SANS Internet Storm Center, InfoCON: green

Attack traffic on TCP port 9673, (Fri, May 1st)

I don't know how many of you pay attention to the Top 10 Ports graphs on your isc.sans.edu dashboard, but I do. Unfortunately, the top 10 is pretty constant: the botnets are attacking the same ports. What I find more interesting is anomalous behavior, that is, changes from what is normal on a given port. So, a little over a week ago, I saw a jump on a port I wasn't familiar with.
  • May 1st 2020 at 00:42

Collecting IOCs from IMAP Folder, (Thu, Apr 30th)

I've plenty of subscriptions to "cyber security" mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that's a fact: email remains a key communication channel. Some mailing list posts contain interesting indicators of compromise. So, I searched for a nice way to extract them in an automated way (and to correlate them with other data). I did not find a ready-to-use solution that matched my requirements:
  • April 30th 2020 at 05:41

Privacy Preserving Protocols to Trace Covid19 Exposure, (Wed, Apr 29th)

In recent weeks, you probably heard a lot about the "Covid19 Tracing Apps" from Google, Apple, and others. These news reports usually mention the privacy aspects of such an app, but of course, don't cover the protocols in sufficient depth to address how the privacy challenges are being solved.
  • April 29th 2020 at 12:40

Agent Tesla delivered by the same phishing campaign for over a year, (Tue, Apr 28th)

While going over malicious e-mails caught by our company gateway in March, I noticed that several of those that carried ACE file attachments appeared to be from the same sender. That would not be that unusual, but after going through the historical logs, I found that e-mails from the same address with similar attachments were blocked by the gateway as early as March 2019.
  • April 28th 2020 at 06:44

Powershell Payload Stored in a PSCredential Object, (Mon, Apr 27th)

An interesting obfuscation technique to store a malicious payload in a PowerShell script: in a PSCredential object!
  • April 27th 2020 at 06:44

Video: Malformed .docm File, (Sun, Apr 26th)

In diary entry "Obfuscated with a Simple 0x0A", Xavier discovers that a .docm file is a malformed ZIP file.
  • April 26th 2020 at 08:27

MALWARE Bazaar, (Sat, Apr 25th)

When we publish diary entries covering malware, we almost always share the hash of the malware sample.
  • April 25th 2020 at 15:30

Malicious Excel With a Strong Obfuscation and Sandbox Evasion, (Fri, Apr 24th)

For a few weeks, we have been seeing a bunch of Excel documents spread in the wild with Macro V4[1]. But VBA macros remain a classic way to drop the next stage of the attack on the victim's computer. The attacker has many ways to fetch the next stage. He can download it from a compromised server or a public service like pastebin.com, dropbox.com, or any other service that allows sharing content. The problem, in this case, is that it generates more noise via new network flows and the attack depends on the reactivity of the other party to clean up the malicious content. If this happens, the macro won't be able to fetch the data and the infection will fail. The other approach is to store the payload in the document metadata, in the document itself, or appended to it.
  • April 24th 2020 at 05:16

SpectX: Log Parser for DFIR, (Tue, Apr 21st)

I hope this finds you all safe, healthy, and sheltered to the best of your ability.
  • April 21st 2020 at 02:29

KPOT AutoIt Script: Analysis, (Mon, Apr 20th)

In diary entry "KPOT Deployed via AutoIt Script" I obtained 3 files:
  • April 20th 2020 at 06:56

KPOT Analysis: Obtaining the Decrypted KPOT EXE, (Sun, Apr 19th)

In diary entry "KPOT Deployed via AutoIt Script" I obtained 3 files:
  • April 19th 2020 at 08:03

Maldoc Falsely Represented as DOCX Invoice Redirecting to Fake Apple Store, (Sat, Apr 18th)

This is a phishing document received today pretending to be an invoice (Word Document) from Apple Support but initial analysis shows it is a PDF document.
  • April 18th 2020 at 18:38
Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th)

Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur these days, it is related to the COVID19 pandemic. Its purpose is simple: it checks if Outlook is used by the victim and, if that's the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it. The script is available on VT (SHA256: 1f7f0d75fe5dace66ec9b5935d28ba02765527f09f58345c2e33e17ab4c91bd7) and has a low score of 8/60[1].
  • April 17th 2020 at 10:35

Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th)

STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker. Living off the land attacks use existing Windows binaries instead of downloading specific attack tools. This post-compromise technique is very difficult to block. AppLocker isn't really designed to block these attacks because AppLocker by default does allow standard Windows binaries to run.
  • April 16th 2020 at 21:31

No IOCs? No Problem! Getting a Start Hunting for Malicious Office Files, (Wed, Apr 15th)

Most of us know that macros in Office documents are one of the most common ways to get malware into an organization. Unfortunately, all too many organizations depend on their AV products to detect these macros and the associated malware. It's a sad fact that macros are easy to write, and it's not too tough to evade AV by being smart about how you write a malicious macro.
  • April 15th 2020 at 12:53

Microsoft April 2020 Patch Tuesday, (Tue, Apr 14th)

