incident – Insinuator.net

Misc

October 30, 2019 by Frank Block

Dissection of an Incident – Part 2

After our last blogpost regarding Emotet and several other Emotet and Ransomware samples that we encountered, we recently stumbled across a variant belonging to the Gozi, ISFB, Dreambot respectively Ursnif family. In this blogpost, we want to share our insights from the analysis of this malware, whose malware family is mainly known for being a banking trojan that typically tries to infect browser sessions and sniff/redirect data. In particular, we are going to provide details about the first stage Word Document, the embedded JavaScript/XSL document, an in-depth runtime analysis of the downloaded executable, and some details regarding detection.

Also, with this blog post, we are releasing a Rekall plugin called pointerdetector that enumerates all exported functions from all DLLs and searches the memory for any pointer to them (essentially a search for dynamically resolved APIs). This plugin can assist in identifying dynamically resolved APIs and especially memory regions containing DLLs loaded with techniques such as reflective DLL injection. This blog post will contain some examples illustrating the usage of this plugin, as well.

If you are interested in a hands-on analysis of Incidents and malicious files, we are giving another round of our Incident Analysis workshop at Troopers20.

Continue reading “Dissection of an Incident – Part 2”

Misc

August 9, 2019 by Friedwart Kuhn

A Follow-Up on the Heisec Webinar on Emotet & Some Active Directory Security Sources

Some weeks ago, Heinrich and I had the pleasure to participate in the heisec-Webinar “Emotet bei Heise – Lernen aus unseren Fehlern”. We really enjoyed the webinar and the (alas, due to the format: too short) discussions and we hope we could contribute to understand how to make Active Directory implementations out there a bit safer in the future.

Continue reading “A Follow-Up on the Heisec Webinar on Emotet & Some Active Directory Security Sources”

Misc

July 18, 2019 by Dr. Andreas Dewald

Emotet at Heise, Emotet there, Emotet everywhere – Dissection of an Incident

After the Emotet Incident at Heise, where ERNW has been consulted for Incident Response, we decided to start a blogpost series, in which we want to regularly report on current attacks that we observe. In particular we want to provide details about the utilized pieces of malware, different stages, and techniques used for the initial infection and lateral movement. We hope that this information might help you to detect ongoing incidents, apply countermeasures, and in the best case to figure out proactive countermeasures and security controls beforehand.

Continue reading “Emotet at Heise, Emotet there, Emotet everywhere – Dissection of an Incident”

Misc

February 24, 2017 by Birk Kauer

Cloudflare Incident #Cloudbleed

Exactly one week ago I noticed an “urgent” tweet from Tavis Ormandy to get in contact with the Cloudflare team.
Normally when a tweet like this appears from Tavis, something is horribly broken. Well, today we know the background of this tweet as the bug tracker issue went public and it exposed quite a bug from Cloudflare. Continue reading “Cloudflare Incident #Cloudbleed”

Misc

February 1, 2017 by Dr. Andreas Dewald

White Paper on Incident Handling First Steps, Preparation Plans, and Process Models

We just published my Whitepaper about First Steps, Preparation Plans, and Process Models for Incident Handling, that I wrote to pass the time between Christmas and New Year. The whitepaper sums up information that I consider to be useful to prepare for IT security incidents as a conclusion from the incidents in which we supported over the past year. Continue reading “White Paper on Incident Handling First Steps, Preparation Plans, and Process Models”