Posts

Showing posts from December, 2020

Decoding and Extracting URLs from Emotet Powershell (December 2020 Variant)

Some of the latest samples I've been seeing for Emotet look like this app.any.run report. Using CyberChef, we can decode the PowerShell from this sample to extract the download links for the malware:

From_Base64('A-Za-z0-9+/=',true)
Remove_null_bytes()
Find_/_Replace({'option':'Regex','string':'[`\'+()]'},'',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'\\]e1r\\[S'},'http',true,false,true,false)
Extract_URLs(false)
Find_/_Replace({'option':'Simple string','string':'@'},'\\r',true,false,true,false)

Of course some of the "replace strings" will vary, so this recipe will have to be changed in certain places at times. Some other additional items to look at, from an EDR perspective, might be: Rule 1: ParentProcess contains Rundll32.exe AND process contains Rundll32.exe AND ProcessPa...

Solarmarker aka Jupyter Malware observations for December 2020

Just a quick update. I've been hunting this malware for a bit; you can see details on this malware in my previous post or the write-ups from Morphisec or Red Canary. Today, using the same methodology I typically use, I did a Google hunt (site:cdn.shopify.com "free-tempalte"). This often yields some results; it used to get more live results from (site:sites.google.com), but those seem to be dead lately. Quickly I found one called "Hole in One Certificate Template Free": hxxps://cdn[.]shopify[.]com/s/files/1/0499/5570/0887/files/hole-in-one-certificate-template-free[.]pdf?v=1602361119 I notice a lot of these, maybe all of them, have the pdf?v=[0-9] pattern. This may be normal for PDFs hosted here though. I was hoping to find some new samples; many I've found lately were leading to the same EXE and, incidentally, the same DLL and C2. Today however, I found a new sample. It mostly runs the same; however, this time the Icon Hash is no longer mimicking ...

Solarmarker Infostealer lures have officially gone too far!

As I continue to hunt for various lures and redirects for the Jupyter Infostealer, outlined in my previous article, I am amazed at the vast array of searches that lead to the malware! I took a game I enjoy and decided to search for that, using known "initial" pages where the redirects have been seen. Oh.... they got Dragon Quest too! This makes me sad.... As it is, I've found several other links just like this, and so far all of the ones I've found in the last couple of days end up landing on the same file hash (different name of course) as the one in my previous article. Hash: da2eb36e763ecf1a47532e9f8efeacb7 Again, there are also many redirects involved, mostly .tk TLDs. I suspect these large droppers are being rotated out on some schedule, monthly perhaps. So maybe I won't run into a new sample dropper and .DLL for a bit. If anyone finds anything different, please let me know!

Tracking Jupyter Malware AKA Solarmarker

*Updated March 10, 2022 (Detection rules for new variant observed March 2022.) I have had the opportunity to track the .NET backdoor dubbed by Morphisec as Jupyter Infostealer, A.K.A. Solarmarker. I was excited to see this writeup, since this was a malware family that myself and other researchers on Twitter were discussing for a couple of weeks prior to the Morphisec article, before there was an attributed name to the malware. This was in October, and we were all sharing some bits of information we had on this; since that time I have also been using custom YARA signatures to perform live hunts and retro-hunts in VirusTotal to continue to keep up on this malware. Recently I had seen that Red Canary wrote about this, dubbing it Yellow Cockatoo. Again, I was very excited to see some more attention being paid to this malware; I enjoyed both the writeups. Red Canary and Morphisec provided excellent information! Since I've been tracking this for some time, and commenting on all new sampl...