Lastline Labs

Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 3]

Posted by Clemens Kolbitsch on 11/10/16 2:25 PM

Authored by: Clemens Kolbitsch, Alexander Sevtsov, and Arunpreet Singh

Topics: Lastline Labs, lastline, vba, vba downloaders

Evasive JScript

Posted by Marco Cova on 11/3/16 12:44 PM

One of the characteristics of malware that we follow closely is its use of evasion techniques; that is, techniques that the malware uses to hide its true malicious nature from traditional sandboxes, until it reaches a specific target machine. In other posts, we have discussed the adoption of different evasive techniques in binary programs, and, more recently, we have looked at the use of evasion in malicious Office documents through VBA macros. Here we examine the use of evasion in JScript scripts.
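The post's topic tags name the evasion families it covers in JScript: timebombs (detonate only after a fixed date), stalling code (sleep or spin long enough to outlast a sandbox's time budget), and COM-object probing that detects sandboxes emulating only part of the Windows scripting environment. As an added example (not code from the Lastline post), the scanner below flags those constructs in raw JScript source. Rule names, thresholds, the verdict policy and the two sample scripts are all assumptions chosen for illustration; real droppers obfuscate these patterns, so the regexes are a starting point for triage, not a detector of record.

```javascript
// Added example, not from the Lastline post: a small static scanner for
// JScript evasion patterns (timebombs, stalling code, COM-object probing,
// execution-environment checks). Thresholds and rule names are assumptions.

const STALL_SLEEP_MS = 30 * 1000;   // a WScript.Sleep() this long or longer is treated as stalling (assumed threshold)
const STALL_LOOP_ITERS = 1000000;   // an empty loop with at least this many iterations is treated as stalling (assumed threshold)

// Each rule: a regex over the raw source and a function turning a match into a
// finding description, or null when the match is below the rule's threshold.
const RULES = [
  {
    rule: 'timebomb',
    re: /new\s+Date\s*\(\s*["'\d]/g,                   // Date built from a literal: "now" is compared to a fixed date
    detail: () => 'Date constructed from a literal (hard-coded detonation date?)',
  },
  {
    rule: 'timebomb',
    re: /\.getTime\s*\(\s*\)\s*[<>]=?\s*\d{9,}/g,         // clock compared against a literal epoch value
    detail: () => 'getTime() compared against a hard-coded epoch value',
  },
  {
    rule: 'stalling-sleep',
    re: /WScript\.Sleep\s*\(\s*(\d+)\s*\)/gi,
    detail: (m) => (Number(m[1]) >= STALL_SLEEP_MS ? `WScript.Sleep(${m[1]}) is at least ${STALL_SLEEP_MS} ms` : null),
  },
  {
    rule: 'stalling-loop',
    // counting loop with an empty body: burns wall-clock time without doing anything
    re: /for\s*\(\s*(?:var\s+)?(\w+)\s*=\s*\d+\s*;\s*\1\s*<=?\s*(\d+)\s*;[^)]*\)\s*\{\s*\}/g,
    detail: (m) => (Number(m[2]) >= STALL_LOOP_ITERS ? `empty loop with ${m[2]} iterations` : null),
  },
  {
    rule: 'com-probe',
    // try { new ActiveXObject(...) } catch { WScript.Quit } : the script exits when a COM object
    // cannot be created, a classic check for sandboxes that emulate only part of the COM world
    re: /try\s*\{[^{}]*new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)[^{}]*\}\s*catch\s*\([^)]*\)\s*\{[^{}]*WScript\.Quit/g,
    detail: (m) => `exits when COM object ${m[1]} cannot be created`,
  },
  {
    rule: 'env-check',
    // host/engine fingerprinting; also used legitimately (e.g. relaunch under cscript), hence only a weak signal
    re: /WScript\.(FullName|Version|BuildVersion|ScriptFullName|Path)\b|ScriptEngine(?:Major|Minor|Build)?Version\s*\(/g,
    detail: (m) => `inspects the execution environment via ${m[0].replace(/\s*\($/, '')}`,
  },
];

// 1-based line number of a character offset in src.
function lineOf(src, index) {
  return src.slice(0, index).split('\n').length;
}

// Runs every rule over the source; returns [{ rule, line, detail }] sorted by line.
function scanJScript(src) {
  const findings = [];
  for (const r of RULES) {
    r.re.lastIndex = 0;
    let m;
    while ((m = r.re.exec(src)) !== null) {
      const detail = r.detail(m);
      if (detail !== null) findings.push({ rule: r.rule, line: lineOf(src, m.index), detail });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Verdict policy (an assumption): a timebomb or COM probe alone is enough;
// weaker signals (sleeps, loops, environment checks) need two distinct rules.
function evasionVerdict(src) {
  const rules = [...new Set(scanJScript(src).map((f) => f.rule))].sort();
  const evasive = rules.includes('timebomb') || rules.includes('com-probe') || rules.length >= 2;
  return { evasive, rules };
}

// Constructed sample of an evasive dropper skeleton (no real payload; the last line is a placeholder).
const SAMPLE_EVASIVE = [
  '// constructed sample modelled on the evasion families above',
  'var sh = new ActiveXObject("WScript.Shell");',
  'try { var x = new ActiveXObject("Scripting.Dictionary"); } catch (e) { WScript.Quit(); }',
  'if (new Date() < new Date("2016-11-01")) { WScript.Quit(); }',
  'WScript.Sleep(120000);',
  'for (var i = 0; i < 50000000; i++) { }',
  'if (WScript.FullName.indexOf("wscript") < 0) { WScript.Quit(); }',
  '// payload stage would follow here',
].join('\n');

// Constructed benign admin script: uses COM and Date, but none of the evasion patterns.
const SAMPLE_BENIGN = [
  'var fso = new ActiveXObject("Scripting.FileSystemObject");',
  'var f = fso.OpenTextFile("C:\\\\temp\\\\log.txt", 8, true);',
  'f.WriteLine("started " + new Date());',
  'f.Close();',
].join('\n');

for (const f of scanJScript(SAMPLE_EVASIVE)) console.log(`line ${f.line} [${f.rule}] ${f.detail}`);
console.log('evasive sample:', evasionVerdict(SAMPLE_EVASIVE));
console.log('benign sample:', evasionVerdict(SAMPLE_BENIGN));
```

Run it with `node` and the evasive sample yields one finding per line 3 to 7, while the benign script yields none. The two ideas worth keeping from this even after swapping the regexes for a real parser are that each rule carries its own threshold (a 500 ms sleep is not stalling) and that the verdict weights strong signals (timebomb, COM probe) differently from weak ones that legitimate scripts also produce.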

Topics: evasive jscript, VBA Macros, ECMAScript, COM Object Emulation Detection, Timebombs, stalling code, Execution Environment

Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 2]

Posted by Alexander Sevtsov on 10/6/16 11:02 AM

Authored by: Alexander Sevtsov and Arunpreet Singh

Find more details on this series in Part 1 and Part 3.

Topics: Lastline Labs, lastline, vba, vba downloaders

Building Static and Dynamic Analyses Using Lastline's Process Snapshotting

Posted by Arunpreet Singh on 9/16/16 12:57 PM

Learn how Lastline’s process snapshotting supports malware analysis by capturing snapshots of a program at various points during its execution, giving security researchers a basis for deeper manual analysis.

Topics: Lastline Enterprise, Email Security, Process Snapshotting, Advanced Persistent Threats, Data Breach, malware, lastline, anti malware, deep manual analysis, static analysis, web security, dynamic analysis, malware protection

Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 1]

Posted by Alexander Sevtsov on 8/31/16 12:22 PM

Authored by: Alexander Sevtsov and Arunpreet Singh.

Find more details on this series in Part 2 and Part 3.

Topics: Lastline Labs, lastline, vba, vba downloaders

Hunting for Ransomware with LLKB

Posted by Gregoire Jacob on 8/11/16 8:00 AM

Leveraging the new clustering feature of the Lastline Knowledge Base to study recent ransomware threats

Topics: Ransomware, lastline knowledge base, clustering

Lastline: It’s as easy as A-P-I

Posted by Dr. Giovanni Vigna on 4/18/16 9:19 AM

Lastline’s solutions analyze network traffic, programs, documents, and other artifacts to identify and block advanced malware in enterprise networks.

To make this functionality easy to integrate into an enterprise’s security workflow, Lastline products expose it through APIs.

Topics: Lastline Enterprise, Integration, Lastline Labs, APIs

ModPOS: A Framework Lurking in Point-of-Sale System Kernels

Posted by Subrat Sarkar on 4/7/16 5:00 AM

Authored by: Subrat Sarkar, Arunpreet Singh, and Clemens Kolbitsch

Diving deeply into the ModPOS malware framework using sandbox process snapshotting

Point-of-sale (POS) systems are among the most valuable targets for attackers today: with direct access to the systems that process payment information, miscreants can circumvent any encryption between the point-of-sale device and the payment processor, allowing them to spy on, or even tamper with, sensitive payment data before it is ever encrypted.

With ModPOS, malware authors have built a system that not only compromises payment processing on the originating device but does so from the kernel of that device, well outside the reach of most security solutions.

As we will describe in this post, ModPOS is much more than a tool for compromising POS systems: it is a versatile framework that lets an attacker load a practically unlimited range of modules to interfere with a compromised system. Moreover, the malware works on any 32-bit Microsoft Windows system (many POS systems on the market today still run Microsoft Windows XP), so it can be used against far more than just POS systems.

Three interesting changes in malware activity over the past year

Posted by Dr. Christopher Kruegel on 3/31/16 5:00 AM

Every day, our Lastline sensors observe millions of files that our customers download from the Internet or receive as email attachments. These files are analyzed and, in many cases, executed or opened inside our sandbox. The sandbox is a secure, instrumented analysis environment where we can safely look for interesting behaviors that indicate bad intentions and outright malice.

Every once in a while, we take a step back and look at the malicious behaviors that we have seen. Malware authors always look for new ways to make money, get access to sensitive data, and evade detection. They introduce new behaviors, refine ideas that they have tried in the past, and add tricks to bypass security controls. By looking over the data collected over the last year, we discovered a few interesting trends that show some of the directions malware authors are taking. In this research note, we discuss three findings that struck us as interesting and worth reporting. As a fourth bonus item, we also revisit evasive behaviors, something we have been tracking for many years.

Topics: Evasive Malware, Bank Malware, Lastline Labs, Banking Trojan, Browser Modification, Code Signing

A Peek Behind the Cryptowall

Posted by Arunpreet Singh on 1/28/16 8:00 AM

Bridging static and dynamic analysis using Lastline process snapshotting

Topics: Sandboxing, FUSE, APT, Just-In-Time Decryption, Cryptowall, Ransomware