Entries by Rodolfo Saccani

Ramnit apparently still spreading after 9 years

It might be a targeted attack, given that we detected it only in one organization, or it might just be an ancient infection still attempting to propagate. In both cases it is an interesting case. The attack is coming via email, which is interesting given that it is a vbscript attack. Here is how the […]

Tracking pixels can be used to compromise enterprise security

Tracking pixels, or beacons, are widely used in email advertising, but a more subtle and dangerous use is possible. Tracking pixels are basically very small images (usually invisible to the human) embedded in the email, whose content is loaded from a server when the email is opened. When your email client loads this image from […]

Targeted attacks through mobileconfig attachments

We spotted an instance of what appears to be a targeted attack through a phishing email delivering a .mobileconfig file. This is a file format used to deliver configurations to iphones. The attack originates from domain that appears to have been created just for this purpose. This is how the email appears to the recipient: […]

Attaching malware to email replies is very effective

It’s almost one month now that a very effective malspam campaign delivering the ursnif trojan is in progress in Italy. The trick that the malware uses to spread is simple and effective: once run on the victim’s machine it sends replies to existing email threads attaching a copy of the malware itself. This strategy is […]

New DDE exploit variant currently not detected by any AV engine

DDE (Dynamic Data Exchange) is a very old and almost forgotten feature of Microsoft Office. Designed to automate the exchange of data between applications, it can be easily exploited to execute arbitrary code without any macro or other active content. About one month ago, samples of office documents exploiting DDE to spread ransomware have been […]

Web obfuscation technique using invisible spans

In order to delay detection, phishing and malware websites often use some obfuscation technique. Obfuscation techniques are double-edged swords. They hide the malicious content from dumb crawlers, bots and sandboxes, but smarter algorithms that know what to look for can detect the malware just by looking at it’s attempts to hide. This is one of […]

Pragmatic approach to security

This is the presentation that I used in my speech at the 2017 Security Summit in Milan. Security Summit, organized by ClusIt, is the most important security event in Italy. My speech was about protecting from unknown threats delivered via email, the focus was on the relationship between pragmatism and security. In this post I will […]

The Bot

From time to time a chatbot contacts me. If I have time, I enjoy to find out what kind of script the chatbot follows. This time it was on gtalk. As you can see from the following transcript, the chatbot didn’t care at all about my replies, it just waited for any input on my […]

A real email phishing experience

There are many email phishing techniques. Some phishing campaigns are mostly automated: a phishing landing page is created and a mass phishing campaign is launched to send victims to the landing page. On the attacker side, humans start getting involved only after the victims have provided personal information to the phishing landing page. Other phishing […]