InfoSec Week 10, 2017

Posted on 11 March 2017

People around an Azerbaijani human rights activist and lawyer received spear-phishing messages, according to a multi-year investigation by Amnesty Global Insights. The malware performed keylogging, captured screenshots, etc.

New Linux ARM malware ELF_IMEIJ.A (reported by Trend Micro) exploits a CGI directory vulnerability in devices from the CCTV/IP camera vendor AVTech.

A rather amateurish ransomware family has been analysed by Palo Alto Networks. The only interesting part is that it does not actually ask for money; instead: "RanRan does not ask for direct payment. Instead, prior to any negotiations regarding payment, the victim must create a subdomain with a seemingly politically inflammatory name as well as a Ransomware.txt file hosted on this subdomain. The hosted file must include a statement of ‘Hacked’ and an email address. By performing these actions, the victim, a Middle Eastern government organization, has to generate a political statement against the leader of the country. It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file."

Kaspersky Lab published a report about a newly discovered disk wiper called StoneDrill. It targets organizations in Saudi Arabia and appears to be related to the Shamoon disk wiper. The malware injects itself into the memory of the victim's browser and also provides RAT functionality.

Errata Security published a short analysis of the Wikileaks CIA #vault7 dump, refuting some of the claims Wikileaks made.
There are a few interesting points in the Wikileaks dump, like one TODO list containing this insane note: "Research into embedding a CRL into a self signed cert as a method of stealthy remote beaconing". Nice.

IOActive research discovered multiple security vulnerabilities in the Confide messaging application. Confide was not using authenticated encryption at the protocol level and was not validating the server's SSL certificate.

SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.

gargoyle - a technique for hiding a program's executable code in non-executable memory. At some programmer-defined interval, gargoyle wakes up and, with some ROP trickery, marks itself executable and does some work...
