Reawakening of Emotet: An Analysis of its JavaScript Downloader

September 24th, 2019 | Threat Research, Threats

In mid-September 2019, Emotet resumed its activity and we evaluated changes to its operation in a previous blog post by Alex Holland. One of the noticeable changes is that some of the malicious Microsoft Word downloaders drop and execute JavaScript during the initial compromise. The use of a JavaScript downloader delivered within an archive (.zip) [...]

Changes to Emotet in September 2019

September 19th, 2019 | Threat Research, Threat Research NEWS, Threats

Thank you to Ratnesh Pandey who also contributed to this research. On 16 September 2019, Bromium Labs observed the resumption of Emotet malicious spam (malspam) campaign activity following a hiatus since the beginning of June 2019. Here's a summary of the changes to Emotet's operation that we've seen so far. New Packer We analysed a [...]

Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader

September 3rd, 2019 | Threat Research, Threats

Introduction For a malicious actor to compromise a system, they need to avoid being detected at the point of entry into the target’s network. Commonly, phishing emails delivering malicious attachments (T1193) serve as the initial access vector.[1] Adversaries also need a way to execute code on target computers without tipping off automated tools and the [...]

Agent Tesla: Evading EDR by Removing API Hooks

August 23rd, 2019 | Threat Research, Threats

Written by Toby Gray and Ratnesh Pandey. Endpoint detection and response (EDR) tools rely on operating system events, generated when malware is run, to detect malicious activity. These events are later correlated and analysed to detect anomalous and suspicious behaviour. One of the sources for such events is application programming interface (API) hooks [...]

Protect Before You Detect: FlawedAmmyy and the Case for Isolation

July 5th, 2019 | Research, Threats

Posted by Ratnesh Pandey, Alex Holland and Toby Gray. In June 2019, Microsoft issued warnings about a phishing campaign delivering a new variant of the FlawedAmmyy remote access Trojan (RAT), and a spike in the exploitation of CVE-2017-11882 in the wild. In this blog post we take a look at some of the weaknesses of detect-to-protect technologies such [...]

Cryptojacking: An Unwanted Guest

June 18th, 2019 | Threats

We analyse a cryptojacking attack that mines the Monero cryptocurrency. The value of Monero in US dollars has more than doubled over the first half of 2019, from $46 to $98. The rebound of the cryptocurrencies market means that cryptojacking is an increasingly profitable activity for criminals. The use of freely-available exploits such as EternalBlue and DoublePulsar shows how exploits that were previously only available [...]

Answering Your Emotet Questions from the Webinar, Emotet: Taming a Wild Trojan

June 13th, 2019 | Threats

On June 12, we hosted a deep-dive technical webinar on Emotet, featuring Robert Bigman, former CISO at the CIA, and James Wright, VP Engineering and Threat Research at Bromium. In this blog, we answer your Emotet questions submitted during the webinar. If you missed the webinar, you can listen to it on-demand, embedded at the end [...]

Malware Misuses Common Operating System Commands to Perform Targeted Attacks

June 12th, 2019 | Threats

We previously posted a blog about the Ursnif family of malware using language checks to determine the end user’s location as a means of bypassing sandbox-based endpoint protection during regionally targeted attacks. Since then, we have seen a couple more examples of malware using clever methods to indirectly determine the language of the running machine’s [...]

Now Available: Bromium Threat Insights Report – June 2019 Edition

June 6th, 2019 | Research, Threats

This month’s most notable threat is Emotet, a rapidly evolving polymorphic banking Trojan. If you haven’t yet enabled your Threat Forwarding, we invite you to do so, and join a community of Bromium users who help fuel our unrelenting pursuit of getting ahead of attackers. Learn about Emotet and other emerging threats, and join [...]

The Emotet-ion Game (Part 3)

May 28th, 2019 | Research, Threats

This blog is a continuation of our blog series on the Emotet banking Trojan. So far, we have analysed Emotet’s delivery mechanism and its behaviour through dynamic analysis. The host and network data captured from Emotet found that it escalates its privileges by registering itself as a service, persists in multiple locations on the filesystem [...]
