During the analysis of some malicious artifacts collected from an incident, we have recently detected a sample that has caught our attention, the sample was deployed on a server exposed to the Internet and was packed with “VMProtect”. After analyzing this malware sample we could see that it was a recent version of a tool […]
Exploiting APT data for fun and (no) profit
Acquisition and processing When attending to talks about APT -or when giving them- sometimes you hear sentences like “most threat actors are focused on information theft” or “Russia is one of the most active actors in APT landscape”. But, where do all those sentences come from? We have spent a whole night exploiting APT data […]
A twisted malware infection chain
Recently, a malware dropper received by mail has caught our attention as we have detected different samples sent to multiple targets in Spain, Portugal, Italy and Norway, although it has probably reached many more European countries. Firstly, it is characteristic that it lands on the victim in PPT format, while it has been much more […]
IOC are dead, long live IOC!
An indicator of compromise (IOC) can be defined as a piece of information that can be used to identify a potential compromise of the infrastructure: from a simple IP address to a set of tactics, techniques and procedures used by an attacker during a campaign. Although when we think about IOC in our mind are […]
Recent FK_Undead rootkit samples found in the wild
Malware that works at Ring0, generally known as rootkit, is one of the most concerning in many environments because it shares privileges and capabilities with antivirus and EDR solutions, which greatly complicates its detection as far as they can tamper and/or hide the data that allows its detection with relative ease. One of these examples […]
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
Recently, from Lab52 we have detected a recent malware sample, using the Dll-Sideload technique with a legitimate binary, to load a threat. This particular sample has a very small DLL, that loads an encrypted file, which after being decrypted consists of a sample of the PlugX Trojan. This technique, and final threat together, consists of […]