Malware Analysis

This post was authored by Xabier Ugarte Pedrero In July 2017 we released PyREBox, a Python Scriptable Reverse Engineering Sandbox as an open source tool. This project is part of our continuous effort to create new tools to improve our workflows. PyREBox is a versatile instrumentation framework based…

This blog post is authored by Warren Mercer, Paul Rascagneres, Vitor Ventura and with contributions from Jungsoo An. Summary Several days ago, EST Security published a post concerning a fake antivirus malware targeting the Android mobile platform. In the Korean media, it was mentioned that there cou…

Detecting User Interaction Evasion Techniques Malware sometimes checks for user interaction as a form of evasion to avoid being detected by antiviruses and other security software, especially sandbox analysis environments. Threat Grid, Cisco’s advanced sandbox analysis environment, has recently adde…

In the infosec world, it’s well established that time is a precious commodity. Time to detection and time to resolution are critical concepts that can mean the difference between a minor incident and making the news. In order to be effective, security teams need to be able to quickly access data, ga…

The Threat Grid team is always working on improvements to our leading malware analysis and threat intelligence platform. In the latter part of 2017 and into early 2018, the team has released a number of improvements to the User Interface (UI) and workflow, making sure that customers can get to the s…

Let’s talk about API usage. An API is a means of interacting with a program via another program. Just like a UI is a User Interface, an API is an Application Program Interface. Cisco is committed to providing practical, robust, scalable APIs across the Advanced Threat Solutions product space,…

New Cisco Threat Grid dashboard yields faster malware analysis and response Black Hat Europe kicked off just after the X Factor series finale was recorded live at the London ExCel Center, briefly mixing the Network Operations Centre (NOC) and Security Operations Centre (SOC) staff with hordes of tee…

This post was authored by Warren Mercer, Paul Rascagneres and with contributions from Jungsoo An. Earlier this year, Talos published 2 articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads o…

Since public disclosure in April 2017, CVE-2017-0199 has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word. In this recent cam…