7 min
Research
Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader
In part one of our blog series, we discussed how a Rust-based application was used to download and execute the IDAT Loader. In part two of this series, we will provide analysis of how an MSIX installer led to the download and execution of the IDAT Loader.
10 min
Malware
Stories from the SOC Part 1: IDAT Loader to BruteRatel
Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections.
7 min
Velociraptor
How To Hunt For UEFI Malware Using Velociraptor
UEFI threats have historically been limited in number and mostly implemented by
nation state actors as stealthy persistence. However, the recent proliferation
of Black Lotus on the dark web, Trickbot enumeration module (late 2022), and
Glupteba (November 2023) indicates that this historical trend may be changing.
With this context, it is becoming important for security practitioners to
understand visibility and collection capabilities for UEFI threats
[https://www.rapid7.com/info/understanding
3 min
Threat Intel
Network Access for Sale: Protect Your Organization Against This Growing Threat
Vulnerable network access points are a potential gold mine for threat actors. We look at the techniques they use and best practices for prevention.
12 min
Malware
Infostealer Malware Masquerades as Windows Application
Rapid7's Managed Detection and Response (MDR) team recently identified a malware campaign whose payload installs itself as a Windows application.
5 min
News
Update on SolarWinds Supply-Chain Attack: SUNSPOT, SUNSHUTTLE and New Malware Family Associations
New research has been published that expands the security community’s understanding of the breadth and depth of the SolarWinds attack.
3 min
Malware
The BadRabbit Ransomware Attack: What You Need To Know
What’s Up?
Rapid7 has been tracking reports of an expanding ransomware campaign dubbed
BadRabbit. Russian news outlets and other organizations across Europe have
reported being victims of this malware and the “outbreak” is continuing to
spread.
The BadRabbit attackers appear to have learned some lessons from previous
outbreaks earlier this year and have both limited the external spreading
capabilities of the ransomware as well as made the payments a bit harder for
researchers, responders and au
6 min
Malware
The CIS Critical Controls Explained - Control 8: Malware Defenses
This is a continuation of our CIS critical security controls
[/2017/04/19/the-cis-critical-security-controls-series] blog series.
Workstations form the biggest threat surface in any organization. The CIS
Critical Security Controls
[https://www.rapid7.com/fundamentals/cis-critical-security-controls/] include
workstation and user-focused endpoint security in several of the controls, but
Control 8 (Malware Defenses) is the only control to strictly focus on antivirus
and malware across the organiza
3 min
Incident Detection
Introspective Intelligence: Understanding Detection Techniques
To provide insight into the methods devised by Rapid7, we'll need to revisit the
detection methods implemented across InfoSec products and services and how we
apply data differently. Rapid7 gathers volumes of threat intelligence on a daily
basis - from new penetration testing tools, tactics, and procedures in
Metasploit, vulnerability detections in Nexpose, and user behavior anomalies in
InsightIDR. By continuously generating, refining and applying threat
intelligence, we enable more robust dete
3 min
Malware
Malware and Advanced Threat Protection: A User-Host-Process Model
In today's big data and data science age, you need to think outside the box when
it comes to malware and advanced threat protection. For the Analytic Response
team at our 24/7 SOC in Alexandria, VA, we use three levels of user behavior
analytics to identify and respond to threats. The model is defined as
User-Host-Process, or UHP. Using this model and its supporting datasets allows
our team to quickly neutralize and protect against advanced threats with a high
confidence rate.
What is the User-
3 min
Malware
Ransomware FAQ: Avoiding the latest trend in malware
Recently, a number of Rapid7's customers have been evaluating the risks posed by
the swift rise of ransomware as an attack vector. Today, I'd like to address
some of the more common concerns.
What is Ransomware?
Cryptowall [http://www.theregister.co.uk/2015/11/09/cryptowall_40/] and
Cryptolocker [https://www.us-cert.gov/ncas/alerts/TA13-309A] are among the
best known ransomware criminal malware packages today. In most cases, users are
afflicted by ransomware by clicking on a phishing link o
2 min
Malware
What exactly is Duqu 2.0?
Overview:
Duqu, a very complex and modular malware platform thought to have gone dark in
late 2012, has made its appearance within the environment of Kaspersky Labs.
[https://threatpost.com/duqu-resurfaces-with-new-round-of-victims-including-kaspersky-lab/113237]
Dubbed “Duqu 2.0” by Kaspersky, the level of complexity found within the malware
represents a high level of sophistication, skill, funding and motivation seen by
nation-sponsored actors. Infections related to this malware have reveale
9 min
Malware
ByeBye Shell and the targeting of Pakistan
Asia and South Asia are a theater for daily attacks and numerous ongoing
espionage campaigns between neighboring countries, so many campaigns that it's
hard to keep count. Recently I stumbled on yet another one, which appears to
have been active since at least the beginning of the year, and seems mostly
directed at Pakistani targets.
In this article we're going to analyze the nature of the attacks, the
functionality of the backdoor - here labelled as ByeBye Shell - and the quick
interaction I h
15 min
Malware
Skynet, a Tor-powered botnet straight from Reddit
While wandering through the dark alleys of the Internet we encountered an
unusual malware artifact, something that we never observed before that gave us
fun while we meticulously dissected it until late night.
The more we spent time looking at it, the more it started to look unusually
familiar. As a matter of fact it turned out being the exact same botnet that an
audacious Reddit user of possible German origin named “throwaway236236”
described in a very popular I Am A thread you can read here
[
13 min
Malware
Analysis of the FinFisher Lawful Interception Malware
It's all over the news once again: lawful interception malware discovered in the
wild being used by government organizations for intelligence and surveillance
activities. We saw it last year when the Chaos Computer Club unveiled a trojan
being used by the federal government in Germany, WikiLeaks released a collection
of related documents in the Spy Files, we read about an alleged offer from Gamma
Group to provide the toolkit FinFisher to the Egyptian government, and we are
reading once again now