Posts

Showing posts from 2016

Analysis of a Dridex maldoc pre-Locky

The latest trends on the security threat landscape have mainly been ransomware distributed via infected websites and banking trojans distributed via malicious documents attached to phishing emails. In particular, the Dridex banking trojan has been one of the most active threats. Last week the two threats merged and Dridex began distributing Locky ransomware as well.
In this post we will go through the analysis of a malicious Office document delivering the Dridex banking trojan, which was spreading just the day before it switched to Locky, and we will show the similarities between the two actors that make us believe the same actor is behind both.

Introduction
On Friday February 12th, we observed a big wave of phishing attempts, over 700, which looked like the following:
Sender: fpo.cc.XX@vosa.gsi.gov.uk
Subject: DVSA RECEIPT
Attachment: Fixed Penalty Receipt.docm
MD5 Checksum: 50e1c94e43f05f593babddb488f1a2f9

Where XX are two random digits. A few days later, on Monday February 15th, we observed a second, bigger wave, …

Windows ReVaulting

Windows Vaults and Credentials allow the user to store sensitive information, such as user names and passwords, that can later be used to log on to web sites, services and computers. This post shows how such data is protected and how you can decrypt it offline.

This post is a very late debriefing of the talk I gave at SANS DFIR Summit Prague 2015 and it's the first of two posts. You can download the slides from SANS Summit Archives or from SlideShare.


Introduction
I've never used the Vault/Credential facility on purpose, even if the system used it without my knowledge: it's worthwhile to know that Windows autonomously uses it almost every day. In any case, we can find sensitive information there, and this is the reason I started this research, so as to have a few more strings to my ODI (Offensive Digital Investigations) bow.

Windows provides two utilities to manage such credentials, the graphical Credential Manager and the command line vaultcmd: you can see them in the n…