Tag PowerShell

InfoSec Week 3, 2018

The notorious Necurs spam botnet is sending millions of spam emails pumping a shitcoin named Swisscoin. The attackers have probably invested in it and are running a pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police handed out malware-infected USB sticks as prizes in a cybersecurity quiz. The malware was an old sample that tried to contact a no-longer-existing C&C server in Poland. The thumb drives had been infected at a third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research analyzes the usage of Certificate Authority Authorization (CAA) DNS records. CAA records let domain owners state explicitly which certificate authorities may issue certificates for their domain, and CAs have been required to check them before issuance since September 2017 (CA/Browser Forum Ballot 187). Only 4 of the large DNS operators that dominate the Internet's DNS infrastructure allowed their customers to configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/
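Added worked example (my code, not from the study): a CAA evaluator that does what a CA must do at issuance time under RFC 8659. It parses a constructed zone fragment in master-file syntax, climbs from the requested name toward the root until it finds the first non-empty CAA RRset, and then answers whether a given issuer may issue, including the wildcard and critical-flag cases. The zone, the domain names and the thresholds are assumptions for the example; lookups are served from a dict rather than live DNS.

```python
"""CAA policy evaluation the way a CA has to do it before issuing (RFC 8659).

Added example, not code from the CAA study.  The zone below is a constructed
fragment in master-file syntax and is served from a dict instead of live DNS;
the CA identifiers are just the issuer-domain-names that appear in CAA records.
"""
import re
from dataclasses import dataclass

# Constructed sample zone: <owner> IN CAA <flags> <tag> "<value>"
SAMPLE_ZONE = """
example.com.          IN CAA 0   issue     "letsencrypt.org"
example.com.          IN CAA 0   issuewild ";"
example.com.          IN CAA 0   iodef     "mailto:security@example.com"
api.example.com.      IN CAA 0   issue     "digicert.com; validationmethods=dns-01"
locked.example.org.   IN CAA 0   issue     ";"
strict.example.org.   IN CAA 128 policy    "some-future-tag"
"""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


_RR = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')


def parse_zone(text):
    """Parse CAA records into {owner: [CAA, ...]} (owner lower-cased, no trailing dot)."""
    zone = {}
    for line in text.strip().splitlines():
        m = _RR.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        zone.setdefault(owner.rstrip(".").lower(), []).append(CAA(int(flags), tag.lower(), value))
    return zone


def relevant_caa_set(zone, name):
    """RFC 8659 section 3: walk from the name toward the root and use the first
    non-empty CAA RRset found.  Records at different levels are never merged."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def _issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, ca, name, wildcard=False):
    """May `ca` issue a certificate for `name` (or for *.name when wildcard=True)?"""
    rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True                      # no CAA anywhere up the tree: unrestricted
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                     # critical tag we do not understand: refuse
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                # issuewild overrides issue for wildcard names
    issuers = {_issuer_domain(r.value) for r in rrset if r.tag == tag}
    if not issuers:
        return True                      # e.g. only iodef present: no restriction
    return ca.lower() in issuers         # issue ";" yields {""} and matches nobody


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for ca, name, wc in [("letsencrypt.org", "www.example.com", False),
                         ("letsencrypt.org", "example.com", True),
                         ("digicert.com", "api.example.com", False),
                         ("letsencrypt.org", "locked.example.org", False)]:
        verdict = "issue" if may_issue(zone, ca, name, wc) else "REFUSE"
        print(f"{ca:16} {'*.' if wc else ''}{name:22} -> {verdict}")
```

The two behaviours worth noticing: `api.example.com` has its own RRset, so the `letsencrypt.org` authorization at `example.com` does not apply to it (the closest non-empty set wins, nothing is merged), and `issuewild ";"` at the apex blocks wildcard issuance even though ordinary issuance is allowed.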

Lenovo engineers discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company has already released firmware updates.
The backdoor was added to the source code in 2004, when the code base was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, the Python / C / PowerShell malware used in the Pyeongchang Olympics-themed spear phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 15, 2017

Interesting blog post about generic unpacking of the Locky malware using Radare2's r2pipe, Python and a Windows 7 VM.
http://blog.devit.co/unpacking-with-r2pipe/

More information about the Shadow Brokers' dump of the NSA hacking toolkit is coming out as analysis progresses.
Kudelski Security published an overview of the Equation Group exploitation arsenal for the Windows platform. Worth noting: the dump also indicates that the NSA compromised a SWIFT system.
https://research.kudelskisecurity.com/2017/04/14/shadow-brokers-april-2017-release-2/
http://securityaffairs.co/wordpress/58006/hacking/nsa-hacked-swift.html

Symantec researchers linked the CIA hacking tools (Vault 7) to cyber attacks launched in recent years by the Longhorn group, which specialises in intelligence-gathering operations. Kaspersky tracks the same toolkit under the name Lamberts.
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7
https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/

Criminals robbed at least 8 ATMs in Russia, stealing $800,000 in one night, using the "fileless" ATMitch malware.
http://securityaffairs.co/wordpress/57881/cyber-crime/atmitch-fileless-malaware.html

FireEye documented a campaign leveraging the CVE-2017-0199 vulnerability, which enables attackers to "download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit." It delivers the so-called FINSPY and LATENTBOT samples, targeting mostly Russian-speaking users.
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://arstechnica.com/security/2017/04/microsoft-word-0day-was-actively-exploited-by-strange-bedfellows/

I wrote about Broadcom's Wi-Fi stack exploit last week; this is the second part of the Google Project Zero team's series.
https://googleprojectzero.blogspot.sk/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html

InfoSec Week 9, 2017

Cisco Talos analyzed the PowerShell trojan "DNSMessenger", which communicates with its command and control server using DNS TXT record queries.
http://blog.talosintelligence.com/2017/03/dnsmessenger.html
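Added worked example (my code, not Talos'): a detector for the traffic pattern DNSMessenger-style implants produce, namely many TXT queries from one client for unique, random-looking subdomains of a single domain. It runs over constructed query log lines (one workstation with ordinary lookups plus the C2 pattern against a made-up domain, and a mail server doing repeated SPF-style TXT lookups that must not be flagged). The log format, the "registered domain = last two labels" shortcut and the thresholds are assumptions for the example, not Talos indicators.

```python
"""Spot DNS TXT traffic that looks like a C2 channel (the DNSMessenger pattern).

Added example, not Talos code.  The query log below is constructed: one
workstation (10.0.0.5) doing ordinary lookups plus ten TXT queries for
unique, random-looking subdomains of a made-up domain c2-example.net, and a
mail server (10.0.0.9) doing repeated SPF-style TXT lookups.  Thresholds are
illustrative assumptions.
"""
import math
from collections import defaultdict

# Constructed log lines: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.5 corp.example.com TXT
2017-03-02T10:00:02 10.0.0.5 _dmarc.corp.example.com TXT
2017-03-02T10:00:03 10.0.0.5 corp.example.com TXT
2017-03-02T10:00:04 10.0.0.5 mail.corp.example.com A
2017-03-02T10:00:10 10.0.0.9 example.org TXT
2017-03-02T10:00:11 10.0.0.9 example.org TXT
2017-03-02T10:00:12 10.0.0.9 example.org TXT
2017-03-02T10:00:13 10.0.0.9 example.org TXT
2017-03-02T10:00:14 10.0.0.9 example.org TXT
2017-03-02T10:00:15 10.0.0.9 example.org TXT
2017-03-02T10:00:16 10.0.0.9 example.org TXT
2017-03-02T10:00:17 10.0.0.9 example.org TXT
2017-03-02T10:01:00 10.0.0.5 7a3f9c1e0b5d.c2-example.net TXT
2017-03-02T10:01:01 10.0.0.5 e4b82d91f6a0.c2-example.net TXT
2017-03-02T10:01:02 10.0.0.5 c0d5e1f2a3b4.c2-example.net TXT
2017-03-02T10:01:03 10.0.0.5 91827364a5bc.c2-example.net TXT
2017-03-02T10:01:04 10.0.0.5 fedcba987654.c2-example.net TXT
2017-03-02T10:01:05 10.0.0.5 0f1e2d3c4b5a.c2-example.net TXT
2017-03-02T10:01:06 10.0.0.5 a9b8c7d6e5f4.c2-example.net TXT
2017-03-02T10:01:07 10.0.0.5 13579bdf2468.c2-example.net TXT
2017-03-02T10:01:08 10.0.0.5 2468ace13579.c2-example.net TXT
2017-03-02T10:01:09 10.0.0.5 b1c2d3e4f5a6.c2-example.net TXT
2017-03-02T10:01:10 10.0.0.5 c2-example.net A
"""


def shannon_entropy(s):
    """Bits per character of the string; 0 for empty or single-character input."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption for the example: registered domain = last two labels.
    Production code should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        yield ts, client, qname.rstrip(".").lower(), qtype.upper()


def flag_txt_c2(text, min_txt=8, min_unique_ratio=0.8, min_entropy=3.0):
    """One finding per (client, domain) whose TXT queries look like a covert channel:
    enough TXT queries, almost every qname unique, and high-entropy subdomain labels."""
    stats = defaultdict(lambda: {"txt": 0, "names": set(), "entropy": []})
    for _, client, qname, qtype in parse_log(text):
        if qtype != "TXT":
            continue
        domain = registered_domain(qname)
        sub = qname[: -len(domain)].rstrip(".").replace(".", "")
        s = stats[(client, domain)]
        s["txt"] += 1
        s["names"].add(qname)
        s["entropy"].append(shannon_entropy(sub))
    findings = []
    for (client, domain), s in sorted(stats.items()):
        ratio = len(s["names"]) / s["txt"]
        mean_h = sum(s["entropy"]) / s["txt"]
        if s["txt"] >= min_txt and ratio >= min_unique_ratio and mean_h >= min_entropy:
            findings.append({"client": client, "domain": domain, "txt_queries": s["txt"],
                             "unique_ratio": round(ratio, 2), "mean_entropy": round(mean_h, 2)})
    return findings


if __name__ == "__main__":
    for finding in flag_txt_c2(SAMPLE_LOG):
        print(finding)
```

The uniqueness ratio is what separates the mail server from the implant: both generate a burst of TXT queries, but SPF checks hit the same name over and over, while a TXT-based C2 channel has to vary the qname on every poll to get past resolver caches.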

An IRC botnet named GhostAdmin is spreading as a fake security product, borrowing its name and icon from Symantec, Avira and Avast.
https://www.alienvault.com/blogs/security-essentials/ghostadmin-the-invisible-data-thief-notes-from-the-underground

Nice analysis of the admin panel used by the "Onliner" spambot, which was used for spreading Ursnif in Italy and Canada.
https://benkowlab.blogspot.ch/2017/02/spambot-safari-2-online-mail-system.html

The group known as APT28, attributed to Russia, is behind a spear phishing operation against Japan. They used a PowerShell payload which later downloads additional DLL malware.
https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html

A new exploit kit called Nebula is up for sale. A different payload is served depending on the victim's location.
http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html

German and Czech Android users are being served a banking Trojan directly through SMS messages.
https://www.helpnetsecurity.com/2017/02/28/germans-czechs-banking-malware/

The MongoDB database of teddy bear seller CloudPets, full of customer information, leaked online.
https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

This is from the beginning of February: some thought-provoking ideas on the cyber conflict around the French elections.
https://medium.com/@thegrugq/opening-cyber-salvo-in-the-french-elections-e677447b91dc

ESET and Kaspersky released decryption tools for the Dharma ransomware.
http://www.computerworld.com/article/3176688/security/free-decryption-tools-now-available-for-dharma-ransomware.html

Matthew Green wrote about the use of advanced cryptography in ransomware development. This is interesting, and partially related to my December blog post.
https://blog.cryptographyengineering.com/2017/02/28/the-future-of-ransomware/

Researchers from the Graz University of Technology published an attack against Intel Software Guard Extensions (SGX) enclaves. From the paper: "In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. [...] In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes."
https://arxiv.org/abs/1702.08719

whoishere.py - identifies people by assigning a name to the device sending wireless probe requests.
https://github.com/hkm/whoishere.py