One of my favorite Twitter accounts from the last several years was @cobaltstrikebot, mainly because it was an awesome source of threat intelligence for Cobalt Strike beacons in the wild. The accou...

It’s that time of year again - 100 Days of YARA! In this post I want to walk through how I use YARA to document malware analysis findings. YARA has loads of different use cases: Detecting malic...

It’s not unusual for adversaries to explore new and unusual ways to implement loader malware, and lately I’ve been looking at JPHP-based loader malware. This kind of loader doesn’t get a lot of att...

In mid-February, TA577 experimented with a Java Archive (JAR) dropper to deliver Pikabot to their victims. In this post I’ll explore some static analysis of that dropper to show how we can get info...

In a previous blog post I mentioned how adversaries using VHD files to distribute malware can leave around a lot more data than they intend, including identifiable data for tracking. In this post I...

Adversaries use lots of different file formats to distribute malware and one of my favorites has to be Virtual Hard Disk (VHD) files. You may have seen VHD files used with virtualization solutions ...

As folks get into malware analysis they naturally develop their own personal style of triage process based on data that is usually important to them. For example, I go through a process to determin...

Adversaries love to use pre-made tools for remote access and one perennial favorite is the legitimate NetSupport Manager. This post is a short and sweet look at a malicious installer that distribut...

Earlier today, @MalwareHunterTeam posted on Twitter about a malicious MSI file masquerading as a Rufus installer. Searching for "rufus" in Google right now gives 2 ads that are obviously...

Earlier in January, Unit42 and Brad (@malware_traffic) posted tweets with some details on an instance of OriginLogger floating around in the wild. #pcap of the infection traffic, sanitized copy of...