Labs

Case Study  Catching A Human Operated Maze Ransomware Attack In Action 1

Case Study: Catching a Human-Operated Maze Ransomware Attack In Action

Maze operators tailor attacks to the victim’s environment to evade detection. We show how they operate, and reveal a decoded HDA payload among other IOCs.

Read More
Agent Tesla   Old RAT Uses New Tricks To Stay On Top 4

Agent Tesla | Old RAT Uses New Tricks to Stay on Top

Aside from Dridex, Agent Tesla is the most widely used malware currently targeting businesses. We review its core functionality and latest adaptations.

Read More
Hacking Smart Devices For Fun Profit 3

Hacking Smart Devices for Fun and Profit

Presented at DEF CON 28 (2020), this is the story of how SentinelOne researcher Barak Sternberg found four IoT vulnerabilities in thousands of smart devices.

Read More
Moving From Common Sense Knowledge About UEFI To Actually Dumping UEFI Firmware 6

Moving From Common-Sense Knowledge About UEFI To Actually Dumping UEFI Firmware

The first in a series of posts for researchers on how to emulate, debug and fuzz UEFI modules, we begin with a refresher on how to dump SPI flash memory.

Read More
WastedLocker Ransomware   Abusing ADS And NTFS File Attributes 4

WastedLocker Ransomware: Abusing ADS and NTFS File Attributes

WastedLocker is a relatively new ransomware that has been attacking high-value targets across numerous industries, including several Fortune 500 companies.

Read More
Enter The Maze  Demystifying An Affiliate Involved In Maze Snow 9

Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)

SentinelLabs profiles an affiliate involved with Maze ransomware and details the actor’s involvement with other crimeware families, including TrickBot.

Read More
Breaking EvilQuest Reversing A Custom MacOS Ransomware File Encryption Routine 8

Breaking EvilQuest | Reversing A Custom macOS Ransomware File Encryption Routine

A new macOS ransomware threat uses a custom file encryption routine not based on public key encryption. Jason Reaves shows how we broke it.

Read More
Living Off Windows Land A New Native File  Downldr  13

Living Off Windows Land – A New Native File “downldr”

A newly discovered LOLBin offers an alternative to certutil for helping adversaries download files from a remote server. Meet desktopimgdownldr.exe.

Read More
Thanos Ransomware   A Rapidly Evolving RaaS Targets Legacy AV Backup Solutions 12

Thanos Ransomware | RIPlace, Bootlocker and More Added to Feature Set

Thanos Ransomware has developed rapidly over the last 6 months, offering a customized RaaS tool with an expanding feature set to build unique payloads.

Read More
Inside A “TrickBot” “CobaltStrike” Attack Server 9

Inside a TrickBot Cobalt Strike Attack Server

Analysis of a Cobalt Strike Server leveraged in PowerTrick breaches.

Read More