Threat Research
Stay on top of the latest IT malware, risk and vulnerability information from Juniper threat researchers and experts.
Latest Articles
Wave of Spam Uses RTF Exploit, Delivers a Trojan-Spyware


During the early weeks of February 2018, Juniper Threat Labs detected several malicious email campaigns involving a malicious MS Office file. The attachment is an RTF file that includes an exploit; as we discovered, the RTF exploits CVE-2017-8570. This vulnerability is related to CVE-2017-0199, but a little less well known. Back in April 2017, CVE-2017-0199, considered a zero-day, was actively exploited in the wild. In an attack scenario, Microsoft Office documents can be embedded with OLE objects such as “EXE, VBS, JS, ZIP, HTA, SCT, etc.”


New Gootkit Banking Trojan variant pushes the limits on evasive behavior



On January 19, 2018, Juniper Threat Labs detected a Gootkit banking trojan at one of our customer's sites. The file was hosted on a compromised golfing site, namely “carolinalakesgc[.]com”. This malware uses some unique anti-analysis and anti-sandboxing tricks. It also employs a new persistence method that takes advantage of the Pending GPO feature. The malware spawns a suspended mstsc.exe (Remote Desktop process) and injects itself into it. Before installing itself into the system, it performs several checks for sandboxes and for tools associated with malware analysis.




Underground Malware Marketplaces


On message boards and dark web marketplaces, vendors offer everything from custom malware to on-demand distributed-denial-of-service (DDoS) attacks. Hidden tools to track someone’s every online move or access to their Instagram account? Weaponized exploits for extortion and espionage? The computing power of thousands of hacked “zombie” computers? It’s all available for the right price. In this article we’ll take a walk through the cybercrime black market to see what’s for sale.


LockPoS goes fashionable


U.S.-based fashion retailer Forever 21 recently reported that its POS (point of sale) machines were infected by LockPoS malware. We also saw LockPoS in the news in mid-2017 for targeting Brazilian companies. This blog will share additional detail about some of the latest variants of LockPoS.


Technical Analysis



The malware has multiple levels of obfuscation. It typically carries an executable stored in encrypted form in a resource named “CORE”.


Fig 1 - “CORE” resource containing the encrypted binary


This resource is loaded into memory using FindResourceW(), SizeofResource() and LoadResource().



Fig 2 - resource loaded in memory


The loaded resource is then decrypted using the Microsoft Cryptography APIs CryptAcquireContextW(), CryptImportKey() and CryptDecrypt().



Fig 3 - decrypted data from resource


The deobfuscation doesn’t end here. The decrypted data is itself compressed and is decompressed in memory using RtlDecompressBuffer(). The result is an executable that contains the string “dropper.pdb”.



Fig 4 - “dropper.pdb” seen in the decompressed file


This executable carries yet another executable, in encrypted form, in a resource named “XXXX”. This is again decrypted and decompressed with the same process described above. The decryption happens in memory, and after decryption control is transferred to the decrypted code. This code then maps part of its decrypted memory into explorer.exe, where the final payload is decrypted.


Sandbox Evasion

The malware maps a fresh copy of ntdll.dll from disk into its own memory using the CreateFileW(), CreateFileMappingW() and MapViewOfFile() APIs, and calls the ntdll functions through that private copy rather than through the loaded system module. This technique bypasses the user-mode hooks placed by sandboxes and makes the malicious behavior harder to spot.



Fig 5 - ntdll mapped into memory


While injecting into explorer.exe, the malware does not call the Windows APIs involved directly. Instead, it issues the underlying system calls itself via INT 2E. User-mode API logging does not see these calls, which adds extra overhead for malware reverse engineers.

The code injected into explorer.exe further decrypts the actual payload. The final payload is a DLL that is responsible for the POS-related malicious activity.



Fig 6 - The DLL contains the string “lock.pdb”


The DLL contains the string “lock.pdb”. It also carries the command-and-control (CnC) server list hard coded in its resource section. This list can be used as part of a YARA-type signature for this malware variant, along with the strings “chrome.exe” and “_x/update.php”.



Fig 7 - URLs in the resource section


The malicious DLL searches process memory for credit card number patterns.


Fig 8 - malware code looks for credit card patterns


After stealing the data, the malware sends it to its CnC server using the HTTP POST method. The User-Agent used is simply “lock”, which can be easily detected with a Snort-type rule.
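The two detection opportunities described above, the YARA-type string signature and the Snort-type User-Agent check, as added example code that is not part of the original post. The sample HTTP requests are constructed for the example; the strings are the ones cited on this page.

```python
import re

# Strings the post cites from the final LockPoS payload DLL.
PAYLOAD_STRINGS = (b"lock.pdb", b"chrome.exe", b"_x/update.php")

def match_lockpos_strings(blob: bytes, minimum: int = 2) -> list:
    """YARA-style check: return which of the cited strings occur in blob
    (e.g. a memory dump of explorer.exe or the decrypted DLL). A hit is
    reported only when at least `minimum` of them are present together,
    so a lone "chrome.exe" does not fire on its own."""
    found = [s.decode() for s in PAYLOAD_STRINGS if s in blob]
    return found if len(found) >= minimum else []

_REQ_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]\r?\n")

def is_lockpos_beacon(request: bytes) -> bool:
    """Snort-style check on one raw HTTP request: a POST whose User-Agent
    header is exactly "lock". Header names are matched case-insensitively,
    the value is not, since the post reports the literal agent "lock"."""
    m = _REQ_LINE.match(request)
    if not m or m.group("method") != b"POST":
        return False
    head, _, _body = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            return value.strip() == b"lock"
    return False

# Constructed sample traffic (not real captures): one beacon, one benign POST.
SAMPLE_BEACON = (b"POST /_x/update.php HTTP/1.1\r\nHost: cnc.example.invalid\r\n"
                 b"User-Agent: lock\r\nContent-Length: 4\r\n\r\ndata")
SAMPLE_BENIGN = (b"POST /_x/update.php HTTP/1.1\r\nHost: cnc.example.invalid\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(is_lockpos_beacon(SAMPLE_BEACON), is_lockpos_beacon(SAMPLE_BENIGN))
    print(match_lockpos_strings(b"\x00lock.pdb\x00chrome.exe\x00"))
```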



Fig 9 - HTTP request with User-Agent “lock”


List of CnC servers:



Both Cyphort (now a Juniper Networks company) and Juniper Sky ATP detect LockPoS, as can be seen in the screenshots below.



Thanks to Anoop Saldanha and the rest of the threat research team for their help in writing this blog.


Remote Code Execution Vulnerability on Huawei Devices


Every device that is directly accessible from the internet is under constant attack. By exposing a honeypot on the internet, you can peer into many interesting kinds of activity. A trained eye can identify known exploits fairly easily, and once in a while runs into something new: an exploitation attempt using a zero-day vulnerability.

