GovCERT Blog

Latest GovCERT blog posts

Unflattening ConfuserEx .NET Code in IDA
In this paper, Unflattening ConfuserEx .NET Code in IDA, we study the ConfuserEx obfuscation mechanism of a Ginzo .NET sample. This class of obfuscator is known as a code flattener. We describe how it can be dealt with using a Python script within IDA Pro, a well-known reverse-engineering tool. Code flattening is not new. ConfuserEx is probably the best-known implementation of it, but it has been around for native x86 samples for well over ten years.
16.09.2022 08:13
Zero-Day Exploit Targeting Popular Java Library Log4j
UPDATE 2021-12-18: log4j version 2.17.0 was just released due to a newly discovered DoS (Denial of Service) attack resulting in a StackOverflowError which terminates the process. Mitigation: update to log4j version 2.17.0, or, in PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). [1] Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
12.12.2021 19:20
Exchange Vulnerability 2021
In the past days, there has been a lot of press coverage about several critical zero-day vulnerabilities in Microsoft Exchange Server that are being tracked under the following CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. Unfortunately, we recently became aware of several hundred organizations in Switzerland that got compromised by a threat actor that exploited said vulnerabilities. While Microsoft attributed the initial in-the-wild compromises to a Chinese state-sponsored group called HAFNIUM, several other threat actors have quickly gotten hold of this exploit since the publication of patches by Microsoft.
09.03.2021 13:21
Cyber Security for the Healthcare Sector During Covid19
At the time of writing this blog post (October 27 2020), the Federal Office of Public Health FOPH has announced 5’949 confirmed COVID19 infections in Switzerland within the past 24 hours. After the initial COVID19 measures imposed by the federal council this spring and their lifting in summer, the upcoming months will probably be challenging again for all of us. However, the pandemic is not only challenging for the Swiss economy and the general public but also for the healthcare sector.
27.10.2020 14:19
Security of the Swiss Domain Landscape (ccTLD ch)
Since the introduction of the Domain Name System (DNS) in 1987 (RFC1034 / RFC1035), more than 30 years have passed. The internet has become as crucial as the food and power supply. Back in 1987, the inventors and engineers of DNS probably never thought that the internet would become such a big and crucial thing for the 21st century. As a result, DNS comes with a handful of weaknesses that can be exploited by threat actors for malicious purposes.
17.09.2020 09:03
Phishing Attackers Targeting Webmasters
Since the beginning of April 2020, we have been seeing an increase in phishing attacks against webmasters and domain owners in Switzerland. Unknown threat actors are phishing for credentials for accounts on the web admin panels of at least three major hosting providers in Switzerland. In order to gain access to these web admin panels, the perpetrator is sending out many phishing emails that pretend to come from Swiss hosting providers. In fact, they originate from hijacked email accounts abroad or from infrastructure that the perpetrator has rented at hosting providers abroad exclusively for this purpose.
22.04.2020 12:00
Analysis of an Unusual HawkEye Sample
Currently, we are observing HawkEye samples being distributed by large malspam waves. HawkEye is a keylogger which has been around for quite a long time (since 2013); it has evolved since then and gained more functionality. There are several good blog posts about HawkEye in general. Recently we observed an interesting obfuscation method in a HawkEye binary, which we are going to describe in this blog post.
20.02.2020 10:45
Trickbot - An analysis of data collected from the botnet
We are monitoring various threats, and in that context we have collected quite some data about the Trickbot botnet in the past few years. This paper is based on an analysis of selected aspects of our Trickbot data collection. Some of our analysis is rather straightforward, yet we also take the freedom to make some speculative statements, which might turn out to be debatable or plain wrong. In that spirit, we are open to discussion and are happy to receive comments from the readers of this article.
