Formbook is one of the threats that I categorize as part of the “background noise of exploitation” on the internet. While targeted attacks occur in scoped areas, anyone can go buy access for Formbo...

In this quick post I’m taking a look at a PowerPoint file with macros on board! According to MalwareBazaar’s tags, it was reported in association with the group “Aggah”. If you want to follow along...

This post is dedicated to Josh Rickard (@MSAdministrator on Twitter) since his feedback on my blog posts has cut my triage time on MSI files down in a massive way! After writing an analysis of a MS...

Just like with RTF documents, adversaries can use XLSX spreadsheets to exploit the Microsoft Office Equation Editor. To add a little bit of complication on top, adversaries also sometimes like to e...

When adversaries buy and deploy threats like AgentTesla you often see this functional and entertaining chain of older exploitation activity with some .NET framework tradecraft you’d expect from som...

In my last post I walked through the analysis of an unusual MSI file that an adversary had tacked a STRRAT Java ARchive file to the end of the MSI contents. In this post, I want to walk through a m...

Adversaries can get really creative with ways to hide and execute payloads. In this post I’ll cover one instance where an adversary appended STRRAT to a MSI file to make it look legitimate during a...

I personally despise trying to analyze shellcode, but shellcode is becoming more common in malware of all types. From Metasploit and Cobalt Strike to GuLoader, loads of malicious tools include shel...

One of my colleagues made a statement recently about how commonplace process injection has become among malware, to the point where it seems adversaries don’t have to think about the injection tech...

Malware comes in all shapes and sizes, and in the case of BazarISO it comes in the form of an ISO file that contains a malicious shortcut and an executable. In this post I’ll tear apart the ISO to ...