Security Labs


Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

Click here for part one of this series: ‘Security, Performance, Obfuscation & Compression’.

Since its introduction, the majority of malware authors have shunned .NET as a development platform, despite its relative popularity as a platform for developing legitimate Windows software. There are numerous potential reasons for this, but two in particular that likely have a significant influence on malware authors are .NET code’s reliance on external libraries (few people are likely to want to install a specific version of the .NET Framework in order to support someone trying to steal their banking details) and – as... Read more

Recently, Forcepoint Security Labs have encountered a strain of scam emails that attempts to extort money out of users from Australia and France, among other countries. Cyber-extortion is a prevalent cybercrime tactic today wherein digital assets of users and organizations are held hostage in order to extract money out of the victims. Largely, this takes the form of ransomware, although data exposure threats – i.e. blackmail – continue to become popular among cyber crooks.

In light of this trend, we have observed an email campaign that claims to have stolen sensitive information from recipients and demands 320 USD payment in... Read more

Historically, the majority of traditional AV solutions have relied on static signatures to identify known malware. As a result, malware authors naturally started employing a range of tools to obfuscate the underlying code of their software in order to avoid such signature-based detection and to hinder (human) static analysis.

These obfuscation tools have proliferated over the past years, with numerous commercial offerings available as even legitimate software authors look to at least hinder the reverse-engineering of their products. While the methods and results vary, the ultimate intention is now usually to make the code... Read more

In January 2016 Forcepoint Security Labs reported an email campaign delivering the Ursnif banking Trojan which used the ‘Range’ feature within its initial HTTP requests to avoid detection.

In July 2017 we discovered a malicious email sample delivering a new variant of Ursnif, attached within an encrypted Word document with the plaintext password within the email body. As recorded in several other Ursnif campaigns reported since April 2017, this Word document contains several obfuscated VBS files which load malicious DLLs through WMI.

However, these samples appear to exhibit new features including anti-sandboxing features... Read more

The June 2017 Petya (Petna, Petrwrap, etc.) outbreak injected some much-unneeded excitement into an IT sector just starting to come to terms with the implications of the WannaCry outbreak a few weeks beforehand.

In the immediate wake of WannaCry there was a discussion around what could have been done to reduce the impact of the outbreak, but even without the benefit of hindsight it was easy to point to slow patching cycles and the questionable architectural/configuration decision of allowing SMB traffic from external addresses past the network boundary.

However, as discussed in our earlier blog post, June 2017’s Petya... Read more

Please note: This is an update to our original analysis posted on June 27, 2017.

Forcepoint Security Labs will continue to refer to this as a Petya outbreak, although other vendors have chosen to apply additional or alternative names to it.

In straightforward terms, the samples analysed have passed the ‘duck test’ as Petya which has previously been seen to:

Encrypt files on disk without changing the file extension;
Forcibly reboot the machine upon infection;
Encrypt the Master Boot Record on affected machines;
Present a fake CHKDSK screen as... Read more

Microsoft Security Advisory 4025685 [1] was released on Tuesday 13 June 2017 and quickly gathered a large amount of attention for fixing a significant number of SMB exploits in supported versions of Windows and for Microsoft's decision, once again, to provide patches for now-unsupported versions of their operating systems.

While Microsoft rate the SMB vulnerabilities as Important rather than Critical, it should be borne in mind that vulnerabilities within network services such as these are inherently 'wormable' as demonstrated by WannaCry's rapid spread via the exploitation of an SMB vulnerability just last month (see https://... Read more

At around 09:00 BST yesterday, Forcepoint Security Labs™ observed a significant malicious email campaign from the Necurs botnet. Necurs is a prevalent botnet that is known to spread Locky ransomware, pump-and-dump stock scams, and more recently the Jaff ransomware.

This time, however, Necurs has been observed spreading the Trickbot banking Trojan for the first time. The malicious email campaign ended at around 18:00 yesterday and nearly 9.6M related emails were captured and stopped by our system. The following is a sample screenshot of a related email:

In addition, below are details of this campaign:

... Read more

A week on from the WannaCry outbreak, a huge number of articles have been written on the topic. These have covered everything from in-depth analyses of WannaCry itself to discussion pieces about the EternalBlue and DoublePulsar exploits and, latterly, warnings about other pieces of malware using the same propagation techniques as WannaCry.

Forcepoint™ customers are protected against the underlying EternalBlue exploit via NGFW at the following stages of attack:

Stage Four (Exploit Kit) - The EternalBlue exploit attempts are blocked.

For threats where communication or distribution is performed via... Read more

Many of the technical aspects of the WannaCry ransomworm outbreak on Friday 12 May 2017 are well documented by this point: the primary means by which the malware spread appears to have been the use of the DoublePulsar and EternalBlue code released by the Shadow Brokers earlier this year and patched as part of Microsoft's MS17-010 update on 14 March 2017.

As we noted in our initial blog post on the topic, WannaCry's ability to self-propagate marks something of a watershed moment in the evolution of ransomware. Whereas previous variants... Read more