Making the decision of what to analyze The last blog post that I wrote was about creating an ELK with a Kibana view of the currently active malware, using the common publicly available sandbox services. This gives some insight of what is currently active and I think it can be quite current as I...
Hunting for msbuild based execution
Why? There has been a new Advanced Persistent Threat group, named Dark Pink which have been using the msbuild.exe LOLBIN for doing their malicious deed. The group has been especially active in the APAC area, with some activity in Europe too – specifically in Bosnia and Herzegovina – weirdly enough. The group is mostly...
HTML Smuggling – how does it look like?
HTML smuggling is a new technique to deliver malicious payload to the endpoints. The idea of the technique is to deliver the malicious code encoded in an image file that is embedded to a HTML attachment file. The reason for doing it this way is to pass the potential perimeter defenses as the...
Qakbot
Qakbot – anything new on a recent sample? I’ve been looking through tria.ge to see what has been the recent trend in the malware world. For the last couple of days the majority of the samples supplied (no actual statistics, just a hunch based on looking at the recently uploaded samples) has been Qakbot....
Recent phishing emails + Emotet recent sample analysis
Phishing emails It’s been a little quiet on the blog for a while now. I’ve been busy with other things and haven’t had the time to find any feasible topics to write about. Now it sort of landed to my lap. I’ve been receiving phishing messages for a ~week now to my personal mailbox....