25.09.2019 08:40
Severe Ransomware Attacks Against Swiss SMEs
As we have seen an ever-increasing number of ransomware cases that show a rather sophisticated modus operandi, we are publishing a warning via the MELANI Newsletter along with this blog post, documenting technical details about the recent ransomware attacks against Swiss small and medium enterprises (SMEs). The goal of this blog post is to give you a better understanding of the various modi operandi of the most common ransomware families we have encountered hitting Swiss targets in the past months.
09.05.2019 11:15
Reversing Retefe
Approximately one year ago, we published our blog post The Retefe Saga. Not much has changed since last year, except that we have seen a rise in malspam runs in the last couple of weeks, and we want to use the opportunity to show how to reverse engineer the Retefe malware. Let's start with a graph of the Retefe malspam runs we have seen in the past 3 years.
08.11.2018 10:20
Leaked Accounts
MELANI/GovCERT has been informed about potentially leaked accounts that are in danger of being abused. MELANI/GovCERT provides a tool for checking whether your account might be affected: We would like to give some technical information about the tool: we only transfer a SHA256 hash that is created on the client side using JavaScript. Thus we don't know the queried eMail addresses or account names. No eMail addresses or account names are stored on the server, just the hashes.
29.08.2017 10:00
The Retefe Saga
Surprisingly, there is a lot of media attention at the moment on a macOS malware called OSX/Dok. In recent weeks, various anti-virus vendors and security researchers have published blog posts on this threat, presenting their analysis and findings. While some findings were very interesting, others were misleading or simply wrong. We don’t know where the sudden media interest and the attention from anti-virus vendors on this threat actor are coming from.
03.08.2017 13:15
Notes About The NotPetya Ransomware
NotPetya Ransomware
A new ransomware, currently named NotPetya, began spreading yesterday. There are many victims, especially in Ukraine, but large companies such as Maersk or Merck have also been hit hard. There are infections in Switzerland as well. Like many others, we have analyzed the malware and tried to harden the evidence about its functioning. As there are many good papers already published, we do not want to repeat all these things but to highlight a few important facts that can now be considered hardened evidence.
28.06.2017 02:00
WannaCry? It is not worth it!
On Friday, May 12th 2017, a ransomware called “WannaCry” hit cyberspace. Among the victims are hospitals in the UK, the national telecom provider in Spain and the U.S. delivery service FedEx. But WannaCry did not only hit the internet; the ransomware was also very present in newspapers worldwide. It also kept us and our partners from abroad very busy during the last weekend, analyzing the malware, re-evaluating the current situation in Switzerland and worldwide, communicating with National Critical Infrastructure, and talking to the press.
15.05.2017 10:30
When Gozi Lost its Head
After our automated unpacking procedure recently failed on a Gozi binary (MD5 c1a73ff8fb2836fe47bc095b622c6c50), we were forced to perform a manual analysis, and indeed we found some interesting new features in the first layer of the packer. An initial challenge, not yet too unusual though, was the waiting loop in the packer near the start (figure: initial waiting loop). The code uses the MMX instruction set and basically increments MM7 (initialized with 0, while MM0 is initialized with 1) until it reaches MM2 (realized by the PXOR), which itself is set to a value obtained from the RDTSC instruction.
04.04.2017 10:15
Taking a Look at Nymaim
Nymaim has been active worldwide since at least 2013 and is also responsible for many infections in Switzerland. Sinkhole data shows that Nymaim is responsible for about 2% of infected devices in Switzerland that hit sinkholes in the last few days. When we looked at the Nymaim trojan in January, we were stunned by its powerful code obfuscation techniques and wrote an IDAPython script to deobfuscate the code using the debugger engine.
03.03.2017 11:50
The Rise of Dridex and the Role of ESPs
Last week, we warned Swiss citizens about a new malspam run targeting exclusively Swiss internet users. The attack aimed to infect them with Dridex. Dridex is a sophisticated eBanking Trojan that emerged from the code base of Bugat / Cridex in 2014. Despite takedown attempts by the security industry and several arrests conducted by the FBI in 2015, the botnet is still very active. In 2016, MELANI / GovCERT.
