Category: SANS Full Feed

The Good Stuff First This tool is being shared (calling it a tool is generous) due to the number of times last year I had to create fake internet domains. It adds domains and zones to Windows DNS. This was to help with the many student cyber ranges that got ‘sploited [1] in the name of…

Read More

[This is a Guest Diary by David Watson, an ISC intern as part of the SANS.edu BACS program] One thing I’ve learned about cybersecurity, particularly during my time here at the Internet Storm Center is this: If you don’t capture detailed network data (like PCAPs), you can easily miss the full picture of an attack,…

Read More

Attackers like to mix multiple technologies to improve the deployment of their malicious code. I spotted a small script that drops a Python malware. The file was sent on VirusTotal and got a score of 2/60![1] (SHA256:96bb0777a8e9616bc9ca22ca207cf434a947a3e4286c051ed98ddd39147b3c4f). The script starts by downloading and opening a fake Garmin document through Powershell: powershell.exe -WindowStyle Hidden -Command “[Net.ServicePointManager]::SecurityProtocol =…

Read More

Exodus is a well-known crypto wallet software[1] and, when you are popular, there are chances that attackers will target you! I already wrote a diary related to this application[2]. Yesterday, I found a new one that behaves differently. My previous diary described a Python script that will patch the original Exodus software. Today, it’s a real…

Read More

Threat actors who send out phishing messages have long ago learned that zero-width characters and unrendered HTML entities can be quite useful to them. Inserting a zero-width character into a hyperlink can be used to bypass some URL security checks without any negative impact on the function of the link, while any unrendered entities can…

Read More