InfoSec Week 9, 2017

Posted on 05 March 2017
SUBSCRIBE TO A WEEKLY NEWSLETTER!

Cisco Talos analyzed PowerShell trojan "DNSMessenger" that communicates with the command and control server using DNS TXT record queries.
http://blog.talosintelligence.com/2017/03/dnsmessenger.html

IRC Botnet named GhostAdmin spreading as a fake security product, borrowing its name and icon from the Symantec, Avira, Avast.
https://www.alienvault.com/blogs/security-essentials/ghostadmin-the-invisible-data-thief-notes-from-the-underground

Nice analysis of an admin panel used by spambot "Onliner". It was used for spreading Ursnif in the Italy and Canada.
https://benkowlab.blogspot.ch/2017/02/spambot-safari-2-online-mail-system.html

The group known as the APT28, attributed to the Russia, is behind the spear phishing operation against the Japan. They have used PowerShell payload, which downloads additional DLL malware later.
https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html

New exploit kit called Nebula is up for a sale on the internet. Different payload is served according to the victim location.
http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html

German and Czech Android users are getting served with a banking Trojan directly through SMS messages.
https://www.helpnetsecurity.com/2017/02/28/germans-czechs-banking-malware/

Teddy bear seller CloudPets Mongo database full of customers' info leaked online.
https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

This is from the beginning of February, some provoking thoughts on the cyber conflict around French elections.
https://medium.com/@thegrugq/opening-cyber-salvo-in-the-french-elections-e677447b91dc

Eset & Kaspersky released a decryption tool for the Dharma ransomware.
http://www.computerworld.com/article/3176688/security/free-decryption-tools-now-available-for-dharma-ransomware.html

Matthew Green wrote about the use of advanced cryptography in the ransomware development. This is interesting, and partially related to my december blog.
https://blog.cryptographyengineering.com/2017/02/28/the-future-of-ransomware/

Researchers from the Graz University of Technology published attack against the Intel Software Guard Extensions enclaves. From the paper: "In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. [...] In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes."
https://arxiv.org/abs/1702.08719

whoishere.py - Identify people by assigning a name to a device performing a wireless probe request
https://github.com/hkm/whoishere.py


Comments !