This short and sweet blog post will cover some recent additions to my Malware Hunting repo.
A good part of my (spare) time over the past few months has been devoted to constantly building upon my BSides Wellington talk, which – because I like to practice what I preach (and only preach what I truly believe in) – has also involved rolling out a good deal of the content of the talk to my workplace network… the defensive measures that is, not the malware. All I can say is Bro + Critical Stack Intel Client + ELK = badass!
Besides a new project of mine that is investigating the use of neural networks to carry out phishing campaigns (more on this at a later date!), and the upcoming Christchurch Hacker Conference, my main project remains my malware tracker (2017-12-01: decommissioned). So I thought I’d take the chance to run through some of the features and data it offers. But first, I’ll briefly cover off perhaps the most common query I receive concerning it: where does the data come from?
Over the past couple of months I’ve been preparing a talk entitled ‘Beer, Bacon and Blue Teaming’. It covers building solid defense on a shoestring budget, with an outline along the lines of:
- OSINT sources.
- Spam traps.
- Automated analysis.
- Dissecting LuminosityLink:
  - Configuration extraction.
  - Yara rule creation.
In this short blog post I’ll run over a few of these items briefly. Continue reading “missing links”
This is just a short post detailing a quick trick to remove VBA project protection in MS Office documents, tested with a Word 2003 document attached to a banking-themed email.
The document in question is one of a range that arrives as an attachment, apparently from one of several Australian/NZ banks (as outlined here).
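The post does not say which trick it uses, so the following is an added illustration rather than the post's own method: the widely documented approach of renaming the `DPB=` key in the VBA `PROJECT` stream (the hex-editor trick). Office then fails to parse the stored password hash, reports an error on opening the VBA editor, and loads the project without enforcing protection. The function names, the fake OLE2 header and the sample `PROJECT` stream below are all constructed for this example; the script also shows why the same raw byte patch does not work on a `.docm`, whose `vbaProject.bin` sits deflate-compressed inside a ZIP and has to be rewritten.

```python
import io
import zipfile
from typing import Tuple

# Container magics: legacy binary Office (OLE2 compound file) vs. OOXML (ZIP).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# The PROJECT stream keeps the protection password as a hex blob on a line
# that starts with "DPB=". Renaming that key to something the VBA loader does
# not recognise ("DPx=" keeps the length identical, so the OLE sector map and
# stream sizes stay valid) is the classic way to drop the protection.
DPB_KEY = b"DPB="
PATCHED_KEY = b"DPx="


def patch_project_stream(blob: bytes) -> Tuple[bytes, int]:
    """Patch every DPB= occurrence in raw bytes holding the PROJECT stream.

    Caveat (assumption, not checked here): a raw-bytes patch only works when the
    4-byte key does not straddle a (mini)sector boundary inside the OLE file;
    a count of 0 on a file known to be protected is the signal to fall back to
    an OLE-aware tool and patch the stream contents directly.
    """
    count = blob.count(DPB_KEY)
    return blob.replace(DPB_KEY, PATCHED_KEY), count


def _patch_ooxml(doc: bytes) -> Tuple[bytes, int]:
    """Rewrite an OOXML package, patching the embedded OLE2 vbaProject.bin part."""
    total = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.lower().endswith("vbaproject.bin"):
                data, n = patch_project_stream(data)
                total += n
            dst.writestr(info, data)  # keeps the original compression settings
    return out.getvalue(), total


def unprotect_document(doc: bytes) -> Tuple[bytes, int]:
    """Dispatch on container type and return (patched_document, patches_made)."""
    if doc.startswith(OLE_MAGIC):
        # .doc/.xls/.ppt: the PROJECT stream is stored uncompressed, raw patch works.
        return patch_project_stream(doc)
    if doc.startswith(ZIP_MAGIC):
        # .docm/.xlsm: deflate hides the bytes, so the part must be re-packed.
        return _patch_ooxml(doc)
    raise ValueError("not an OLE2 compound file or an OOXML package")


def read_vba_part(docm: bytes) -> bytes:
    """Helper for inspection: return the vbaProject.bin part of an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(docm)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                return z.read(name)
    return b""


# Constructed sample (not a real document): a fake OLE2 header followed by the
# text lines of a protected PROJECT stream. Real files embed the stream in sectors.
SAMPLE_PROJECT_STREAM = (
    b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    b"Document=ThisDocument/&H00000000\r\n"
    b"Module=Module1\r\n"
    b'Name="Project"\r\n'
    b'CMG="2A28F6A1F8A5F8A5F8A5F8A5"\r\n'
    b'DPB="5456884C4E4CB1E3B1E3B1E3"\r\n'
    b'GC="7E7CA2E6A3E6A3E6A3"\r\n'
)
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 24 + SAMPLE_PROJECT_STREAM


def build_sample_docm() -> bytes:
    """Constructed .docm-style package wrapping SAMPLE_DOC as vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", SAMPLE_DOC)
    return buf.getvalue()


if __name__ == "__main__":
    patched_doc, n_doc = unprotect_document(SAMPLE_DOC)
    print("legacy .doc: patched", n_doc, "DPB key(s), size unchanged:",
          len(patched_doc) == len(SAMPLE_DOC))
    docm = build_sample_docm()
    print("raw patch on .docm finds", patch_project_stream(docm)[1], "keys (deflate hides them)")
    patched_docm, n_docm = unprotect_document(docm)
    print("ZIP-aware patch on .docm: patched", n_docm, "key(s)")
```

Run it against a copy of the document, never the original, and check that the count is non-zero before opening the result; after Office reports the load error the project can be opened and a new password set or the protection cleared from the project properties dialog.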
In my younger years I had all sorts of collections: books, bottle caps, rocks, coins, action figures, movies, etc. Now, most of those collections sit at the back of my parents shed – although I do still have a tendency to hoard movies.
Naja: a genus of venomous elapid snakes known as cobras. Pseudonaja textilis, more commonly known as the Eastern brown snake, is considered the world’s second most venomous land snake based on its LD50 value in mice.
Naja – in this instance – is a Windows trojan I developed in Python, inspired by several other Python projects (mentioned throughout this post). It uses Metasploit shellcode to establish a reverse connection from the target back to the operator. It is distributed in two parts and makes heavy use of various encoding mechanisms and encryption, in conjunction with process injection, to bypass antivirus and other mitigations such as Microsoft’s EMET.
Note: This post was originally made on 16 Dec ’14, but has since been updated.
Continue reading “stealthy, like a snake”