CSCBE Challenge Write-up – Trace Me

This is the first post in a series of write-ups on some of the challenges that were tackled by students during our Cyber Security Challenge Belgium this month. Credits: all challenges of the Cyber Security Challenge Belgium are created by security professionals from many different organisations. The TraceMe challenge in particular was created by Vasileios Friligkos, one …

New Hancitor maldocs keep on coming…

Didier Stevens will provide NVISO training on malicious documents at Brucon Spring: Malicious Documents for Blue and Red Teams. For more than half a year now we have been seeing malicious Office documents delivering Hancitor malware via a combination of VBA, shellcode and an embedded executable. The VBA code decodes and executes the shellcode, the shellcode hunts for the …

.LNK downloader and bitsadmin.exe in malicious Office document

We received a malicious Office document (529581c1418fceda983336b002297a8e) that tricks the user into clicking an embedded LNK file, which in turn uses the Microsoft Background Intelligent Transfer Service (BITS) to download a malicious binary from the internet. The following Word document (in Japanese) claims to be an invoice; the user must click the Word icon to generate …

Developing complex Suricata rules with Lua – part 2

In part 1 we showed a Lua program that lets Suricata detect PDF documents with obfuscated /JavaScript names. In this second part we provide some tips to streamline the development of such programs. When it comes to developing Lua programs, Suricata is not the best development environment. The "write code & test" cycle with Suricata can …

Developing complex Suricata rules with Lua – part 1

The Suricata detection engine supports rules written in the embeddable scripting language Lua. In this post we give a PoC Lua script to detect PDF documents with name obfuscation. One of the elements that make up a PDF is a name. A name is a reserved word that starts with the character / followed by alphanumerical characters. Example: /JavaScript. …

Analyzing obfuscated scripts using nothing but a text editor

In this blog post, we will perform an analysis on some obfuscated scripts that we received. These files were already detected by automated scanners, but as these are mainly malware droppers, we figured it could be interesting to do some manual analysis to determine where the actual malware is hosted. The first sample we will …