InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.

Ex Machina: Man + Machine

Posted on 2018-11-14 by Stephen Esling

Since its introduction by WheelGroup in 1995, signature-based detection has been a staple of antivirus software. Now, over twenty years later, it seems to have reached the limits of its usefulness. In 2016, the Webroot Threat Report reported that, thanks to a large spike in the usage of polymorphic, or self-altering, code, 94% of malware that year was found to be unique, having only been encountered once. This trend has only continued into 2018, and, like shaking an Etch-A-Sketch, with every shift in form taken by a malicious file, all work done on defining its characteristics becomes obsolete. We at InQuest have found a robust solution to this problem via the use of generalized, heuristic signatures that work together to give an overall likelihood of a file’s potential maliciousness, but such signatures can be difficult and unintuitive to create.

Examining Malware Web Browser Injections

Posted on 2018-11-13 by Adam Swanda

Banking malware and information-stealing malware are some of the most popular threats in today's landscape. Many stealers will collect information and credentials from locally installed applications such as web browsers, email and instant messaging clients, and other common software. Banking trojans, on the other hand, go the extra mile to pilfer data and use what are called web browser injections, more commonly known as "web injects". Web injects are code within malware that can inject HTML and JavaScript directly into otherwise legitimate websites a victim visits. This has the effect of modifying rendered browser content to achieve any number of goals the malicious actor chooses, such as adding, removing, or modifying text, inserting form fields, or capturing data entered into fields.

Dissecting TrickBot

Posted on 2018-10-09 by Adam Swanda

After the demise of the Dyreza banking malware, the banking trojan vacuum was quickly filled by the TrickBot malware family. TrickBot is a banking and information-stealing trojan that is modular in design and can rapidly expand its functionality by retrieving DLLs from its Command and Control server. This threat is spread most commonly by phishing emails, but it also includes network propagation functionality to spread through a victim's network by using the Microsoft Windows vulnerability known as EternalRomance. In this blog post, we'll dive into the TrickBot malware, its functionality, modules, and Command and Control communications.

Stringless YARA Rules

Posted on 2018-09-30 by Rob King

Here at InQuest, YARA is among the many tools we use to perform deep-file inspection, with a fairly extensive rule set. InQuest operates at line speed in very high-traffic networks, so these rules need to be fast.

This blog post is the first in a series discussing YARA performance notes, tips, and hacks.

Emotet campaign delivers AZORult, IcedID, and TrickBot

Posted on 2018-09-30 by Adam Swanda

Emotet is one of the most prevalent malware families in the cybercrime realm in 2018, and with no breakthroughs in identifying the actors or larger infrastructure, at least publicly, it seems poised to stay that way for the time being. The malware is typically delivered to users through phishing campaigns with malicious Word documents containing macros. Once executed, Emotet will often drop an additional malware family such as TrickBot or another information stealer. In the case we will look at today, an Emotet phishing campaign led to the delivery of not just one additional malware family but three: AZORult, IcedID, and TrickBot.