InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.

Phorpiex malware spreads GandCrab phishing emails

Posted on 2018-05-29 by Adam Swanda


After analyzing the on-going GandCrab email distribution campaign, we at InQuest Labs decided to look further into the emails themselves and exactly how this malware is being propagated. Taking a second look at one of the payloads from our last analysis we found that the Phorpiex malware family acts as an email spreader for sending phishing emails with attachments. Immediately this jumped out at us as the culprit that is very likely the malware causing so much havoc across Internet mailboxes these past weeks.

By taking a closer look at the malware named in a previous blog post as "Trik" or Trik.pdb", we have now identified this as the malware family Phorpiex. Due to the families email spreader capability and unique strings found in the malware, it is highly likely to be responsible for the distribution of the GandCrab phishing campaigns we've seen in-the-wild over the past several weeks to months.

Field Notes: Agent Tesla Open Directory

Posted on 2018-05-22 by Adam Swanda

InQuest discovered an open directory hosting several Agent Tesla payloads, as well as several separate web panels for the administration of different Agent Tesla malware campaigns. We decided this was a good time to have a quick look at this malware family, it's capabilities, and the artifacts found in the open directory.

Agent Tesla is a malware family written in .NET for Microsoft Windows systems and has much in common with spyware in it's capabilities. It has many spyware like capabilities such as stealing credentials, keylogging, collecting screenshots, capturing web camera images, and gathering clipboard data, but it is often seen in more standard malware campaigns and uses common malware techniques for obfuscation, unpacking, and data collection. Recently, Agent Tesla has been distributed in the wild through phishing emails and malicious Word documents containing macros to drop and execute the malware.

Aggregating Public Domain Reputation Feeds

Posted on 2018-05-17 by Stephen Shinol

SOC analysts typically have access to a mix of proprietary, commercial, open source, and personal reputation sources for various indicator of compromise (IOCs). IOCs include file hashes, IP addresses, domain names, SSL certificate fingerprints and more. Aggregating the variety of feeds into a single source is a prudent first-step for manual search and programmatic accessibility. In this article we outline a number of publicly available resources and describe a simple method for aggregating them into a single reputation database. The final product, while not containing the highest fidelity data, can provide a valuable reference for threat hunters. Commercially, we supply InQuest users with a propriety reputation API, sourced from both manual and automated threat hunting efforts. Over 80% of these artifacts do not overlap with what we're seeing in the public domain.

RetroHunt: Retrospective Analysis for Threat Hunters

Posted on 2018-05-09 by Adam Swanda

InQuest helps organizations in both threat-hunting and incident response through the use of our RetroHunt capability.

RetroHunting allows the searching of a historical data with signatures in order to see if any of the signatures match within that historical file set.

For readers of who have used VirusTotal Intelligence (VTI), this is a familiar concept and a powerful research tool. One of the major features of the InQuest platform is providing that very same RetroHunting functionality across the artifacts traversing your own network. We do this automatically on a weekly basis with each new signature release and/or update, as well expose the functionality to users as an on-demand feature.

This allows users to search back through mass amounts of sessions and files on newly created or recently updated signatures. Weekly releases of new signatures ensures we stay on top of the latest threats and exploits, while RetroHunt makes sure you stay alerted if they appear in your environment. Users are able to leverage both InQuest signatures, and we provide YARA compatibility within our signatures for users to define and/or import their own signatures they wish to scan for.