November 11, 2019 | Blog
James Quinn
James Quinn is a SOC Analyst for Binary Defense. When he is not working at Binary Defense, he works as a freelance malware analyst and produces IOCs for the Cryptolaemus Emotet Group.
August 29, 2019 | Blog
Binary Defense has noticed a recent uptick in Ursnif distributed using Reply-Chain attacks and password-protected .zip files across multiple clients. Inside the .zip files are documents containing macros which execute and reach out to an Ursnif distribution server to download the payload. The Reply-Chain attacks are carried out by infecting one victim, accessing their emails, locating […]
August 23, 2019 | Blog
During the past few weeks, my team and I (the Binary Defense Security Operations Center Threat Hunters) have been tracking a TrickBot gtag that has been behaving differently compared to the other TrickBot gtags. In those weeks, we observed differences in its:
- Distribution
- Runtime
- Post-infection
High-level TrickBot Exploitation Flow: TrickBot's actions in runtime. Let's look […]
June 20, 2019 | Blog
Since early December 2018, I've been seeing a new type of Gh0stRAT-like malware being distributed over SMB. This sample has been dubbed Gh0stCringe by @James_InThe_Box on Twitter. While the network communications of this new malware are very similar to those of Gh0stRAT, there are some key differences: Instead of the use of Zlib compression on […]