João Marques (@jcmarques15)'s Twitter Profile
João Marques

@jcmarques15

ID: 2891590607

Joined: 25-11-2014 02:45:08

329 Tweets

69 Followers

238 Following

Christiaan Beek (@christiaanbeek)

Based on gossi's blog on the reported code execution in MS Office abusing msdt.exe, I've created an Expert Rule for Trellix customers to detect/block suspicious files abusing this: github.com/advanced-threa…

VirusTotal (@virustotal)

Good news for the MISP (@misp@misp-community.org)'s user community! Now you can export your VT Graph into a MISP event (Download as>MISP Event) including all relationships and (optionally) the VT report for all the indicators.

Raj Samani (@raj_samani)

Exploitation of Follina — A Microsoft Office Code Execution Vulnerability appears to be hitting 23 countries, details/IoCs via @TrellixLabs trellix.com/en-us/threat-c… #cybersecurity #malware H/T Jeffrey Sman The Brofessor Alfred Alvarado Tim Hux John Fokker João Marques

kanav 🇵🇸 (@_syadvada)

We made the unfortunate decision to let go of 20% of our team. They are extremely talented, please do not hesitate to hire them. Here's a spreadsheet with their names: C:/MyDocuments/Accenture2022/bottom_20_underperformers_v6_FINAL.xlsx

Max 'Libra' Kersten (@libranalysis)

Finished my presentation at Black Hat NJ's Arsenal! Had an absolute blast presenting! DotDumper is now live, find it here: github.com/advanced-threa…

Maarten Botterman (@maarten_bman)

“Don’t focus on flashy visualization - choose the way that fits. We are not in a casino - sometimes a simple spreadsheet may be the best visualization of data. It needs to make sense for the user.” A reality check by John Fokker - Trellix Advanced Research Center during #cyberconf22

Trellix Advanced Research Center (@trellixarc)

This week VMware observed ransomware actors targeting CVE-2021-21974, a remote code execution vuln allowing an attacker to exploit the OpenSLP protocol. More on the global ESXiArgs ransomware campaign on the blog. bit.ly/3JViwXO

threatray (@threatray)

Check out our newest blog post on linking and tracking UAC-0056 tooling through code reuse analysis. threatray.com/blog/linking-a… #threatintel #malware #graphiron

Trellix Advanced Research Center (@trellixarc)

Threat actors’ use of Microsoft OneNote to spread Qakbot marks a novel malware distribution strategy. Our researchers detail how they deobfuscated and unpacked it, and extracted its configurations. Read more. bit.ly/3mlVyPV

Trellix Advanced Research Center (@trellixarc)

Malware Analyst Max 'Libra' Kersten provides a technical look at the “Read The Manual” (RTM) Locker gang, including a deep dive into their Windows ransomware executable, on the blog. bit.ly/3KrAnEo

Trellix Advanced Research Center (@trellixarc)

Head of Threat Intelligence John Fokker shares our observations on cybercriminal behavior from over a year virtually staked out in the Genesis Marketplace — these insights ultimately assisted law enforcement in the market’s takedown. Hear more. bit.ly/43pvfsz

Trellix (@trellix)

Despite takedown attempts in 2021, Emotet resurfaced, and threat actors continue to use it today. Trellix Advanced Research Center’s Adithya Chandra, João Marques, and Raghav Kapoor explore its evolution and current TTPs. Read to learn more. bit.ly/3PnExkI

Trellix Advanced Research Center (@trellixarc)

In June, we debuted Ghidra scripts for analyzing Go-based malware. Max 'Libra' Kersten, in collaboration with Dorka Palotay, updated the scripts to now include: ➡️ Support for Golang 1.20 ➡️ Support for MachO files ➡️ Resolved to-do segments Find the scripts here: bit.ly/46Pd55d

Trellix Advanced Research Center (@trellixarc)

Over two years, our team analyzed & enhanced threat intelligence for Operation Morpheus. Learn about the data we shared with law enforcement to assist in the dismantling of Cobalt Strike's infrastructure from John Fokker, joao marcelo, & Leandro Velasco. bit.ly/4cOOYpZ

Bryan Palma (@bryanjpalma)

Very difficult situation for many customers across the world. CrowdStrike support is overwhelmed. I have mobilized our Trellix Customer Support team to assist any CrowdStrike customers who need assistance with restoring their endpoints. #TrellixThrive #StandTogether

Bryan Palma (@bryanjpalma)

It’s been a busy couple of days at Trellix, with many of our teams working through the weekend to help customers: recover from the outage, understand what went wrong at CrowdStrike, and update them on the latest adversarial intelligence.