3.1 C
London
Saturday, November 18, 2017
Home Tags Dynamic Link Library

Tag: Dynamic Link Library

An untrusted search path vulnerability in the Cisco Immunet antimalware installer could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the ...
The authors of malware use various techniques to circumvent defensive mechanisms and conceal harmful activity. One of them is the practice of hiding malicious code in the context of a trusted process.

Typically, malware that uses concealment techniques injects its code into a system process, e.g. explorer.exe.

But some samples employ other interesting methods. We're going to discuss one such type of malware.
The latest Patch Tuesday (17 October) brought patches for 62 vulnerabilities, including one that fixed СVE-2017-11826 – a critical zero-day vulnerability used to launch targeted attacks – in all versions of Microsoft Office.

The exploit for this vulnerability is an RTF document containing a DOCX document that exploits СVE-2017-11826 in the Office Open XML parser.

Bad Rabbit ransomware

On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit.
It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine.
On October 10, 2017, Kaspersky Labrsquo;s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers.

The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today.
While some criminals blow up ATMs to steal cash, others use less destructive methods, such as infecting the ATM with malware and then stealing the money. We have written about this phenomenon extensively in the past and today we can add another family of malware to the list – Backdoor.Win32.ATMii.
A vulnerability in the routine that loads DLL files in Cisco Meeting App for Windows could allow an authenticated, local attacker to run an executable file with privileges equivalent to those of Cisco Meeting App. The vulnerability is due to incom...
We're already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks.
Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it 'Microcin' after microini, one of the malicious components used in it.
A vulnerability in the Cisco FindIT Network Discovery Utility could allow an authenticated, local attacker to perform a DLL preloading attack, potentially causing a partial impact to device availability, confidentiality, and integrity. The vulnera...
In the field of information security, sandboxes are used to isolate an insecure external environment from a secure internal environment (or vice versa), to protect against the exploitation of vulnerabilities, and to analyze malicious code.

At Kaspersky Lab, we have several sandboxes, we will look at just one of them that was customized to serve the needs of a specific product and became the basis of Kaspersky Anti Targeted Attack Platform.

Introducing WhiteBear

As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear.
It is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private report. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure.
In July 2017, during an investigation, suspicious DNS requests were identified in a partnerrsquo;s network.

The source of the queries was a software package produced by NetSarang. Our analysis showed that recent versions of the software had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker.