IR

A new piece of malware is currently being distributed worldwide through phishing campaigns. It is a Trojan RAT that poses as a version of the popular open-source archive utility PeaZip: the authors copied PeaZip's file version information to make the binary look like a legitimate build. Careful analysis shows that it is in fact a Trojan RAT falsely advertised as PeaZip. In this article we analyse the malware and discuss the findings. There are strong indicators that it is a re-packaged version of DarkComet…

Introduction: Keymarble is a trojan that has recently been seen in the wild. US-CERT released initial information about it late last week, available at https://www.us-cert.gov/ncas/analysis-reports/AR18-221A. In this article we analyse the malware and trace its execution flow. We also look at the network IOCs that can be extracted from the sample: some are documented in the US-CERT report linked above, and we'll look at others that have not yet been released publicly. This is a quick analysis that…
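To illustrate the kind of network IOC extraction referred to above, here is an added example that is not code from the original article or from the US-CERT report. It pulls printable ASCII and UTF-16LE strings out of a byte blob, the way `strings -a -el` would on an unpacked sample, then picks out URLs, IPv4 addresses and domains, rejecting dotted quads with an out-of-range octet and file names that merely look like domains, and defangs the results for a report. The byte blob and every address and host name in it are constructed for the demonstration and are not indicators from Keymarble.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample blob (not from any real sample): printable ASCII and UTF-16LE
# strings embedded in junk bytes, the shape of what `strings -a -el` returns.
# 12.345.6.7 is deliberately not a valid IPv4 address; svchost.exe is a file name,
# not a domain, even though it matches a naive host-name pattern.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"http://203.0.113.10/gate.php\x00"
    + b"\xff\xfe" + "update.example.net:443".encode("utf-16-le") + b"\x00\x00"
    + b"garbage\x7f\x80"
    + b"10.0.0.1\x00"
    + b"12.345.6.7\x00"
    + b"C:\\Users\\Public\\svchost.exe\x00"
)

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Last labels that look like a TLD but are really file extensions common in binaries.
FILE_EXTS = {"exe", "dll", "sys", "php", "asp", "aspx", "dat", "tmp", "bat", "ini", "log"}


def extract_strings(data: bytes) -> list:
    """Return printable ASCII and UTF-16LE runs of at least MIN_LEN characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def valid_ipv4(text: str) -> bool:
    """True for a well-formed IPv4 address; rejects octets above 255 (e.g. 12.345.6.7)."""
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address)
    except ValueError:
        return False


def extract_network_iocs(strings) -> dict:
    """Collect URLs, IPv4 addresses and domains from a list of decoded strings."""
    iocs = {"url": set(), "ipv4": set(), "domain": set()}
    for s in strings:
        for url in URL_RE.findall(s):
            iocs["url"].add(url)
            host = urlparse(url).hostname
            if host and not valid_ipv4(host):
                iocs["domain"].add(host.lower())
        iocs["ipv4"].update(ip for ip in IPV4_RE.findall(s) if valid_ipv4(ip))
        for dom in DOMAIN_RE.findall(s):
            # Drop "domains" whose last label is a file extension (svchost.exe, gate.php).
            if dom.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
                iocs["domain"].add(dom.lower())
    return iocs


def defang(ioc: str) -> str:
    """Render an IOC so it cannot be clicked or resolved by accident in a report."""
    return re.sub(r"^http", "hxxp", ioc, flags=re.IGNORECASE).replace(".", "[.]")


if __name__ == "__main__":
    result = extract_network_iocs(extract_strings(SAMPLE))
    for kind, values in result.items():
        for value in sorted(values):
            print(f"{kind:6} {defang(value)}")
```

On a real sample, feed the bytes of the unpacked binary (or a memory dump, where packed samples keep their C2 strings) to `extract_strings`; the port in `update.example.net:443` is left attached to the string so it stays visible when you review the raw output, while the domain set holds only the host.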

Following a presentation I did for a SANS community night in Melbourne, Australia recently, many attendees asked if I could provide the graphical timeline I presented, which showed the events leading up to the discovery of WannaCry in May 2017. Below is that timeline, with events unique to the WannaCry variant that got a lot of attention in the mainstream news in May 2017. I've tried not to dive too far down the rabbit hole of the EternalBlue exploit and its use in other malware, which is most certainly occurring in the wild. I've…

Machine learning, security analytics, behavioural analytics, call it whatever you like, but will it really uncover hidden security incidents in your network? For the purpose of this article, I am going to refer to machine learning, security analytics, behaviour analytics, user-based anomaly detection, and all the other flavours in between as "machine learning". Yes, I understand they can all be different and represent different areas; however, I want to discuss the application of machine-based detection to finding security incidents versus human-based detection. I have to say up front that I am not a data…

One of my common bugbears with businesses is the idea that a Distributed Denial of Service (DDoS) attack is an incident that should be managed and handled by your Cyber Security Incident Response team. It's not, and here is why. Receiving rubbish traffic at a web server, or any service for that matter, that you put on the internet is just part of being online, and businesses need to accept this up front and plan for it. It's no different from planning a car journey: you decide on the best route with the least traffic, and when there is…