One output of my most recent script (see my post “Malicious Attachment Analysis Script”) is the ability to build statistics and a data-set for understanding what kinds of malware campaigns are being delivered via email attachments. In October 2020 I received a total of 76,888 emails (2,480 per day) to my spam traps. Obviously not […]
Malicious Attachment Analysis Script
I love collecting malicious emails and samples, trying to make sense of them, creating context and sharing it back with the community. One way I do so is by sharing malicious email attachments with MalwareBazaar and VirusTotal, including context such as email sender, subject and date information. Since doing that, I have heard a few […]
MalwareBazaar by abuse.ch – Python Scripts
MalwareBazaar is a project operated by abuse.ch. The purpose of the project is to collect and share malware samples, helping IT-security researchers and threat analysts protect their constituency and customers from cyber threats. Now that abuse.ch has launched their newest service, MalwareBazaar, I am very happy to share some of the Python […]
Celebrating The 100th Shared MISP Event
Today marks a big day for the security research and protection effort here at vulnerability.ch: we just created and shared our 100th event with the wider MISP community. Thanks to the inclusion of our research in the MISP community provided by CIRCL, we have been able to share and consume indicators of compromise (IOCs) from […]
abuse.ch launches URLhaus, collection of malicious URLs
abuse.ch has recently launched a new project called “URLhaus”. URLhaus is a project with the goal of sharing malicious URLs that are being used for malware distribution. Anybody can register with a Twitter account and share malicious URLs they have detected. The system will download and analyse the payload (trying to identify it) and then […]
From Russia with Love (and some help by Google)
Through some threat hunting on a few OSINT platforms, I discovered a website hosting an image file named “image293.jpg” (SHA-256 6b872d1e949bd9d111168692301414bb685dc5c262ffae6f55f34c8041de0f5f; analyses: VT | HA | ANY.RUN | Joe Sandbox). Trying to download the file shows that it is a redirect to Google’s short-URL service goo.gl. From the link’s statistics page we can see that over 8500 redirects have been […]
CVE-2017-0199 Exploit Builder Python Script
On Monday morning I came across a domain which has directory listing enabled for several subfolders. In most of the folders an Office Word document called “decoy.doc”, a PDF document named “p.doc” (yes, really), an exe and a Python script called “prothemusL_H.py” could be found. That Python script made me curious and I decided to […]
Extracting Payload Urls From Office Docs With CyberChef
For several months now, Emotet has been using various Office document fields (e.g. Author, Comments) for “hiding” the PowerShell code that downloads the exe payload. The actors behind the malware often change little things in their code to make automated extraction of the URLs harder. On November 8th a friend asked me for help on a […]
Links of the Week 2017-07-09
Welcome to my collection of interesting links for the week to the 2017-07-09. The links are in no particular order.
94 .ch & .li domain names hijacked and used for drive-by
Report on July 7, 2017 incident
Schedule for BSidesLV 2017
Attack on Critical Infrastructure Leverages Template Injection
Broadpwn Bug Affects Millions of Android and […]
“You order form:[RANDOM] from 06/05/15 recived;” Attachment Analysis
Today I came across a message which was rather interesting. The mails were received with different subjects, with random company names in them as well as random attachment names. The attachment is a Word document with the “*.doc” extension (never a good sign). A quick analysis shows that the Word document contains a macro script which, when executed, […]