Internet Storm Center
WORD MACRO

| Date | Author | Title |
|---|---|---|
| 2020-03-18 | Brad Duncan | Trickbot gtag red5 distributed as a DLL file |
| 2019-12-11 | Brad Duncan | German language malspam pushes yet another wave of Trickbot |
| 2019-10-02 | Brad Duncan | A recent example of Emotet malspam |
| 2019-09-18 | Brad Duncan | Emotet malspam is back |
| 2018-12-18 | Brad Duncan | Malspam links to password-protected Word docs that push IcedID (Bokbot) |
| 2018-11-15 | Brad Duncan | Emotet infection with IcedID banking Trojan |
WORD

| Date | Author | Title |
|---|---|---|
| 2023-02-18 | Guy Bruneau | Spear Phishing Handlers for Username/Password |
| 2022-09-16 | Didier Stevens | Word Maldoc With CustomXML and Renamed VBAProject.bin |
| 2022-09-15 | Xavier Mertens | Malicious Word Document with a Frameset |
| 2022-09-10 | Guy Bruneau | Phishing Word Documents with Suspicious URL |
| 2022-08-13 | Guy Bruneau | Phishing HTML Attachment as Voicemail Audio Transcription |
| 2022-06-12 | Didier Stevens | Quickie: Follina, RTF & Explorer Preview Pane |
| 2022-06-06 | Didier Stevens | "ms-msdt" RTF Maldoc Analysis: oledump Plugins |
| 2022-06-05 | Didier Stevens | Analysis Of An "ms-msdt" RTF Maldoc |
| 2022-05-30 | Xavier Mertens | New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme (CVE-2022-30190) |
| 2022-05-17 | Xavier Mertens | Use Your Browser Internal Password Vault... or Not? |
| 2022-05-09 | Xavier Mertens | Octopus Backdoor is Back with a New Embedded Obfuscated Bat File |
| 2022-04-24 | Didier Stevens | Analyzing a Phishing Word Document |
| 2022-04-04 | Johannes Ullrich | Emptying the Phishtank: Are WordPress sites the Mosquitoes of the Internet? |
| 2022-03-10 | Xavier Mertens | Credentials Leaks on VirusTotal |
| 2022-02-22 | Xavier Mertens | A Good Old Equation Editor Vulnerability Delivering Malware |
| 2022-02-13 | Guy Bruneau | DHL Spear Phishing to Capture Username/Password |
| 2022-02-02 | Johannes Ullrich | Finding elFinder: Who is looking for your files? |
| 2021-12-02 | Brad Duncan | TA551 (Shathak) pushes IcedID (Bokbot) |
| 2021-11-30 | Johannes Ullrich | Hunting for PHPUnit Installed via Composer |
| 2021-11-15 | Rob VandenBrink | Changing your AD Password Using the Clipboard - Not as Easy as You'd Think! |
| 2021-08-06 | Xavier Mertens | Malicious Microsoft Word Remains A Key Infection Vector |
| 2021-05-14 | Xavier Mertens | "Open" Access to Industrial Systems Interface is Also Far From Zero |
| 2021-04-24 | Guy Bruneau | Base64 Hashes Used in Web Scanning |
| 2021-02-19 | Xavier Mertens | Dynamic Data Exchange (DDE) is Back in the Wild? |
| 2021-02-02 | Xavier Mertens | New Example of XSL Script Processing aka "Mitre T1220" |
| 2021-01-28 | Daniel Wesemann | Emotet vs. Windows Attack Surface Reduction |
| 2021-01-26 | Brad Duncan | TA551 (Shathak) Word docs push Qakbot (Qbot) |
| 2021-01-24 | Didier Stevens | Video: Doc & RTF Malicious Document |
| 2021-01-23 | Didier Stevens | CyberChef: Analyzing OOXML Files for URLs |
| 2021-01-13 | Brad Duncan | Hancitor activity resumes after a hoilday break |
| 2021-01-10 | Didier Stevens | Maldoc Analysis With CyberChef |
| 2021-01-09 | Didier Stevens | Maldoc Strings Analysis |
| 2021-01-06 | Johannes Ullrich | Scans for Zyxel Backdoors are Commencing. |
