-
Capturing Honeypot Data Beyond the Logs, (Thu, Dec 26th)
By default, DShield Honeypots [1] collect firewall, web and cowrie (telnet/ssh) [2] data and log them on the local filesystem. A subset of this data is reported to the SANS Internet Storm Center (ISC) where it can be used by anyone [3]. A common question that comes up from new users is whether there is any…
-
Compiling Decompyle++ For Windows, (Wed, Dec 25th)
Occasionaly I decompile Python code, with decompilers written in Python. Recently I discovered Decompyle++, a Python disassembler & decompiler written in C++. It’s very easy to compile for Linux, but a bit more difficult for Windows. This is how I compiled Decompyle++ on Windows: I used Microsoft Visual Studio Community 2022. First I launch the…
-
More SSH Fun!, (Tue, Dec 24th)
A few days ago, I wrote a diary[1] about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I already found another one. The script is a Windows batch file (SHA256:3172eb8283a3e82384e006458265b60001ba68c7982fda1b81053705496a999c)[2] that has a…
-
Modiloader From Obfuscated Batch File, (Mon, Dec 23rd)
My last investigation is a file called “Albertsons_payment.GZ”, received via email. The file looks like an archive but is identified as a picture by TrID: Collecting data from file: Albertsons_payment.GZ 100.0% (.PG/BIN) PrintFox/Pagefox bitmap (640×800) (1000/1) Finally, it’s a Windows Cabinet file: remnux@remnux:/MalwareZoo/20241218$ cabextract -t Albertsons_payment.GZ Testing cabinet: Albertsons_payment.GZ Chine_ana22893D347515193D264135FF38996037FF515169loodatke.PNG OK dc156637aebf04336700a9bc71c78aad OK 7cd592cb2f2179e188e9e99cb7c06bba Svcrhpjadgyclc.cmd…
-
Christmas “Gift” Delivered Through SSH, (Fri, Dec 20th)
Christmas is at our doors and Attackers use the holiday season to deliver always more and more gifts into our mailboxes! I found this interesting file this morning: “christmas_slab.pdf.lnk”[1]. Link files (.lnk) are a classic way to execute something malicious on the victim’s computer but the technique used here is interesting. For a while, Microsoft…
-
ISC Stormcast For Friday, December 20th, 2024 https://isc.sans.edu/podcastdetail/9264, (Fri, Dec 20th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
![Command Injection Exploit For PHPUnit before 4.8.28 and 5.x before 5.6.3 [Guest Diary], (Tue, Dec 17th)](/wp-content/uploads/2024/12/Sahil_Shaikh_pic1-UzlX9a.png)
Command Injection Exploit For PHPUnit before 4.8.28 and 5.x before 5.6.3 [Guest Diary], (Tue, Dec 17th)
[This is a Guest Diary by Sahil Shaikh, an ISC intern as part of the SANS.edu BACS program] Introduction CVE-2017-9841 is a vulnerability is a security flaw in PHPUnit before 4.8.28 and 5.x before 5.6.3. This flaw allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a “<?php ” substring.…
-
ISC Stormcast For Thursday, December 19th, 2024 https://isc.sans.edu/podcastdetail/9262, (Thu, Dec 19th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
ISC Stormcast For Wednesday, December 18th, 2024 https://isc.sans.edu/podcastdetail/9260, (Wed, Dec 18th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
![[Guest Diary] A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th)](/wp-content/uploads/2024/12/2024-12-18_figure1-5KbF1R.png)
[Guest Diary] A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th)
[This is a Guest Diary by James Levija, an ISC intern as part of the SANS.edu Bachelor’s Degree in Applied Cybersecurity (BACS) program [1].] Executive Summary TeamTNT is running a crypto mining campaign dubbed Spinning YARN. Spinning YARN focuses on exploiting Docker, Redis, YARN, and Confluence [2]. On November 4th, 2024, my DShield sensor recorded…
