Showing posts from April, 2017

OLE: Not to beat a dead horse...

Since I keep seeing new malicious OLE documents, I wanted to do a few posts about writing YARA signatures for them. I don't have the time right now for a full post, but I'll share a few preliminary links that I'll be referencing for metadata extraction:

[MS-OLEPS]: SummaryInformation

[MS-OLEPS]: FILETIME (Packet Version)
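To make those two references concrete, here is a small parser for a SummaryInformation property-set stream, following the layout in [MS-OLEPS] and converting its FILETIME properties. This is an added example and not the blog author's code: it operates only on the raw stream bytes (extracting the stream from the OLE compound file, e.g. with olefile, is left to the caller), the property names and FMTID are the ones [MS-OLEPS] defines, and the sample stream it parses is constructed in the block rather than taken from any real document. The `filetime_hex` helper is an assumption about how one might use the result: it emits the little-endian bytes a YARA hex string would need to match a specific CreateDtm or LastSaveDtm value.

```python
"""Parse a [MS-OLEPS] SummaryInformation property-set stream and decode its
FILETIME properties.  Added example, not the blog author's code.  Works on the
raw stream bytes only; a constructed sample stream is built below so it runs
offline."""
import struct
from datetime import datetime, timedelta, timezone

# FMTID that identifies the SummaryInformation property set ([MS-OLEPS]).
FMTID_SUMMARY_INFORMATION = "f29f85e0-4ff9-1068-ab91-08002b27b3d9"
# PIDSI_* property identifiers defined for SummaryInformation in [MS-OLEPS].
PIDSI = {0x01: "CodePage", 0x02: "Title", 0x03: "Subject", 0x04: "Author",
         0x05: "Keywords", 0x06: "Comments", 0x07: "Template",
         0x08: "LastAuthor", 0x09: "RevNumber", 0x0A: "EditTime",
         0x0B: "LastPrinted", 0x0C: "CreateDtm", 0x0D: "LastSaveDtm",
         0x0E: "PageCount", 0x0F: "WordCount", 0x10: "CharCount",
         0x12: "AppName", 0x13: "DocSecurity"}
VT_I2, VT_I4, VT_LPSTR, VT_FILETIME = 0x0002, 0x0003, 0x001E, 0x0040
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMESTAMP_PIDS = (0x0B, 0x0C, 0x0D)  # real points in time
DURATION_PIDS = (0x0A,)              # EditTime: a FILETIME used as elapsed time

def filetime_to_datetime(ft):
    """FILETIME is a 64-bit count of 100 ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def filetime_hex(dt):
    """Little-endian FILETIME bytes, formatted as a YARA hex-string fragment
    (hypothetical helper, not something the page describes)."""
    return " ".join("%02x" % b for b in struct.pack("<Q", datetime_to_filetime(dt)))

def _fmtid(raw):
    # First three GUID groups are little-endian; the last two are byte arrays.
    a, b, c = struct.unpack_from("<IHH", raw)
    return "%08x-%04x-%04x-%s-%s" % (a, b, c, raw[8:10].hex(), raw[10:16].hex())

def _typed_value(data, off):
    vtype, _pad = struct.unpack_from("<HH", data, off)   # Type, Padding
    off += 4
    if vtype == VT_I2:
        return struct.unpack_from("<h", data, off)[0]
    if vtype == VT_I4:
        return struct.unpack_from("<i", data, off)[0]
    if vtype == VT_LPSTR:            # CodePageString: Size, then bytes incl. NUL
        size, = struct.unpack_from("<I", data, off)
        raw = data[off + 4: off + 4 + size]
        return raw.split(b"\x00", 1)[0].decode("latin-1")   # codepage not applied
    if vtype == VT_FILETIME:
        return struct.unpack_from("<Q", data, off)[0]
    raise ValueError("unhandled property type 0x%04x" % vtype)

def parse_summary_information(stream):
    """Return {property name: decoded value} for the first property set."""
    byte_order, = struct.unpack_from("<H", stream, 0)
    if byte_order != 0xFFFE:
        raise ValueError("ByteOrder field is not 0xFFFE")
    fmtid = _fmtid(stream[28:44])                            # FMTID0
    if fmtid != FMTID_SUMMARY_INFORMATION:
        raise ValueError("FMTID0 %s is not SummaryInformation" % fmtid)
    set_off, = struct.unpack_from("<I", stream, 44)          # Offset0, normally 0x30
    _size, nprops = struct.unpack_from("<II", stream, set_off)
    props = {}
    for i in range(nprops):
        # PropertyIdentifierAndOffset entries; offsets are relative to the set.
        pid, poff = struct.unpack_from("<II", stream, set_off + 8 + 8 * i)
        val = _typed_value(stream, set_off + poff)
        if pid in TIMESTAMP_PIDS:
            val = filetime_to_datetime(val).isoformat()
        elif pid in DURATION_PIDS:
            val = timedelta(microseconds=val // 10)
        props[PIDSI.get(pid, "PID_0x%02X" % pid)] = val
    return props

# --- constructed sample stream (not taken from any real document) ------------
def _lpstr(text):
    raw = text.encode("latin-1") + b"\x00"
    return struct.pack("<HHI", VT_LPSTR, 0, len(raw)) + raw + b"\x00" * (-len(raw) % 4)

def _i2(value):
    return struct.pack("<HHhxx", VT_I2, 0, value)

def _filetime(ticks):
    return struct.pack("<HHQ", VT_FILETIME, 0, ticks)

def build_sample_stream():
    created = datetime(2017, 4, 1, tzinfo=timezone.utc)
    values = [(0x01, _i2(1252)), (0x04, _lpstr("Hunter")),
              (0x0C, _filetime(datetime_to_filetime(created))),
              (0x0A, _filetime(5 * 60 * 10_000_000))]        # 5 minutes of editing
    table, blobs, off = b"", b"", 8 + 8 * len(values)
    for pid, blob in values:
        table += struct.pack("<II", pid, off)
        blobs += blob
        off += len(blob)
    prop_set = struct.pack("<II", off, len(values)) + table + blobs
    fmtid = struct.pack("<IHH", 0xF29F85E0, 0x4FF9, 0x1068) + bytes.fromhex("AB9108002B27B3D9")
    header = struct.pack("<HHI", 0xFFFE, 0, 0x00020006) + b"\x00" * 16   # ByteOrder, Version, SystemIdentifier, CLSID
    return header + struct.pack("<I", 1) + fmtid + struct.pack("<I", 48) + prop_set

if __name__ == "__main__":
    for name, value in parse_summary_information(build_sample_stream()).items():
        print("%-12s %s" % (name, value))
```

Two things worth keeping in mind when turning this into signatures: EditTime is a FILETIME holding a duration, so feeding it to a timestamp converter yields a meaningless date in 1601, and the property offsets in the PropertyIdentifierAndOffset table are relative to the start of the property set (normally 0x30 into the stream), not to the start of the stream.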


Operation Cloud Hopper

Although long, a highly recommended read:

One thing I want to call out is Table 3, where PwC clearly demonstrated an interesting composite indicator of a TTP that appears to be specific to this operation: the combination of particular registrants and ITITCH nameservers. If you have the ability to pivot on this TTP, you're likely to find a significant number of other similar domains.

Happy hunting, y'alls!

Your report is bad and you should feel bad

Kaspersky Lab published a report today discussing overlap between Turla and Moonlight Maze.

From their conclusion:
An objective view of the investigation would have to admit that a conclusion is simply premature.

For shame, Kaspersky.