| 2020-12-24 | Xavier Mertens | Malicious Word Document Delivering an Octopus Backdoor |
| 2020-10-14 | Brad Duncan | More TA551 (Shathak) Word docs push IcedID (Bokbot) |
| 2020-09-18 | Xavier Mertens | A Mix of Python & VBA in a Malicious Word Document |
| 2020-08-19 | Xavier Mertens | Example of Word Document Delivering Qakbot |
| 2020-08-07 | Brad Duncan | TA551 (Shathak) Word docs push IcedID (Bokbot) |
| 2020-07-26 | Didier Stevens | Cracking Maldoc VBA Project Passwords |
| 2020-07-15 | Brad Duncan | Word docs with macros for IcedID (Bokbot) |
| 2020-07-13 | Didier Stevens | VBA Project Passwords |
| 2020-06-10 | Brad Duncan | Job application-themed malspam pushes ZLoader |
| 2020-05-20 | Brad Duncan | Microsoft Word document with malicious macro pushes IcedID (Bokbot) |
| 2020-04-06 | Didier Stevens | Password Protected Malicious Excel Files |
| 2020-03-18 | Brad Duncan | Trickbot gtag red5 distributed as a DLL file |
| 2020-01-22 | Brad Duncan | German language malspam pushes Ursnif |
| 2019-12-11 | Brad Duncan | German language malspam pushes yet another wave of Trickbot |
| 2019-11-01 | Didier Stevens | Tip: Password Managers and 2FA |
| 2019-10-02 | Brad Duncan | A recent example of Emotet malspam |
| 2019-09-18 | Brad Duncan | Emotet malspam is back |
| 2019-07-18 | Xavier Mertens | Malicious PHP Script Back on Stage? |
| 2019-06-10 | Xavier Mertens | Interesting JavaScript Obfuscation Example |
| 2019-01-24 | Brad Duncan | Malspam with Word docs uses macro to run Powershell script and steal system data |
| 2018-12-18 | Brad Duncan | Malspam links to password-protected Word docs that push IcedID (Bokbot) |
| 2018-12-17 | Didier Stevens | Password Protected ZIP with Maldoc |
| 2018-11-15 | Brad Duncan | Emotet infection with IcedID banking Trojan |
| 2018-10-26 | Xavier Mertens | Dissecting Malicious Office Documents with Linux |
| 2018-08-22 | Deborah Hale | Email/password Frustration |
| 2018-07-12 | Johannes Ullrich | New Extortion Tricks: Now Including Your Password! |
| 2018-06-13 | Xavier Mertens | A Bunch of Compromized Wordpress Sites |
| 2018-01-09 | Jim Clausing | Are you watching for brute force attacks on IPv6? |
| 2017-11-28 | Xavier Mertens | Apple High Sierra Uses a Passwordless Root Account |
| 2017-11-07 | Xavier Mertens | Interesting VBA Dropper |
| 2017-08-17 | Xavier Mertens | Maldoc with auto-updated link |
| 2017-05-17 | Richard Porter | Wait What? We don't have to change passwords every 90 days? |
| 2017-05-05 | Xavier Mertens | HTTP Headers... the Achilles' heel of many applications |
| 2017-04-26 | Johannes Ullrich | If there are some unexploited MSSQL Servers With Weak Passwords Left: They got you now (again) |
| 2017-04-23 | Didier Stevens | Malicious Documents: A Bit Of News |
| 2017-04-10 | Didier Stevens | Password History: Insights Shared by a Reader |
| 2017-02-07 | Johannes Ullrich | My Password is [taco] Using Emojis for Stronger Passwords |
| 2017-02-04 | Xavier Mertens | Detecting Undisclosed Vulnerabilities with Security Tools & Features |
| 2016-12-07 | Xavier Mertens | The Passwords You Should Never Use |
| 2016-09-15 | Xavier Mertens | In Need of a OTP Manager Soon? |
| 2016-07-21 | Didier Stevens | Practice ntds.dit File |
| 2016-06-20 | Xavier Mertens | Using Your Password Manager to Monitor Data Leaks |
