VERY IMPORTANT

Finding and investigating new malware families or campaigns is a lot like pulling a loose thread from an article of clothing. Once you start tugging gently on the thread, everything starts to unravel. In this particular case we began by investigating a new malware family, which we are calling SquirtDanger based on a DLL, SquirtDanger.dll, used in the attacks. There is strong evidence to indicate that this malware family was created by a prolific Russian malware author that goes by the handle of ‘TheBottle’. By pulling on a few strings we were eventually led to TheBottle’s unraveling. In this post we will delve into how we unraveled TheBottle’s activities and his newest malware family.