Taylor Swift, Grizzly Steppe, Serpent Ransomware - OH MY!

Last week was busy!

DHS' NCCIC released an update on the activity they call Grizzly Steppe. Security researcher Florian Roth cleaned up the formatting of the 60+ YARA signatures, performed quality assurance, and rewrote the signatures that had a high false positive rate! You can download his great work for use in Hipara here: Florian's git repo

Digital Shadows released a report on the Mirai botnet embedding executables within a photo of Taylor Swift. We can detect this TTP with the following YARA signature:

rule Mirai_HiddenExe
{
    meta:
        author = "brett@hipara.org"
        description = "Detects PE payload in JPEG file"
        reference = "https://www.digitalshadows.com/blog-and-research/an-unusually-swifttay-malware-delivery-tactic"
        date = "02-12-2017"

    strings:
        $jiff = { ff d8 ff e0 00 10 4a 46 49 46 } // JPEG/JFIF file header (SOI marker, APP0 marker, "JFIF")
        $exe = "!This program cannot be run in DOS mode." // MS-DOS stub text of a PE executable

    condition:
        ( $jiff at 0 ) and $exe // JPEG/JFIF header must start at offset 0, then look for the executable stub anywhere in the file
}
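To show what the rule above actually keys on, here is an added Python example (not code from the original post or from Hipara) that applies the same two checks to raw bytes: a JFIF header at offset 0 and the MS-DOS stub text anywhere in the file. It goes one step beyond the rule by walking back from the stub to the nearest `MZ` header and following `e_lfanew` to confirm a `PE\0\0` signature, which is a useful triage step before treating a hit as a real embedded executable. The sample inputs are constructed in the block and are not real malware.

```python
import struct

# Same byte patterns the YARA rule uses.
JFIF_HEADER = bytes.fromhex("ffd8ffe000104a464946")  # FF D8 FF E0 00 10 "JFIF"
DOS_STUB = b"!This program cannot be run in DOS mode."


def scan_jpeg_for_pe(data: bytes) -> dict:
    """Mirror the rule's condition: JFIF header at offset 0 AND the DOS stub anywhere.

    On a match, additionally locate the nearest preceding 'MZ' header and check
    that its e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature.
    """
    is_jfif = data.startswith(JFIF_HEADER)
    stub_off = data.find(DOS_STUB)
    result = {
        "jfif_at_0": is_jfif,
        "dos_stub_offset": stub_off,          # -1 when absent
        "match": is_jfif and stub_off != -1,  # the YARA condition
    }
    if result["match"]:
        # Heuristic triage: the DOS stub normally sits just after a 64-byte DOS header.
        mz = data.rfind(b"MZ", 0, stub_off)
        result["mz_offset"] = mz
        if mz != -1 and len(data) >= mz + 0x40:
            e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
            pe_off = mz + e_lfanew
            result["pe_header_offset"] = pe_off
            result["pe_signature_ok"] = data[pe_off:pe_off + 4] == b"PE\0\0"
    return result


def build_fake_mz_blob() -> bytes:
    """Constructed stand-in for a PE file: DOS header, stub text, then 'PE\\0\\0'.

    It is not an executable; it only reproduces the byte layout the scanner inspects.
    """
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    pe_offset = 0x40 + len(DOS_STUB)          # e_lfanew -> right after the stub
    struct.pack_into("<I", hdr, 0x3C, pe_offset)
    return bytes(hdr) + DOS_STUB + b"PE\0\0" + b"\0" * 16


# Constructed samples (not real files).
SAMPLE_BENIGN = JFIF_HEADER + b"\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"
SAMPLE_SUSPICIOUS = SAMPLE_BENIGN + build_fake_mz_blob()   # PE-like blob appended to the JPEG
SAMPLE_BARE_PE = build_fake_mz_blob()                       # stub present, but no JFIF header


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN),
                         ("suspicious", SAMPLE_SUSPICIOUS),
                         ("bare_pe", SAMPLE_BARE_PE)):
        print(name, scan_jpeg_for_pe(sample))
```

Two caveats fall out of running this. The rule only fires on JPEGs that carry the JFIF APP0 segment at offset 0; a JPEG that starts with an Exif APP1 segment (`ff d8 ff e1`) has the same SOI marker but will not satisfy `$jiff at 0`, so a second string for that header is worth considering. Conversely, the stub text alone is not proof of a runnable PE, which is why the extra `MZ`/`e_lfanew` walk is worth doing before escalating a hit.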

And finally, Proofpoint blogged about Serpent, a new ransomware family. Our testing indicates that Hipara's anti-ransomware behavioral prevention successfully blocked Serpent from encrypting files without a single file lost!

Brett Cunningham
