The Fiesta Exploit Kit – Not So Festive After All

Exploit kits (EK) are very popular with attackers as a means of compromising a target system. Their ease of use and their success rate compared to other infection vectors are among the reasons attackers are drawn to these kits. In recent years, exploit kits were used to deliver ransomware, the most famous of which was the…

Why Malware Installers Use TMP files and The Temp folder when infecting Windows

Ever wonder why so many TMP files are detected on an infected system? Even though they have different names, the files are exact copies of one another. Why? The first thing a malware installer (the first stage of infection) does when executed on a target system – be it a dropper or a downloader – is…

Browser Locked? Call This Number.

A new form of browser locker has recently surfaced. Browser lockers are websites or pop-ups that redirect the browser to a page that locks up the browser. The user is prevented from carrying out any normal operation, including closing the offending browser window, opening a new page, or closing the application itself. This new browser locker calls itself…

More Than Meets The Eye (Part 2): Solving the Browser Lock Ransom Page

In the original More than Meets the Eye blog, we discussed attackers’ ability to hide in plain sight. A very successful campaign that utilizes this approach is the fake FBI ransom webpage: a fraudulent website that claims to be an FBI property, but then attempts to extort the victim. (Figure 1: Fake FBI website) This…

More than Meets the Eye

In Arlington, VA, there is a center that focuses on cyber attack mitigation, where close to 100 specialists monitor what’s going on in the world. This is the Department of Homeland Security (DHS) cybersecurity center. It is located in a suburban area in a building with no government seals or signs. In short, it is…

Jigsaw – Just Another Piece of the Puzzle in an Attack Campaign #INTH3WILD

E-mail has long been used as an effective attack vector for delivering malware and conducting phishing attacks. We get unsolicited and potentially malicious emails like this in our inbox nearly every day, but what really makes an e-mail attack successful has more to do with trust than anything else. If an e-mail appears to be…

The Carberp Code Leak

By Christopher Elisan, Principal Malware Scientist, RSA FirstWatch The source code for Carberp, reportedly selling for $40,000 a pop, is now out. A report of its leak started spreading a week ago, and RSA FirstWatch was able to confirm through our own digging and research that the code is really available online. As the days have gone by,…

The Assembly Line Approach to Creating Malware

By Christopher Elisan, Principal Malware Scientist, RSA FirstWatch The rate at which new and unique malware samples are discovered on a daily basis is staggering. The graph from AV-TEST below shows how much malware has been discovered annually. We are only halfway through 2013, but it has already surpassed the total number of malware seen in…

The Evolution of Malware Encryption Part I: Basic Malware Encryption

By Christopher Elisan, Principal Malware Scientist, RSA FirstWatch We, the RSA FirstWatch team, are always at the forefront of solving the latest malware problems; one of those is malware encryption. Malware encryption is not new. It has been around since the DOS days, but it has evolved to address the antivirus solutions designed to beat…

Dark Side of Shamoon

By Christopher Elisan, Principal Malware Scientist, RSA FirstWatch team Recently, there has been some media noise generated by a new malware reportedly attacking targets in the Middle East such as Saudi Aramco. But what exactly does this attack look like once the malware has compromised the system? Most malware nowadays, especially those used in targeted attacks,…