Channel: Blaze's Security Blog

Notes on Linux/BillGates

In a previous blog post, I wrote some (extensive) notes on Linux/Xor.DDoS, also known as just Xor.DDoS, an interesting type of Linux malware. You can find that particular blog below, in which I give...

StorageCrypt ransomware, a coinminer and more

Lawrence over at Bleeping Computer posted an interesting blog yesterday: StorageCrypt Ransomware Infecting NAS Devices Using SambaCry. In that blog, Lawrence pointed out quite some users had issues with a...

Quickpost: SteamStealers via Github

Back in 2014, I created a blog post named 'Malware spreading via Steam chat', where I analysed and discussed one of the first 'SteamStealers' - malware that is exclusively targeting gamers, or at least...

Malware Analysis, Threat Intelligence and Reverse Engineering: workshop slides

Last month, when I was in-between jobs, I gave a workshop for a group of 20-25 enthusiastic women, all either starting in infosec, or with an interest to start in this field. The event, now obviously...

Fake Steam Desktop Authenticator steals account details

In this blog post, we'll have a quick look at fake versions of Steam Desktop Authenticator (SDA), which is a "desktop implementation of Steam's mobile authenticator app". Lava from SteamRep brought me...

Maktub ransomware: possibly rebranded as Iron

In this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker. Hasherezade from Malwarebytes has,...

CryptoWire ransomware not dead

CryptoWire is an "open-source" ransomware based on the AutoIT scripting language, and has been around since 2016. For some background, read the following post on Bleeping Computer: "Proof of Concept"...

This is Spartacus: new ransomware on the block

In this blog post, we'll analyse Spartacus, one of many new ransomware families popping up in 2018. Analysis. This instance of Spartacus ransomware has the following properties: MD5;...

Satan ransomware adds EternalBlue exploit

Today, MalwareHunterTeam reached out to me about a possible new variant of Satan ransomware. Satan ransomware itself has been around since January 2017 as reported by Bleeping Computer. In this blog post...

Ransomnix ransomware variant encrypts websites

Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.This ransomware was discovered in the second...

Vietnamese test-ransomware wants you to add credit to a mobile phone

In this quick blog post we'll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone. Update: 2018-05-06, scroll down for the update, added to the...

PSCrypt ransomware: back in business

PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine, and the malware itself is based on GlobeImposter ("GI") ransomware. I've written about...

RedEye ransomware: there's more than meets the eye

A rather anonymous account reached out to me on Twitter asking to check out a "scary & really nasty" sample.It turned out to be RedEye ransomware, a new strain or variant by the same creator of...

MAFIA ransomware targeting users in Korea

A new ransomware family was discovered and sent to me by MalwareHunterTeam, which we'll call MAFIA due to the extension it uses to encrypt files. The ransomware appears to target users in Korea, and...

Analysing a massive Office 365 phishing campaign

Last week, a friend of mine reached out with a query: a contact in his address book had sent him a suspicious email. As it turns out, it was. In this blog post, we'll have a quick look at an Office 365...

Run applications and scripts using Acer's RunCmd

This weekend I was cleaning up an old Acer laptop of mine and discovered a hidden folder on the root drive, C:\OEM. Inside are a bunch of interesting files; one of these is a tool called...

Monero download site and binaries compromised

Introduction. Earlier this evening I saw a tweet appear which claimed Monero has been hacked and a malicious binary (instead of the real one) has been served: Warning Monero users: If you downloaded...

Satan ransomware rebrands as 5ss5c ransomware

The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named "5ss5c". In a previous blog post, Satan...

Blue Team Puzzle

Several years ago, I created a "malware puzzle" - basically, a crossword puzzle but with terms related to malware. You can find that puzzle here:...

Digital artists targeted in RedLine infostealer campaign

In this post, we'll look at a campaign that targeted multiple 3D or digital artists using NFTs with malware named RedLine. This malware is a so-called "infostealer" or "information stealer" that is...

Yara rules collection

Quite a while ago, I published some of my private Yara rules online, on Github. They can be found here: https://github.com/bartblaze/Yara-rules. There are two workflows running on that Github...

Fara: Faux YARA

FARA, or Faux YARA, is a simple repository that contains a set of purposefully erroneous Yara rules. It is meant as a training vehicle for new security analysts, those that are new to Yara and even...

Analyse, hunt and classify malware using .NET metadata

Introduction. Earlier last week, I ran into a sample that turned out to be PureCrypter, a loader and obfuscator for all different kinds of malware such as Agent Tesla and RedLine. Upon further...

New North Korean based backdoor packs a punch

In recent months, North Korean-based threat actors have been ramping up attack campaigns in order to achieve a myriad of their objectives, whether it be financial gain or with espionage purposes in...

Microsoft Word and Sandboxes

Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun. Collect user name from Microsoft Office. Most sandboxes will trigger somehow or something if a tool or malware...