20.02.2017 11:53
Sage 2.0 comes with IP Generation Algorithm (IPGA)
On Jan 20, 2017, we came across a malware that appeared to be a new ransomware family called Sage 2.0. Within a couple of days we were able to collect, across our sensors, more than 200 malware binaries associated with this new ransomware. Last week, Brad Duncan also wrote a SANS InfoSec Diary entry on Sage 2.0, noticing some strange UDP packets sent to over 7'000 different IPs:
30.01.2017 10:25
Tofsee Spambot features .ch DGA - Reversal and Countermeasures
Today we came across an interesting malware sample that appeared in our malware zoo. The malware, which we identified as Tofsee, tried to spam out hundreds of emails within a couple of minutes. However, this wasn’t the reason why it popped up on our radar (we analyze thousands of malware samples every single day, many of which are spambots too). The reason this particular sample caught our attention was the domains queried by the malware.
22.12.2016 12:30
When Mirai meets Ranbyus
When we read the blog post about Mirai’s new DGA feature (a recommended read), we decided to try to re-implement its DGA. This was quite a challenge, as we’re not too familiar with the MIPS architecture and could not easily find any x86 sample with the DGA. The main DGA generation loop did not look too difficult to implement. Here is a copy of it, with some register renaming we did to facilitate a Python implementation:
15.12.2016 10:30
SMS spam run targeting Android Users in Switzerland
MELANI / received several reports today about malicious SMS that have been sent to Swiss mobile numbers. The SMS is written in German and claims to come from the Swiss Post. In fact, the SMS has been sent by hackers with the aim of infecting smartphones in Switzerland with a Trojan horse. (figure: malicious SMS pretending to come from the Swiss Post) The SMS contains a link to a website.
13.07.2016 16:00
Dridex targeting Swiss Internet Users
In the past weeks, we have seen a rise in malicious Microsoft Office documents that are being spammed out to Swiss internet users with the aim of infecting them with malicious software (malware) called Dridex. Dridex is an ebanking Trojan which has been around for some time now. The attackers are operating various botnets of Dridex-infected computers. While most of these botnets have a strong focus on financial institutions abroad (such as in the US or UK), one particular botnet is also targeting financial institutions in Switzerland.
08.07.2016 14:35
Technical Report about the RUAG espionage case
After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in sharing information as one of the most powerful countermeasures against such threats; this is the main reason we publish this report not only within our constituency, but to the public as well.
23.05.2016 10:00
Malvertising Incident
With this blog post we would like to share Indicators Of Compromise (IOCs) related to the attacks against, a popular newspaper website in Switzerland which got compromised and abused by hackers to infect visitors with an ebanking Trojan called Gozi ISFB. The IOCs shared in this blog post may be used to spot infections within corporate networks. The compromise of is just one part of a bigger malvertising campaign that has been targeting Swiss internet users since at least spring 2015. The goal of the campaign is to infect Swiss citizens with Gozi ISFB and commit ebanking fraud (see Swiss Advertising network compromised and distributing a Trojan and Gozi ISFB - When A Bug Really Is A Feature).
08.04.2016 11:38
Leaked Mail Accounts
MELANI/GovCERT has been informed about potentially leaked eMail accounts that are in danger of being abused. MELANI/GovCERT provides a tool for checking whether your account might be affected: We would like to give some technical information about the tool: we only transfer a SHA256 hash that is created on the client side using JavaScript. Thus we don't know the queried eMail addresses. No eMail addresses are stored on the servers, just the hashes.
