Updates Added Malware Bazaar to the Obtaining samples article. Added Malware Bazaar and MalShare as options to download samples from for the following posts: Browser plug-in, Dot Net RAT, Android SMS Stealer, LNK & ISESteroids Powershell dropper, Emotet droppers, Corona DDoS bot, and Automatic string formatting deobfuscation. To contact me, you can e-mail me at … Read more
In March 2019, I started within the threat intelligence team of ABN AMRO. In this blog, I’ll look back on my first year of working as a threat intelligence analyst. Before diving into that, I’ll provide some background on what I looked for in a job, and what working in a threat intelligence team embodies. … Read more
This is the fourth blog with details on the activities of MageCart 12. In this article, yet another part of their ongoing campaign is uncovered. The number of infected sites for this campaign is higher than in the previous cases. Before diving into the infected sites, and the rough duration of the infections, information regarding … Read more
This research is a follow-up on the two previous articles about MageCart 12. At first, two infected ticket resellers were found, after which multiple other infected websites were caught by Jacob and me. RiskIQ also followed up on our findings with additional research where they found two popular websites to be infected with a … Read more
Additions Added the workstation set-up article to the introduction chapter To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit or DM me on Twitter @LibraAnalysis.
Previously, I wrote about my joint research with Jacob Pimental regarding two ticket resellers that were infected with a credit card skimmer. Based on the domain name of the skimmer’s gate (opendoorcdn[.]com) and URLScan, Jacob and I found 9 more infected webshops. Some of them are still linking to the skimmer’s domain at the moment … Read more
First and foremost I’d like to thank Jacob Pimental since he posted the initial lead, after which we joined forces to dive into this case. In his now deleted Tweet, he asked if anybody could help out with a potential credit card skimmer on the OlympicTickets2020 website. Background information Before diving into this case, I’ll … Read more
Additions Added a new chapter named Documentation, where articles with tips regarding documentation are placed Added the Article structure article to the Documentation chapter Added a new chapter named Analysis scripts, where articles regarding automatic analysis scripts are placed Moved the Automatic string formatting deobfuscation article from the Malware analysis chapter to the Analysis scripts … Read more
Additions A new practical case, named Crack Me 0x03, has been added to the Assembly Basics chapter. Updates A small error in the Corona DDoS bot post has been fixed based upon the feedback of Nikhil Hegde A clarification has been added to Practical case: Crack Me 0x01 based upon the feedback of OtarieBambelle To … Read more
Additions The analysis of a Linux based DDoS tool named Corona has been added to the malware analysis chapter. To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit or DM me on Twitter @LibraAnalysis.