We have started to see malware authors use embedded Visual Basic (VBA) macros in many unconventional file types to attack hosts. In response to this trend, VMRay Analyzer V 2.0 now supports the analysis of Microsoft Access and Microsoft Publisher files. Support for analysis of new sample types means greater coverage of an attack surface […]Read More "Analyzing Malware Embedded in MS Publisher Files"
VMRay Analyzer V 2.0 will be released this week and we’ll be presenting it at the RSA Conference next week. If you are attending, contact us for a demo. The latest release has many new features including the addition of a built-in reputation engine that identifies known malicious or known benign files in milliseconds, support for […]Read More "VMRay Analyzer V 2.0: Introducing the Reputation Engine"
This past week, a new Ransomware variant called Spora was spotted in the wild. Currently, Spora only targets Russian-speaking users. What’s interesting about this Ransomware is that its payment site is so well designed, one could think they are running a legitimate business. The dropper for Spora is basically an HTML application (.hta) that executes VBScript. […]Read More "Spora Ransomware Dropper Uses HTA to Infect System"
A new code injection technique is effective in bypassing most analysis and detection methods. Code injection has been a favorite technique of malware authors for many years. Injecting malicious code into an otherwise-benign process is an effective way of masking malware from anti-virus and sandbox detection. It is used to bypass end-host firewalls and to evade sandbox monitoring. […]Read More "AtomBombing Evasion and Detection"
There have been several variants of the Hancitor malware family seen in the wild over the past several months. Recently, Carbon Black, a VMRay integration partner, provided an in-depth analysis of a specific strain of the Hancitor Malware family that uses a Microsoft calendar identifier to deliver malware to unsuspecting users. We did a full analysis in […]Read More "Hancitor Uses Microsoft Word to Deliver Malware"
Sharing is caring. Nowhere is this more true than for defenders that need to be able to quickly and seamlessly share critical information about malware and the attackers behind them. In the jargon of our industry that means using TIPs (Threat Intelligence Platforms) to ingest, export and correlate IOCs (Indicators of Compromise) and the TTPs (Tactics, […]Read More "Threat intelligence sharing with MISP and VMRay"
This is our final post in a series on sandbox evasion techniques used by malware today. We started with a primer, and then covered the two other main categories of sandbox evasion techniques: Sandbox Detection: Detecting the presence of a sandbox (and only showing benign behavior patterns on detection) Exploiting Sandbox Gaps: Exploiting weaknesses or […]Read More "Sandbox Evasion Techniques – Part 4"
This post is the third part in a series on sandbox evasion techniques used by malware today. We originally posted a primer, outlining the three main categories of evasion techniques by malware authors: Sandbox Detection: Detecting the presence of a sandbox (and only showing benign behavior patterns on detection) Exploiting Sandbox Gaps: Exploiting weaknesses or […]Read More "Sandbox Evasion Techniques – Part 3"
In our initial post on sandbox evasion we outlined the three main categories of sandbox evasion techniques: Sandbox Detection: Detecting the presence of a sandbox (and only showing benign behavior patterns on detection) Exploiting Sandbox Gaps: Exploiting weaknesses or gaps in sandbox technology or in the ecosystem Context-Aware Malware: Using time/event/environment-based triggers (that are not […]Read More "Sandbox Evasion Techniques – Part 2"