In incident response cases we use a very simple script that is deployed to every Windows computer in the corporate network to collect event logs, NTFS metadata, entries from the Windows registry and strings from binary files, so that we can reconstruct exactly how the attackers moved through the network. It's holiday season, and it is our pleasure to share this script with you.
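The four collection steps named above (event logs, NTFS metadata, registry keys, strings from binaries) are easy to misjudge in scope, so here is a minimal triage collector in PowerShell. This is an added example written for this page, not the Securelist script being released; the channel list, registry key list, scan directories and minimum string length are assumptions chosen to illustrate the idea, and a real collector would be tuned to the case.

```powershell
# Added example: minimal Windows host triage collector (not the Securelist script).
# Run elevated. Writes everything to one output folder and hashes it at the end.
param(
    [string]$OutDir = (Join-Path $env:SystemDrive "Triage_$($env:COMPUTERNAME)_$(Get-Date -Format yyyyMMdd_HHmmss)"),
    # Assumed: directories where dropped binaries are commonly found.
    [string[]]$BinaryDirs = @("$env:SystemRoot\Temp", "$env:ProgramData", "$env:SystemRoot\System32"),
    [int]$MinStringLength = 8
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Event logs: export the channels that record logons, services and lateral movement.
#    (Assumed set; Sysmon channel is skipped silently if not installed.)
$channels = @(
    'Security', 'System', 'Application',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-Sysmon/Operational'
)
foreach ($ch in $channels) {
    $safe = $ch -replace '[\\/]', '_'
    & wevtutil.exe epl $ch (Join-Path $OutDir "$safe.evtx") 2>$null
}

# 2. NTFS metadata: $STANDARD_INFORMATION timestamps for every file plus alternate data
#    streams, which is where the timeline of attacker activity is reconstructed from.
$root = "$env:SystemDrive\"
Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc, LastAccessTimeUtc, Attributes |
    Export-Csv -Path (Join-Path $OutDir 'ntfs_timeline.csv') -NoTypeInformation -Encoding UTF8
Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length |
    Export-Csv -Path (Join-Path $OutDir 'ntfs_ads.csv') -NoTypeInformation -Encoding UTF8

# 3. Registry: export the persistence and service keys (assumed list).
$regKeys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM\SYSTEM\CurrentControlSet\Services',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $regKeys) {
    $file = Join-Path $OutDir (($k -replace '[\\: ]', '_') + '.reg')
    & reg.exe export $k $file /y | Out-Null
}

# 4. Strings from binaries: printable ASCII runs of at least $MinLength bytes.
function Get-AsciiStrings {
    param([string]$Path, [int]$MinLength = 8)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # ISO-8859-1 maps each byte to one char, so regex offsets equal byte offsets.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") | ForEach-Object { $_.Value }
}
$stringsOut = Join-Path $OutDir 'binary_strings.txt'
Get-ChildItem -Path $BinaryDirs -Include *.exe, *.dll, *.sys -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        "### $($_.FullName) sha256=$sha" | Out-File -FilePath $stringsOut -Append -Encoding UTF8
        Get-AsciiStrings -Path $_.FullName -MinLength $MinStringLength |
            Out-File -FilePath $stringsOut -Append -Encoding UTF8
    }

# Manifest: hash the collected artifacts so their integrity can be checked later.
Get-ChildItem -Path $OutDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation -Encoding UTF8
Write-Host "Triage collection written to $OutDir"
```

The string extractor only handles ASCII; UTF-16LE strings, which Windows binaries are full of, need a second pass with a `(?:[\x20-\x7E]\x00){N,}` pattern. The recursive directory walk over the system drive is slow on large volumes, and on a live system reading $LastAccessTime$ itself updates nothing but does not recover the raw $MFT or $UsnJrnl; for those a raw-volume read or a volume shadow copy is needed.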
Comparing the Regin module 50251 and the “Qwerty” keylogger
Spiegel.de provided a copy of a malicious program codenamed "QWERTY", supposedly used by several governments in their CNE operations. Looking at the code closely, we conclude that the "QWERTY" malware is identical in functionality to the Regin 50251 plugin.
An analysis of Regin’s Hopscotch and Legspin
Perhaps one of the most interesting things we observed in the Regin malware operation are the forgotten codenames for some of its modules. We decided to analyse two of these modules in more detail.
The Icefog APT Hits US Targets With Java Backdoor
In September 2013, we published our extensive analysis of Icefog, an APT campaign that focused on the supply chain, targeting government institutions, military contractors, maritime and ship-building groups. Icefog, also known as "Dagger Panda" under Crowdstrike's naming convention,…
New Uyghur and Tibetan Themed Attacks Using PDF Exploits
On February 12, 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit that is used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode, copied from Dante Alighieri's "Divine Comedy".
Miniduke: Web Based Infection Vector
Together with our partner CrySyS Lab, we've discovered two new, previously unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim's PC. While inspecting one of the C&C servers of Miniduke, we…
Flashfake Mac OS X botnet confirmed
Earlier this week, Dr. Web reported the discovery of a Mac OS X botnet, Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500,000 infected Mac machines.
The mystery of Duqu Framework solved
In my previous blog post about the Duqu Framework, I described one of the biggest remaining mysteries about Duqu: the oddities of the C&C communications module, which appears to have been written in a different language than the rest of the Duqu code.
The Mystery of the Duqu Framework
While analyzing the components of Duqu, we discovered an interesting anomaly in the main component responsible for its business logic, the Payload DLL. We would like to share our findings and ask for help identifying the code.
Stuxnet/Duqu: The Evolution of Drivers
We have been studying the Duqu Trojan for two months now, exploring how it emerged, where it was distributed and how it operates.