Rats of a different ilk

Yesterday, I pushed the publish button on some additional research I assisted Markel Picado with on RATicate, an actor that had been sending tailored malicious emails to victims loaded with malware installers. They appear to be a Malware as a Service operation.

The interesting thing is that they appear to have been using the same commercial crypting/packing tool as the actors behind the GuLoader malware tracked by Check Point: a product called CloudEyE Protector, the successor to DarkEyE Protector. The operators of that crypter-as-a-service shut it all down when people came asking about their malware distribution, and swore they would ban the bad actors.

Welp, they’re back in business, and they’re following some very rigorous (lol) vetting of customers. Sebastiano and Ivano pinky promise to very closely monitor usage and look out for shenanigans. The problem with grey tools like this–which have legitimate uses as obfuscators and license-protection schemes–is that they are always going to have abusers. The only way to tell the bad from the good is behavior-based detection.

Ironically, one of the features they instituted to lock down their tools was a “hardware ID grabber” app they built with their own tool. And Windows Defender (and 16 others, including Sophos) detect it as malware.

Random Ranting

Obligatory rant post

I think there are a significant number of us who predicted that this year, like the last three, would be a continued slide into the apocalypse. And it looks like we were all too optimistic at this point, weren’t we? We’re all trapped on the bus in Speed, except that the Donald is both the driver and the bomber and Keanu Reeves is definitely not coming to help.

The reason that we all drastically underestimated the damage that Orange Julius Caesar could do is because our assumptions were made pre-pandemic. And even if we had known about the pandemic, we would not have been able to foresee the germophobe-in-chief pulling the counter-programming move he’s pulled unless we believed he deliberately wanted to kill hundreds of thousands of people off–which he apparently does–or that no one in a position to do anything to convince him to act decisively would succeed (or even try, until it was too late).

I say this from a position of entitlement–I have a job that allows me to work from home. But my wife and kids all have jobs that touch the public, and the premature push to be “open for business” has now endangered them (and me as a result). My eldest works for Apple retail; his store re-opened under strict guidelines, and is now closed again because of COVID-19 cases among the staff. Apple had testing in place; other employers don’t. Our governor flew to South Korea to get more tests, and yet testing lags here like it does for most of the country.

People would probably have died in the thousands no matter who was in the White House. But this asshole has gone big on buffoonery and will kill another hundred thousand easily before this is done. The stress on families weighing the benefits of earning a paycheck against the risks posed to their health (and lives, even) by working is real, and Ivanka is posing with cans of Goya black beans.

We have at least until next January with this asshole, barring some sort of miracle. It’s enough to make even atheists pray.

Sextortion still happens, apparently

I collaborated with Tamas Kocsir and the folks at CipherTrace on a report on the economics of sextortion spam.

Malware Phishing

Who wants Coronavirus with the Trickbot?

My first official threat report is now posted.

A lot of things have happened since I first took up the nom de plume “The Packet Rat” in 1994. For 15 years, I wrote a rumors/thinly-veiled-autobiography/surrealist tech column under the byline “R. Fink” for Government Computer News, before a redesign (and some significant corporate consolidation at 1105 Media) ended that run. In the meantime, my actual packet hunting (and other information security) exploits had continued in research and lab ops at InformationWeek, Ziff Davis, a fever-dream of a year at Tech Target, and various other exploits before landing at 1105 to run Defense Systems (and having to give up the freelance check for The Rat).

Since then, I’ve been doing cyber shit at Ars Technica. But now I’m fully down the infosec rabbit hole in a threat research role, and embarking on a book about deep packet inspection with Dave Porcello, late of Pwnie Express and other ventures.