#Malware_analysis
1. Owowa: the add-on that turns your OWA into a credential stealer and remote access panel
https://securelist.com/owowa-credential-stealer-and-remote-access/105219
2. TinyNuke Banking Malware
https://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities
@IotPenetrationTesting
Securelist
Owowa: the add-on that turns your OWA into a credential stealer and remote access panel
We found a suspicious binary and determined it as an IIS module, aimed at stealing credentials and enabling remote command execution from OWA. We named the malicious module ‘Owowa’,
Forwarded from Red Blue Team
Full_Spectrum_Detections_for_Web_Shells.pdf
#Blue_Team
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, TWOFACE
@BlueRedTeam
#Malware_analysis
BLISTER malware campaign
https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign
@IotPenetrationTesting
www.elastic.co
Elastic Security uncovers BLISTER malware campaign — Elastic Security Labs
Elastic Security has identified active intrusions leveraging the newly identified BLISTER malware loader utilizing valid code-signing certificates to evade detection. We are providing detection guidance for security teams to protect themselves.
IoT_honeypot_ecosystem.pdf
#Research
#IoT_Security
"What are Attackers after on IoT Devices?
An approach based on a multi-phased multi-faceted IoT honeypot ecosystem and data clustering", 2021.
@IotPenetrationTesting
Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations
https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html
@IotPenetrationTesting
#Malware_analysis
1. McAfee Phishing Campaign with a Nice Fake Scan
https://isc.sans.edu/forums/diary/McAfee+Phishing+Campaign+with+a+Nice+Fake+Scan/28208
2. The Continued Evolution of Abcbot
https://www.cadosecurity.com/the-continued-evolution-of-abcbot
Cado Security | Cloud Forensics & Incident Response
The Continued Evolution of Abcbot - Cado Security | Cloud Forensics & Incident Response
A new version of a malicious shell script targeting insecure cloud instances has recently been discovered.
#Malware_analysis
1. Monitoring malware abusing CVE-2020-1599
https://blog.virustotal.com/2022/01/monitoring-malware-abusing-cve-2020-1599.html
2. Patchwork APT caught in its own web...
https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web
@IotPenetrationTesting
Virustotal
Monitoring malware abusing CVE-2020-1599
CVE-2020-1599 is a vulnerability that can be abused by adding data (that will be later executed) to the signature section of a file, for i...
#Malware
#Analysis
1. How to Analyze Malicious Microsoft Office Files
https://www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-office-files
2. Nanocore, Netwire, AsyncRAT spreading campaign uses public cloud infrastructure
https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html
3. Decrypting Qakbot’s Encrypted Registry Keys
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys
@IotPenetrationTesting
Intezer
How to Analyze Malicious Microsoft Office Files
Got malicious Microsoft Office files? Check out this deep dive into the different Office file formats and how they are abused by attackers.
#Malware
#Analysis
1. Pysa Ransomware: A Deep-Dive Analysis
https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis
2. MOTIF Dataset
https://github.com/boozallen/MOTIF
@IotPenetrationTesting
Cyble
Cyble - Pysa Ransomware Under The Lens: A Deep-Dive Analysis
A human-operated ransomware, Pysa encrypts the victim files and drops ransom notes to instruct users on how to recover the files.
Campaigns abusing corporate trusted infrastructure
hunt for corporate credentials on ICS networks
https://ics-cert.kaspersky.com/publications/reports/2022/01/19/campaigns-abusing-corporate-trusted-infrastructure-hunt-for-corporate-credentials-on-ics-networks
]-> Guide to ICS Security
(NIST SP800-82 rev.2, .pdf):
https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final
#SCADA
@IotPenetrationTesting
Kaspersky ICS CERT | Kaspersky Industrial Control Systems Cyber Emergency Response Team
Campaigns abusing corporate trusted infrastructure hunt for corporate credentials on ICS networks | Kaspersky ICS CERT
Targets of spyware attacks in which each malware sample has a limited-scope and a short lifetime include industrial enterprises. Victim organizations’ SMTP services are abused to send phishing emails and collect stolen data.
#Malware_analysis
1. Technical Analysis of the WhisperGate Malicious Bootloader
https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware
]-> https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate
2. MoonBounce: the dark side of UEFI firmware
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468
3. AVADDON Ransomware
https://www.mandiant.com/resources/chasing-avaddon-ransomware
@IotPenetrationTesting
#Malware_analysis
1. BlackCat Ransomware: Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims
https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims
2. Custom Previews For Malicious Attachments:
A phishing technique that allows attackers to create fake previews for their malicious attachment with Gmail
https://mrd0x.com/phishing-google-users-by-spoofing-previews
@IotPenetrationTesting
SentinelOne
BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims
With victims in the US, Australia and India, BlackCat is a new RaaS making a big impact. Learn more about this unique ransomware's behavior and IoCs.
#Malware_analysis
1. DTPacker - a .NET Packer with a Curious Password
https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1
2. Deep Dive into Trickbot's Web Injection
https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection
@IotPenetrationTesting
Proofpoint
DTPacker – a .NET Packer with a Curious Password | Proofpoint US
Key Findings Proofpoint identified a malware packer which researchers have dubbed DTPacker. The payload decoding uses a fixed password containing former U.S. president Donald
#Malware_analysis
1. Owowa: the add-on that turns your OWA into a credential stealer and remote access panel
https://securelist.com/owowa-credential-stealer-and-remote-access/105219
2. Evolved phishing:
Device registration trick adds to phishers’ toolbox for victims without MFA
https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa
3. Watering hole deploys new macOS malware, DazzleSpy, in Asia
https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia
@IotPenetrationTesting
#Malware_analysis
1. Lazarus APT leverages Windows Update client, GitHub in latest campaign
https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign
2. The Cookies Parasite
https://www.perimeterx.com/tech-blog/2022/cookies-parasite
3. Unknown Info Stealer Distributed via Compromised Discord Accounts
https://github.com/captainGeech42/malware/tree/main/samples/2022-01-29_unknown_stealer
@IotPenetrationTesting
ThreatDown by Malwarebytes
North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign
How one of North Korea’s most sophisticated APTs tries to avoid detection by using legitimate tools during its attacks.