Pythons and Unicorns and Hancitor…Oh My! Decoding Binaries Through Emulation

This blog post is a continuation of my previous post, VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick, where we analyzed a new Visual Basic (VB) macro dropper and the accompanying shellcode. In the last post, we left off with having successfully identified where the shellcode carved out and decoded a binary

AutoFocus Lenz: Taking the Blue (Team) Pill

The Palo Alto Networks AutoFocus threat intelligence service accelerates analysis and response workflows for unique, targeted attacks. The service further makes an immense set of threat intelligence available via the AutoFocus API, which can enrich existing security systems or workflows. Today, security teams can easily build scripts on top of this data using the AutoFocus

Python-Based PWOBot Targets European Organizations

We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.

Click-Fraud Ramdo Malware Family Continues to Plague Users

Ramdo is a family of malware that performs fraudulent website ‘clicks.’ Ramdo malware activity first surfaced in late 2013 and has since continued to infect machines worldwide, primarily through the use of exploit kits. In this blog

NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails

It seems every mainstream news event or holiday has an accompanying phishing campaign. Opportunistic actors hoping to capitalize on the public’s attention are often seen sending phishing e-mails with themes related to the news or the season. It happened this last holiday season and will likely continue to occur as long as email is around.