InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.

Analyzing Sophisticated PowerShell Targeting Japan

Posted on 2019-03-09 by Amirreza Niakanlahiji and Josiah Smith

In this article, we dissect a sophisticated multi-stage PowerShell script that is targeting users in Japan. We found this instance on HybridAnalysis a few days back (on March 7). This malware sample is unique because it uses multiple layers of obfuscation, encryption, and steganography to protect its final payload from detection. As of writing this article, none of the antivirus engines on VirusTotal detect this attack.

Family Matters: Using MinHash to Cluster Data

Posted on 2019-02-28 by Steve Esling

As we’ve discussed in our previous two Ex Machina articles, one of the goals of our machine learning efforts is to use artificial intuition as an aid in the construction of our signatures. This was previously illustrated by examining the importance of features in GB and RF algorithms, both of which are supervised techniques. However, both also require a training data set, which must be collected, annotated, and assembled by humans; they’re good for finding patterns related to good or bad macros as a whole, but don’t get much more fine-grained than that. Obviously, this is going to lead to very general signatures. Even with very large training sets, the smaller details behind why an ML process yielded a positive or negative result are lost within simpler heuristics. When it comes to designing more specific signatures tailored to locating different kinds of malware, these heuristics are not enough.

Quick Analysis of A Customer Malspam Encounter

Posted on 2019-02-26 by Josiah Smith

The InQuest platform is fully open in the sense that all analytical areas are extensible via customer-defined intelligence, which can include keywords, hashes, standard IOCs, and fully fledged YARA rules. This article covers the analysis of an interesting customer malspam encounter that was identified with a customer-defined YARA signature focusing on abnormally high levels of entropy within the semantic context of document files. This attack occurred at an undisclosed customer site and specifically targeted three different individuals across the organization. Before we dive into the analysis, here are the details of the original file.

File name: AT&T_Account_02_19_19.pdf
File size: 24.78 KB
MD5: 0f627a1450851494145328fcdeb12195
SHA-256: 9e8eb1889ec6b32a6074dd5b963c84fd27d7ba7f314ea997f3e3eb4a1ac70757

The sample is made available on our github malware repository:

9e8eb1889ec6b32a6074dd5b963c84fd27d7ba7f314ea997f3e3eb4a1ac70757

Extracting "Sneaky" Excel XLM Macros

Posted on 2019-01-29 by Amirreza Niakanlahiji and Pedram Amini

In this article, we present our in-depth analysis of a malicious Microsoft Excel document (.xlm format) that we found in the wild. We show how existing open source tools can be used to carve out interesting artifacts. During our analysis, we also point out some tool limitations and present our solution for closing the gap. Ultimately, our goal is to orchestrate the carving of as many artifacts as possible, for robust threat detection and prevention.

Detecting Empire with InQuest

Posted on 2019-01-21 by Josiah Smith

Within the last few years, security researchers have released several different toolsets that leverage Microsoft's PowerShell in an offensive role, including PowerSploit, Posh-SecMod, UnmanagedPowerShell, and PowerShell-AD-Recon. These were all fantastic tools but lacked consistency and interoperability.

This is where Empire changed everything.
