News
Guildma malware is now accessing Facebook and YouTube to keep up-to-date, (Tue, Aug 20th)
A new variant of the information stealer Guildma (aka Astaroth) we analyzed last week is accessing Facebook and YouTube to get a fresh list of its C2 servers. The C2 list is encrypted and hosted in two Facebook and three YouTube profiles maintained and constantly updated by the cybercriminals. This innovative strategy is probably helping the […]
Read moreISC Stormcast For Tuesday, August 20th 2019 https://isc.sans.edu/podcastdetail.html?id=6628, (Tue, Aug 20th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read moreCompressed ISO Files (ISZ), (Mon, Aug 19th)
While researching a user submitted Direct Access Archive file (DAA), I learned about another file format I too had never heard of before: compressed ISO files, or .isz files. ISZ files are similar to DAA files: insofar they also contain an ISO file, split in chunks that are then compressed. Like DAA, it’s a proprietary […]
Read moreISC Stormcast For Monday, August 19th 2019 https://isc.sans.edu/podcastdetail.html?id=6626, (Mon, Aug 19th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read moreVideo: Analyzing DAA Files, (Sun, Aug 18th)
This is a video to illustrate the analysis of DAA files (Direct Access Archives), discussed in diary entries “Malicious .DAA Attachments” and “The DAA File Format“. As can be expected, these DAA files, sent as email attachment, contain a malicious Windows executable (PE file). Didier Stevens Senior handler Microsoft MVP blog.DidierStevens.com DidierStevensLabs.com (c) SANS Internet […]
Read moreIssue #64 – Volume XXI – SANS Newsbites – August 16th, 2019
Reposted from SANS NewsBites. Click here to read the original posting.
Read moreThe DAA File Format, (Fri, Aug 16th)
In diary entry “Malicious .DAA Attachments“, we extracted a malicious executable from a Direct Access Archive file. Let’s take a closer look at this file format. Here is an hex/ascii dump of the beginning of the file: With the source code of DAA2ISO, I was able to make some sense of this data. I highlighted […]
Read moreISC Stormcast For Friday, August 16th 2019 https://isc.sans.edu/podcastdetail.html?id=6624, (Fri, Aug 16th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read moreAnalysis of a Spearphishing Maldoc, (Thu, Aug 15th)
A spearphishing attack with a VBA maldoc on US utility companies was mentioned in SANS NewsBites Vol. 21, Num. 61. I always like to take a look at malicious documents mentioned in the news. Luckily for me, Proofpoint’s analysis includes the hashes of the maldocs, and one maldoc can be found on VirusTotal. This maldoc […]
Read moreISC Stormcast For Thursday, August 15th 2019 https://isc.sans.edu/podcastdetail.html?id=6622, (Thu, Aug 15th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read more
