#Google has obtained a court order in the US to disrupt the distribution of the information-stealing #malware CryptBot that has infected over 670,000 computers.
Hi everyone. It's the X-Ops team with another research update.
We've been looking at the fallout of an advisory published by #PaperCut, a print-management software company.
The update to their initial posting about CVE-2023-27350 (https://www.papercut.com/kb/Main/PO-1216-and-PO-1219) reported that they're aware of attacks in the wild targeting their PaperCut MF and NG Application and Site Server software, version 8.0 and newer.
We're publishing some research today into attacks we've observed targeting this platform.
#GPECdigital - an innovation radar for domestic security.
Prof. Dr. Hummert @DrHu, research director at @Cyberagentur, stressed in his talk: "#Polizei (the police) is today often already more innovative than #Cyberkriminelle (cybercriminals), who only use variants of the very same #Malware over and over. Still, there is plenty of room for #Innovationen (innovation)."
GPEC is the international trade fair and conference series on digitalisation in domestic security, civil protection and disaster relief. https://www.gpecdigital.com/ #Cybersicherheit
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #16/2023 is out! It includes, but not only:
-EvilExtractor #malware activity spikes in Europe and the U.S.
-North Korean #3CX Hackers Also Hit Critical Infrastructure Orgs
-China building cyberweapons to hijack enemy satellites, says US leak
-#GitHub Announces New Security Improvements
-Air Force Unit in Document Leaks Case Loses Intel Mission
-Russian hackers exfiltrated data from #Capita over a week before outage
-#Lazarus hackers now push Linux malware via fake job offers
-3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
-#Fortra shares findings on #GoAnywhere MFT zero-day attacks
-#Google TAG Warns of Russian Hackers Conducting Phishing Attacks in #Ukraine
-Google patches another actively exploited #Chrome zero-day
-#Microsoft: Iranian hackers behind retaliatory cyberattacks on US orgs
-#Goldoson #Android Malware Infects Over 100 Million Google Play Store Downloads
-Takedown of GitHub Repositories Disrupts RedLine Malware Operations
-Microsoft has shifted to a new naming taxonomy for threat actors
-#YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader
-#Apple’s high security mode blocked NSO #spyware, researchers say
-#Trigona #Ransomware Attacking MS-SQL Servers
-#WhatsApp and other encrypted messaging apps unite against UK law plan
-Mom Says Daughter's Voice Was Cloned with AI in $1 Million Kidnapping #Hoax
-#LockBit ransomware encryptors found targeting Mac devices
📚 This week's recommended book is "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" by Michael Sikorski and Andrew Honig.
Subscribe to the #newsletter to have it piping hot in your inbox every Sunday ⬇️
Hey there. @threatresearch here again, taking over the X-Ops Mastodon to talk about some research we posted this week.
We stumbled upon a malicious tool earlier this year, while our EDR and incident response teams were called in to perform postmortem investigations of ransomware attacks.
While reviewing logs, we found that the threat actors had used a custom-designed #malware we're calling #AuKill as a way to terminate the #EDR agent and endpoint security software the target had installed.
The #AuKill #malware we found is a custom-built utility that was used by threat actors after they had already gained a foothold inside the target's network, and administrative privileges on one or more machines.
Its singular goal is to sabotage endpoint security tools, preventing antimalware from preventing the criminals from doing harm.
The method by which it does this is somewhat unique: It abuses a now-deprecated, signed driver from Microsoft's Process Explorer to kill process names hardcoded into the malware.
They didn't even bother trying to hide it. The legitimate Process Explorer driver is named procexp152.sys, and the one used by AuKill is named #procexp.sys. It is, in fact, the driver that shipped with version 16.32 of Process Explorer.
Running the tool is fairly simple. The attacker just runs it as an administrator, passing as a command flag a password the creator hardcoded into #AuKill.
Then AuKill copies itself into the System folder, drops the hijacked ProcExp.sys driver into the Drivers folder, and registers itself as a Windows service.
After that, the #malware just persistently runs in the background, looking for any running program that has a name matching the hardcoded list it carries with it. When it sees one of those programs (mostly Sophos endpoint security and Microsoft Defender) it sends a command to try to terminate the program.
We looked at what we suspect are six incremental stages of the #AuKill #malware's development. Each new version added a few different features. And as time went on, we also saw the creators add new programs to the kill list.
Oddly, most of the programs added to the kill list in later versions were not EDR or antimalware utilities. One version is designed to kill the Windows version of the ElasticSearch application.
A few others added an enterprise remote-access tool called Splashtop to the kill list. One version targeted software called Aladdin HASP - a now-defunct tool designed to help manage software licensing over a network.
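The thread above describes a fixed sequence (the driver named procexp.sys is dropped into the Drivers folder, then the tool registers itself as a service), and the legitimate Process Explorer driver is named procexp152.sys. The following is an added detection example, not code from the X-Ops post or from Sophos: it scans constructed, pipe-delimited telemetry lines (an assumed format, not any real product's log schema) for that drop-then-register pattern and excludes the legitimate driver filename, so a defender can see how the two named facts from the post turn into a correlated rule.

```python
import re
from typing import Iterable

# Constructed sample telemetry (not real logs). Line format assumed for this example:
#   FileCreate|<path>
#   ServiceInstall|<service name>|<image path>|<service type>
SAMPLE_EVENTS = [
    "FileCreate|C:\\Windows\\System32\\drivers\\procexp.sys",
    "ServiceInstall|procexp|C:\\Windows\\System32\\drivers\\procexp.sys|kernel",
    "FileCreate|C:\\Users\\alice\\Downloads\\quarterly.pdf",
    "ServiceInstall|OpenSSHd|C:\\Program Files\\OpenSSH\\sshd.exe|win32",
    "FileCreate|C:\\Temp\\procexp152.sys",
]

# The driver AuKill ships is named procexp.sys; the legitimate Process Explorer
# driver is named procexp152.sys (both names from the research summary above).
# Matching on the exact basename keeps the legitimate driver out of the results.
SUSPECT_DRIVER = "procexp.sys"
DRIVERS_DIR_RE = re.compile(r"\\drivers\\", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_aukill_indicators(events: Iterable[str]) -> list[tuple[str, str]]:
    """Scan event lines and return (indicator, detail) pairs.

    Indicators emitted:
      - "driver_drop":    procexp.sys written into a Drivers folder
      - "driver_service": a kernel service registered with that driver as its image
      - "chained":        the service points at a driver seen dropped earlier,
                          i.e. the drop-then-register sequence the thread describes
    """
    findings: list[tuple[str, str]] = []
    dropped: set[str] = set()
    for line in events:
        fields = line.rstrip("\n").split("|")
        kind = fields[0]
        if kind == "FileCreate" and len(fields) == 2:
            path = fields[1]
            if _basename(path) == SUSPECT_DRIVER and DRIVERS_DIR_RE.search(path):
                dropped.add(path.lower())
                findings.append(("driver_drop", path))
        elif kind == "ServiceInstall" and len(fields) == 4:
            name, image, svc_type = fields[1], fields[2], fields[3]
            if svc_type == "kernel" and _basename(image) == SUSPECT_DRIVER:
                findings.append(("driver_service", f"{name} -> {image}"))
                if image.lower() in dropped:
                    findings.append(("chained", f"{name} uses freshly dropped {image}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_aukill_indicators(SAMPLE_EVENTS):
        print(f"[{indicator}] {detail}")
```

The "chained" finding is the one worth alerting on: a single procexp.sys file write could be noise, but a kernel service whose image is a driver written moments earlier into the Drivers folder matches the post's description closely enough to warrant a look at which processes that host subsequently lost.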
U.K. and U.S. #cybersecurity agencies have warned of Russian nation-state actors exploiting flaws affecting Cisco networking equipment to deploy #malware and conduct reconnaissance.
Do you sometimes just want one tool from the #AndroidSDK in a container or VM, and don't want to deal with the whole pain of setting up #Java and everything? Try the #FDroid sdkmanager instead of the official one. For example, apt-get install sdkmanager then sdkmanager platform-tools. Plus this verifies all packages using apt-get style GPG-signed index with SHA256 values. Useful in #research on #Android #malware #tracking etc. In pypi, Debian, Ubuntu, and https://gitlab.com/fdroid/sdkmanager/
I am faculty at TU Eindhoven in NL 🇳🇱. I am interested in studying emergent #cyberthreats and attack innovation (from #malware to #socialEngineering), and how to integrate this into our defenses. I am the scientific director of the ESH-Security Operation Center (our own @TUEindhoven commercial #SOC, https://www.eindhovensecurityhub.nl supporting ed. & res.).
Professionally right now I work as an SME in a #PenTesting group for a regulatory company, but it's really not my bag of tea in the long run. That I can feel. I much prefer to be in an investigatory and tool-making field for something related to #DFIR. I was especially happy doing #ReverseEngineering of #malware.
I'm into reverse engineering, assembly languages like #IA32 and recently #ARM / #ARM64, programming (old classics like C/C++ / #Python but learning the newer stuff like #RustLang), big into #forensics, #RasPi and #Arduino projects and such.
Still trying to figure out what I am career wise, though, like job title and such! It's all great fun to me, just haven't found the direct niche to sink into.
Hobby wise, I'm also really into #GuildWars2! Long time gamer at heart.
Starting a small thread of malware analysis tools for those times when you NEED INDICATORS YESTERDAY, i.e. tools I have used that are easy to use and give good leads for further analysis with minimal effort.
This tool displays the values of objects and relationships between objects inside the .NET runtime's managed heap memory. It can either work off a memory dump file, or snapshot a running process at regular intervals. It also captures stack traces, and a list of loaded assemblies.
I have done all of the following with it:
-Look at all System.Byte[] objects and grab those with values that have the PE headers at the beginning. There's actually a built in menu option for this (along with tons of other useful searches, such as just grabbing everything that looks remotely like an URL)
-Look for "interesting" object types like HttpWebRequest or anything under System.Security.Cryptography, and look at the parents or children of those objects to either find plain text indicators, or to get an idea of how indicators are obfuscated / encrypted
-Snapshot a process every 20ms, and look at the list of loaded assemblies in each snapshot to see if / when the binary starts delivering another payload assembly.
-Use as a very rough tracing tool by snapshotting at regular intervals, and seeing how the stack trace changes for each snapshot.
Also it persists all of the values of parsed objects to a plain SQLite database :awesome: So you can just do arbitrary SQL queries on the results as well. I haven’t even begun exploring this yet.
A try at my #introduction in English...
First a few keywords: #gendarmerie (one of France's national #LawEnforcement agencies) #forensics #malware #botnets #science.
Organizer, together with a great team of volunteers, of #Botconf https://www.botconf.eu (The International Botnet & Malware Ecosystems Fighting Conference) @botconf since 2013 & #coriin (conference on incident response and digital investigations).
To know me better, you can find more info in my profile and of course by chatting with me 🗨️ 😀