News

Guildma malware is now accessing Facebook and YouTube to keep up-to-date, (Tue, Aug 20th)

Published August 20, 2019

A new variant of the information stealer Guildma (aka Astaroth) we analyzed last week is accessing Facebook and YouTube to get a fresh list of its C2 servers. The C2 list is encrypted and hosted in two Facebook and three YouTube profiles maintained and constantly updated by the cybercriminals. This innovative strategy is probably helping the […]

Read more

ISC Stormcast For Tuesday, August 20th 2019 https://isc.sans.edu/podcastdetail.html?id=6628, (Tue, Aug 20th)

Published August 19, 2019

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.

Read more

Compressed ISO Files (ISZ), (Mon, Aug 19th)

Published August 19, 2019

While researching a user-submitted Direct Access Archive file (DAA), I learned about another file format I had also never heard of before: compressed ISO files, or .isz files. ISZ files are similar to DAA files in that they also contain an ISO image, split into chunks that are then compressed. Like DAA, it’s a proprietary […]

Read more

ISC Stormcast For Monday, August 19th 2019 https://isc.sans.edu/podcastdetail.html?id=6626, (Mon, Aug 19th)

Published August 18, 2019


Read more

Video: Analyzing DAA Files, (Sun, Aug 18th)

Published August 18, 2019

This is a video to illustrate the analysis of DAA files (Direct Access Archives), discussed in diary entries “Malicious .DAA Attachments” and “The DAA File Format”. As can be expected, these DAA files, sent as email attachments, contain a malicious Windows executable (PE file).

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
(c) SANS Internet […]

Read more

Issue #64 – Volume XXI – SANS Newsbites – August 16th, 2019

Published August 16, 2019

Reposted from SANS NewsBites.

Read more

The DAA File Format, (Fri, Aug 16th)

Published August 16, 2019

In diary entry “Malicious .DAA Attachments”, we extracted a malicious executable from a Direct Access Archive file. Let’s take a closer look at this file format. Here is a hex/ASCII dump of the beginning of the file: With the source code of DAA2ISO, I was able to make some sense of this data. I highlighted […]

Read more

ISC Stormcast For Friday, August 16th 2019 https://isc.sans.edu/podcastdetail.html?id=6624, (Fri, Aug 16th)

Published August 16, 2019


Read more

Analysis of a Spearphishing Maldoc, (Thu, Aug 15th)

Published August 15, 2019

A spearphishing attack with a VBA maldoc on US utility companies was mentioned in SANS NewsBites Vol. 21, Num. 61. I always like to take a look at malicious documents mentioned in the news. Luckily for me, Proofpoint’s analysis includes the hashes of the maldocs, and one maldoc can be found on VirusTotal. This maldoc […]

Read more

ISC Stormcast For Thursday, August 15th 2019 https://isc.sans.edu/podcastdetail.html?id=6622, (Thu, Aug 15th)

Published August 14, 2019


Read more