which is …

Hardening Cuckoo Sandbox against VM aware malware
December 19th, 2012 | Posted by in Code | Malware | Windows - (Comments Off)
Some time ago, we wrote a post about how a lot of malware samples check the execution environment, and if it is unwanted (VM, debugger, sandbox, …) the execution unexpectedly finishes. We use Cuckoo Sandbox in the lab for our analysis tasks; we really love how customizable it is. Sometimes we have to deal with …
Batchwiper: Just Another Wiping Malware
December 17th, 2012 | Posted by in APT | Attacks | Forensics | Malware - (Comments Off)
A few days ago, the Iranian CERT (Maher Center) released information about a newly identified targeted malware with wiping capabilities. The piece of code is very simple: it deletes files on different drives on specific dates. The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed, it extracts the following files: …
Your malware shall not fool us with those anti analysis tricks
November 5th, 2012 | Posted by in Forensics | General | Malware - (2 Comments)
It is well known that a large number of malware samples are aware of the execution environment. This means that a malware sample can change its behavior if it detects that the running environment is unwanted. There are resources, public source code, and even programs that detail how to bypass automatic malware analysis systems and …
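The two posts above (hardening Cuckoo, and malware that checks its execution environment) both turn on the same idea: a sample looks for debugger APIs, VM artifacts or sandbox hook DLLs before deciding whether to run. The following is an added example, not code from either post, of a small static triage script that flags such indicators in a binary before it goes into the sandbox. The indicator lists and the constructed sample blob are assumptions for illustration; a real list would be longer, and a packed sample will hide these strings until unpacked.

```python
"""Static triage: flag environment-awareness indicators in a binary.

Scans a byte buffer for API names, VM/sandbox artifact strings and registry
paths that malware commonly uses to detect a debugger, virtual machine or
sandbox. Both ASCII and UTF-16LE encodings are checked, because Windows
samples frequently store such strings as wide characters.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Indicator lists are assumptions based on widely used anti-analysis
# tricks; they are not taken from the original posts and are not exhaustive.
INDICATORS = {
    "debugger": [
        b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
        b"NtQueryInformationProcess", b"OutputDebugString",
    ],
    "vm_artifact": [
        b"VBoxService", b"VBoxTray", b"vmtoolsd", b"VMwareService",
        b"HARDWARE\\ACPI\\DSDT\\VBOX__",
        b"SOFTWARE\\VMware, Inc.\\VMware Tools",
        b"SYSTEM\\CurrentControlSet\\Services\\VBoxGuest",
        b"qemu", b"virtualbox", b"vmware",
    ],
    "sandbox": [
        b"cuckoomon", b"SbieDll.dll", b"api_log.dll",
    ],
    "timing": [
        b"GetTickCount", b"QueryPerformanceCounter", b"NtDelayExecution",
    ],
}


def _ascii_re(name: bytes) -> re.Pattern:
    # Case-insensitive literal match of the ASCII form.
    return re.compile(re.escape(name), re.IGNORECASE)


def _wide_re(name: bytes) -> re.Pattern:
    # Same literal as UTF-16LE: every ASCII byte followed by a NUL byte.
    wide = b"".join(re.escape(bytes([c])) + b"\x00" for c in name)
    return re.compile(wide, re.IGNORECASE)


def scan(data: bytes) -> dict[str, list[str]]:
    """Return {category: [indicator (encoding), ...]} for every hit."""
    hits: dict[str, set[str]] = defaultdict(set)
    for category, names in INDICATORS.items():
        for name in names:
            for enc, pat in (("ascii", _ascii_re(name)),
                             ("utf16", _wide_re(name))):
                if pat.search(data):
                    hits[category].add(f"{name.decode()} ({enc})")
    return {k: sorted(v) for k, v in hits.items()}


def evasion_risk(hits: dict[str, list[str]]) -> str:
    """Coarse verdict: how many distinct check categories are present."""
    n = len(hits)
    return "high" if n >= 3 else "medium" if n == 2 else "low" if n == 1 else "none"


# Constructed sample: a fake PE-like blob carrying a mix of narrow and
# wide indicator strings. Not a real malware sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"IsDebuggerPresent\x00GetTickCount\x00"
    + "VBoxService.exe".encode("utf-16le") + b"\x00\x00"
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"
    + b"cuckoomon.dll\x00"
)

if __name__ == "__main__":
    result = scan(SAMPLE)
    for category, found in result.items():
        print(f"{category}: {', '.join(found)}")
    print("evasion risk:", evasion_risk(result))
```

Use the result to decide which Cuckoo hardening to apply before detonation: a sample that references VirtualBox service names or the Cuckoo hook DLL is the one worth running in a guest with those artifacts renamed or patched.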
Georbot Botnet – A cyber espionage campaign against Georgian Government
October 31st, 2012 | Posted by in APT | Attacks | Exploits | Forensics | IP Reputation | Malware | News | OTX | Snort - (Comments Off)
A few days ago, CERT-Georgia published a great report describing a cyber espionage campaign. ESET wrote a great report a few months ago as well. The report said the malware was found in Georgian governmental agencies including ministries, parliament, banks and NGOs. The report also says the purpose of the malware was “Collecting Sensitive, Confidential Information about Georgian and …