This month we got patches for 113 vulnerabilities total. According to Microsoft, three of them are being exploited (CVE-2020-1020, CVE-2020-0938 and CVE-2020-0968) and two were previously disclosed (CVE-2020-1020 and CVE-2020-0935).
  • April 14th 2020 at 18:22

Look at the same phishing campaign 3 months apart, (Mon, Apr 13th)

While going through a batch of malicious e-mails, which were caught by my mail filters in March, I noticed a simple phishing e-mail, which carried an entire credential-stealing page in its attachment. This, although interesting in its own way, would not be that unusual[1,2]. While I was analyzing it, however, I found that a nearly identical e-mail message, which was obviously part of the same campaign, was uploaded to Any.Run[3] back in January. Since I had two samples from nearly 3 months apart, I thought it might be interesting to take a look at how much has changed in this phishing campaign over that time.
  • April 13th 2020 at 13:54

Critical Vuln in vCenter vmdir (CVE-2020-3952), (Fri, Apr 10th)

On April 9, VMware published VMSA-2020-0006, a security advisory for a critical vulnerability in vCenter Server that received the maximum CVSSv3 score of 10.0. The vulnerability, CVE-2020-3952, involves a sensitive information disclosure flaw in the VMware Directory Service (vmdir) which is included with VMware vCenter. Per the advisory, vmdir does not implement proper access controls, which could allow a malicious attacker with network access to obtain sensitive information. This likely can allow the attacker to compromise other services which rely on vmdir for authentication.
  • April 10th 2020 at 22:30

PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th)

Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of Powershell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the code snippets below have been beautified.
  • April 10th 2020 at 09:32

Performing deception to OS Fingerprint (Part 1: nmap), (Sat, Mar 28th)

How can you know which operating system is running on a specific remote host? The technique that answers this question is operating system fingerprinting: it works by sending a specific set of packets to the remote host and observing how it responds. Each operating system responds differently, which allows it to be identified.
  • April 9th 2020 at 21:58

Password Protected Malicious Excel Files, (Mon, Apr 6th)

We've been seeing quite a few malicious Excel files with Excel 4 macros lately.
  • April 6th 2020 at 18:32

Maldoc XLS Invoice with Excel 4 Macros, (Sun, Apr 5th)

This week I got an email claiming to be a YellowPages invoice with an XLS attachment containing an Excel 4.0 macro which has similarity to [1][2].
  • April 5th 2020 at 20:20

New Bypass Technique or Corrupt Word Document?, (Sat, Apr 4th)

I was taking a closer look at Xavier's Word document he analyzed in yesterday's diary entry: "Obfuscated with a Simple 0x0A".
  • April 4th 2020 at 23:07

Obfuscated with a Simple 0x0A, (Fri, Apr 3rd)

With the current Coronavirus pandemic, we continue to see more and more malicious activity around this topic. Today, we got a report from a reader who found a nice malicious Word document that is part of a Coronavirus phishing campaign. I don't know how the URL was distributed (probably via email) but the landing page is a fake White House-themed page. So, it is probably targeting US citizens.
  • April 3rd 2020 at 08:12

Kwampirs Targeted Attacks Involving Healthcare Sector, (Tue, Mar 31st)

There is no honor among thieves. Even after some ransomware gangs claimed to cease targeting the healthcare sector, attacks continue to happen. But ransomware isn't alone. Last week, the FBI updated an advisory regarding the Kwampirs malware, pointing out the healthcare sector as one of its targets. Kwampirs isn't picky in its targeting. It has been observed going after various sectors (financial, energy, software supply chain, and healthcare, among others). One differentiator of Kwampirs is its modular structure. After penetrating a particular target network, the malware will load appropriate modules based on the targets it encounters. In general terms, Kwampirs is a "Remote Admin Tool" (RAT). It provides access to the target and can be used to execute additional payloads at the attacker's choosing.
  • March 31st 2020 at 00:52

Crashing explorer.exe with(out) a click, (Mon, Mar 30th)

In a couple of my recent diaries, we discussed two small unpatched vulnerabilities/weaknesses in Windows. One allowed us to brute-force the contents of folders without any permissions[1], and another enabled us to change the names of files and folders without actually renaming them[2]. Today, we'll add another vulnerability/weakness to the collection: this one will allow us to cause a temporary DoS condition for the Explorer process (i.e. we will crash it) and/or for other processes. It is interesting since all that is required for it to work is that a user opens a link or visits a folder with a specially crafted file.
  • March 30th 2020 at 06:12

Obfuscated Excel 4 Macros, (Sun, Mar 29th)

Two readers (anonymous and Robert) submitted very similar malicious spreadsheets with almost no detections on VT: c1394e8743f0d8e59a4c7123e6cd5298 and a03ae50077bf6fad3b562241444481c1.
  • March 29th 2020 at 14:53

Covid19 Domain Classifier, (Sat, Mar 28th)

Johannes started a Covid19 Domain Classifier here on our Internet Storm Center site.
  • March 28th 2020 at 11:16