Martijn Lammerts
My own digital place with a little of everything

A Machine Learning Model to Detect Malware Variants

When malware is difficult to discover — and has limited samples for analysis — we propose a machine learning model that uses an adversarial autoencoder and semantic hashing to find what bad actors try to hide. We, along with researchers from the Federation University Australia, discussed this model in our study titled “Generative Malware Outbreak Detection.”


From Fileless Techniques to Using Steganography: Examining Powload’s Evolution

In some of the recent Powload-related incidents we saw, we noticed significant changes to some of the attachments in the spam emails: the use of steganography and targeting of specific countries. Figure 2 shows the difference. For example, the samples we analyzed in early 2018 had more straightforward infection chains. These updates added another stage to the execution of malicious routines as a way to evade detection.

The Powload variants that use these techniques drop and execute the Ursnif and Bebloh data stealers. We did not see any notable differences in the payloads’ routines. The distribution tactics also resemble a spam campaign we uncovered last year, which delivered the same information stealers but distributed via the Cutwail botnet.


Cybersecurity Insurance Not Paying for NotPetya Losses

This will complicate things: To complicate matters, having cyber insurance might not cover everyone's losses. Zurich American Insurance Company refused to pay out a $100 million claim from Mondelez, saying that since the U.S. and other governments labeled the NotPetya attack as an action by the Russian military their claim was excluded under the "hostile or warlike action in time...

New SLUB Backdoor Uses GitHub, Communicates via Slack

We discovered malware that uses three different online services -- including Slack and GitHub -- as part of its routine. Analysis of the attacker's tools, techniques, and procedures led us to believe that this might be a targeted attack from very capable threat actors.


Fileless Banking Trojan Targeting Brazilian Banks Downloads Possible Botnet Capability, Info Stealers

We analyzed a fileless banking trojan targeting three major banks in Brazil and their customers, downloading info stealers, keyloggers, and a hack tool. Infected machines can be used for a botnet and mass-mailed targeted attacks, and our telemetry recorded the highest infection attempts from Brazil and Taiwan.


Exposed Docker Control API and Community Image Abused to Deliver Cryptocurrency-Mining Malware

Through data analysis of the container honeypots we’ve set up to monitor threats, we’ve uncovered notable activities of undesired or unauthorized cryptocurrency miners being deployed as rogue containers using a community-contributed container image published on Docker Hub. The image is being abused as part of a malicious service that delivers cryptocurrency-mining malware. Networking tools are retrieved to carry out lateral movement on other exposed containers and applications.

The activities we uncovered are also significant in that they don’t need to exploit vulnerabilities and don’t depend on any version of Docker. Identifying a misconfigured and thus exposed container image is all it could take for attackers to infect many exposed hosts.


Recommendations for deploying the latest Attack surface reduction rules for maximum impact

The keystone to good security hygiene is limiting your attack surface. Attack surface reduction is a technique to remove or constrain exploitable behaviors in your systems. In this blog, we discuss the two attack surface reduction rules introduced in the most recent release of Windows and cover suggested deployment methods and best practices. Software applications


The post Recommendations for deploying the latest Attack surface reduction rules for maximum impact appeared first on Microsoft Secure.
