Barracuda

Reclaim Your Network

You are here: Home / Archives for Jonathan Tanner

NotPetya – Both More and Less than it Seems

by Leave a Comment

This week has been abuzz with articles on the new Petya outbreak, now being commonly referred to as NotPetya. Initially, the new malware outbreak was observed to have many of the same characteristics of the Petya ransomware from last year as it rewrites the master boot record of victim's computer with a ransom note claiming that the disk has been encrypted and giving instructions on how to pay the ransom to recover files. Early on, differences in NotPetya were noted such as using a single email address as a point of contact rather than using the Tor network to facilitate ransom payment and recovery key distribution. On June 28th, https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b revealed that NotPetya is, in fact, a disk wiper and not ransomware, overwriting the disk in a way that is not reversible, likely much to the dismay of those infected.

Click here for larger image
[Read more…]

Fileception – Malicious Files Embedded in Other Files (Again)

by Leave a Comment

Combining file formats is one of many techniques attackers use in an attempt to evade detection. One such instance I've already written about where JavaScript files were embedded into Microsoft Word documents . This previous technique was amidst a long-running and still ongoing campaign of JavaScript malware, simply leveraging the same payload in a new container to throw off detection systems. Shortly after the writing of the previous blog post, Microsoft Word document-based malware (typically with macros rather than JavaScript) was on the rise. Once again the same principle has been leveraged, this time encapsulating the macro-containing Word malware into Adobe Acrobat files (PDFs).

[Read more…]

JavaScript Malware Gets a New Look

by Leave a Comment

Since at least December 2015, JavaScript has been a popular attack method for email malware. The most common distribution method was as a heavily obfuscated JavaScript file inside of a ZIP file and outbreaks of this sort peaked during spring and early summer of 2016. Recently this sort of attack has subsided greatly and older-style Microsoft Word documents (OLE-encoded) with macros have seemed to become the preferred delivery method of email-based malware.

Recently, however, some malware samples were brought to my attention that were quite unique and yet all-too-familiar upon analysis. They were the newer OOXML version of Microsoft Word documents (commonly seen with the docx file extension, as they were in this case). As this file type is basically a ZIP file containing various other files, including XML as the type suggests, it was easy to extract the files and take a look. To my surprise, no macros were present in the document. In fact, the only noteworthy files were two OLE-encoded files which are most commonly used for embedding content from a different Microsoft Office application, such as a chart from an Excel spreadsheet. Using a common tool for analyzing OLE files on the first and larger of the two files led to an interesting find: something very reminiscent of our old friend, JavaScript.

[Read more…]

Barracuda

Resources


Websites

Contact Us

Follow Us