reports

Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks

Posted on by Admin
Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks

Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks Malware We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader). By: Junestherry Dela Cruz January 17, 2023 Read time:  ( words) We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis…

Read More

Abusing a GitHub Codespaces Feature For Malware Delivery

Posted on by Admin
Abusing a GitHub Codespaces Feature For Malware Delivery

GitHub Codespaces, initially in preview for specific users, became widely available for free in November 2022. This cloud-based integrated development environment (IDE) allows developers and organizations to customize projects via configuring dev container files, easing some previous pain points in project development. We investigated the services offered by this cloud IDE and found that one of its features for code development and collaboration – sharing forwarded ports publicly – can be abused by malicious actors…

Read More

What is Red Teaming & How it Benefits Orgs

Posted on by Admin
What is Red Teaming & How it Benefits Orgs

In today’s increasingly connected world, red teaming has become a critical tool for organizations to test their security and identify possible gaps within their defenses. Red teaming, also known as red cell, adversary simulation, or Cyber Red Team, involves simulating real-world cyber attackers’ tactics, techniques, and procedures (TTPs) to assess an organization’s security posture. In the world of cybersecurity, the term “red teaming” refers to a method of ethical hacking that is goal-oriented and driven…

Read More

Gootkit Loader Actively Targets Australian Healthcare Industry

Posted on by Admin
Gootkit Loader Actively Targets Australian Healthcare Industry

Credential access The file krb.txt was created by one of the injected processes that contains Kerberos hashes for several accounts. Given that we did not see any dumping activity in the process telemetry, the dumping process transpired in the memory; it did not introduce a new tool or an executable file to do the dumping.   Impact The final payload is unknown for this case since we detected it and responded to it while it was…

Read More

Dridex Returns, Targets MacOS Using New Entry Method

Posted on by Admin
Dridex Returns, Targets MacOS Using New Entry Method

Dridex Returns, Targets MacOS Using New Entry Method Malware The Dridex variant we analyzed targets MacOS platforms with a new technique to deliver documents embedded with malicious macros to users. By: Armando Nathaniel Pedragoza January 05, 2023 Read time:  ( words) Normally, documents containing malicious macros enter a user’s system via email attachments posing as normal document files. However, while this might be the primary method of arrival, malicious actors have other ways of entering…

Read More

IcedID Botnet Distributors Abuse Google PPC to Distribute Malware

Posted on by Admin
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware

IcedID Botnet Distributors Abuse Google PPC to Distribute Malware Malware We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks. By: Ian Kenefick December 23, 2022 Read time:  ( words) After closely tracking the activities of the IcedID botnet, we have discovered some significant changes in its distribution methods. Since December 2022, we observed the abuse of Google pay per…

Read More

Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks

Posted on by Admin
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks

Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks Ransomware From September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks. By: Ivan Nicole Chavez, Byron Gelera, Monte de Jesus, Don Ovid Ladores, Khristian Joseph Morales December 21, 2022 Read time:  ( words)…

Read More

Detecting Windows AMSI Bypass Techniques

Posted on by Admin
Detecting Windows AMSI Bypass Techniques

Techniques bypassing AMSI were primarily used by security researchers and penetration testers. In recent years, however, cybercriminals have abused this and included the method as a feature in malware routines to evade detection that allowed them to continuously operate in a victim’s computer. Prior to AMSI, detections of fileless threats proved difficult. Previously documented methods used to achieve an AMSI bypass were: Obfuscation and/or encryption PowerShell downgrade Hooks and unhooks Memory patching Forcing an error…

Read More

A Technical Analysis of CVE-2022-22583 and CVE-2022-32800

Posted on by Admin
A Technical Analysis of CVE-2022-22583 and CVE-2022-32800

A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 Exploits & Vulnerabilities This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report. By: Mickey Jin December 21, 2022 Read time:  ( words) On Jan. 26, 2022, Apple patched a System Integrity Protection (SIP)-bypass vulnerability in the PackageKit framework, identified as CVE-2022-22583. Apple shared…

Read More

Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities

Posted on by Admin
Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities

A new bypass appears According to the aforementioned patch, we can see that if we can bypass the volume path check at line 81, then the system_installd service will spawn the script directly instead of resorting to the isolated XPC service. The question then is, how can we bypass the volume path check? Through debugging, we found that the destination volume path returned at line 80 is an arbitrary mounted DMG volume path that we…

Read More
1 4 5 6 7 8 27