Digital Forensics Magazine Welcomes Mobile Forensics Industry Expert

DFM is delighted to welcome Yuval Ben Moshe, the Senior Director of Forensic Technologies at Cellebrite, as a guest writer to the Magazine and Blog. Having such a world-class industry expert in forensics for mobile devices, ranging from smartphones and tablets to portable GPS devices, will give DFM readers access to Yuval’s unique and intimate insights within the forensics community of law enforcement agencies worldwide.

Click here to find Yuval’s first article, which advises on how critical the collection and analysis of mobile data is in civil litigation cases.



Decoding ZeuS Disguised as an RTF File

In a recent blog post, Ronnie Tokazowski, senior researcher at PhishMe, warns of a nasty phishing email currently circulating.

Ronnie warns, “I came across a particularly nasty looking phishing email that had a .doc attachment. At first when I detonated the sample in my VM, it seemed that the attackers weaponised the attachment incorrectly. After extracting and decoding the shellcode, I discovered a familiar piece of malware that has been used for some time.” Ronnie identified that the originating IP address is 212.154.192[d]150. The reply-to field is also interesting, as this is the address of a long-time 419 scammer.

Having investigated the message, Ronnie describes it as a ‘Camel case’ – changing the casing of things is one way to help bypass AV or other signature detection.
Looking at its malicious payload, he concludes, “Based off of the shellcode and other artifacts of the code, this is associated with CVE-2012-0158 – an older but very reliable exploit. The malware installs to the following directory: C:\Users\ \AppData\Roaming\Ritese\quapq.exe. From a forensics perspective, searching for exe files in this directory or the Roaming directory is golden, as this shouldn’t happen. For the malware on the network side of things, it makes many requests to ‘file.php’ and ‘gate.php’. The IP address of 116.193.77[d]118 is also listed on ZeuS tracker. Even though CVE-2012-0158 is three years old, attackers are still using it to this day. Even once they obfuscate these documents, it’s still possible to get back to their true intentions.”

You can see Ronnie’s blog in its entirety
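
The two indicators from the quoted analysis (an .exe under the Roaming directory and requests to ‘file.php’ / ‘gate.php’) can be combined into a small triage pass that matches case-insensitively, since the article notes that changing case is used to slip past signatures. This is an added example, not code from Ronnie's post or from DFM; the input formats (`host,path` file listings and `host method url` proxy lines), host names, user names and URLs are constructed assumptions.

```python
from collections import Counter, defaultdict
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed sample data (host names, user names and URLs are invented);
# only Ritese\quapq.exe, file.php and gate.php come from the article.
FILE_LISTING = [
    r"ws01,C:\Users\alice\AppData\Roaming\Ritese\quapq.exe",
    r"ws01,C:\Users\alice\AppData\Roaming\Notes\todo.txt",
    r"ws02,C:\Users\bob\APPDATA\roaming\Xyz\Run.EXE",
    r"ws03,C:\Program Files\Editor\editor.exe",
]
PROXY_LOG = [
    "ws01 POST http://198.51.100.7/images/gate.php",
    "ws01 GET http://198.51.100.7/images/file.php",
    "ws01 POST http://198.51.100.7/images/Gate.PHP",
    "ws03 GET http://example.com/profile.php",
]
BEACON_PAGES = {"file.php", "gate.php"}


def roaming_executables(listing):
    """Map host -> .exe paths found anywhere under AppData\\Roaming."""
    hits = defaultdict(list)
    for line in listing:
        host, _, path = line.partition(",")
        parts = [p.lower() for p in PureWindowsPath(path).parts]
        in_roaming = ("appdata", "roaming") in zip(parts, parts[1:])
        if in_roaming and parts[-1].endswith(".exe"):
            hits[host].append(path)
    return dict(hits)


def beacon_requests(log):
    """Map host -> number of requests whose page name is file.php or gate.php."""
    counts = Counter()
    for line in log:
        host, _method, url = line.split(maxsplit=2)
        page = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        if page in BEACON_PAGES:  # exact name, so profile.php is not a hit
            counts[host] += 1
    return dict(counts)


def triage(listing, log):
    """Rank hosts; those showing both the host and network indicator first."""
    exes, reqs = roaming_executables(listing), beacon_requests(log)
    rows = [(h, len(exes.get(h, [])), reqs.get(h, 0)) for h in set(exes) | set(reqs)]
    return sorted(rows, key=lambda r: (not (r[1] and r[2]), -r[2], r[0]))
```

Calling `triage(FILE_LISTING, PROXY_LOG)` returns one `(host, exe_count, request_count)` row per host, with hosts that show both indicators ranked first.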