Welcome to another entry in our Triage Thursday update blog series! We’re back with a few updates today, after missing a blogpost last week to focus on work in progress. We still aren’t quite ready to put our latest feature in your hands yet, but we’re delighted to say that macOS analysis is almost ready and will be coming to Triage soon™! In today’s post we’ll give a bit of a preview of what’s coming for our macOS support.

There have also been a few detection updates since our last blogpost, so we’ll briefly cover those below:

- CobaltStrike configuration extractor tweak.
- Updated Gozi RM3 configuration extractor.
- Improved handling for Hakbit ransomware.
- New FickerStealer configuration extractor.
- Added family detection for Jormungand ransomware.
- Added initial signatures for Beapy cryptocurrency miner.

If you missed it earlier in the week, we also released a new feature for our Private Cloud customers. Magic Links are now available to make it easy to share analyses outside of registered Triage users. You can find more information on this in a Short Guide blogpost we published at the start of the week - Short Guide: Using Magic Links.

As always, a huge thank you to all those who send us feedback and suggestions - as a small team your comments are invaluable in helping us keep on top of an ever-changing malware landscape. You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.

Not signed up yet? Head over to tria.ge to register for a free account.

Adding support for analysis in macOS environments has been a central aim for Triage since its initial design, and we are very excited to finally be bringing it to reality. macOS is the last of the core platforms Triage was designed to work with, having begun with Windows initially and adding Linux and Android support over the course of 2020. Although really it is only the beginning of our plans for Triage, it represents a major milestone for us and the platform.

The initial release will support analysis machines running macOS 10.15 Catalina and, like our Windows VMs, will support most types of executables, scripts and files with embedded macros/code. They will also include common software, like Office, to support most malware delivery methods. To provide visibility on the VM for analysis we have developed a custom kernel agent which monitors all relevant activity, such as file and network operations and new processes. These events feed directly into our existing signature system for simple integration.

We’ll be sharing much more detailed information with you at the time of release. In the meantime, let’s take a look at some of the other updates which have been pushed this week.

CobaltStrike Configuration Extractor Update

CobaltStrike makes another appearance in the blog this week, with a tweak on our end making it easier to track and identify campaigns using the malware. We have recently observed users online sharing samples and using the watermark value from the config to identify samples.

[Embedded tweet: Michael Koczwara, April 19, 2021 - "Full list from April (100+)"]

To aid with tracking campaigns in this way, we have added a botnet ID tag to our CobaltStrike extractor which parses the watermark value and indexes it for searching within Triage. This should make it simple to quickly find additional samples using the same payload. You can find some examples featuring the new tag below.

Gozi RM3 has been another regular on the blog recently, with us making a few improvements and updates in recent weeks. This week our update addresses the handling of loaders for the family, based on a recent sample we observed which did not follow the usual pattern. We have now expanded the config extractor to parse the PX structure within the samples and extract the primary loader. This resolves some issues with the family using multiple stages of loaders and causing them to not be processed properly.

A version of Hakbit was recently brought to our attention which was incorrectly identified as Teslacrypt by Triage. We also observed that the ransom note was not being detected and extracted as expected. On investigation we identified some limitations in our ransom note handling which were affecting this analysis due to the note being in Russian. We have deployed an update to address this issue, and support for non-Latin characters should be more robust now.

In addition, we have begun a review of our Teslacrypt signatures to prevent further false positives for the family. The signatures for this family are among the oldest on the platform and we have far more capabilities available now to improve detection. In the meantime we have removed weak signatures, as the family is not common these days.
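Returning to the CobaltStrike botnet ID tag above, here is an added example (not Triage’s own extractor code) of how a watermark can be pulled from a Beacon settings block and used to index samples that share a payload. The TLV layout (u16 index, u16 type, u16 length; type 1 = short, 2 = int, 3 = data; single-byte XOR encoding with key 0x69; watermark at setting index 37) is assumed from public write-ups of the format, not from the post, and the three sample blobs are constructed test data.

```python
import struct
from collections import defaultdict

# Assumed layout (public write-ups, not from the post): XOR-encoded TLV records.
XOR_KEY = 0x69
SETTING_C2_HOST = 8       # string setting, shown only so the index has more than one field
SETTING_WATERMARK = 37    # integer setting carrying the licence watermark

def decode_settings(blob: bytes, key: int = XOR_KEY) -> dict:
    """Walk the XOR-decoded TLV block and return {setting_index: value}."""
    raw = bytes(b ^ key for b in blob)
    settings, off = {}, 0
    while off + 6 <= len(raw):
        idx, typ, length = struct.unpack_from(">HHH", raw, off)
        off += 6
        if idx == 0:                      # zero record terminates the block
            break
        val = raw[off:off + length]
        off += length
        if typ == 1:
            settings[idx] = struct.unpack(">H", val[:2])[0]
        elif typ == 2:
            settings[idx] = struct.unpack(">I", val[:4])[0]
        else:
            settings[idx] = val.rstrip(b"\x00")
    return settings

def botnet_tag(settings: dict):
    """Derive the searchable tag from the watermark, or None if it is absent."""
    wm = settings.get(SETTING_WATERMARK)
    return None if wm is None else f"botnet:{wm}"

def build_index(samples: dict) -> dict:
    """Map each botnet tag to the sample names that carry that watermark."""
    index = defaultdict(list)
    for name, blob in samples.items():
        tag = botnet_tag(decode_settings(blob))
        if tag:
            index[tag].append(name)
    return dict(index)

def encode_settings(entries, key: int = XOR_KEY) -> bytes:
    """Constructed test data only: build a blob in the same TLV layout."""
    out = b""
    for idx, typ, val in entries:
        body = struct.pack(">H", val) if typ == 1 else struct.pack(">I", val) if typ == 2 else val + b"\x00"
        out += struct.pack(">HHH", idx, typ, len(body)) + body
    return bytes(b ^ key for b in out + struct.pack(">HHH", 0, 0, 0))

# Constructed samples: two share a watermark (same payload), one does not.
SAMPLES = {
    "sample_a.bin": encode_settings([(SETTING_C2_HOST, 3, b"cdn.example"), (SETTING_WATERMARK, 2, 305419896)]),
    "sample_b.bin": encode_settings([(SETTING_C2_HOST, 3, b"files.example"), (SETTING_WATERMARK, 2, 305419896)]),
    "sample_c.bin": encode_settings([(SETTING_C2_HOST, 3, b"other.example"), (SETTING_WATERMARK, 2, 1)]),
}
```

Searching the resulting index by tag returns every sample built from the same licensed Beacon, which is the pivot the post describes.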