Displaying items by tag: Malware

When you are hunting, finding out where your target frequents and laying in wait is an often-used tactic. If your information is good, you are going to have a successful hunt. The same is true in cybersecurity, both from an attacker and researcher perspective. These attacks are called watering hole attacks. You are looking for your intended target to come and “take a drink” so you can spring your trap.

Malware delivery and distribution techniques always changing. As blue teams develop an understanding of one type of attack, the attackers shift to something different. Security researchers and security teams follow (or should follow) these methods so they can shift defensive tactics and software to meet the new challenge. This brings us to our topic for today. Researchers over at Proofpoint have identified an unusual packer called DTPacker, a .NET packer that not only obfuscates the payload that it is delivering but can act as both a runtime packer (a self-executing archive) as well as a downloader. This is unusual all on its own, but there are other factors that have been observed in this packer that make it the odd person out.

Dropbox, Google Docs and other cloud storage services are great tools for collaboration and to ensure that your files are kept, relatively, safe. These services can also be used by attackers with the right setup and files. The APT group know as Molerats is just such a group. They have been identified is several attacks that leveraged Dropbox and Google Docs as their C2 and payload sources. In December of 2021 the ThreatLabz team at zscaler noticed some unusual behavior that turned out to be just such an attack.

In a list of things that should be killed with fire, Excel 4.0 Macros are high up. However, the fat that Spamming “services” like Emotet are still using Excel 4.0 Macros tells me that some are not getting the hint. According to recent research from TrendMicro, Emotet is using some very unconventional methods of obfuscating the C2 server IP addresses. The attack patter is the same, email with a poisoned Excel spreadsheet. This spreadsheet contains HTA with the command script, you know the drill.

The Ultimate Kronos Group was the target of a Ransomware attack in Late 2021 coincidentally at the same time the Log4Shell vulnerability was disclosed. Kronos has not disclosed how the ransomware got into their environment, nor has it been revealed who might be behind the attack. Original estimates were that Kronos would be able to restore the impacted systems and be back online in a few weeks. Now, a bit more than a month later, there have been no real updates on the situation and many organizations are still feeling the effects.

APT group 41 also known as Winnti has been tied to a wonderful new piece of malware that does not infect your operating system, but the UEFI firmware on your device. The malware in question has been dubbed MoonBounce by the security researchers at Kaspersky who are responsible for finding it. APT41 has been in operation for a while and is identified by their tactics techniques and protocols (TTPs) which include stealthy attacks meant to maintain a long-term presence for information gathering on the target.

As the title implies, we will be talking about Cylance PROTECT (now wholly owned by Blackberry). Our focus will not be on the inner workings, or any type of vulnerability. Our focus today will be all about Protect’s script control function and why many people do not enable it. If this sounds like a fun read, then you might be one of those security admins that have beat your head against the wall figuring out just how to get this working right in your environment.

It seems that is the time once again to talk about the relationship between software vendors and the security posture of different business verticals. Why are we beating this particular dead horse? Well with the Covid-19 Pandemic, the rush to shift to remote work force and an increase in attacker activity aimed at the remote workforce and healthcare you would think that there would be an increase level of effort to fix vulnerabilities in remote access and healthcare services software. If you thought that, you would be wrong. Instead during this time, we are seeing more software vendors pushing FDA as law and healthcare organizations even refusing opportunities to patch critical software. This on top of an extremely slow response to threat to the remote workplace.

When you think about operating system updates you probably do not think about the security team. Sure, there are security patches and such, but those are on the operations team and not really pushed out by the security team. Well, that is when they are done properly by the OS vendor.

For the last couple of days the world has been buzzing with news about the Petya malware. When the news of the outbreak broke on Tuesday morning, it was all about a new ransomware that was spreading around the globe. References to WannaCry were made and fingers pointed to the use of the same NSA exploit as the attack vector. However, Petya was not really like WannaCry in that there was no “kill-switch”. Wednesday morning the big players in the anti-malware and security markets had sent out their “what you should know emails” and a low-grade form of panic hit many enterprises.