mkYARA – Writing YARA rules for the lazy analyst

Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code … Continue reading mkYARA – Writing YARA rules for the lazy analyst →

PsiXBot: The Evolution Of A Modular .NET Bot

PsiXBot: The Evolution Of A Modular .NET Bot Summary In this blog we will share our analysis of a modular piece of malware which is referred to by the author as PsiXBot. The malware first surfaced in 2017 but has recently undergone significant developments of its core and modules, which include the logging of keystrokes … Continue reading PsiXBot: The Evolution Of A Modular .NET Bot →

Identifying Cobalt Strike team servers in the wild

How an anomalous space led to fingerprinting Summary On the 2nd of January 2019 Cobalt Strike version 3.13 was released, which contained a fix for an "extraneous space". This uncommon whitespace in its server responses represents one of the characteristics Fox-IT has been leveraging to identify Cobalt Strike Servers, with high confidence, for the past … Continue reading Identifying Cobalt Strike team servers in the wild →

Bokbot: The (re)birth of a banker

This blogpost is a follow-up to a presentation with the same name, given at SecurityFest in Sweden by Alfred Klason. Summary Bokbot (aka: IcedID) came to Fox-IT’s attention around the end of May 2017 when we identified an unknown sample in our lab that appeared to be a banker. This sample was also provided by … Continue reading Bokbot: The (re)birth of a banker →