Live Coverage Of A Disinformation Operation Against The 2019 EU Parliamentary Elections

May 24, 2019

I recently worked with investigative journalists from Yle, attempting to uncover disinformation on social media around the May 2019 European elections. This work was also part of F-Secure’s participation in the SHERPA project, which involves developing an understanding of adversarial attacks against machine learning systems – in this case, recommendation systems on social networks. My contribution to…


Spam Trends: Top attachments and campaigns

May 8, 2019

Malware authors tend to prefer specific types of file attachments in their campaigns to distribute malicious content. During our routine threat landscape monitoring in the last three months, we observed some interesting patterns about the attachment types that are being used in various campaigns. In February and March, we saw huge spam campaigns using ZIP files to send out GandCrab ransomware, and DOC…


Discovering Hidden Twitter Amplification

April 3, 2019

As part of the Horizon 2020 SHERPA project, I’ve been studying adversarial attacks against smart information systems (systems that utilize a combination of big data and machine learning). Social networks fall into this category – they’re powered by recommendation algorithms (often based on machine learning techniques) that process large amounts of data in order to display relevant information to users. As such, I’ve been trying…


Mira Ransomware Decryptor

April 1, 2019

We investigated some recent ransomware called Mira (Trojan:W32/Ransomware.AN) in order to check if it’s feasible to decrypt the encrypted files. Most often, decryption can be very challenging because of missing keys that are needed for decryption. However, in the case of Mira ransomware, it appends all information required to decrypt an encrypted file into the encrypted file itself. Encryption Process The ransomware first initializes a new…


A Hammer Lurking In The Shadows

March 29, 2019

And then there was ShadowHammer, the supply chain attack on the ASUS Live Update Utility between June and November 2018, which was discovered by Kaspersky earlier this year, and made public a few days ago. In short, this is how the trojanized Setup.exe works: An executable embedded in the Resources section has been overwritten by the first-stage payload. The program logic has been…


Analysis of LockerGoga Ransomware

March 27, 2019

We recently observed a new ransomware variant (which our products detect as Trojan.TR/LockerGoga.qnfzd) circulating in the wild. In this post, we’ll provide some technical details of the new variant’s functionalities, as well as some Indicators of Compromise (IOCs). Overview Compared to other ransomware variants that use Windows CRT library functions, this new variant relies heavily on the less commonly used Boost library. For example, instead…


Analysis Of Brexit-Centric Twitter Activity

March 12, 2019

This is a rather long blog post, so we’ve created a PDF for you to download, if you’d like to read it offline. You can download that from here. Executive Summary This report explores Brexit-related Twitter activity occurring between December 4, 2018 and February 13, 2019. Using the standard Twitter API, researchers collected approximately 24 million tweets that matched the word “brexit” published by 1.65 million users. A node-edge graph…


Why Social Network Analysis Is Important

February 21, 2019

I got into social network analysis purely for nerdy reasons – I wanted to write some code in my free time, and Python modules that wrap Twitter’s API (such as tweepy) allowed me to do simple things with just a few lines of code. I started off with toy tasks (like mapping the time of day that @realDonaldTrump tweets) and then moved on to creating tools to fetch and process streaming…


Phishing Campaign targeting French Industry

November 26, 2018

We have recently observed an ongoing phishing campaign targeting the French industry. Among these targets are organizations involved in chemical manufacturing, aviation, automotive, banking, industry software providers, and IT service providers. Beginning October 2018, we have seen multiple phishing emails which follow a similar pattern, similar indicators, and obfuscation with quick evolution over the course of the campaign. This post will give a quick look into how the campaign has…