Why UEBA Might Have Sent Johnny to Jail

Strange title, I know. But hang with me. In my previous blog, I mentioned three research projects that Cyphort recently completed, which revealed growing dissatisfaction among SIEM users. Their two […]

May 23rd, 2017 by Franklyn Jones

EternalBlue Exploit Actively Used to Deliver Remote Access Trojans

During the WannaCry pandemic attack, Cyphort Labs discovered that other threat actors have been using the same EternalBlue exploit to deliver other malware. This malware is not a ransomware and is not […]

May 17th, 2017 by Paul Kimayong

Cyphort identifies harder to kill WannaCry Ransomware

In the course of our research on the massive WannaCry ransomware campaign that affected more than a hundred countries since Friday May 12, Cyphort researchers have come across a sample […]

May 15th, 2017 by Mounir Hahad

Threat Insights


Donoff is a type of malicious Office document that contains a macro. This type of malware usually arrives as an attachment or a direct link in spam mail. For instance, we have seen this malware being distributed in the following spam mail. The URL “” is actually a hyperlink leading to the following download URL: http://walden[.]co[.]jp/wp/divorce/divorce[.]php?id=ZWxlZTNAdHJpYnVuZW1lZGlhLmNvbQ== The…

April 6th, 2017 by Paul Kimayong


The Kuluoz malware family is known to spread through spam emails. The email subjects or spam attachments typically carry names related to parcel deliveries, airline tickets, applications, resumes, etc. They arrive with a Microsoft Word document icon. The malware checks whether it is running under a debugger by using the ‘IsDebuggerPresent’ API…

March 13th, 2017 by Marci Kusanovich


Gamarue is a worm that can be distributed by exploit kits, spam emails or USB drives, or dropped by other malware. Gamarue performs multi-level process hollowing to hide itself. It executes its code by mapping it into wuauclt.exe rather than changing the entry point with SetThreadContext() as most process hollowing techniques do. Here’s a dump of how that is achieved:…

March 13th, 2017 by Marci Kusanovich

Malware’s Most Wanted

Topic: The Rise and Fall of Angler

We have talked about the recent ransomware resurgence, and now Cyphort Labs wants to spend some time on one of the most effective methods of delivering ransomware: exploit kits. In this edition we’ll cover:

  • The evolution of exploit kits such as Angler, Nuclear, Rig and Neutrino
  • Real examples of drive-by exploits in popular websites discovered by our crawler
  • The relationship between exploits, kits and payloads

Presenter: Nick Bilogorskiy, Director of Threat Operations
Date and time: On Demand (watch on-demand)

MMW Archive

Ransomware Resurgence: Locky and Other “New Cryptolockers”

Date and Time: On-Demand

Ransomware has come a long way from non-encrypting lockscreen FBI scare warnings like Reveton. In 2016 alone, new ransomware families have kept popping up, and we expect that to only pick up steam over the summer. In this edition of MMW, Nick Bilogorskiy will discuss Locky, the new “it” ransomware, and how it works, as well as other new ransomware families and why ransomware is becoming the preferred monetization method for attackers. Attendees may opt in to receive a special edition t-shirt.

Malware Self-protection Matrix: From Anti-reversing to Anti-sandboxing

Date and Time: On-Demand

In this Malware’s Most Wanted, Cyphort Labs’ Marion Marschalek sheds light on malware self-protection. The audience gets an overview of how malware evasion evolved over the years and how malware defense evolved with it, or vice versa, as occasionally happens in the digital arms race. The various observed anti-analysis tricks are put in relation to their respective countermeasures in order to showcase the challenges facing modern-day security products.

Machine Learning: The Gold Standard for Threat Detection

Date and Time: On-Demand

Machine learning is a powerful tool with many well-suited applications for malware detection, classification, and risk quantification. Despite its reputation as a “black box” component of an enterprise security solution, designing a robust machine learning model for malware detection is an involved process: its success hinges on understanding the problem you’re trying to solve, the underlying data you utilize, and, most importantly, its limitations. In this Malware’s Most Wanted session, we analyze working models and discuss the strengths, pitfalls, and high-level trade-offs of using machine learning for successful malware detection.

Cybersecurity – Getting Down To Implementation Practice

Date and Time: On-Demand

The NIST Cybersecurity Framework is a good starting point for many enterprises to harden their security posture against advanced threats. In this webinar, we will share the major takeaways from the framework. More importantly, we will explain the 5 critical factors in implementing cybersecurity defense, and how to handle them with best practice.

See the Anti-SIEM in Action.

Schedule a live demo at your convenience, and we’ll present the detection, analytics, and mitigation capabilities of the platform.