Skip to main content

Posts

Showing posts from November, 2016

QuickSand += structhash

We are pleased to announce version 2 of QuickSand.io's structural hashing algorithm "structhash" which can be used to fingerprint the structure of an office document or RTF.

Typical weaponization of malware document's use a skeleton exploit doc as part of the exploit builder process. Usually this skeleton exploit document is specific to to the kit or group behind an attack campaign. The structural hash we've developed takes into account the different streams and any XOR or ROL encoding to build a campaign specific fingerprint. You can then search for the structhash to find additional samples likely related to your campaign.

Early 0 day usage usually follows this model with one group's zero day being outed and other groups replacing the original payload with their own - so the structhash can help find additional samples of a zero day for further analysis.

Despite changes in payloads the underlying core of a malicious document doesn't change that much, the …