Secplicity Blog - Research

Identifying an Existing APT Intrusion

WatchGuard logo

Last month while onboarding a new customer to Panda EDR with the Orion threat hunting console, WatchGuard Threat Lab discovered an existing advanced persistent threat (APT) on the organization’s network. WatchGuard Threat Lab investigated the incident and was able to identify much of the threat…

Catching a Rookie Mistake in a Facebook Phish

This short post will show a real-world phish that DNSWatch caught and how analysts were able to garner further information using trivial open-source tools because of a unique mistake by the attacker.

New Research Reveals Sexist Tendencies in Facial Recognition Tech

Recently Amazon, Microsoft, and others have taken a step back to review the use of their own face recognition software. Some users of this technology may use only face recognition to identify a person. This idea that you only need the face recognition software to identify a person doesn’t allow for…

MedusaLocker Ransomware Will Bypass Most Antivirus Software

Last week we came across ransomware with unique evasion techniques in a new variant, or possibly a copycat, of the MedusaLocker ransomware. MedusaLocker ransomware, first seen in September 2019, came with a batch file to evade detection. Batch files contain script commands running in a Command…

Chase Bank Scams Target Our Own

The other day, a WatchGuard employee received a text alert stating that Chase bank had limited access to their account. They knew right away that the message was bogus and offered it to us to investigate. We found that the link within the message sends the user to a fake Chase login page. Fortunately, the employee…

PayPal Phishing

The other day, a PayPal phish made it into the inbox of my personal email. It is not normal for phishing emails to make their way past my cloud email provider’s spam filter, so I decided to spin up a sandbox just in case any malware was involved and dive in. The phishing hook in the message body…

Malware Writeup: JS:Trojan:Cryxos.2550

While reviewing currently surging malware attacks back in January 2020, one in particular stood out: JS:Trojan:Cryxos.2550. Its appearances increased over 457% from the previous week. This isn’t a new malware by any means, as Trojan.Cryxos has been written about many times. However, this variant is…

My CTF Ventures: picoCTF, Reverse Engineering

Moving forward with the picoCTF challenge platform, after completing the General Skills room I opted for the Reverse Engineering room. This room actually stood out first, even before General Skills. I’ve dabbled in reverse engineering (RE) and it’s a fun but complex and challenging process. Fret not…

HSTS - A Trivial Response to sslstrip

Intro: HTTP Strict Transport Security (HSTS) is an HTTP security mechanism that allows web sites to declare themselves accessible only via secure connections, and that directs user agents (UAs), i.e. your browser, to interact with those web sites only over a secure connection. A "secure connection"…

Android APK Reverse Engineering: Using JADX

In continuation of the Android APK Reverse Engineering series, this post will cover how to actually start digging into an APK’s programming logic. My last blog post detailed how to unzip an APK archive and what contents are within. While it’s useful to an extent, it’s not helpful in reading and…