Malware Analysis

6 Best Practices for your Malware Sandbox Proof of Concept

Any time you incorporate a major new component—such as a sandbox platform—into your security ecosystem, it’s important to do a rigorous, side-by-side evaluation of competing products to determine the best choice for your situation. But a proof of concept is about more than detection rates and vendor scores. It’s also a chance to get a […]

Malware Analysis, Product Features

Analyzing Malware Embedded in MS Publisher Files

We have started to see malware authors embed Visual Basic for Applications (VBA) macros in many unconventional file types to attack hosts. In response to this trend, VMRay Analyzer V 2.0 now supports the analysis of Microsoft Access and Microsoft Publisher files. Support for analysis of new sample types means greater coverage of an attack surface […]

Malware Analysis

Spora Ransomware Dropper Uses HTA to Infect System

This past week, a new ransomware variant called Spora was spotted in the wild. Currently, Spora only targets Russian-speaking users. What’s interesting about this ransomware is that its payment site is so well designed that one could think its operators are running a legitimate business. The dropper for Spora is basically an HTML application (.hta) that executes VBScript. […]

Malware Analysis

AtomBombing Evasion and Detection

A new code injection technique is effective in bypassing most analysis and detection methods. Code injection has been a favorite technique of malware authors for many years. Injecting malicious code into an otherwise-benign process is an effective way of masking malware from anti-virus and sandbox detection. It is used to bypass end-host firewalls and to evade sandbox monitoring. […]

Malware Analysis

Goldeneye Ransomware Uses COM to Execute Malicious JavaScript

There is a new ransomware spreading in Germany called Goldeneye, which is a variant of Petya. It targets German-speaking users via email by attaching a job application (Bewerbung) in Excel format (.xls). At the time we started analyzing the Goldeneye malware, VirusTotal scored it 9/54, but the score varied between attachments; some were as low […]

Malware Analysis

Hancitor Uses Microsoft Word to Deliver Malware

There have been several variants of the Hancitor malware family seen in the wild over the past several months. Recently, Carbon Black, a VMRay integration partner, provided an in-depth analysis of a specific strain of the Hancitor malware family that uses a Microsoft calendar identifier to deliver malware to unsuspecting users. We did a full analysis in […]

Malware Analysis

Malware uses Java Archive (JAR)

What’s old is new again: malware uses two-decade-old technology to evade detection. Say what you will about cybercriminals, there is surely no corner of the tech world that embraces fast innovation better. They certainly have the motivation. Their payoff only occurs once malware jumps through multiple hurdles, bypassing and evading whatever security barriers our industry […]

Malware Analysis

Malicious Word doc uses ActiveX to infect

A malicious Word doc was recently shared with us that used just about every trick in the book to infect a machine, yet it initially had zero detections on VirusTotal. At the time of this blog post, detections had improved somewhat, to a less-than-impressive 2/55. Likewise, the file was unknown on Metadefender; submitting it for analysis showed […]

Cyber Security, Malware Analysis

Decoding the Screenlocker (Ransomlock) Activation key

Recently our team analyzed FreeDownloadManager.exe, a piece of screen-locking malware, or Ransomlock. Victims get a screen that looks like a Windows activation screen. They are prompted to call a toll-free number, where they would presumably be asked to pay a fee in return for the ‘activation code’ that would unlock the victim’s computer. Fortunately, our team was […]

Cyber Security, Malware Analysis

Word macro uses WMI to detect VM environments

We recently came across an interesting malicious Word document that used an embedded Word macro to detect whether it was being opened inside a VM. If no VM was detected, the macro proceeded to attempt to download a payload (an executable) to infect the machine. Let’s take a look at our analysis and how VMRay’s Function […]
