New Linux Malware 'sedexp' Hides Credit Card Skimmers Using Udev Rules
https://thehackernews.com/2024/08/new-linux-malware-sedexp-hides-credit.html
#linux #udev #analysis
https://thehackernews.com/2024/08/new-linux-malware-sedexp-hides-credit.html
#linux #udev #analysis
Dissecting the Windows Defender Driver - WdFilter (Part 1)
https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/
Dissecting the Windows Defender Driver - WdFilter (Part 2)
https://n4r1b.com/posts/2020/02/dissecting-the-windows-defender-driver-wdfilter-part-2/
#windows #defender #av #reverse
https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/
Dissecting the Windows Defender Driver - WdFilter (Part 2)
https://n4r1b.com/posts/2020/02/dissecting-the-windows-defender-driver-wdfilter-part-2/
#windows #defender #av #reverse
N4R1B
Dissecting the Windows Defender Driver - WdFilter (Part 1)
In this series of posts I'll be explaining how the Windows Defender main Driver works, in this first post we will look into the initialization and the Process creation notifications among other things
Extract Windows Defender database from vdm files and unpack it
https://github.com/hfiref0x/WDExtract
#windows #defender #av #vdm #signuature #unpack
https://github.com/hfiref0x/WDExtract
#windows #defender #av #vdm #signuature #unpack
GitHub
GitHub - hfiref0x/WDExtract: Extract Windows Defender database from vdm files and unpack it
Extract Windows Defender database from vdm files and unpack it - hfiref0x/WDExtract
Defender Pretender: When Windows Defender Updates Become a Security Risk
https://www.safebreach.com/blog/defender-pretender-when-windows-defender-updates-become-a-security-risk/
#windows #defender #av #signature #vdm
https://www.safebreach.com/blog/defender-pretender-when-windows-defender-updates-become-a-security-risk/
#windows #defender #av #signature #vdm
SafeBreach
Windows Defender Security Risk: Defender Pretender | SafeBreach
SafeBreach exploited the Windows Defender update to deliver malicious updates & maintain persistence on systems as an unprivileged user
An unexpected journey into Microsoft Defender's signature World
https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
#windows #defender #av #signature
https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
#windows #defender #av #signature
PEAKLIGHT: Decoding the Stealthy Memory-Only Malware | Google Cloud Blog
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/
#analysis #memonly
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/
#analysis #memonly
Google Cloud Blog
PEAKLIGHT: Decoding the Stealthy Memory-Only Malware | Google Cloud Blog
Mandiant identified a new memory-only dropper using a complex, multi-stage infection process.
Operation DevilTiger: 0day vulnerability techniques and tactics used by APT-Q-12 disclosed
https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-en/
#analysis #apt
https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-en/
#analysis #apt
Qianxin
奇安信威胁情报中心
Nuxt.js project
Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/
#analysis #apt #exploit #wps #office
https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/
#analysis #apt #exploit #wps #office
Welivesecurity
Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
ESET research uncovers a vulnerability in WPS Office for Windows (CVE-2024-7262), as it was being exploited by South Korea-aligned cyberespionage group APT-C-60 to target East Asian countries. Analysis of the vendor’s silently released patch led to the discovery…
Obfuscated PowerShell leads to Lumma C2 Stealer
https://www.ontinue.com/resource/obfuscated-powershell-leads-to-lumma-c2-stealer/
#analysis #lummac2 #stealer
https://www.ontinue.com/resource/obfuscated-powershell-leads-to-lumma-c2-stealer/
#analysis #lummac2 #stealer
Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing
https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
Masking Malicious Memory Artifacts – Part II: Blending in with False Positives
https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners
https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners
#research #memory #artifacts
https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
Masking Malicious Memory Artifacts – Part II: Blending in with False Positives
https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners
https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners
#research #memory #artifacts
ForrestOrr
Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing
IntroductionI've written this article with the intention of improving the skill of the reader as relating to the topic of memory stealth when designing malware. First by detailing a technique I term DLL hollowing which has not yet gained widespread recognition…
Meet UULoader: An Emerging and Evasive Malicious Installer.
https://cyberint.com/blog/research/meet-uuloader-an-emerging-and-evasive-malicious-installer/
#analysis #loader #msi
https://cyberint.com/blog/research/meet-uuloader-an-emerging-and-evasive-malicious-installer/
#analysis #loader #msi
Cyberint
Meet UULoader: An Emerging and Evasive Malicious Installer.
