Posts by nex

9 min

Upcoming G20 Summit Fuels Espionage Operations

The international policy and financial community is in ferment for the upcoming G-20 summit, scheduled to kick-off in St Petersburg, Russia, in two weeks from now. The "Group of Twenty" consists of political leaders, finance ministers and bank governors from 19 economically-prominent countries, along with representatives of European Union institutions. The group has been meeting regularly every year since 2008 in private meetings where the participants discuss and agree on international fina

9 min Malware

ByeBye Shell and the targeting of Pakistan

Asia and South Asia are a theater for daily attacks and numerous ongoing espionage campaigns between neighboring countries, so many campaigns that it's hard to keep count. Recently I stumbled on yet another one, which appears to have been active since at least the beginning of the year, and seems mostly directed at Pakistani targets. In this article we're going to analyze the nature of the attacks, the functionality of the backdoor - here labelled as ByeBye Shell - and the quick interaction I h

4 min Malware

Cuckoo Sandbox approaching 1.0

Somewhere around one year ago Cuckoo Sandbox was awarded as one of the winners of the first round of sponsorship through the Magnificent7 program [] . Since then the project progressed and grew up quickly: when we started the program we were somewhere around release 0.3 and as of now we are developing what it's hopefully going to be version 1.0! The amount of improvements is countless. We restructured heavily the pro

10 min

KeyBoy, Targeted Attacks against Vietnam and India

In our never-ending quest to spot and expose the nastiest of the Internet, me [] and Mark [] this time incidentally stepped into a targeted attacks campaign apparently directed at a distributed and diversified base of victims. In this blog post we'll analyze two specific incidents apparently targeting victims in Vietnam and in India and we'll describe the capabilities of the custom backdoor being used that for convenience (and to our knowled

9 min

Spying on the Seven Seas with AIS

If you have not read HD Moore's research on serial port servers, DO IT NOW []. It gives you a shocking perspective on the reality of things: the security industry has been historically blabbing and making consumers concerned about the most recent, complex, intriguing and fashionable threats and attacks, while IT as a whole keeps failing the same old basic precautions since networks were born. Long story short, the state of the Internet hasn't changed:

6 min Malware

Fooling malware like a boss with Cuckoo Sandbox

After several months of work, we finally released Cuckoo Sandbox 0.6 []. This release represents an important step forward in the growth of the project; several new features have been introduced, along with extensive work to improve the overall stability and quality of the sandbox and the results it's now able to produce. Some of this closes down a few of the last milestones we had left in our plan for the Magnificent7 program, some othe

4 min Malware

Botnets and the War on Bitcoin

If you've been reading the most recent news from the interwebs, you probably heard that Bitcoin is on a rollercoaster. If you're not familiar with it, Bitcoin is a global online currency, the cash of the Internet. It has no central regulator and no authority: it's a decentralized system where technology is in control. Bitcoins are generated by the people part of its network. Generating, or better "mining", Bitcoins requires your computer to perform an expensive cryptographic computation that,

15 min Malware

Skynet, a Tor-powered botnet straight from Reddit

While wandering through the dark alleys of the Internet we encountered an unusual malware artifact, something that we never observed before that gave us fun while we meticulously dissected it until late night. The more we spent time looking at it, the more it started to look unusually familiar. As a matter of fact it turned out being the exact same botnet that an audacious Reddit user of possible German origin named “throwaway236236” described in a very popular I Am A thread you can read here [

13 min Malware

Analysis of the FinFisher Lawful Interception Malware

It's all over the news once again: lawful interception malware discovered in the wild being used by government organizations for intelligence and surveillance activities. We saw it last year when the Chaos Computer Club unveiled a trojan being used by the federal government in Germany, WikiLeaks released a collection of related documents in the Spy Files, we read about an alleged offer from Gamma Group to provide the toolkit FinFisher to the Egyptian government, and we are reading once again now

4 min Malware

Cuckoo Sandbox 0.4 Simplifies Malware Analysis with KVM support, Signatures and Extended Modularity

That's right, the much anticipated and long awaited 0.4 release is finally here []! Just like divas arrive late at the gala, we took some more time than expected, but are now worthy of a triumphant entrance. If you're not familiar with Cuckoo Sandbox [], it's an open source solution for automating malware analysis. What does that mean? Simply that you can throw any suspicious file at it and after a few seconds it will give you back det