Phishing for Banking Information, (Fri, Dec 27th)
It is again the time of the year when scammers are asking to verify banking information, whether it is credit cards, bank cards, package shipping information, winning money, etc. Last night I received a text message to verify a credit card, in this case a Bank of Montreal (BMO) credit card. From Bank of Montreal…
Capturing Honeypot Data Beyond the Logs, (Thu, Dec 26th)
By default, DShield Honeypots [1] collect firewall, web and cowrie (telnet/ssh) [2] data and log them on the local filesystem. A subset of this data is reported to the SANS Internet Storm Center (ISC) where it can be used by anyone [3]. A common question that comes up from new users is whether there is any…
Compiling Decompyle++ For Windows, (Wed, Dec 25th)
Occasionally I decompile Python code, with decompilers written in Python. Recently I discovered Decompyle++, a Python disassembler & decompiler written in C++. It’s very easy to compile for Linux, but a bit more difficult for Windows. This is how I compiled Decompyle++ on Windows: I used Microsoft Visual Studio Community 2022. First I launch the…
More SSH Fun!, (Tue, Dec 24th)
A few days ago, I wrote a diary[1] about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I already found another one. The script is a Windows batch file (SHA256:3172eb8283a3e82384e006458265b60001ba68c7982fda1b81053705496a999c)[2] that has a…
Modiloader From Obfuscated Batch File, (Mon, Dec 23rd)
My last investigation is a file called “Albertsons_payment.GZ”, received via email. The file looks like an archive but is identified as a picture by TrID:

```
Collecting data from file: Albertsons_payment.GZ
100.0% (.PG/BIN) PrintFox/Pagefox bitmap (640×800) (1000/1)
```

Finally, it’s a Windows Cabinet file:

```
remnux@remnux:/MalwareZoo/20241218$ cabextract -t Albertsons_payment.GZ
Testing cabinet: Albertsons_payment.GZ
  Chine_ana22893D347515193D264135FF38996037FF515169loodatke.PNG OK dc156637aebf04336700a9bc71c78aad OK 7cd592cb2f2179e188e9e99cb7c06bba Svcrhpjadgyclc.cmd…
```
Christmas “Gift” Delivered Through SSH, (Fri, Dec 20th)
Christmas is at our doors and attackers use the holiday season to deliver ever more gifts into our mailboxes! I found this interesting file this morning: “christmas_slab.pdf.lnk”[1]. Link files (.lnk) are a classic way to execute something malicious on the victim’s computer, but the technique used here is interesting. For a while, Microsoft…
ISC Stormcast For Friday, December 20th, 2024 https://isc.sans.edu/podcastdetail/9264, (Fri, Dec 20th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Command Injection Exploit For PHPUnit before 4.8.28 and 5.x before 5.6.3 [Guest Diary], (Tue, Dec 17th)
[This is a Guest Diary by Sahil Shaikh, an ISC intern as part of the SANS.edu BACS program] Introduction: CVE-2017-9841 is a security flaw in PHPUnit before 4.8.28 and 5.x before 5.6.3. This flaw allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a “<?php ” substring.…
ISC Stormcast For Thursday, December 19th, 2024 https://isc.sans.edu/podcastdetail/9262, (Thu, Dec 19th)
ISC Stormcast For Wednesday, December 18th, 2024 https://isc.sans.edu/podcastdetail/9260, (Wed, Dec 18th)