
PowerWare or PoshCoder? Comparison and Decryption

PowerWare was brought to my attention by Carbon Black via their blog
post. PowerWare is downloaded by a malicious macro-enabled Microsoft
Word document that is distributed via a phishing email campaign. The
malicious document in question attempts to convince the user to enable
macros by informing them that the file is protected by Microsoft Office.
This, of course, is a farce. Once the macro is enabled, the PowerWare
payload will be downloaded and executed. PowerWare, unfortunately, is
hitting healthcare providers.

Using olevba.py from oletools, we can extract the macro from the
aforementioned document for analysis.
...
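As an added example (not from the original post and not part of oletools), here is a small Python triage pass over the macro text that olevba prints: it flags the auto-exec entry points and the keywords that mark the "enable macros, then fetch and run PowerShell" pattern described above. The VBA strings are constructed stand-ins, deliberately incomplete, not the real document's macro.

```python
import re

# Constructed sample of what olevba prints for a macro stream. It is a stand-in,
# not the PowerWare document's actual macro, and is deliberately incomplete.
SAMPLE_VBA = """
Sub AutoOpen()
    Document_Open
End Sub
Sub Document_Open()
    Dim cmd As String
    cmd = "powershell -WindowStyle Hidden ..."   ' real sample continues here
    ' payload fetched from hxxp://example.invalid/payload (placeholder URL)
    Shell cmd, 0
End Sub
"""
# Constructed benign macro for comparison.
BENIGN_VBA = """
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

# Procedure names that Office runs automatically once macros are enabled.
AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "Auto_Open", "Workbook_Open")
# Keywords olevba also flags; the short explanations are ours.
SUSPICIOUS = {
    "Shell": "executes a command or program",
    "powershell": "launches PowerShell (how the PowerWare payload is fetched and run)",
    "CreateObject": "instantiates a COM object (WScript, XMLHTTP, ...)",
    "Environ": "reads environment variables, e.g. to locate %TEMP%",
}
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\"']+", re.IGNORECASE)  # also defanged hxxp

def triage_vba(vba_text):
    autoexec = [k for k in AUTOEXEC if re.search(r"\b%s\b" % k, vba_text)]
    keywords = [k for k in SUSPICIOUS if re.search(r"\b%s\b" % k, vba_text, re.IGNORECASE)]
    urls = URL_RE.findall(vba_text)
    # Runs on open AND spawns a shell/PowerShell or carries a URL: the dropper pattern.
    if autoexec and ("powershell" in keywords or "Shell" in keywords or urls):
        verdict = "high"
    elif autoexec or keywords or urls:
        verdict = "medium"
    else:
        verdict = "low"
    return {"autoexec": autoexec, "keywords": keywords, "urls": urls, "verdict": verdict}

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = triage_vba(text)
        print(f"{name}: {r['verdict']} autoexec={r['autoexec']} "
              f"keywords={r['keywords']} urls={r['urls']}")
```

Feed it the VBA source that `olevba --decode` prints for a suspect document; a "high" verdict is the cue to detonate the macro in a sandbox rather than open the file.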
PowerWare based on PoshCoder
Upon examination of the PowerShell file that was downloaded, you may
notice that the programming logic looks familiar. PowerWare appears to be
heavily based on PoshCoder, the ransomware that rose to infamy because a
logic flaw in its code destroyed the very data it had encrypted. The
programming style and flow are similar enough that some may even argue
it is a variant of PoshCoder rather than a totally new PowerShell
ransomware family. The following are some of their major similarities:

  • Thursday, 26 May 2016
  • Source
