
Strengthening our malware analysis capabilities

Date of publication: 21/02/2019, piotrb

Over the last year we have collaborated with Hatching.io on improving the open-source Cuckoo Sandbox. The main work focused on porting the advanced memory-analysis mechanisms developed internally by our team in previous years. The public release of onemon marks the last stage of this collaboration. We are proud that the results of this work are now available to the security community.

Detricking TrickBot Loader

Date of publication: 05/02/2019, Michał Praszmo

TrickBot (TrickLoader) is a modular financial malware that first surfaced in October 2016. Almost immediately, researchers noticed similarities with a credential stealer called Dyre. It is still believed that the two families may have been developed by the same actor.

In this article, however, we will not focus on the core itself but rather on the loader, whose job is to decrypt the payload and execute it.

Recommendations on mitigation of man-in-the-middle phishing attacks (evilginx2/Modlishka)

Date of publication: 31/01/2019, Michał Leszczyński

CERT Polska has observed an interesting phishing technique used in an attack against users of a popular Polish content aggregator. We have also noticed the emergence of a new tool called “Modlishka”, whose purpose is to simplify and automate phishing attacks. In this article, we describe how these highly automated attacks work and present our recommendations for website creators on defending against them.

MWDB – our way to share information about malicious software

Date of publication: 16/01/2019, CERT Polska

Analysis of current threats is one of the most common challenges facing almost any organization dealing with cybersecurity. Year by year it becomes a harder nut to crack, driven by the growing scale and sophistication of criminal activity. In this situation, efficient exchange of information between researchers is a key issue.

Dissecting Smoke Loader

Date of publication: 18/07/2018, Michał Praszmo

Smoke Loader (also known as Dofoil) is a relatively small, modular bot that is mainly used to drop various malware families.

Even though it is designed to drop other malware, it has some pretty hefty malware-like capabilities of its own.

Despite being quite old, it is still going strong, recently being dropped by RigEK and MalSpam campaigns.

In this article we will see how Smoke Loader unpacks itself and interacts with the C2 server.


Technical aspects of CTF contest organization

Date of publication: 09/07/2018, Michał Leszczyński

CTF competitions are often great fun, but they also play a very important role in the training of IT security specialists. Such challenges are demanding for both contestants and organizers. This article describes the organizational aspects of such competitions, taking the European Cyber Security Challenge 2018 qualifications as an example.


n6 released as open source

Date of publication: 21/06/2018, pp

We are happy to announce that another system developed by our team, n6 (Network Security Incident eXchange), has been released to the community on an open source licence.


Backswap malware analysis

Date of publication: 19/06/2018, Hubert Barc

Backswap is a banker which we first observed around March 2018. It is a variant of the old, well-known malware TinBa (which stands for “tiny banker”). As the name suggests, its main characteristic is small size (very often in the 10-50 kB range). In the summary, we present our reasoning for assuming it is the same malware.

Ostap malware analysis (Backswap dropper)

Date of publication: 01/06/2018, Paweł Srokosz

Malicious scripts distributed via spam e-mails have been getting more complex for some time. Usually, if you got an e-mail with a .js attachment, you could safely assume it was just a simple dropper, limited to downloading and executing malware. Unfortunately, there is a growing number of campaigns these days in which the script does not exit after downloading the sample. Instead of ending its life, it remains active, waiting for additional commands or more samples to fetch. Examples include vjw0rm, used in Vortex ransomware campaigns, and Ostap, the main protagonist of our story.

This article is an introduction to the analysis of Backswap, a second-stage malware downloaded by Ostap. Our analysis of Backswap will be published soon!


SECURE 2018 – Call for Speakers

Date of publication: 30/05/2018, piotrb

The Call for Speakers for SECURE 2018 is now open. If you have an interesting topic and would like to share your ideas with a crowd of Polish and international IT security specialists, please consider submitting your proposal. You will find all relevant information below.