On the most recent phishing attacks, PowerShell is usually employed to load and execute position-independant shellcode via a macro-enabled Office document. So, in order to know what actions are being carried away the truly interesting part here is the shellcode being executed. However, to slow down analysis or lower detection,
I've recently come across an APT named Dimnie by Palo Alto's Unit42 (full report here). The purpose of Dimnie is to exfiltrate sensitive data to the attacker. The peculiarity about Dimnie is that it does so with a peculiar trick. Dimnie changes the HTTP Host header to point to a
Notice: As noted by @Antelox this is just a loader that drops LokiBot, not LokiBot itself. Preface Loki is a credential harvester bot sold in Russian underground forums and black markets. Goal For this blogpost, the goal will be to defeat/patch Loki's anti measures to be able to properly
Goal In this entry we will have a look at the Bendis maldoc. Bendis is a fairly unknown and simple maldoc that has a dropper functionality. It's only purpose is being a gateway for more mature malware. Word document We are confronted yet again with a Word document which includes
Previous analysis: Palo Alto's Analysis Minerva's Analysis We are presented with a Word document that has macros. The VBA code for the macros is obfuscated but we can clearly see that it is using some interesting Win32 API calls like VirtualAlloc and CallWindowProc, which later renames. Thus, we can just