All blog posts in chronological order

July 2018

Plyara: Parsing YARA rules with Python - Plyara is a Python lexer and parser for YARA rules. You can use it to build your own tools around YARA rules: whether analyzing or performing bulk operations on a large corpus, parsing rule content for display, writing a linter, or any other application you might think of.

June 2018

FormBook stealer: Data theft made easy - The FormBook information-stealing malware, being advertised as providing an "extensive and powerful internet monitoring experience", has clearly caught the eye of threat actors since its debut on underground forums in 2016. Due to its low price, it is easily accessible to threat actors of all sophistication for use in campaigns of varying complexity and shows no signs of slowing down. The malware provides a variety of data theft capabilities such as stealing stored passwords from local applications, recording user keystrokes, browsing and interacting with files on the infected host, taking screenshots, and more. Although the information stealing functionality seems rather standard, the measures FormBook takes to avoid analysis makes this malware family difficult to detect and analyze, making the stealer all the more appealing to malicious actors looking for a new take on an old threat.

May 2018

Phorpiex malware spreads GandCrab phishing emails - After analyzing the on-going GandCrab email distribution campaign, we at InQuest decided to look further into the emails themselves and exactly how this malware is being propagated. Taking a second look at one of the payloads from our last analysis, we found the Phorpiex malware family acts as an email spreader for sending phishing emails with attachments and is very likely to be the malware causing so much havoc across Internet mailboxes these past weeks. By taking a closer look at the malware named in a previous blog post as "Trik" or "Trik.pdb", we have now identified this as the malware family Phorpiex. Due to the families email spreader capability and unique strings found in the malware, it is highly likely to be responsible for the distribution of the GandCrab phishing campaigns we've seen in-the-wild over the past several weeks to months.
Field Notes: Agent Tesla Open Directory - InQuest discovered an open directory hosting several Agent Tesla payloads, as well as several separate web panels for the administration of different Agent Tesla malware campaigns. We decided this was a good time to have a quick look at this malware family, it's capabilities, and the artifacts found in the open directory. Agent Tesla is a malware family written in .NET for Microsoft Windows systems and has much in common with spyware in its capabilities. Its primary functions include stealing credentials, keylogging, collecting screenshots, capturing web camera images, and gathering clipboard data, although unlike many spyware families it is often seen in more standard malware campaigns and makes use of common malware techniques for obfuscation, unpacking, and data collection.
Aggregating Public Domain Reputation Feeds - SOC analysts typically have access to a mix of proprietary, commercial, open source, and personal reputation sources for various indicator of compromise (IOCs). IOCs include file hashes, IP addresses, domain names, SSL certificate fingerprints and more. Aggregating the variety of feeds into a single source is a prudent first-step for manual search and programmatic accessibility. In this article we outline a number of publicly available resources and describe a simple method for aggregating them into a single reputation database. The final product, while not containing the highest fidelity data, can provide a valuable reference for threat hunters. Commercially, we supply InQuest users with a propriety reputation API, sourced from both manual and automated threat hunting efforts. Over 80% of these artifacts do not overlap with what we're seeing in the public domain.
RetroHunt: Retrospective Analysis for Threat Hunters - InQuest helps organizations in both threat-hunting and incident response through the use of our RetroHunt capability. This allows users to search back through mass amounts of sessions and files on newly created signatures. Weekly releases of new InQuest signatures ensures we stay on top of the latest threats and exploits, while RetroHunt makes sure you stay alerted if they appear in your environment.

April 2018

Advanced Malware Multi-Scanning On Premises by OPSWAT Metadefender Core - Due to the variability in anti-virus and malware detection methodologies, organizations can benefit from the coverage that a multi-AV solution provides. To facilitate this, InQuest includes OPSWAT MetaDefender as part of its network-based malware detection products.
Walkthrough of a Common Malware Carrier - E-mail is a prominent vector for malware delivery, by way of a malicious URL or file attachments. When embedding malicious content within a file, malware authors commonly nest a variety of formats within one another and pivot through numerous stages of payloads before retrieving the final one. In this post, we'll walk through the dissection of a common document malware carrier.
GandCrab Swarm - In early April of 2018 we noticed a spike in malicious activity, sourced mostly from the Asias and delivered via SMTP. This post covers our exploration of the campaign and the eventual realization that it is responsible for distributing a mix of garden variety malware, including GandCrab ransomware.

March 2018

InQuest Provides Zero-Day Coverage Against Advanced Threats via Partner Exodus Intel - Threat intelligence is only as good as the sources that drive it, which is why we integrate Zero-Day exploitation coverage into our product via research from Exodus Intelligence. Going beyond public vulns and in-the-wild samples, this level of coverage affords protection against new TTPs, long before they become part of the known threat landscape.