[SANS ISC] Extra Tip For Triage Of MALWARE Bazaar’s Daily Malware Batches, (Mon, Aug 16th)

Here’s an extra tip to my diary entry “Simple Tips For Triage Of MALWARE Bazaar’s Daily Malware Batches”.

You can also use YARA rules together with my zipdump tool:

I’m using two simple rules to detect Office documents with VBA macros:

// Binary (OLE compound file) Office document containing compressed VBA source.
// In the compressed VBA stream the flag bytes split the keyword "Attribute"
// into "\x00Attribut\x00e", which is what the hex string below matches.
rule olevba {
    strings:
        $attribut_e = {00 41 74 74 72 69 62 75 74 00 65}   // "\x00Attribut\x00e"
    condition:
        uint32be(0) == 0xD0CF11E0 and $attribut_e        // OLE compound file header
}

// OOXML Office document (a ZIP container) that carries a VBA project.
rule pkvba {
    strings:
        $vbaprojectbin = "vbaProject.bin"                // member name of the macro storage
    condition:
        uint32be(0) == 0x504B0304 and $vbaprojectbin     // ZIP local file header "PK\x03\x04"
}

Rule olevba is for binary (OLE) Office documents, and rule pkvba is for OOXML documents.

Remark: these rules are designed for triage: they might generate false positives or negatives.
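As an added illustration (not part of the diary and not zipdump's own code), the script below applies the same two conditions to every member of a batch archive, the way the YARA rules would run through zipdump. It assumes the batch is a ZIP file (an optional password can be passed) and builds a small constructed batch for demonstration.

```python
import io
import zipfile
from typing import Dict, Optional

# Magic values and markers taken from the two YARA rules in the diary
OLE_MAGIC = bytes.fromhex("D0CF11E0")          # uint32be(0) == 0xD0CF11E0
PK_MAGIC = bytes.fromhex("504B0304")           # uint32be(0) == 0x504B0304
OLEVBA_MARKER = b"\x00Attribut\x00e"           # {00 41 74 74 72 69 62 75 74 00 65}
PKVBA_MARKER = b"vbaProject.bin"               # "vbaProject.bin"


def classify(data: bytes) -> Optional[str]:
    """Return the name of the matching rule (olevba / pkvba), or None. Same logic as the YARA conditions."""
    if data[:4] == OLE_MAGIC and OLEVBA_MARKER in data:
        return "olevba"
    if data[:4] == PK_MAGIC and PKVBA_MARKER in data:
        return "pkvba"
    return None


def scan_batch(batch: bytes, pwd: Optional[bytes] = None) -> Dict[str, Optional[str]]:
    """Classify every file member of a batch ZIP, zipdump-style; pwd is an assumed optional ZIP password."""
    results: Dict[str, Optional[str]] = {}
    with zipfile.ZipFile(io.BytesIO(batch)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results[info.filename] = classify(zf.read(info, pwd=pwd))
    return results


def build_sample_batch() -> bytes:
    """Constructed batch: a fake OLE doc with a VBA marker, a fake OOXML with a VBA project, two benign files."""
    ole_doc = OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 32 + b"\x00Attribut\x00e VB_Name" + b"\x00" * 16
    # An OOXML file is itself a ZIP; its local header carries the member name, so the marker is in the bytes
    ooxml = io.BytesIO()
    with zipfile.ZipFile(ooxml, "w") as inner:
        inner.writestr("word/vbaProject.bin", b"\x00" * 8)
        inner.writestr("[Content_Types].xml", b"<Types/>")
    plain_docx = io.BytesIO()
    with zipfile.ZipFile(plain_docx, "w") as inner:
        inner.writestr("word/document.xml", b"<w:document/>")
    batch = io.BytesIO()
    with zipfile.ZipFile(batch, "w") as zf:
        zf.writestr("sample1.doc", ole_doc)
        zf.writestr("sample2.docm", ooxml.getvalue())
        zf.writestr("sample3.docx", plain_docx.getvalue())
        zf.writestr("sample4.txt", b"just text")
    return batch.getvalue()
```

Running scan_batch(build_sample_batch()) flags sample1.doc as olevba and sample2.docm as pkvba while the two benign members return None; as with the rules themselves, a plain .docx that merely mentions vbaProject.bin would be a false positive.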

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
