When reviewing packet captures (pcaps) of suspicious activity, security professionals may need to export objects from the pcaps for a closer examination. This tutorial offers tips on how to export different types of objects from a pcap. The instructions assume you understand network traffic fundamentals. We will use these pcaps of network traffic to practice extracting objects using Wireshark. The instructions also assume you have customized your Wireshark column display as previously demonstrated in this tutorial.
Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S., Japan, India, Thailand, Canada
Our latest research into Shade ransomware shows attackers recently targeted high-tech firms, wholesalers and educational institutions in U.S., Japan, India, Thailand and Canada in early 2019 with English-language malspam.
When a host is infected or otherwise compromised, security professionals need to quickly review packet captures of suspicious network traffic to identify affected hosts and users. This tutorial offers tips on how to gather pcap data using Wireshark, the widely used network protocol analysis tool.
Redaman is banking malware first noted in 2015 that targets recipients who conduct transactions using Russian financial institutions. We have found versions of Redaman in Russian language mass-distribution campaigns during the last four months of 2018.
As a Threat Intelligence Analyst for Palo Alto Networks Unit 42, I often use Wireshark to review packet captures (pcaps) of network traffic generated by malware samples. To better accomplish this work, I use a customized Wireshark column display as described in my previous blog about using Wireshark. Today’s post provides more tips for analysts to
Unit 42 investigates a recent Fake Flash update pushing cryptocurrency mining software. Get the full report.
Unit 42 shares a lesson on customizing Wireshark to better meet security researcher needs.
Unit 42 examines Emotet and Trickbot, best known as banking malware and information stealers targeting Windows-based computers.
What a difference a year makes! As the dominant exploit kit (EK) in our current threat landscape, Rig EK has gone through significant changes. How much has Rig EK changed? In order to find out, we compared activity levels, malware payloads, and network traffic characteristics from January of 2017 with January of 2018. The contrast
Unit 42 tracks how attackers use fraudulent accounts and compromise infrastructures of legitimate businesses to deliver Hancitor malware.
Unit 42 investigates Boleto Mestre, a malspam campaign impersonating invoice documents of a popular Brazilian payment method.
Unit 42 uncovers HoeflerText popups delivering RAT malware to Google Chrome users.
Unit 42 examines the evolution of malspam targeting Microsoft Windows hosts in Brazil.
Unit 42 investigates recent developments in the EITest & pseudo-Darkleech campaigns contributing to the decline of Rig exploit kits.
Unit 42 identifies a new malicious spam campaign using United States Postal Service themed emails redirecting to fake Microsoft Word online sites.