Malware Analysis

This blog was authored by Paul Rascagneres. Introduction JavaScript is frequently used by malware authors to execute malicious code on Windows systems because it is powerful, natively available and rarely disabled. Our previous article on .NET analysis generated much interest relating to how to use…

This post is authored by Matthew Molyett. Executive Summary In March, Talos reported on the details of Crypt0l0cker based on an extensive analysis I carried out on the sample binaries. Binaries — plural — because, as noted in the original blog, the Crypt0l0cker payload leveraged numerous…

This blog was authored by Paul Rascagneres and Warren Mercer. Introduction .NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other…

This blog was authored by Paul Rascagneres Executive Summary We recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. The malware used in…

Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execut…

Malware is one of the most prevalent and most insidious forms of cyber attack.  Identifying and eliminating them are critical in minimizing the impact of a breach.  As a cybersecurity incident responder, I always end up performing some level of malicious file analysis.  In this blog, I’ll share some…

The few last days, a malware sample named EyePyramid has received considerable attention, especially in Italy. The Italian police have arrested two suspects and also published a preliminary report of the investigation. This malware is notable due to the targeting of Italian celebrities and politicia…

This is the third and final installment in our technical analysis of the H1N1 loader. In case you missed it, my colleague Josh Reynolds peeled apart the latest variant of H1N1 and analyzed its obfuscation tactics and techniques in the first blog, and in the second blog provides deep technical analys…

This is the second blog in a 3 part series that provides an in-depth technical analysis on the H1N1 malware. You can read the first entry here where I covered the evolution of H1N1, its infection vector and obfuscation techniques. This blog will provide an overview of its execution. H1N1 Execution E…