Windows Malware Research

Some other links related to my research (mostly Windows related) are as follows:

1. IDN Homograph Attack Spreading Betabot Backdoor

In this case, researcher Ankit Anubhav said the attackers have registered adoḅe[.]com (note the “b”) and are using it to spread a phony Flash Player download that instead serves up Beta Bot.
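The domain in that item works because a Unicode look-alike character renders almost identically to the ASCII letter it imitates, while DNS sees a completely different (punycode) name. The check below is an added example, not code from the article or from the researcher it quotes: it shows the DNS-level form of such a name and flags a label whose diacritic-stripped skeleton collides with a protected brand. The brand list is a constructed assumption, and only the second-level label is inspected.

```python
import unicodedata

# Constructed list of brand labels a defender wants to protect (assumption, not from the page).
PROTECTED_BRANDS = {"adobe", "microsoft", "paypal"}


def to_dns_form(domain: str) -> str:
    """Return the name as DNS sees it: each non-ASCII label punycode-encoded with the xn-- prefix."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Strip combining marks after compatibility decomposition, so 'adoḅe' collapses to 'adobe'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def assess(domain: str) -> dict:
    """Flag a domain whose second-level label imitates a protected brand via non-ASCII characters."""
    domain = domain.lower()
    # Assumption: the registrable label is the first one (e.g. 'adoḅe' in 'adoḅe.com').
    registrable = domain.split(".")[0]
    looks_like = skeleton(registrable)
    is_homograph = (
        not registrable.isascii()          # contains at least one non-ASCII code point
        and looks_like in PROTECTED_BRANDS  # and visually collapses onto a brand we protect
        and looks_like != registrable       # but is not literally that brand
    )
    return {
        "input": domain,
        "dns_name": to_dns_form(domain),
        "looks_like": looks_like,
        "homograph": is_homograph,
    }


if __name__ == "__main__":
    # Constructed sample: the look-alike name from the item above, and the legitimate one.
    for name in ("adoḅe.com", "adobe.com"):
        print(assess(name))
```

In a mail gateway or proxy log pipeline the `dns_name` field is the value to alert on, since that is the string that actually appears in DNS queries and TLS SNI, while `looks_like` tells an analyst which brand the name is impersonating.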

2. US Government Site Was Hosting Ransomware

As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware.

Researcher Ankit Anubhav of NewSky Security tweeted the discovery Wednesday, and within hours, the malware link was taken down.

3. Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity.

4. Hancitor (AKA Chanitor) observed using multiple attack approaches

We recently observed Hancitor attacks against some of our FireEye Exploit Guard customers. The malicious document used to deliver the Hancitor executable was observed being distributed as an attachment in email spam. Once downloaded and executed, it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable, which perform data theft and connect to a command and control (C2) server.


5. Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool (RAT) that has been used for nearly a decade for key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.

6. Uncovering Active PowerShell Data Stealing Campaigns

We recently came across some data stealing campaigns in which nearly all steps of the attack cycle involved simple yet efficient PowerShell commands.