Malware Analysis

August 9, 2017

THREAT RESEARCH

WinDBG and JavaScript Analysis

This blog was authored by Paul Rascagneres. Introduction JavaScript is frequently used by malware authors to execute malicious code on Windows systems because it is powerful, natively available and rarely disabled. Our previous article on .NET analysis generated much interest relating to how to use WinDBG to analyse .js files. In this post we extend our description of […]

August 3, 2017

THREAT RESEARCH

Taking the FIRST look at Crypt0l0cker

This post is authored by Matthew Molyett. Executive Summary In March, Talos reported on the details of Crypt0l0cker based on an extensive analysis I carried out on the sample binaries. Binaries — plural — because, as noted in the original blog, the Crypt0l0cker payload leveraged numerous executable files which shared the same codebase. Those executables had nearly identical […]

July 19, 2017

THREAT RESEARCH

Unravelling .NET with the Help of WinDBG

This blog was authored by Paul Rascagneres and Warren Mercer. Introduction .NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other administrative functions rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language […]

July 6, 2017

THREAT RESEARCH

New KONNI Campaign References North Korean Missile Capabilities

This blog was authored by Paul Rascagneres Executive Summary We recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. The malware used in this campaign has similar […]

May 3, 2017

THREAT RESEARCH

KONNI: A Malware Under The Radar For Years

Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. […]

February 2, 2017

SECURITY

Malware Analysis for the Incident Responder

Malware is one of the most prevalent and most insidious forms of cyber attack.  Identifying and eliminating them are critical in minimizing the impact of a breach.  As a cybersecurity incident responder, I always end up performing some level of malicious file analysis.  In this blog, I’ll share some recommended approaches that have worked for […]

January 30, 2017

THREAT RESEARCH

EyePyramid: An Archaeological Journey

The few last days, a malware sample named EyePyramid has received considerable attention, especially in Italy. The Italian police have arrested two suspects and also published a preliminary report of the investigation. This malware is notable due to the targeting of Italian celebrities and politicians. We conducted our analysis on one of the first public […]

September 15, 2016

SECURITY

Protecting against the latest variant of H1N1

This is the third and final installment in our technical analysis of the H1N1 loader. In case you missed it, my colleague Josh Reynolds peeled apart the latest variant of H1N1 and analyzed its obfuscation tactics and techniques in the first blog, and in the second blog provides deep technical analysis of its execution. While […]

September 14, 2016

SECURITY

H1N1: Technical analysis reveals new capabilities – part 2

This is the second blog in a 3 part series that provides an in-depth technical analysis on the H1N1 malware. You can read the first entry here where I covered the evolution of H1N1, its infection vector and obfuscation techniques. This blog will provide an overview of its execution. H1N1 Execution Execution flow is broken down […]