Poking malware one at a time.
SolarMarker: Actions-On-Target
SolarMarker malware remains was a common threat but nothing has been published or widely shared about the actor’s actions or objectives—until now. Based on original findings from monitoring an infected computer for months, this blog-post discloses—for the first time—the financial fraud carried out by the SolarMarker actor group.
Keep reading
DeceptionPro: getting ahead of cybercrime
DeceptionPro allows you to monitor cybercrime by creating realistic environments, allowing front row seat to attacker behaviors and post-exploitation activity.
Keep readingQuick abuse reports with certReport
The purpose of this blogpost is to formally introduce the certReport tool. The blog post will explain the tool’s function and give examples as to how to use it.
Keep reading
Impostor Certificates
It is common for malware to be signed with code signing certificates.
How is this possible? Impostors receive the cert directly and sign malware.
In this blog-post, we look at 100 certs used by Solarmarker malware to learn more.
Keep reading
October 2023 SolarMarker
SolarMarker regularly tops the list of threats seen by organizations like VMWare and Red Canary. This post will help you recognize SolarMarker, if you see it within your organization.
Keep reading
Understanding PE Bloat with Malcat
This post is an introduction to the tool for others and demonstrates how the tool can be used to understand portable executables and bloated resources.
Keep reading
Certified Bad
Authenticode Certificates are intended to ensure that software is created by vetted parties and that the software can be trusted; however, malware is often signed with valid Authenticode certificates and the process for signing malware and the implications are often misunderstood within InfoSec. This post takes a deep dive into my research on certificate abuse.
Keep readingSolarmarker: The Old is New
The purpose of this blogpost is to document the PowerShell used by Solarmarker. The PowerShell was first observed between Feb 2022 until May 2022 and then resurfaced in September 2022. The goal of this post is to publish information regarding the PowerShell to enable others to identify and understand what the PowerShell is doing. Detecting…
Keep readingSolarMarker Bloat
The goal of this post is to document SolarMarker malware as seen between May 2022 and September 2022. This malware is also known under other names (Jupyter Infostealer, YellowCockatoo, Polazert). If you are interested in earlier forms of the malware, check out my previous blog posts. The TLDR on SolarMarker is that it has been…
Keep readingSolarmarker: May 2022 Persistence
The purpose of this post is to document the new persistence methods used by Solarmarker. The previous persistence methods were used from July 2021 until May 2022 (read about those here, here and here). Whether this persistence is short lived or is used for the next year, it is my desire to make it publicly…
Keep readingSomething went wrong. Please refresh the page and/or try again.
Follow My Blog
Get new content delivered directly to your inbox.
Squiblydoo.blog 