Search this Blog


Tuesday, May 10, 2016

A collection of PHP backdoors

Just a quick post to announce I've set up a GitHub repository with a collection of PHP backdoors for educational and/or testing purposes only:

Feel free to check it out and/or contribute here:

The repository will be updated continuously and gradually.

If you're interested in analysing a PHP backdoor, check out my post on PHP/C99shell:
C99Shell not dead

Additionally, find tools to deobfuscate PHP backdoors here:
PHP tools

Wednesday, May 4, 2016

SteamStealer IP visualisations

Just for fun I decided to visualise all SteamStealer IPs I've encountered (till now). They are hosting multiple fake screenshot websites, fake voice communication software, fake streaming websites, fake Steam websites and others. They may also be a C&C for the malware, or fake gambling/lottery websites.

Any additional information can also be found on my blog:
Malware spreading via Steam chat

Additionally, be sure to read the paper I wrote with Santiago from Kaspersky about SteamStealers here: The evolution of malware targeting Steam accounts and inventory

Now for the fun part:

View SteamStealer IPs in a full screen map

Alternatively, check out the following map and stats:


Russian Federation163
United Kingdom19
United States14
Czech Republic1
Virgin Islands, British1
Moldova, Republic of1

As you can see, most of them are hosted in Russia; while the United Kingdom and The Netherlands rank second and third respectively.

Note: CloudFlare is gaining popularity in 'hiding' the real server IP address. CloudFlare IPs are not included.

That's about it, hope you enjoyed! Please find below tools used to create the mapping.



SteamStealer IPs IOCs

Thursday, April 21, 2016

Nemucod ransomware information

This is a quick post on the recent Nemucod ransomware. Nemucod is (normally) a downloader which uses JavaScript  JScript (thanks Katja) to enter an unsuspecting user's machine and download additional malware (depends on campaign usually).

There's a blog post by Fortinet which explains Nemucod ransomware, so I'm not going to repeat much here: Nemucod Adds Ransomware Routine

It came to our attention that a new, rather peculiar version of Nemucod has been recently landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs.

This particular campaign is using the lure of a court appeal to spread:

The mail reads:

Notice to Appear,
You have to appear in the Court on the April 22.Please, prepare all the documents relating to the case and bring them to Court on the specified date.Note: If you do not come, the case will be heard in your absence.
The Court Notice is attached to this email.
Yours faithfully,Brian Snider,District Clerk.

It seems Nemucod ransomware got another update, as it now uses 7-zip to actually encrypt the files.

Another change is the slight drop in price. Whereas before it was 0.60358 bitcoins ($267.14 or €236.43), it's now 0.49731 bitcoins ($220.11 or €194.80).

New message reads:

Nemucod ransomware message

Nemucod encrypting a whole plethora of filetypes, appending the .crypted extension


If you have opened a .JS file (JScript file) from an unknown sender, open Task Manager immediately and stop all the following processes (at least in this version of Nemucod):

a0.exe (actually 7-zip disguised)

The faster you do this, the less files will be encrypted. Run a scan with your antivirus program and a scan with another antivirus program to verify the malware has been removed.

Note: It's always useful to keep a copy of the ransomware note handy, as it's easier to identify the ransomware and if it can be decrypted.


I'm only briefly reporting on this for those in need, but currently, the known decryptors are suited for this version. However, Fabian from Emsisoft is already working hard to make a decryptor available, so please have patience!

If you have an older version of Nemucod, you can try one of either decryptors:
Emsisoft Decrypter for Nemucod 
nemucod_decrypter (you will need to install Python for this)

You can also try restoring files with Shadow Explorer. (alternate link)

For more information, please visit the following Bleeping Computer topic
.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic


In particular for Nemucod, don't open any JScript/JavaScript files from unknown senders.

For more tips on ransomware prevention, be sure to check out this page I've set up:
Ransomware Prevention


Same as with all malware: don't open attachments from unknown senders!

Please find below IOCs and additional resources.


.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic
ID ransomware
JavaScript-toting spam emails: What should you know and how to avoid them?
Nemucod ransomware IOCs
Ransomware overview
Ransomware Prevention
TrojanDownloader: JS/Nemucod

Thursday, March 24, 2016

Ransomware prevention

Very short blog post to let you know I now also have an English version of my article 'preventie van ransomware', on how to prevent ransomware.

You can find it as a page (see top of my blog) or here:
Ransomware Prevention

Translations are available in Dutch (Nederlands) and French (fran├žais).

Thanks to @WawaSeb for the French translation. If you would like to translate this page in your own language, feel free to do so and send me the link so it can be added.

Tuesday, March 15, 2016

All your creds are belong to us

In the past, I've blogged about Steam Stealers (malware that specifically targets gamers and users of Valve's platform) before (see 1, 2), but this blog post will be a bit different.

Working together with Santiago Pontiroli, Security Researcher at Kaspersky Lab Global Research and Analysis Team, we've written a paper on these infamous Steam Stealers.

Check out our blog post here or directly download the PDF from here.