Thanks to the incredibly talented community of threat researchers that participated in LabyREnth, the Unit 42 Capture the Flag (CTF) challenge. Now that the challenge is closed, we can finally reveal the solutions of each challenge track. We’ll be rolling out the solutions for one challenge track per week. Next up, the Unix track. …Continue reading
The Hancitor downloader has been relatively quiet since a major campaign back in June 2016. But over the past week, while performing research using Palo Alto Networks AutoFocus, we noticed a large uptick in the delivery of the Hancitor malware family as they shifted away from H1N1 to distribute Pony and Vawtrak executables. In parallel, we received reports from other firms and security researchers seeing similar activity, which pushed us to look into this further.
Figure 1 AutoFocus view of new sessions of Hancitor since July 2016
The delivery method for these documents remained consistent to other common malicious e-mail campaigns. Lures contained subjects related to recent invoices, or other matters requiring the victim’s attention, such as an overdue bill. These lures were expected, until we started digging into the actual documents attached and saw an interesting method within the Visual Basic (VB) macros in the attached documents used for dropping the malware.
This blog will review in detail the dropping technique, which isn’t technically new, but this was the first time we’ve seen it used in this way. The end goal is to identify where the binary was embedded, but we’ll cover the macro and the embedded shellcode throughout this post. …Continue reading
This post is the first in a series by Unit 42 covering the cybercrime underground. Cybercrime persists as an epidemic that continues to worsen every year, with associated impacts and losses steadily growing. In this series, we’ll explore actors, motivations, and the current threat landscape.
Some of what contributes to the growth of the cybercrime underground is the convenience, speed, and anonymity the Internet provides to enable online crimes. Advances in the sophistication of cyberattacks over the past decade closely correlate with two major evolutions: …Continue reading