
Tag: Dynamic Link Library

Fileless malware attack against US restaurants went undetected by most AV

Ongoing campaign shows more hackers are adopting sneaky attack technique.

The security is still secure

Recently WikiLeaks published a report that, among other things, claims to disclose tools and tactics employed by a state-sponsored organization to break into users' computers and circumvent installed security solutions.

The list of compromised security products includes dozens of vendors and relates to the whole cybersecurity industry.

Unraveling the Lamberts Toolkit

The Lamberts is a family of sophisticated attack tools that has been used by one or multiple threat actors against high-profile victims since at least 2008.

The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers.

ATMitch: remote administration of ATMs

In February 2017, we published research on fileless attacks against enterprise networks.

This second paper is about the methods and techniques that were used by the attackers in the second stage of their attacks against financial organizations – basically enabling remote administration of ATMs.

Lazarus Under The Hood

Today we'd like to share some of our findings, and add something new to what's currently common knowledge about Lazarus Group activities, and their connection to the much talked about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank.

PetrWrap: the new Petya-based ransomware used in targeted attacks

This year we found a new family of ransomware used in targeted attacks against organizations.

After penetrating an organization's network the threat actors used the PsExec tool to install ransomware on all endpoints and servers in the organization.

The next interesting fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data.

Now’s the time to get caught up on Windows and Office...

There were almost no patches from Microsoft in February, and the ones that were released haven’t caused any problems.
So it makes a lot of sense to apply those few patches now, since… who knows what could happen next.

A tiny Windows 7 security patch was released in January, and there were no Windows 7 patches at all in February. Meanwhile, the list of problems is growing; two zero-day exploits in IE and Edge were confirmed in February: the gdi32.dll heap boundary error and the CSS token sequence/JavaScript table header bug.

The vulnerability that caused SMBv3 protocol crashes hasn’t been fixed, either. So there is likely a lot of stuff ready to hit the fan.

How Security Products are Tested – Part 1

The demand for tests appeared almost simultaneously with the development of the first antivirus programs.

Demand created supply: test labs at computer magazines started to measure the effectiveness of security solutions, and later an industry of specialized companies emerged with a more comprehensive approach to testing methods.

New(ish) Mirai Spreader Poses New Risks

A cross-platform, win32-based Mirai spreader and botnet is in the wild and has been discussed publicly before. However, much of the reporting conflates separate facts, as if an entirely new IoT bot were spreading to and from Windows devices.

This is not the case. Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant.

Spam and phishing in 2016

2016 saw a variety of changes in spam flows, with the increase in the number of malicious mass mailings containing ransomware being the most significant.

These programs are readily available on the black market, and in 2017 the volume of malicious spam is unlikely to fall.

KopiLuwak: A New JavaScript Payload from Turla

A new, unique JavaScript payload is now being used by Turla in targeted attacks.

This new payload, dubbed KopiLuwak, is being delivered using embedded macros within Office documents.

Cisco’s WebEx Chrome plugin will execute evil code, install malware via...

Just get rid of it – bin it now

Malicious websites can remotely execute commands on Windows systems that have Cisco WebEx's Chrome extension installed.

About 20 million people actively use this broken software. All attackers need to know is a “magic URL” hidden within WebEx, Google Project Zero bug hunter Tavis Ormandy revealed on Monday. We think a secret "magic URL" is the nicest possible way of saying "backdoor," be it deliberate or accidental. Specifically, any URL request – such as a silent request for an invisible iframe on a page – that includes the string cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html opens up WebEx to remote-control execution. Ormandy clocked he could exploit this via Chrome's native messaging system to execute C library and Windows system calls. The Googler quickly produced a proof-of-concept webpage that pops open calc.exe on vulnerable machines that have Cisco's dodgy extension installed.

This demonstrates that a victim just has to browse a website that targets Cisco's plugin to come under attack and find their computer is infected with malware.

“I noticed that [Cisco] ships a copy of the CRT (Microsoft's C Runtime, containing standard routines like printf, malloc, etc), so I tried calling the standard _wsystem() routine (like system(), but for WCHAR strings), like this,” wrote Ormandy, before throwing in this JavaScript:

    var msg = {
      GpcProductRoot: "WebEx",
      GpcMovingInSubdir: "Wanta",
      GpcProductVersion: "T30_MC",
      GpcUnpackName: "atgpcdec",
      GpcExtName: "atgpcext",
      GpcUnpackVersion: "27, 17, 2016, 501",
      GpcExtVersion: "3015, 0, 2016, 1117",
      GpcUrlRoot: "http://127.0.0.1/",
      GpcComponentName: btoa("MSVCR100.DLL"),
      GpcSuppressInstallation: btoa("True"),
      GpcFullPage: "True",
      GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
      ExploitShellCommand: btoa("calc.exe"),
    }

“Unbelievably, that worked,” he added.

There was a secret URL in WebEx that allowed any website to run arbitrary code. ¯\_(ツ)_/¯ https://t.co/sAqZrDN4ad — Tavis Ormandy (@taviso) January 23, 2017

And PRs wonder why we get uppity when we’re told to install weird extensions during press briefings - PDF + text is fine, thanks. https://t.co/whPRlSXnqX — The Register (@TheRegister) January 23, 2017

Cisco has rushed out WebEx version 1.0.3 to fix the issue, although crypto developer Filippo Valsorda says the patch is incomplete.

Given Cisco's devotion to programming standards, or lack thereof, just delete and forget about the crappy thing entirely.