| 2015-12-06 | Mark Hofman | Malware SPAM a new run has started. |
| 2015-06-26 | Daniel Wesemann | Cisco default credentials - again! |
| 2015-05-09 | Didier Stevens | Malicious Word Document: This Time The Maldoc Is A MIME File |
| 2015-03-13 | Guy Bruneau | Blind SQL Injection against WordPress SEO by Yoast |
| 2015-02-20 | Tom Webb | Fast analysis of a Tax Scam |
| 2014-11-20 | Johannes Ullrich | Critical WordPress XSS Update |
| 2014-09-19 | Guy Bruneau | Added today in oclhashcat 131 Django [Default Auth] (PBKDF2 SHA256 Rounds Salt) Support - http://hashcat.net/hashcat/ |
| 2014-08-22 | Richard Porter | OCLHashCat 1.30 Released |
| 2014-08-06 | Johannes Ullrich | All Passwords have been lost: What's next? |
| 2014-07-22 | Daniel Wesemann | WordPress brute force attack via wp.getUsersBlogs |
| 2014-06-19 | Tony Carothers | WordPress and Security |
| 2014-05-22 | Rob VandenBrink | Another Site Breached - Time to Change your Passwords! (If you can that is) |
| 2014-03-14 | Richard Porter | Word Press Shenanigans? Anyone seeing strange activity today? |
| 2014-03-12 | Johannes Ullrich | Wordpress "Pingback" DDoS Attacks |
| 2013-11-22 | Rick Wanner | Tales of Password Reuse |
| 2013-07-21 | Guy Bruneau | Ubuntu Forums Security Breach |
| 2013-06-11 | Swa Frantzen | Store passwords the right way in your application |
| 2013-05-14 | Jim Clausing | So what passwords are those ssh scanners trying? |
| 2013-03-18 | Kevin Shortt | Cisco IOS Type 4 Password Issue: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4 |
| 2013-01-18 | Russ McRee | Interesting reads for Friday 18 JAN 2013 |
| 2013-01-04 | Daniel Wesemann | Blue for Reset? |
| 2012-11-15 | Jim Clausing | Another month another password disclosure breach |
| 2012-07-16 | Jim Clausing | An analysis of the Yahoo! passwords |
| 2012-06-06 | Jim Clausing | Potential leak of 6.5+ million LinkedIn password hashes |
| 2012-05-22 | Johannes Ullrich | nmap 6 released |
| 2012-04-21 | Guy Bruneau | WordPress Release Security Update |
| 2012-01-05 | Russ McRee | WordPress 3.3.1 fixes 15 issues with WordPress 3.3 including XSS. Download 3.3.1 or visit Dashboard --> Updates in your site admin panel. |
| 2012-01-03 | Rick Wanner | Analysis of the Stratfor Password List |
| 2011-10-10 | Tom Liston | What's In A Name? |
| 2011-08-10 | Johannes Ullrich | Theoretical and Practical Password Entropy |
| 2011-06-30 | Guy Bruneau | WordPress 3.1.4 Security Update - http://wordpress.org/news/2011/06/wordpress-3-1-4/ |
| 2011-06-28 | Johannes Ullrich | Hashing Passwords |
| 2011-06-22 | Guy Bruneau | WordPress Forces Password Reset |
| 2011-05-30 | Johannes Ullrich | Allied Telesis Passwords Leaked |
| 2011-04-18 | John Bambenek | Wordpress.com Security Breach |
| 2011-02-08 | Mark Hofman | WordPress 3.0.5 (and 3.1 RC4) are out |
| 2010-12-30 | Johannes Ullrich | Critcal Wordpress Security Update http://wordpress.org/news/2010/12/3-0-4-update/ |
| 2010-12-28 | John Bambenek | Mozilla Notifies of Relatively Minor Security Breach |
| 2010-12-15 | Manuel Humberto Santander Pelaez | HP StorageWorks P2000 G3 MSA hardcoded user |
| 2010-12-13 | Deborah Hale | Gawker Media Breach of Security |
| 2010-12-02 | Kevin Johnson | SQL Injection: Wordpress 3.0.2 released |
| 2010-11-26 | Mark Hofman | Using password cracking as metric/indicator for the organisation's security posture |
