Modern "fileless" malware campaigns increasingly use specially crafted documents as attack vectors. This allows a malicious file to harbor a payload distinct from executable droppers, and its text content can be easily modified in a phishing campaign without altering the nested objects it contains. Deep File Inspection presents a methodology to unwrap these nested files and objects and classify documents based on their intent, flagging malicious files based on the subsets of functionality they use.
On February 1st, Adobe published bulletin APSA18-01 for CVE-2018-4878, describing a use-after-free (UAF) vulnerability affecting Flash version 184.108.40.206 and earlier. As of February 6th, Adobe has patched the issue in version 220.127.116.11; see APSB18-03. This post provides an overview of the vulnerability, a walk-through of the exploit seen in the wild, and several detection mechanisms. You can also follow the conversation via our Twitter moment.
InQuest provides an on-premises, network-focused security solution deployed in many high-volume, mission-critical environments, including DISA's Joint Regional Security Stack (JRSS).
Unfortunately, it appears that ransomware authors are now starting to employ Microsoft Office DDE malware carriers. This post will likely be our last on DDE dissection and covers the delivery of Vortex ransomware, seemingly targeted at Poland.
In reviewing the results of our Microsoft Office DDE malware hunt (Microsoft_Office_DDE_Command_Execution.rule), we came across an interesting sample targeted at Freddie Mac employees. This post dives into the dissection of this well-put-together sample.