Malware Debugs Itself to Prevent Analysis

April 9th, 2019 | Threats

We recently encountered a piece of malware via a tweet, which caught our eye because it appeared to be searching for folders related to our product. During analysis we discovered that this malware employs a novel technique to prevent reverse engineering via a debugger, and we felt that it was worth writing about, in case [...]

Mapping Out a Malware Distribution Network

April 4th, 2019 | Breaking News, Threats

More than a dozen US-based web servers were used to host 10 malware families, distributed through mass phishing campaigns. Malware families include Dridex, GandCrab, Neutrino, IcedID and others. Evidence suggests the existence of distinct threat actors: one responsible for email and malware hosting, and others that operate the malware. Indications that the servers are part [...]

The Social Engineering Behind Operation Sharpshooter, Rising Sun

April 3rd, 2019 | Threats

We are learning more about Operation Sharpshooter, an espionage campaign that targeted financial services, government and critical infrastructure, primarily focused in Germany, Turkey, the UK and the US. It is important to show how easily this attack was delivered to end users and how quickly it can infect your enterprise. Despite millions invested in user [...]

Application Isolation in the Spotlight

March 21st, 2019 | End Users, Threats

Two major announcements bring application isolation into the spotlight:
- Microsoft and HP elevate the importance of isolation in the endpoint security stack
- Isolate risky browser activity, but don't forget files are risky too

This week, two major announcements came out highlighting the need for application isolation in the security stack for endpoint security – HP [...]

Location-Aware Malware Targets Japanese and Korean Endpoints

March 14th, 2019 | Threats

New malware samples use location awareness to specifically target Japanese and Korean endpoints. The malware uses two techniques to determine the location in which it is being executed and ensures that the payload will only be triggered in these regions. This approach matches two trends: 1) docs performing regional checks in targeted attacks, and 2) [...]

Threat Forwarding Augments Threat Intelligence with Automated Triage and Categorization

March 10th, 2019 | Threats

Bromium customers have long had the option to securely transmit their proprietary threat data to Bromium analysts either manually or using our one-way Cloud Connector. Now, with Bromium Secure Platform 4.1.5, we've improved upon Threat Forwarding, introducing a two-way connection from the customer's Bromium Controller directly to Bromium Cloud Services. This allows for automatic threat [...]

Tricks and COMfoolery: How Ursnif Evades Detection

March 7th, 2019 | Breaking News, Threats

- Ursnif is one of the main threats that is effectively evading detection right now (at publication)
- The dropper uses a COM technique to hide its process parentage
- WMI is used to bypass a Windows Defender attack surface reduction rule
- Fast evolution of delivery servers means detection tools are left in the dark

In February we [...]

Disabling Anti-Malware Scanning

February 20th, 2019 | Threats

This post follows on from the previous blog post, Preview Pain, looking at the later parts of the kill chain for the same malicious document. Here I will detail a technique for disabling the Antimalware Scan Interface (AMSI). This is an interface provided as part of Microsoft Windows for scanning data with the anti-malware software installed [...]

Preview Pain: Malware Triggers in Outlook Preview Without User Opening Word Document

February 13th, 2019 | Threats

A recent malware sample forwarded to our Threat Intelligence service had some very interesting properties which we think would be useful to share. The sample itself is a Word document which is emailed as part of a phishing attack. If the user interacts with the document, it would download a payload to run on the [...]

Super Mario Oddity

February 8th, 2019 | Threats

A few days ago, I was investigating a malware sample where our static analysis flagged a spreadsheet as containing a Trojan, but the behavioural trace showed very little happening. This is quite common for various reasons, but one of the quirks of how we work at Bromium is that we care about getting malware to run and [...]
