CybersafeNV - CybersafeNV Website

Category: SANS Full Feed


  • Quick & Dirty Obfuscated JavaScript Analysis, (Sun, Nov 24th)
    November 24, 2024

    As mentioned in diary entry “Increase In Phishing SVG Attachments”, I have a phishing SVG sample with heavily obfuscated JavaScript. As I didn’t want to spend time doing static analysis, I did a quick dynamic analysis instead. TL;DR: I open the SVG file in a VM disconnected from the Internet, and use Edge’s developer tools…


  • Decrypting a PDF With a User Password, (Sat, Nov 23rd)
    November 23, 2024

    In diary entry “Analyzing an Encrypted Phishing PDF”, I decrypted a phishing PDF document. Because the PDF was encrypted for DRM (owner password), I didn’t have to provide a password. What happens if you try this with a PDF encrypted for confidentiality (user password), where a password is needed to open the document? The PDF…


  • November 23, 2024

    Wireshark 4.4.2 Released, (Sat, Nov 23rd)

    Wireshark release 4.4.2 fixes 2 vulnerabilities and 33 bugs.

    Didier Stevens, Senior handler, blog.DidierStevens.com

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


  • November 22, 2024

    An Infostealer Searching for « BIP-0039 » Data, (Fri, Nov 22nd)

    I like obfuscation techniques implemented by malware developers. If their primary purpose is to defeat security controls and automatic scanners, they are a great starting point for malware analysts. Indeed, if some data or actions have been obfuscated, that means that they can disclose interesting TTP’s. When reviewing a malicious Python script, I found this piece…


  • November 22, 2024

    ISC Stormcast For Friday, November 22nd, 2024 https://isc.sans.edu/podcastdetail/9230, (Fri, Nov 22nd)


  • November 21, 2024

    ISC Stormcast For Thursday, November 21st, 2024 https://isc.sans.edu/podcastdetail/9228, (Thu, Nov 21st)


  • Increase In Phishing SVG Attachments, (Thu, Nov 21st)
    November 21, 2024

    There is an increase in SVG attachments used in phishing emails (Scalable Vector Graphics, an XML-based vector image format). I took a look at some samples mentioned in the Bleeping Computer article, and searched for more samples on VirusTotal. These samples contain HTML & JavaScript code to display a blurry Excel PNG image, and a…


  • November 20, 2024

    ISC Stormcast For Wednesday, November 20th, 2024 https://isc.sans.edu/podcastdetail/9226, (Wed, Nov 20th)


  • November 19, 2024

    Apple Fixes Two Exploited Vulnerabilities, (Tue, Nov 19th)

    Today, Apple released updates patching two vulnerabilities that have already been exploited. Interestingly, according to Apple, the vulnerabilities have only been exploited against Intel-based systems, but they appear to affect ARM (M"x") systems as well.

    CVE-2024-44308: A vulnerability in JavaScriptCore. It could be triggered by the user visiting a malicious web page and may lead…


  • November 19, 2024

    Detecting the Presence of a Debugger in Linux, (Tue, Nov 19th)

    Hello from Singapore where I’m with Johannes and Yee! This week, I’m teaching FOR710[1]. I spotted another Python script that looked interesting because, amongst the classic detection of virtualized environments, it also tries to detect the presence of a debugger. The script has been developed to target both environments: Windows & Linux. On Windows, it’s pretty easy to detect…


Copyright © 2022 Cyber Safe NV. All Rights Reserved.