| 2010-08-27 | Mark Hofman | FTP Brute Password guessing attacks |
| 2010-05-19 | Kyle Haugsness | Wordpress blog attacks... again |
| 2010-05-10 | Toby Kohlenberg | Another round of WordPress Attacks |
| 2010-03-30 | Pedro Bueno | Sharing the Tools |
| 2010-02-25 | Chris Carboni | Pass The Hash |
| 2010-02-05 | Jim Clausing | WordPress iframe injection? |
| 2010-02-02 | Johannes Ullrich | Twitter Mass Password Reset due to Phishing |
| 2009-12-04 | Daniel Wesemann | The economics of security advice (MSFT research paper) |
| 2009-11-30 | Bojan Zdrnja | Distributed Wordpress admin account cracking |
| 2009-11-02 | Daniel Wesemann | Password rules: Change them every 25 years |
| 2009-10-23 | Johannes Ullrich | Little new tool: reversing md5/sha1 hashes http://isc.sans.org/tools/reversehash.html |
| 2009-10-21 | Pedro Bueno | WordPress Hardening |
| 2009-08-11 | Swa Frantzen | Wordpress unauthenticated administrator password reset |
| 2008-11-11 | Swa Frantzen | Phishing for Google adwords |
| 2008-09-22 | Jim Clausing | Lessons learned from the Palin (and other) account hijacks |
| 2008-09-09 | Swa Frantzen | wordpress upgrade |
| 2008-07-17 | Mari Nichols | Adobe Reader 9 Released |
| 2008-07-09 | Johannes Ullrich | Unpatched Word Vulnerability |
| 2008-04-23 | Mari Nichols | What's New, Old and Morphing? |
MACRO

| Date | Author | Title |
|---|---|---|
| 2022-04-20 | Brad Duncan | "aa" distribution Qakbot (Qbot) infection with DarkVNC traffic |
| 2022-03-25 | Xavier Mertens | XLSB Files: Because Binary is Stealthier Than XML |
| 2022-01-22 | Xavier Mertens | Mixed VBA & Excel4 Macro In a Targeted Excel Sheet |
| 2021-12-20 | Jan Kopriva | PowerPoint attachments, Agent Tesla and code reuse in malware |
| 2021-12-02 | Brad Duncan | TA551 (Shathak) pushes IcedID (Bokbot) |
| 2021-09-23 | Xavier Mertens | Excel Recipe: Some VBA Code with a Touch of Excel4 Macro |
| 2021-09-01 | Brad Duncan | STRRAT: a Java-based RAT that doesn't care if you have Java |
| 2021-08-06 | Xavier Mertens | Malicious Microsoft Word Remains A Key Infection Vector |
| 2021-04-23 | Xavier Mertens | Malicious PowerPoint Add-On: "Small Is Beautiful" |
| 2021-03-03 | Brad Duncan | Qakbot infection with Cobalt Strike |
| 2021-02-23 | Jan Kopriva | Qakbot in a response to Full Disclosure post |
| 2021-02-05 | Xavier Mertens | VBA Macro Trying to Alter the Application Menus |
| 2021-02-03 | Brad Duncan | Excel spreadsheets push SystemBC malware |
| 2021-02-02 | Xavier Mertens | New Example of XSL Script Processing aka "Mitre T1220" |
| 2021-01-26 | Brad Duncan | TA551 (Shathak) Word docs push Qakbot (Qbot) |
| 2021-01-20 | Brad Duncan | Qakbot activity resumes after holiday break |
| 2021-01-14 | Bojan Zdrnja | Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file |
| 2021-01-13 | Brad Duncan | Hancitor activity resumes after a hoilday break |
| 2020-12-09 | Brad Duncan | Recent Qakbot (Qbot) activity |
| 2020-11-09 | Xavier Mertens | How Attackers Brush Up Their Malicious Scripts |
| 2020-10-26 | Didier Stevens | Excel 4 Macros: "Abnormal Sheet Visibility" |
| 2020-10-14 | Brad Duncan | More TA551 (Shathak) Word docs push IcedID (Bokbot) |
| 2020-09-23 | Xavier Mertens | Malicious Word Document with Dynamic Content |
