Malware

Trojan.Foxy-DES

Today we will take a look at another version of Trojan.Foxy. We first blogged about this Trojan about a year ago, and we continue to see the CPT actors use this Trojan successfully.

Downloader.BMP

Today I am going to write about an interesting Trojan whose functionality is nothing special; however, the method by which this Trojan receives commands is quite interesting. We received this sample from a client for analysis on May 22nd; you can see from the compile date that the sample was created [...]

Keylogger.BRKBL

Today I will take a quick look at a keystroke logger whose unpacked version has a much lower detection rate on VT than its UPX-packed version, and which uses RC4 encryption and Base64 encoding with a custom alphabet. We picked up this file recently while observing some APT activity on a victim’s network, and [...]

Trojan.GTalk

Today I am going to write about an interesting Trojan whose concept (controlling malware via instant messaging) has been used for some time. However, Christmas came early this year, and during one of our recent engagements we came across the C2 portion of this Trojan (screenshots are located at the end of this [...]

Trojan.Prime

Today I am going to write about an interesting Trojan that our company came across. The dropper/installer file for this sample is a self-extracting executable (with a Windows folder icon), which is old news. The sample itself, though, is pretty interesting. The sample works, in principle, the same way that [...]

Poison Ivy

Today I am going to look at a Trojan called Poison Ivy, which is old news for those of you who have worked in this field. However, because of its efficiency, this Trojan continues to be used time and time again in attacks. This specific sample was used in a campaign to [...]

Trojan.Matryoshka and Trojan.Einstein

Today I am going to look at two different pieces of malware and the carrier file that delivered them. The carrier file is pretty straightforward and, as designed, it will drop a malicious file. I am going to refer to this dropped file as Trojan.Matryoshka, because like nesting [...]

Trojan.Boxnet

In one of our recent engagements we found an interesting Trojan that we thought was worth blogging about, not because of its capability but rather because of the way it was being controlled. Jared and I looked at this Trojan together and named it Trojan.Boxnet. Summary: Trojan.Boxnet uses the file sharing site www.box.net as a [...]

Trojan.Cookies

Today I will take a look at a sample that is known internally as Trojan.Cookies. This is a basic but effective Trojan. This sample is capable of uploading and downloading files as well as providing a reverse shell. The information for this Trojan is listed below.

File Name: AcroRD32.exe
File Size: 147456 bytes
MD5: 2c4cabb4ca19ddf87c7f11bad44bdf05 [...]

Trojan.Foxy

Today I will write about a sample that I will refer to as Trojan.Foxy. Trojan.Foxy requests and parses .JPG images that contain encoded instructions. The encoding algorithm used by this Trojan is loosely based on the Vigenère cipher; however, there is a deviation in how the cipher is applied. The Trojan that will [...]
