endpoints

Vice Society Ransomware Group Targets Manufacturing Companies

Posted on January 24, 2023January 24, 2023 by Admin

Vice Society Ransomware Group Targets Manufacturing Companies Ransomware In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry. By: Ieriz Nicolle Gonzalez, Paul Pajares, Arianne Dela Cruz, Warren Sto.Tomas January 24, 2023 Read time: ( words) The Vice Society ransomware group made headlines in late 2022 and early 2023 during a spate of attacks against several targets, such as the one…

Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures

Posted on January 17, 2023January 17, 2023 by Admin

Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures Malware We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East and North Africa. By: Peter Girnus, Aliakbar Zahravi January 17, 2023 Read time: ( words) While threat hunting, we found an active campaign using Middle Eastern geopolitical themes as a lure to target potential…

Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks

Posted on January 17, 2023January 17, 2023 by Admin

Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks Malware We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader). By: Junestherry Dela Cruz January 17, 2023 Read time: ( words) We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis…

Gootkit Loader Actively Targets Australian Healthcare Industry

Posted on January 9, 2023January 11, 2023 by Admin

Credential access The file krb.txt was created by one of the injected processes that contains Kerberos hashes for several accounts. Given that we did not see any dumping activity in the process telemetry, the dumping process transpired in the memory; it did not introduce a new tool or an executable file to do the dumping. Impact The final payload is unknown for this case since we detected it and responded to it while it was…

Dridex Returns, Targets MacOS Using New Entry Method

Posted on January 5, 2023January 5, 2023 by Admin

Dridex Returns, Targets MacOS Using New Entry Method Malware The Dridex variant we analyzed targets MacOS platforms with a new technique to deliver documents embedded with malicious macros to users. By: Armando Nathaniel Pedragoza January 05, 2023 Read time: ( words) Normally, documents containing malicious macros enter a user’s system via email attachments posing as normal document files. However, while this might be the primary method of arrival, malicious actors have other ways of entering…

IcedID Botnet Distributors Abuse Google PPC to Distribute Malware

Posted on December 23, 2022December 23, 2022 by Admin

IcedID Botnet Distributors Abuse Google PPC to Distribute Malware Malware We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks. By: Ian Kenefick December 23, 2022 Read time: ( words) After closely tracking the activities of the IcedID botnet, we have discovered some significant changes in its distribution methods. Since December 2022, we observed the abuse of Google pay per…

Detecting Windows AMSI Bypass Techniques

Posted on December 21, 2022December 21, 2022 by Admin

Techniques bypassing AMSI were primarily used by security researchers and penetration testers. In recent years, however, cybercriminals have abused this and included the method as a feature in malware routines to evade detection that allowed them to continuously operate in a victim’s computer. Prior to AMSI, detections of fileless threats proved difficult. Previously documented methods used to achieve an AMSI bypass were: Obfuscation and/or encryption PowerShell downgrade Hooks and unhooks Memory patching Forcing an error…

A Technical Analysis of CVE-2022-22583 and CVE-2022-32800

Posted on December 21, 2022December 21, 2022 by Admin

A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 Exploits & Vulnerabilities This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report. By: Mickey Jin December 21, 2022 Read time: ( words) On Jan. 26, 2022, Apple patched a System Integrity Protection (SIP)-bypass vulnerability in the PackageKit framework, identified as CVE-2022-22583. Apple shared…

Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities

Posted on December 20, 2022December 20, 2022 by Admin

A new bypass appears According to the aforementioned patch, we can see that if we can bypass the volume path check at line 81, then the system_installd service will spawn the script directly instead of resorting to the isolated XPC service. The question then is, how can we bypass the volume path check? Through debugging, we found that the destination volume path returned at line 80 is an arbitrary mounted DMG volume path that we…

Raspberry Robin Malware Targets Telecom, Governments

Posted on December 20, 2022December 20, 2022 by Admin

We noted layers 3 and 5 as capable of anti-analysis techniques. Meanwhile, we found that not all layers have unique packers. The fourth and seventh layers are identical, as well as the tenth and thirteenth. The packing of the eighth and fourteenth layers are also similar. This repeated use of packers implies that the group is using a separate packing program. We are continuing with our analysis to see if this program is their own…

« 1 2 3 4 5 … 11 »

Vice Society Ransomware Group Targets Manufacturing Companies

Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks

Gootkit Loader Actively Targets Australian Healthcare Industry

Dridex Returns, Targets MacOS Using New Entry Method

IcedID Botnet Distributors Abuse Google PPC to Distribute Malware

Detecting Windows AMSI Bypass Techniques

A Technical Analysis of CVE-2022-22583 and CVE-2022-32800

Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities

Raspberry Robin Malware Targets Telecom, Governments

VMWARE

Helping Public Sector Organisations Define Cloud Strategy

How to change the VLAN ID of the Service Console in ESX from the command line/console

Cisco UCS and Vmware Interfaces (Vnics) HA Design Considerations

Troubleshooting network and TCP/UDP port connectivity issues on ESX/ESXi(2020669)

vSphere Client Parameters

Configuration Templates

CUE Licenses

Trouble shooting Unity Express with Call Manager Integeration & Operational Issues

CME Configuration Example: SIP Trunks to Viatalk and VoIP.ms

SIP Phone registration – CME Configuration

CUE Voicemail + VPIM networking (CUE to unity)