PsiXBot: The Evolution Of A Modular .NET Bot

PsiXBot: The Evolution Of A Modular .NET Bot Summary In this blog we will share our analysis of a modular piece of malware which is referred to by the author as PsiXBot. The malware first surfaced in 2017 but has recently undergone significant developments of its core and modules, which include the logging of keystrokes … Continue reading PsiXBot: The Evolution Of A Modular .NET Bot

Identifying Cobalt Strike team servers in the wild

How an anomalous space led to fingerprinting Summary On the 2nd of January 2019 Cobalt Strike version 3.13 was released, which contained a fix for an "extraneous space". This uncommon whitespace in its server responses represents one of the characteristics Fox-IT has been leveraging to identify Cobalt Strike Servers, with high confidence, for the past … Continue reading Identifying Cobalt Strike team servers in the wild

FAQ on the WanaCry ransomware outbreak

Last updated: May 16th 2017 A ransomware variant known as WanaCry/WanaCrypt0r has spread on a massive scale around the world since the 12th of May 2017. For more information about the context with regards to this WanaCry variant, see also our earlier blog. The section below outlines the frequently asked questions and corresponding answers. Q: … Continue reading FAQ on the WanaCry ransomware outbreak

Massive outbreak of ransomware variant infects large amounts of computers around the world

Today, May 12th 2017, a ransomware variant known as WanaCry is being spread on a massive scale around the world. Once a computer is infected it will attempt to infect other machines on the same network using a recently patched vulnerability in the Windows SMB protocol. Update: We have published an FAQ to answer additional … Continue reading Massive outbreak of ransomware variant infects large amounts of computers around the world

Snake: Coming soon in Mac OS X flavour

Summary Snake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks1. Over the past year Fox-IT has been involved in multiple incident response cases where the Snake framework was used to steal sensitive information. Targets include government institutions, military and large corporates. Researchers who have previously analyzed … Continue reading Snake: Coming soon in Mac OS X flavour

Turkish hacktivists targeting the Netherlands: high noise, low impact

As a result of increased political tensions between The Netherlands and Turkey, a surge in activity from several Turkish hacker groups has been observed by Fox-IT. Most activities observed thus far appear to be aimed at defacement and disruption of online Dutch infrastructure. Most of the methods and techniques used to achieve this goal are … Continue reading Turkish hacktivists targeting the Netherlands: high noise, low impact

Ziggo ransomware phishing campaign still increasing in size

Introduction Fox-IT's Security Operations Center (SOC) observed fake Ziggo invoice e-mails, since October 6th 2016, linking to a ransomware variant known as TorrentLocker. The group behind TorrentLocker has previously been observed using fake Dutch postal service emails imitating PostNL, back in 2014.  This distribution method of abusing local postal service names was seen in a lot of … Continue reading Ziggo ransomware phishing campaign still increasing in size