| 2020-09-18 | Xavier Mertens | A Mix of Python & VBA in a Malicious Word Document |
| 2020-09-10 | Brad Duncan | Recent Dridex activity |
| 2020-08-26 | Xavier Mertens | Malicious Excel Sheet with a NULL VT Score |
| 2020-08-19 | Xavier Mertens | Example of Word Document Delivering Qakbot |
| 2020-08-07 | Brad Duncan | TA551 (Shathak) Word docs push IcedID (Bokbot) |
| 2020-08-06 | Xavier Mertens | A Fork of the FTCode Powershell Ransomware |
| 2020-08-03 | Xavier Mertens | Powershell Bot with Multiple C2 Protocols |
| 2020-07-15 | Brad Duncan | Word docs with macros for IcedID (Bokbot) |
| 2020-07-10 | Brad Duncan | Excel spreasheet macro kicks off Formbook infection |
| 2020-06-12 | Xavier Mertens | Malicious Excel Delivering Fileless Payload |
| 2020-06-10 | Brad Duncan | Job application-themed malspam pushes ZLoader |
| 2020-06-01 | Didier Stevens | XLMMacroDeobfuscator: An Update |
| 2020-05-20 | Brad Duncan | Microsoft Word document with malicious macro pushes IcedID (Bokbot) |
| 2020-04-05 | Guy Bruneau | Maldoc XLS Invoice with Excel 4 Macros |
| 2020-03-29 | Didier Stevens | Obfuscated Excel 4 Macros |
| 2020-03-18 | Brad Duncan | Trickbot gtag red5 distributed as a DLL file |
| 2020-03-09 | Didier Stevens | Malicious Spreadsheet With Data Connection and Excel 4 Macros |
| 2020-03-06 | Xavier Mertens | A Safe Excel Sheet Not So Safe |
| 2020-02-24 | Didier Stevens | Maldoc: Excel 4 Macros and VBA, Devil and Angel? |
| 2020-02-23 | Didier Stevens | Maldoc: Excel 4 Macros in OOXML Format |
| 2020-02-21 | Xavier Mertens | Quick Analysis of an Encrypted Compound Document Format |
| 2020-01-22 | Brad Duncan | German language malspam pushes Ursnif |
| 2020-01-09 | Xavier Mertens | Quick Analyzis of a(nother) Maldoc |
| 2019-12-11 | Brad Duncan | German language malspam pushes yet another wave of Trickbot |
| 2019-12-04 | Jan Kopriva | Analysis of a strangely poetic malware |
| 2019-10-02 | Brad Duncan | A recent example of Emotet malspam |
| 2019-09-18 | Brad Duncan | Emotet malspam is back |
| 2019-06-18 | Brad Duncan | Malspam with password-protected Word docs pushing Dridex |
| 2019-03-17 | Didier Stevens | Video: Maldoc Analysis: Excel 4.0 Macro |
| 2019-03-16 | Didier Stevens | Maldoc: Excel 4.0 Macros |
| 2019-03-13 | Brad Duncan | Malspam pushes Emotet with Qakbot as the follow-up malware |
| 2019-01-24 | Brad Duncan | Malspam with Word docs uses macro to run Powershell script and steal system data |
| 2018-12-18 | Brad Duncan | Malspam links to password-protected Word docs that push IcedID (Bokbot) |
| 2018-11-15 | Brad Duncan | Emotet infection with IcedID banking Trojan |
| 2018-08-24 | Xavier Mertens | Microsoft Publisher Files Delivering Malware |
| 2018-05-25 | Xavier Mertens | Antivirus Evasion? Easy as 1,2,3 |
| 2018-05-01 | Xavier Mertens | Diving into a Simple Maldoc Generator |
| 2017-12-19 | Xavier Mertens | Example of 'MouseOver' Link in a Powerpoint File |
| 2017-12-16 | Xavier Mertens | Microsoft Office VBA Macro Obfuscation via Metadata |
| 2017-11-15 | Xavier Mertens | If you want something done right, do it yourself! |
| 2017-02-26 | Guy Bruneau | It is Tax Season - Watch out for Suspicious Attachment |
| 2016-09-30 | Xavier Mertens | Another Day, Another Malicious Behaviour |
| 2015-02-19 | Daniel Wesemann | Macros? Really?! |