18.03.2016 10:30
Armada Collective is back, extorting Financial Institutions in Switzerland
UPDATE 2016-04-27 07:00 UTC A new wave of extortion emails has arrived at different Swiss online shops. We have strong indications that those extortioners are copycats of Armada Collective. Our recommendations regarding these extortion emails in Switzerland are the same as last year: Do not pay the ransom ------------------------------------------- In September 2015, we blogged about a hacker group called Armada Collective that was blackmailing hosting providers in Switzerland ("DDoS for bitcoin"
11.03.2016 11:30
Gozi ISFB - When A Bug Really Is A Feature
Gozi ISFB is an eBanking Trojan we have already known for quite some time. Just recently, a new wave was launched against financial institutions in Switzerland. Similar to the attack we had already reported in September 2015, cybercriminals once again compromised a major advertising network in Switzerland that is visited daily by a large number of Swiss internet users; they all become potential victims of the Gozi eBanking Trojan.
The Gozi Domain Generation Algorithm (DGA)
One of the commonly known features of Gozi is its Domain Generation Algorithm (DGA).
05.02.2016 14:00
TorrentLocker Ransomware targeting Swiss Internet Users
On Wednesday, Jan 20 2016, we noticed a major spam campaign hitting the Swiss cyberspace, distributing a ransomware called TorrentLocker. We had already warned about similar TorrentLocker attacks against Swiss internet users last year via Twitter. TorrentLocker is one of many ransomware families that encrypt any local file on a victim’s computer and demand that the victim pay a ransom to have his files decrypted again. Since some ransomware families do not only encrypt files stored locally on the infected machine but also on any mapped network share, ransomware also represents a serious threat to corporate networks.
21.01.2016 14:00
Ads on popular Search Engine are leading to Phishing Sites
and Reporting and Analysis Centre for Information Assurance (MELANI) are aware of an ongoing phishing campaign that is targeting a large credit card issuer in Switzerland. What makes this phishing campaign somewhat unique is the way the phishers are advertising their phishing sites: while traditionally phishing sites are promoted through phishing emails that are usually sent to a large audience, these phishers are using advertisements (Ads) on a popular search engine to promote their phishing sites.
23.11.2015 10:10
Update on Armada Collective extort Swiss Hosting Providers
UPDATE 2016-04-27 A new wave of extortion emails has arrived at different Swiss online shops. We have strong indications that those extortioners are copycats of Armada Collective. Our recommendations regarding these extortion emails in Switzerland are the same as last year: Do not pay the ransom ------------------------------------------- UPDATE 2015-11-08 During the recent days and weeks, various hosting providers in Switzerland have been blackmailed by a hacking group that calls themselves Armada Collective.
08.11.2015 09:35
Armada Collective blackmails Swiss Hosting Providers
UPDATE 2016-04-27 A new wave of extortion emails has arrived at different Swiss online shops. We have strong indications that those extortioners are copycats of Armada Collective. Our recommendations regarding these extortion emails in Switzerland are the same as last year: Do not pay the ransom ------------------------------------------- Earlier this year, we warned about DD4BC, a hacker group that tried to extort money from high-value targets in Switzerland and abroad.
22.09.2015 10:00
Swiss Advertising network compromised and distributing a Trojan
On September 11, 2015, MELANI / got informed by security researcher Kafeine about a popular advertising network in Switzerland that had obviously been compromised by cybercriminals, leading to an exploit kit called Niteris.
What are Exploit Kits?
Exploit kits are very popular among cybercriminals for infecting innocent internet users via malvertising campaigns. To do so, cybercriminals compromise websites and inject malicious JavaScript code or an iframe that leads to a third-party site hosting an Exploit Kit (EK).
22.09.2015 09:30
Analysing a new eBanking Trojan called Fobber
Some weeks ago we read an interesting blog post by Malwarebytes about Fobber, a new e-banking-focused malware in the arena that seems to be a Tinba spinoff. We decided to have a closer look at it to find out whether Swiss critical infrastructures are targeted by it. We'd like to share our findings with you, because Fobber contains some interesting advanced techniques that are at the same time implemented in a comparably simple way; we think this makes Fobber an ideal case study.
