🔍New Blog: JustAskJacky -- AI brings back classical trojan horse malware
https://www.gdatasoftware.com/blog/2025/08/38247-justaskjacky-ai-trojan-horse-comeback
🦔 📹 New Video: There is more than Clean and Malicious
➡️ 7 file analysis verdicts and what they mean
#MalwareAnalysisForHedgehogs #Verdicts
https://www.youtube.com/watch?v=XwT23XVtAw0
Great analysis of the malware distributed with the eslint-config-prettier NPM package compromise on Friday: https://c-b.io/2025-07-20+-+Install+Linters%2C+Get+Malware+-+DevSecOps+Speedrun+Edition
By c-b.io on Bluesky / cyb3rjerry on Twitter :D
#malwareanalysis #reverseengineering #infosec #npm #npmsecurity #malware #reversing
During a recent incident response case, we observed the following file access: \\localhost\C$\@GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit
This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot. Many EDR and detection systems typically monitor for commands such as 'vssadmin list shadows', and may trigger alerts based on their use.
However, by leveraging the "Previous Versions" feature in Windows (see screenshot), attackers can select a snapshot, view its properties, and enter the '@GMT' path directly in Explorer. This allows them to browse the snapshot's contents without needing to use the command line.
Because this technique doesn't rely on typical shadow copy commands, it may evade detection by your EDR or SIEM solution. You might want to test it in your environment to identify and close this potential detection gap 🦸♂️🦸♀️
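As an added example (my own code, not part of the post above and not G DATA's tooling): a small Python detector that looks for the @GMT snapshot token in file-access paths, extracts the snapshot's creation time (the token is UTC) and the live path it maps to, and flags reads of files that are normally locked on a running system, which is why attackers pull them from a snapshot. The input paths are constructed for this example (the one from the case above is included); the list of sensitive files is my own choice, not from the post.

```python
"""Flag file access through a VSS snapshot addressed by its @GMT token (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# A snapshot path carries "@GMT-YYYY.MM.DD-HH.MM.SS" (the snapshot's creation time, UTC)
# as one path component; everything after it is the path inside the snapshot.
GMT_TOKEN = re.compile(
    r"(?i)^(?P<prefix>(?:.*[\\/])?)@GMT-"
    r"(?P<y>\d{4})\.(?P<mo>\d{2})\.(?P<d>\d{2})-(?P<h>\d{2})\.(?P<mi>\d{2})\.(?P<s>\d{2})"
    r"(?P<rest>(?:[\\/].*)?)$"
)

# Files whose live copies are locked, so a snapshot is the usual way to read them.
# This list is my own choice for the example.
SENSITIVE_SUFFIXES = (
    "\\windows\\ntds\\ntds.dit",
    "\\system32\\config\\sam",
    "\\system32\\config\\system",
    "\\system32\\config\\security",
)


@dataclass
class SnapshotAccess:
    raw_path: str                 # path as seen in the log
    snapshot_time_utc: datetime   # snapshot creation time taken from the @GMT token
    original_path: str            # the same path without the snapshot component
    sensitive: bool               # True if it targets one of SENSITIVE_SUFFIXES


def parse_snapshot_access(path: str) -> Optional[SnapshotAccess]:
    """Return a SnapshotAccess if path goes through an @GMT snapshot, else None."""
    m = GMT_TOKEN.match(path)
    if not m:
        return None
    snapshot_time = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                             int(m["h"]), int(m["mi"]), int(m["s"]), tzinfo=timezone.utc)
    original = m["prefix"] + m["rest"].lstrip("\\/")
    lowered = "\\" + original.lower().replace("/", "\\")
    sensitive = any(lowered.endswith(suffix) for suffix in SENSITIVE_SUFFIXES)
    return SnapshotAccess(path, snapshot_time, original, sensitive)


def scan_paths(paths: List[str]) -> List[SnapshotAccess]:
    """Run the detector over a list of accessed paths (e.g. from file or share audit logs)."""
    hits = []
    for p in paths:
        hit = parse_snapshot_access(p)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample input for the example; only the first path is from the case.
SAMPLE_PATHS = [
    r"\\localhost\C$\@GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit",
    r"\\localhost\C$\@GMT-2025.06.21-10.53.43\Windows\System32\config\SYSTEM",
    r"@GMT-2025.06.21-10.53.43\Users\Public\notes.txt",        # share-relative form, benign file
    r"\\fileserver\share\@gmt-2025.06.20-03.00.00\Finance\Q2.xlsx",
    r"C:\Windows\NTDS\ntds.dit",                                # live file, no snapshot token
]

if __name__ == "__main__":
    for hit in scan_paths(SAMPLE_PATHS):
        flag = "SENSITIVE" if hit.sensitive else "info"
        print(f"[{flag}] snapshot {hit.snapshot_time_utc.isoformat()} -> {hit.original_path}")
```

Because the access in the post goes through a UNC share (\\localhost\C$), the request traverses the SMB server even though it is local, so share-access auditing is one place the token can surface; the detector only needs the path string, whichever log supplies it. Note that the token encodes UTC, so compare it against the snapshot list in UTC rather than local time.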
Ever heard of shellbags? Like in the example here:
My Computer -> ? -> Users -> <compromised_user> -> ADRecon-Report-20250225235831
Shellbags are a subset of data found within UsrClass.dat and sometimes in the NTUSER.DAT hive. They are used by Windows to remember folder view settings for Explorer. Each time a user opens a folder, Windows stores metadata about how that folder was viewed, including its path, icon size, window position, and view mode (such as details or thumbnails). This applies to both local and external directories, including removable drives or network shares.
From a forensic standpoint, Shellbags are highly valuable. They can reveal folders that were accessed or created by the user, even if those folders or drives no longer exist.
Like in the example above, from a recent Incident Response case. We did not find evidence of execution of ADRecon; however, the shellbags clearly showed that the attacker browsed this folder at the same time the timestamp in the report file name was generated, providing evidence that the tool had run despite the absence of other evidence.
An artefact you don't want to miss in your investigation. 🕵
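As an added example (my own code, not from the post above and not a G DATA tool): a Python decoder for one file-entry shell item of the kind stored in the BagMRU values that make up ShellBags. It shows what a single entry actually carries: the 8.3 short name, the FAT-format timestamps copied from the directory entry, and the long name from the 0xbeef0004 extension block. The byte layout follows the libfwsi "Windows Shell Item format" documentation as I understand it (file-entry items of class 0x31/0x32, extension block versions 8 and 9); treat the offsets as an assumption to check against that documentation before relying on them. The item bytes are constructed here from the folder name in the post; they are not evidence from the case.

```python
"""Decode one Windows shell item as stored in ShellBags BagMRU values (added example).

Layout per the libfwsi "Windows Shell Item format" documentation (assumed correct):
file-entry item (class 0x31 directory / 0x32 file) followed by an 0xbeef0004
extension block, versions 8 and 9. Sample bytes below are constructed, not evidence.
"""
import struct
from datetime import datetime
from typing import Optional

BEEF0004_SIG_LE = b"\x04\x00\xef\xbe"   # 0xbeef0004 as stored (little-endian)
LONG_NAME_OFFSET = {8: 42, 9: 46}       # offset of the UTF-16 long name inside the extension block
FILE_ATTRIBUTE_DIRECTORY = 0x10


def fat_datetime(raw: bytes) -> Optional[datetime]:
    """Decode a 4-byte FAT/DOS timestamp (uint16 date, uint16 time): local time, 2 s resolution."""
    date, time = struct.unpack("<HH", raw)
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def fat_pack(dt: datetime) -> bytes:
    """Encode a datetime as a FAT/DOS timestamp (only used to build the sample item)."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def read_utf16z(buf: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at off."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_file_entry_item(item: bytes) -> dict:
    """Parse a file-entry shell item and, if present, its 0xbeef0004 extension block."""
    size, class_type, _, file_size = struct.unpack_from("<HBBI", item, 0)
    if class_type & 0x70 != 0x30:
        raise ValueError(f"not a file-entry shell item: class 0x{class_type:02x}")
    attributes = struct.unpack_from("<H", item, 12)[0]
    result = {
        "size": size,
        "is_directory": bool(attributes & FILE_ATTRIBUTE_DIRECTORY),
        "file_size": file_size,
        "modified": fat_datetime(item[8:12]),           # directory entry's modification time
        "short_name": item[14:item.index(b"\x00", 14)].decode("ascii"),
        "long_name": None, "created": None, "accessed": None, "ext_version": None,
    }
    sig = item.find(BEEF0004_SIG_LE, 14)
    if sig == -1:
        return result                                   # no extension block: only the 8.3 name survives
    ext = item[sig - 4:]                                # block starts 4 bytes before its signature
    ext_size, version = struct.unpack_from("<HH", ext, 0)
    ext = ext[:ext_size]
    result["ext_version"] = version
    result["created"] = fat_datetime(ext[8:12])
    result["accessed"] = fat_datetime(ext[12:16])
    if version in LONG_NAME_OFFSET:
        result["long_name"] = read_utf16z(ext, LONG_NAME_OFFSET[version])
    return result


LONG_NAME = "ADRecon-Report-20250225235831"   # folder name from the post; the bytes are constructed


def build_sample_item() -> bytes:
    """Construct a synthetic 0x31 directory item for LONG_NAME (test data, not evidence)."""
    modified = datetime(2025, 2, 25, 23, 58, 30)       # 23:58:31 rounded down to FAT's 2 s resolution
    created = datetime(2025, 2, 25, 23, 58, 30)
    accessed = datetime(2025, 2, 26, 8, 14, 2)

    base = struct.pack("<HBBI", 0, 0x31, 0, 0)         # size patched below; directories report size 0
    base += fat_pack(modified) + struct.pack("<H", FILE_ATTRIBUTE_DIRECTORY)
    base += b"ADRECO~1\x00"                             # 8.3 short name, NUL-terminated
    if len(base) % 2:
        base += b"\x00"                                 # pad to a 16-bit boundary

    ext = struct.pack("<HHI", 0, 9, 0xBEEF0004)         # size patched below; extension version 9
    ext += fat_pack(created) + fat_pack(accessed) + struct.pack("<H", 0)   # identifier field
    ext += b"\x00" * 2 + struct.pack("<Q", 0) + b"\x00" * 8   # version>=7: unknown, file reference, unknown
    ext += struct.pack("<H", 0)                         # long string size (no localized name)
    ext += b"\x00" * 4 + b"\x00" * 4                    # version>=9 and version>=8 unknown fields
    ext += LONG_NAME.encode("utf-16-le") + b"\x00\x00"
    ext += struct.pack("<H", len(base))                 # version offset: where this block starts
    ext = struct.pack("<H", len(ext)) + ext[2:]

    item = base + ext
    return struct.pack("<H", len(item)) + item[2:]


if __name__ == "__main__":
    for key, value in parse_file_entry_item(build_sample_item()).items():
        print(f"{key:>12}: {value}")
```

The timestamps inside the item are FAT times copied from the directory entry when Explorer recorded it, so they are local time with two-second granularity; the time the user actually interacted with the folder comes from the registry key's last-write time on the BagMRU key that holds the value, which is not part of the value bytes decoded here. In the case above, that is the pairing that matters: the folder entry's modification time lands on the same moment the report name encodes.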
🦔 📹 Virut Part III: File infection analysis and bait file creation
#MalwareAnalysisForHedgehogs #Virut
https://www.youtube.com/watch?v=FcXPSpBh4ps
Blog: "Supper is served"
Excellent analysis article on the Supper backdoor