Tag #analysis
  • 23 February 2023 Jarosław Jedynak, Michał Praszmo #ransomware #malware #analysis

    A tale of Phobos - how we almost cracked a ransomware using CUDA

    For the past two years we've been tinkering with a proof-of-concept decryptor for the Phobos ransomware family. It works, but is impractical to use for reasons we'll explain here. Consequently, we've been unable to use it to help a real-world victim so far. We've decided to publish our findings and tools, in the hope that someone will find them useful or interesting, or will continue our research. We will describe the vulnerability, and how we improved our decryptor's computational complexity and performance to reach an almost practical implementation.

  • 27 October 2021 CERT Polska #malware #analysis #vidar #stealer

    Vidar stealer campaign targeting Baltic region and NATO entities

    While working on our automatic configuration extractors, we came across a rather strange-looking Vidar sample. The decrypted strings included domain names of such organizations as the NATO Strategic Communications Centre of Excellence, Border Guard of Poland, Estonia and Latvia, and Ministry of the Interior of Lithuania. Automatically extracted strings from …

  • 13 April 2021 Michał Praszmo #guloader #malware #cloudeye #analysis

    Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader

    CloudEye (originally GuLoader) is a small malware downloader written in Visual Basic that's used in delivering all sorts of malicious payloads to victim machines. Its primary function is to download, decrypt and run an executable binary off a server (commonly a legitimate one like Google Drive or Microsoft OneDrive). At …

  • 18 February 2020 Michał Praszmo #analysis #malware #emotet

    What’s up Emotet?

    Emotet is one of the most widespread and havoc-wreaking malware families currently out there. Due to its modular structure, it’s able to easily evolve over time and gain new features without having to modify the core. Its first version dates back to 2014. Back then …

  • 19 November 2019 Michał Praszmo #analysis #brushaloader #loader #malware

    Brushaloader gaining new layers like a pro

    Yo dawg, I heard you like droppers, so I put a dropper in your dropper. On 2019-11-18 we received a report that some Polish users had begun receiving malspam imitating DHL. In this short article, we’ll take a look at the xls document that has been used as …

  • 18 July 2018 Michał Praszmo #analysis #malware #smokeloader

    Dissecting Smoke Loader

    Smoke Loader (also known as Dofoil) is a relatively small, modular bot that is mainly used to drop various malware families. Even though it’s designed to drop other malware, it has some pretty hefty malware-like capabilities on its own. Despite being quite old, it’s still going strong, recently …

  • 19 June 2018 Hubert Barc #analysis #bank #banker #e-banking #malware

    Backswap malware analysis

    Backswap is a banker that we first observed around March 2018. It’s a variant of the old, well-known TinBa malware (which stands for “tiny banker”). As the name suggests, its main characteristic is small size (very often in the 10-50 kB range). In the summary, we present reasoning for assuming …

  • 01 June 2018 Paweł Srokosz #analysis #banker #botnet #malware

    Ostap malware analysis (Backswap dropper)

    Malicious scripts, distributed via spam e-mails, have been getting more complex for some time. Usually, if you got an e-mail with a .js attachment, you could safely assume it was just a simple dropper, limited to downloading and executing malware. Unfortunately, there is a growing number of campaigns these …

  • 16 January 2018 Agnieszka Bielec #analysis #android #botnet #malware #trojan

    Analysis of a Polish BankBot

    Recently we have observed campaigns of banking malware for the Android system which targets Polish users. The malware is a variant of the popular BankBot family, but differs from the main BankBot samples. Its victims were infected by installing a malicious application from Google Play …

  • 19 October 2017 Jarosław Jedynak #analysis #malware #tofsee

    A deeper look at Tofsee modules

    Tofsee is a multi-purpose malware with a wide array of capabilities – it can mine bitcoins, send emails, steal credentials, perform DDoS attacks, and more. All of this is possible because of its modular nature. We already published about Tofsee/Gheg a few months ago – https://www.cert.pl/en/news …


The CERT Polska team operates within the structures of NASK (Research and Academic Computer Network) — a research institute which conducts scientific studies, operates the national .pl domain registry and provides advanced IT services.