11.09.2015 10:00
Cantonal IP space in Switzerland hijacked by Spammers
In June 2015, was informed about Border Gateway Protocol (BGP) hijacking of IP space that is owned by a cantonal administration in Switzerland. We received the initial hint from The Spamhaus Project, an international non-profit organization that fights spam. MELANI / informed the affected canton immediately after being informed by Spamhaus. During our investigation, we noticed that the IP space had been hijacked since at least January 2015.
13.08.2015 09:05
Joining the DNSSEC Day in Germany
Today, our colleagues at the German Bundesamt für Sicherheit in der Informationstechnik (BSI) and the registry for the ccTLD .de (DENIC) are hosting a DNSSEC day in Germany. The focus of the event is the benefits and use cases of DNSSEC for internet users and system administrators. We at would like to join our colleagues' efforts in Germany and publish a blog post on the current situation of DNSSEC in the Swiss name space.
30.06.2015 11:05
Outdated WordPress: Thousands of websites in Switzerland are vulnerable
The internet has grown very fast in the past 15 years. Thousands of new websites go online every day. According to Netcraft, there are currently more than 850'000'000 active websites on the internet (May 2015). One of the reasons why the number of websites has grown that much is the use of content management systems (CMS), for example WordPress, Typo3, Joomla and Drupal. By using a CMS, you can easily publish content on the internet without needing IT knowledge.
08.06.2015 12:48
Increase in DDoS extortion (DD4BC)
In the past days, MELANI / has received several requests regarding a Distributed Denial of Service (DDoS) extortion campaign related to 'DD4BC'. The DD4BC Team (that is how the attackers call themselves) started its DDoS extortion campaigns in 2014. While these attacks have targeted foreign organisations in the past months, we have seen an increase in DD4BC activity in Europe recently. Since earlier this week, the DD4BC Team has expanded its operation to Switzerland.
08.05.2015 13:00
e-Banking Trojan Retefe still spreading in Switzerland
In July 2014, Trend Micro published a report about a threat called Retefe, an ebanking Trojan that is targeting financial institutions in Switzerland, Austria, Sweden and Japan. In fact, Retefe has been around since November 2013. Back then, MELANI already took appropriate action together with the affected financial institutions and ISPs in Switzerland to mitigate the threat. However, Retefe is still being distributed in recent spam campaigns targeting Swiss Internet users.
01.05.2015 15:15
Critical vulnerability in Magento: Many Swiss websites are still vulnerable
In February 2015, Magento (a popular eCommerce software for webshops) released a security patch addressing a critical vulnerability in its product. The vulnerability allows an attacker to send a specially prepared HTTP request to any website running a vulnerable version of Magento in order to execute malicious code on the remote webserver (a so-called Remote Code Execution, RCE, vulnerability). More than two months later, MELANI / still sees a fairly large number of websites in Switzerland running an old, vulnerable version of Magento, exposing themselves and their visitors to cyber-attacks from the internet.
30.04.2015 14:55
Microsoft patches three zero-day vulnerabilities - what does that mean to you?
The facts
On Tuesday, Oct 14 2014, Microsoft published 8 patches that fix several vulnerabilities in the Windows operating system. An overview of the patches and their severity is available on the Microsoft website and the ISC Handler Diary Blog. Microsoft Security Bulletin Summary for October 2014: InfoSec Handlers Diary Blog (incl. ISC rating on the released patches): Several of the patches released by Microsoft are classified by Microsoft and the Internet Storm Center (ISC) as critical.
15.10.2014 09:00
Detecting And Mitigating GameOver ZeuS (GOZ)
Today, the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) announced the takedown of two botnets: GameOver ZeuS (GOZ) and CryptoLocker. Both botnets have been around for quite a while and were also present in Switzerland, infecting computers in order to commit ebanking fraud or to blackmail Swiss citizens. has been aware of GameOver ZeuS (which is also known as P2P ZeuS) for years and has already taken measures against this threat together with Swiss Internet service providers since July 2013.
02.06.2014 17:20

Last modification 28.03.2022
