Archive

All blog posts in chronological order

October 2018

Dissecting TrickBot - After the demise of the Dyreza banking malware, the banking trojan vacuum was quickly filled by the TrickBot malware family. TrickBot is a banking and information stealing trojan which is modular in design and can rapidly expand its functionality by retrieving DLLs from its Command and Control server. This threat is spread most commonly by phishing emails, but it also includes network propagation functionality to spread through a victims' network by using the Microsoft Windows vulnerability known as EternalRomance. In this blog post, we'll dive into the TrickBot malware, its functionality, modules, and Command and Control communications.

September 2018

Stringless YARA Rules - Here at InQuest, YARA is among the many tools we use to perform deep-file inspection, with a fairly extensive rule set. InQuest operates at line speed in very high-traffic networks, so these rules need to be fast. This blog post is the first in a series discussing YARA performance notes, tips, and hacks.
Emotet campaign delivers AZORult, IcedID, and TrickBot - Emotet is one of the most prevalent malware families in the cybercrime realm in 2018 and with no breakthroughs in identifying the actors or larger infrastructure, at least publicly, it seems poised to stay that way for the time being. The malware is typically delivered to users through phishing campaigns with malicious Word documents containing macros. Once executed, Emotet will often drop an additional malware family such as TrickBot or another information stealer. In the case we will look at today, an Emotet phishing campaign led to the delivery of not just one additional malware family but three; AZORult, IcedID, and TrickBot.

August 2018

Threat Hunting IQY files with YARA - The goal of threat hunting is to proactively identify potential threats that have evaded existing security measures. Over the past several months the use of malicious Excel IQY files to deliver malware has fallen into this category for many organizations and users as a blind spot. Threat actors, both cybercrime and APT, have launched phishing campaigns using this technique to evade common detection methodologies and have left computer network defenders wondering how to catch future occurrences of this technique. Although many of the notable phishing campaigns have similar indicators that one might hunt for, limiting yourself to these will leave your scope narrowed to a limited set of known threats, and when hunting you are looking to identify otherwise unknown threats. In this post, we will review how to leverage YARA signatures in a multi-staged hunting approach to identify indicators of potential malicious activity in these file types. We will cover the IQY file format in both its legitimate and malicious uses, as well as identify common indicators of malicious activity seen in the wild, and how we can broaden those indicators to increase the scope of our threat hunting.
Omnibus: Automating OSINT Collection - Open Source Intelligence (OSINT) is data collected from publicly available sources that is meant to be used in the context of intelligence. A great deal of data, combined with analysis by trained professionals, can be turned into actionable intelligence. This intelligence is used to enhance cyber security investigations, provide insight into adversary infrastructure and operators, give context to threat actor profiling, or understand a complex scenario.

July 2018

Field Notes: Malicious HFS Instances Serving Gh0stRAT - HTTP File Server, commonly abbreviated as HFS, is a free and simple means to send and receive files across the Internet. This also makes the software a popular choice among malicious actors for hosting and distributing malware and exploits, and an interesting target for malware researchers. An investigation into an HFS instance hosting an exploit for CVE-2018-8174 led to the discovery of an interesting threat actor and their infrastructure, the continued use of the Gh0st RAT malware, and many common attributes we can use to help us identify this malicious activity in the wild.
Plyara: Parsing YARA rules with Python - Plyara is a Python lexer and parser for YARA rules. You can use it to build your own tools around YARA rules: whether analyzing or performing bulk operations on a large corpus, parsing rule content for display, writing a linter, or any other application you might think of.

June 2018

FormBook stealer: Data theft made easy - The FormBook information-stealing malware, being advertised as providing an "extensive and powerful internet monitoring experience", has clearly caught the eye of threat actors since its debut on underground forums in 2016. Due to its low price, it is easily accessible to threat actors of all sophistication for use in campaigns of varying complexity and shows no signs of slowing down. The malware provides a variety of data theft capabilities such as stealing stored passwords from local applications, recording user keystrokes, browsing and interacting with files on the infected host, taking screenshots, and more. Although the information stealing functionality seems rather standard, the measures FormBook takes to avoid analysis makes this malware family difficult to detect and analyze, making the stealer all the more appealing to malicious actors looking for a new take on an old threat.

May 2018

Phorpiex malware spreads GandCrab phishing emails - After analyzing the on-going GandCrab email distribution campaign, we at InQuest decided to look further into the emails themselves and exactly how this malware is being propagated. Taking a second look at one of the payloads from our last analysis, we found the Phorpiex malware family acts as an email spreader for sending phishing emails with attachments and is very likely to be the malware causing so much havoc across Internet mailboxes these past weeks. By taking a closer look at the malware named in a previous blog post as "Trik" or "Trik.pdb", we have now identified this as the malware family Phorpiex. Due to the families email spreader capability and unique strings found in the malware, it is highly likely to be responsible for the distribution of the GandCrab phishing campaigns we've seen in-the-wild over the past several weeks to months.
Field Notes: Agent Tesla Open Directory - InQuest discovered an open directory hosting several Agent Tesla payloads, as well as several separate web panels for the administration of different Agent Tesla malware campaigns. We decided this was a good time to have a quick look at this malware family, it's capabilities, and the artifacts found in the open directory. Agent Tesla is a malware family written in .NET for Microsoft Windows systems and has much in common with spyware in its capabilities. Its primary functions include stealing credentials, keylogging, collecting screenshots, capturing web camera images, and gathering clipboard data, although unlike many spyware families it is often seen in more standard malware campaigns and makes use of common malware techniques for obfuscation, unpacking, and data collection.