“Squirrelwaffle” Maldoc Analysis

“Squirrelwaffle” Maldoc Analysis

Summary Squirrelwaffle is an emerging malware threat noted by several security researchers beginning around September 13th. TheAnalyst, @ffforward noted a new payload delivered on the “TR” botnet. Brad Duncan at Malware Traffic Analysis also observed that this new loader was being delivered by the same “TR” infrastructure that historically delivered the Qakbot banking trojan. He…

Quick Post: Mummy Spider Delivers Emotet Maldocs for the Holidays

Quick Post: Mummy Spider Delivers Emotet Maldocs for the Holidays

Emotet is a modular malware delivery platform that has consistently dominated the commodity malware threat landscape over the past couple of years. It has evolved from a straightforward banking trojan into a full-fledged malware distribution service, delivering a variety of payloads for other threat actor groups. The U.S. Department of Homeland Security states that Emotet infections cost state…

Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs

Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs

Emotet is a modular malware delivery platform that has consistently dominated the commodity malware threat landscape over the past couple of years. It has evolved from a straightforward banking trojan into a full-fledged malware distribution service, delivering a variety of payloads for other threat actor groups. The U.S. Department of Homeland Security states that Emotet infections cost state…

New Obfuscation Techniques in Emotet Maldocs

New Obfuscation Techniques in Emotet Maldocs

Summary Emotet is a modular malware delivery platform that has consistently dominated the commodity malware threat landscape over the past couple of years. It has evolved from a straightforward banking trojan into a full-fledged malware distribution service, delivering a variety of payloads for other threat actor groups. The U.S. Department of Homeland Security states that Emotet infections…

Quick Post: Analyzing Maldoc with “Do While” Loop in VBA Downloader

Quick Post: Analyzing Maldoc with “Do While” Loop in VBA Downloader

Summary Emotet is a modular malware delivery platform that has consistently dominated the commodity malware threat landscape over the past couple of years. It has evolved from a straightforward banking trojan into a full-fledged malware distribution service, delivering a variety of payloads for other threat actor groups. The U.S. Department of Homeland Security states that…

Analysis of a New Emotet Maldoc with VBA Downloader

Analysis of a New Emotet Maldoc with VBA Downloader

Summary Emotet is a modular delivery platform that has consistently dominated the commodity malware threat landscape over the past couple of years. It has evolved from a straightforward banking trojan into a full-fledged malware distribution service, delivering a variety of payloads for other threat actor groups. The U.S. Department of Homeland Security states that Emotet…

FlawedAmmyy RAT & Excel 4.0 Macros

FlawedAmmyy RAT & Excel 4.0 Macros

Summary According to Proofpoint’s Q4 2018 Quarterly Threat Report, the volume of Remote Access Tools (RATs) significantly increased from 2017 to 2018. Previously, RATs only accounted for just .04% of all observed malware in the email channel. However, by Q4 of 2018, this figure increased to over 8%, and a RAT variant known as FlawedAmmyy…

How To: Extract Network Indicators of Compromise (IOCs) from Maldoc Macros — Part 3

How To: Extract Network Indicators of Compromise (IOCs) from Maldoc Macros — Part 3

read time = 5 minutes Summary This is the third in a series of posts exploring fundamental malware analysis techniques. Please check out Part 1 and Part 2 for some additional background. The following techniques are presented as an alternative to automated sandboxing, which are effective and powerful tools. However, as we showed in Part…