Ransomware Tool Matrix
- The repository contains a list of which tools each ransomware gang or extortionist gang uses
- As defenders, we should exploit the fact that many of the tools used by these cybercriminals are often reused
- We can threat hunt, deploy detections, and block these tools to eliminate the ability of adversaries to launch intrusions
- The project will be updated as additional intelligence on ransomware gang TTPs is made available
https://github.com/BushidoUK/Ransomware-Tool-Matrix
#analysis #tools
- The repository contains a list of which tools each ransomware gang or extortionist gang uses
- As defenders, we should exploit the fact that many of the tools used by these cybercriminals are often reused
- We can threat hunt, deploy detections, and block these tools to eliminate the ability of adversaries to launch intrusions
- The project will be updated as additional intelligence on ransomware gang TTPs is made available
https://github.com/BushidoUK/Ransomware-Tool-Matrix
#analysis #tools
GitHub
GitHub - BushidoUK/Ransomware-Tool-Matrix: A resource containing all the tools each ransomware gangs uses
A resource containing all the tools each ransomware gangs uses - BushidoUK/Ransomware-Tool-Matrix
Stealer devs bypass Chrome's new cookie protection
https://news.risky.biz/risky-biz-news-stealer-devs-bypass-chromes-new-cookie-protection/
#chrome #cookies #stealers
https://news.risky.biz/risky-biz-news-stealer-devs-bypass-chromes-new-cookie-protection/
#chrome #cookies #stealers
Risky.Biz
Stealer devs bypass Chrome's new cookie protection
In other news: Sandvine to exit dozens of autocratic countries; Ukraine FINALLY bans Telegram on state devices; BingX hack is the 4th largest crypto-heist of the year.
Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain
https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/
https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/
Welivesecurity
Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain
One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of compromised servers, and it has diversified to include credit card and cryptocurrency theft.
TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit
https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
Unit 42
TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit
A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor.
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast/
#tool #redteam #edr #bypass
https://github.com/wavestone-cdt/EDRSandblast/
#tool #redteam #edr #bypass
GitHub
GitHub - wavestone-cdt/EDRSandblast
Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.
This is a new bypass technique for memory scanners. It is useful in hiding problematic code that will be flagged by the antivirus vendors.
This is basically an improved version of Voidgate, but without all of the previous limitations.
This technique is compatible with all C2 beacons, it handles multithreaded payloads and it can handle executables generated by tools such as pe_to_shellcode, thus allowing it to run virtually any non .NET executables.
https://github.com/vxCrypt0r/Voidmaw
#tool #redteam #bypass
This is basically an improved version of Voidgate, but without all of the previous limitations.
This technique is compatible with all C2 beacons, it handles multithreaded payloads and it can handle executables generated by tools such as pe_to_shellcode, thus allowing it to run virtually any non .NET executables.
https://github.com/vxCrypt0r/Voidmaw
#tool #redteam #bypass
GitHub
GitHub - vxCrypt0r/Voidmaw: A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic…
A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables tha...
A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables that will be flagged by the antimalware programs(such as mimikatz).
https://github.com/vxCrypt0r/Voidmaw
https://github.com/vxCrypt0r/Voidmaw
GitHub
GitHub - vxCrypt0r/Voidmaw: A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic…
A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables tha...
Introducing Early Cascade Injection: From Windows Process Creation to Stealthy Injection
https://www.outflank.nl/blog/2024/10/15/introducing-early-cascade-injection-from-windows-process-creation-to-stealthy-injection/
https://www.outflank.nl/blog/2024/10/15/introducing-early-cascade-injection-from-windows-process-creation-to-stealthy-injection/