Malware Analysis

August 14, 2017

THREAT RESEARCH

When combining exploits for added effect goes wrong

1 min read

Since public disclosure in April 2017, CVE-2017-0199 has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word. In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, CVE-2012-0158, possibly in […]

August 9, 2017

THREAT RESEARCH

WinDBG and JavaScript Analysis

1 min read

This blog was authored by Paul Rascagneres. Introduction JavaScript is frequently used by malware authors to execute malicious code on Windows systems because it is powerful, natively available and rarely disabled. Our previous article on .NET analysis generated much interest relating to how to use WinDBG to analyse .js files. In this post we extend our description of […]

August 3, 2017

THREAT RESEARCH

Taking the FIRST look at Crypt0l0cker

1 min read

This post is authored by Matthew Molyett. Executive Summary In March, Talos reported on the details of Crypt0l0cker based on an extensive analysis I carried out on the sample binaries. Binaries — plural — because, as noted in the original blog, the Crypt0l0cker payload leveraged numerous executable files which shared the same codebase. Those executables had nearly identical […]

July 19, 2017

THREAT RESEARCH

Unravelling .NET with the Help of WinDBG

1 min read

This blog was authored by Paul Rascagneres and Warren Mercer. Introduction .NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other administrative functions rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language […]

July 6, 2017

THREAT RESEARCH

New KONNI Campaign References North Korean Missile Capabilities

1 min read

This blog was authored by Paul Rascagneres Executive Summary We recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. The malware used in this campaign has similar […]

May 3, 2017

THREAT RESEARCH

KONNI: A Malware Under The Radar For Years

1 min read

Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. […]

February 2, 2017

SECURITY

Malware Analysis for the Incident Responder

7 min read

Malware is one of the most prevalent and most insidious forms of cyber attack.  Identifying and eliminating them are critical in minimizing the impact of a breach.  As a cybersecurity incident responder, I always end up performing some level of malicious file analysis.  In this blog, I’ll share some recommended approaches that have worked for […]

January 30, 2017

THREAT RESEARCH

EyePyramid: An Archaeological Journey

1 min read

The few last days, a malware sample named EyePyramid has received considerable attention, especially in Italy. The Italian police have arrested two suspects and also published a preliminary report of the investigation. This malware is notable due to the targeting of Italian celebrities and politicians. We conducted our analysis on one of the first public […]

September 13, 2016

SECURITY

H1N1: Technical analysis reveals new capabilities

7 min read

This blog is the first in a 3 part series that will provide an in-depth technical analysis on the H1N1 malware. I’ll be looking at how H1N1 has evolved, its obfuscation, analyzing its execution including new information stealing and user account control bypass capabilities, and finally exploring how we are both using and influencing security tools […]