-

SwaetRAT Delivery Through Python, (Fri, Jan 3rd)
We entered a new year, but attack scenarios have not changed (yet). I found a Python script with an interesting behavior[1] and a low VirusTotal score (7/61). It targets Microsoft Windows hosts because it starts by loading all the libraries required to call Microsoft APIs and manipulate payloads:

from System.Reflection import Assembly
from ctypes import windll
from…
-

Goodware Hash Sets, (Thu, Jan 2nd)
In the cybersecurity landscape, we all need hashes! A hash is the result of applying a special mathematical function (a “hash function”) that transforms an input (such as a file or a piece of text) into a fixed-size string or number. This output, often called a “hash value,” “digest,” or “checksum,” uniquely represents the original…
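The teaser above explains what a hash value is and why goodware hash sets matter. The following is an added example, not code from the diary: it reads a file once while feeding MD5, SHA-1 and SHA-256 in parallel (the three digests that public goodware sets such as NSRL typically publish), then looks the SHA-256 up in a known-good set. The goodware set here is constructed for the demonstration and contains only the SHA-256 of the bytes `hello world\n`; it is not a real hash set.

```python
import hashlib
import os
import tempfile

# Constructed goodware set (assumption for this example, not a real NSRL/ISC
# data set): only the SHA-256 of the exact bytes b"hello world\n".
GOODWARE_SHA256 = {
    "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447",
}


def digests(path, chunk_size=1 << 20):
    """Hash a file in a single pass, updating MD5, SHA-1 and SHA-256 per chunk.

    Reading once matters for large samples and for slow storage: every
    algorithm sees the same chunk, so the file is never re-read per digest.
    """
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify(path, goodware_sha256=GOODWARE_SHA256):
    """Return ("known-good" | "unknown", digests) for the file at path.

    Only SHA-256 is used for the decision: MD5 and SHA-1 are kept solely to
    match older hash sets, since collisions are practical for both.
    """
    d = digests(path)
    verdict = "known-good" if d["sha256"] in goodware_sha256 else "unknown"
    return verdict, d


def write_sample(data, name="sample.bin"):
    """Write constructed bytes to a temp directory and return the path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    for payload in (b"hello world\n", b"hello world\n\x00"):
        p = write_sample(payload)
        verdict, d = classify(p)
        print(f"{os.path.basename(p)}: {verdict} sha256={d['sha256']}")
```

A single appended null byte is enough to move a file from "known-good" to "unknown", which is exactly the property a hash set relies on: it answers "is this byte-for-byte the file we know", nothing more.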
-

No Holiday Season for Attackers, (Tue, Dec 31st)
While most of us are preparing the switch to a new year (if it’s already the case for you: Happy New Year!), attackers never stop and are always implementing new tricks to defeat our security controls. For a long time now, we have been flooded by sextortion emails. This is a kind of blackmail where someone…
-

Changes in SSL and TLS support in 2024, (Mon, Dec 30th)
With the end of the year quickly approaching, it is undoubtedly a good time to take a look at what has changed during the past 12 months. One security-related area, which deserves special attention in this context, is related to the use of different versions of SSL and TLS on various servers on the internet,…
-

Phishing for Banking Information, (Fri, Dec 27th)
It is again the time of the year when scammers are asking to verify banking information, whether it is credit cards, bank cards, package shipping information, winning money, etc. Last night I received a text message to verify a credit card, in this case a Bank of Montreal (BMO) credit card. From Bank of Montreal…
-

Capturing Honeypot Data Beyond the Logs, (Thu, Dec 26th)
By default, DShield Honeypots [1] collect firewall, web and cowrie (telnet/ssh) [2] data and log them on the local filesystem. A subset of this data is reported to the SANS Internet Storm Center (ISC) where it can be used by anyone [3]. A common question that comes up from new users is whether there is any…
-

Compiling Decompyle++ For Windows, (Wed, Dec 25th)
Occasionally I decompile Python code, with decompilers written in Python. Recently I discovered Decompyle++, a Python disassembler & decompiler written in C++. It’s very easy to compile for Linux, but a bit more difficult for Windows. This is how I compiled Decompyle++ on Windows: I used Microsoft Visual Studio Community 2022. First I launch the…
-
More SSH Fun!, (Tue, Dec 24th)
A few days ago, I wrote a diary[1] about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I already found another one. The script is a Windows batch file (SHA256:3172eb8283a3e82384e006458265b60001ba68c7982fda1b81053705496a999c)[2] that has a…
-

Modiloader From Obfuscated Batch File, (Mon, Dec 23rd)
My last investigation is a file called “Albertsons_payment.GZ”, received via email. The file looks like an archive but is identified as a picture by TrID:

Collecting data from file: Albertsons_payment.GZ
100.0% (.PG/BIN) PrintFox/Pagefox bitmap (640×800) (1000/1)

Finally, it’s a Windows Cabinet file:

remnux@remnux:/MalwareZoo/20241218$ cabextract -t Albertsons_payment.GZ
Testing cabinet: Albertsons_payment.GZ
  Chine_ana22893D347515193D264135FF38996037FF515169loodatke.PNG  OK
  dc156637aebf04336700a9bc71c78aad  OK
  7cd592cb2f2179e188e9e99cb7c06bba Svcrhpjadgyclc.cmd…
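The point of the teaser above is that neither the `.GZ` extension nor TrID's guess says what the file really is; the `MSCF` signature and cabextract do. As an added example (not the diary's own tooling), the Python below sniffs a few well-known magic numbers, parses the fixed CFHEADER fields of a Microsoft Cabinet (signature, cabinet size, version, folder and file counts), and flags a mismatch between the extension's claim and the actual content. The cabinet header bytes used as input are constructed for the demonstration and are not the sample from the diary; they form a valid header only, not an extractable archive.

```python
import os
import struct

# Microsoft CFHEADER (first 36 bytes of a cabinet), little-endian:
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CAB_HEADER = struct.Struct("<4sIIIIIBBHHHHH")

# Magic numbers checked at offset 0; first match wins.
MAGICS = [
    (b"MSCF", "cab"),
    (b"\x1f\x8b", "gzip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
]

# What an extension claims the content to be (assumed mapping for this example).
EXT_TO_TYPE = {".gz": "gzip", ".png": "png", ".zip": "zip", ".cab": "cab", ".exe": "pe"}


def sniff(data):
    """Identify content by leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def parse_cab_header(data):
    """Return the CFHEADER fields as a dict, or None if not a cabinet."""
    if len(data) < CAB_HEADER.size or data[:4] != b"MSCF":
        return None
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3,
     ver_minor, ver_major, n_folders, n_files, flags, set_id, i_cabinet) = \
        CAB_HEADER.unpack_from(data)
    return {
        "size": cb_cabinet,
        "first_cffile_offset": coff_files,
        "version": f"{ver_major}.{ver_minor}",
        "folders": n_folders,
        "files": n_files,
        "flags": flags,
        "set_id": set_id,
        "cabinet_index": i_cabinet,
    }


def check(name, data):
    """Compare the type claimed by the extension with the sniffed type."""
    actual = sniff(data)
    claimed = EXT_TO_TYPE.get(os.path.splitext(name)[1].lower())
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed is not None and claimed != actual,
        "cab": parse_cab_header(data) if actual == "cab" else None,
    }


# Constructed header: version 1.3, one folder, three files, set ID 0x1234.
SAMPLE_CAB_HEADER = CAB_HEADER.pack(
    b"MSCF", 0, 1234, 0, CAB_HEADER.size + 8, 0, 3, 1, 1, 3, 0, 0x1234, 0
)
SAMPLE_GZIP_HEADER = b"\x1f\x8b\x08" + b"\x00" * 7


if __name__ == "__main__":
    for fname, blob in (("payment.GZ", SAMPLE_CAB_HEADER),
                        ("real.gz", SAMPLE_GZIP_HEADER)):
        r = check(fname, blob)
        print(f"{r['name']}: claimed={r['claimed']} actual={r['actual']} "
              f"mismatch={r['mismatch']} cab={r['cab']}")
```

Magic-number sniffing is not a substitute for a real identifier like `file` or TrID, but a hard check on the first four bytes is cheap, and an extension that contradicts the content is by itself a strong triage signal for mail-delivered attachments.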
-
Christmas “Gift” Delivered Through SSH, (Fri, Dec 20th)
Christmas is at our doors and attackers use the holiday season to deliver ever more “gifts” into our mailboxes! I found this interesting file this morning: “christmas_slab.pdf.lnk”[1]. Link files (.lnk) are a classic way to execute something malicious on the victim’s computer, but the technique used here is interesting. For a while, Microsoft…

