InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.

Stringless YARA Rules

Posted on 2018-09-30 by Rob King

Here at InQuest, YARA is among the many tools we use to perform deep-file inspection, with a fairly extensive rule set. InQuest operates at line speed in very high-traffic networks, so these rules need to be fast.

This blog post is the first in a series discussing YARA performance notes, tips, and hacks.

Emotet campaign delivers AZORult, IcedID, and TrickBot

Posted on 2018-09-30 by Adam Swanda

Emotet is one of the most prevalent malware families in the cybercrime realm in 2018 and with no breakthroughs in identifying the actors or larger infrastructure, at least publicly, it seems poised to stay that way for the time being. The malware is typically delivered to users through phishing campaigns with malicious Word documents containing macros. Once executed, Emotet will often drop an additional malware family such as TrickBot or another information stealer. In the case we will look at today, an Emotet phishing campaign led to the delivery of not just one additional malware family but three; AZORult, IcedID, and TrickBot.

Threat Hunting IQY files with YARA

Posted on 2018-08-23 by Adam Swanda

The goal of threat hunting is to proactively identify potential threats that have evaded existing security measures. Over the past several months the use of malicious Excel IQY files to deliver malware has fallen into this category for many organizations and users as a blind spot. Threat actors, both cybercrime and APT, have launched phishing campaigns using this technique to evade common detection methodologies and have left computer network defenders wondering how to catch future occurrences of this technique. Although many of the notable phishing campaigns have similar indicators that one might hunt for, limiting yourself to these will leave your scope narrowed to a limited set of known threats, and when hunting you are looking to identify otherwise unknown threats. In this post, we will review how to leverage YARA signatures in a multi-staged hunting approach to identify indicators of potential malicious activity in these file types. We will cover the IQY file format in both its legitimate and malicious uses, as well as identify common indicators of malicious activity seen in the wild, and how we can broaden those indicators to increase the scope of our threat hunting.

Omnibus: Automating OSINT Collection

Posted on 2018-08-16 by Adam Swanda

Open Source Intelligence (OSINT) is data collected from publicly available sources that is meant to be used in the context of intelligence. A great deal of data, combined with analysis by trained professionals, can be turned into actionable intelligence. This intelligence is used to enhance cyber security investigations, provide insight into adversary infrastructure and operators, give context to threat actor profiling, or understand a complex scenario.

When performing threat investigations OSINT is a crucial resource and is commonly used by analysts to enrich their data or gather new information on indicators found during their research. Though manual collection of this information can be a long, tedious, and costly process - especially if you need to perform the same collection tasks against dozens or hundreds of data points. On top of the information collection itself, analysts need a way to organize the gathered data so that it can be easily accessed, queried, and understood afterwards.

This is where InQuest Lab's new project Omnibus comes into play.

Field Notes: Malicious HFS Instances Serving Gh0stRAT

Posted on 2018-07-09 by Adam Swanda

HTTP File Server, commonly abbreviated as HFS, is a free and simple means to send and receive files across the Internet. This also makes the software a popular choice among malicious actors for hosting and distributing malware and exploits, and an interesting target for malware researchers. An investigation into an HFS instance hosting an exploit for CVE-2018-8174 led to the discovery of an interesting threat actor and their infrastructure, the continued use of the Gh0st RAT malware, and many common attributes we can use to help us identify this malicious activity in the wild.

Blog Archive