CybersafeNV - CybersafeNV Website

Category: SANS Full Feed


  • Windows Defender Chrome Extension Detection, (Fri, Jan 10th)
    January 10, 2025

    With the recent Cyberhaven Extension(2) attack, looking for specific Chrome extensions installed can be very helpful. If you are running Defender with enhanced vulnerability management, Defender automatically catalogs installed extensions by going to Vulnerability Management -> Inventories and selecting Browser Extension from the Defender Console. Also, you can do Hunt Queries on the DeviceTvmBrowserExtensions table. For…

  • Examining Redtail Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics [Guest Diary], (Thu, Jan 9th)
    January 9, 2025

    [This is a Guest Diary by Cody Hales, an ISC intern as part of the SANS.edu BACS program] Introduction From August to November 2024, my honeypot has captured a wide array of malicious content. In this analysis, I will focus on a specific strain of malware called redtail and the scripts that enable its execution.…

  • January 9, 2025

    ISC Stormcast For Thursday, January 9th, 2025 https://isc.sans.edu/podcastdetail/9272, (Thu, Jan 9th)

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

  • January 8, 2025

    ISC Stormcast For Wednesday, January 8th, 2025 https://isc.sans.edu/podcastdetail/9270, (Wed, Jan 8th)

  • PacketCrypt Classic Cryptocurrency Miner on PHP Servers, (Tue, Jan 7th)
    January 7, 2025

    Side note: During the investigation, it was noted that the PacketCrypt (PKT) project evolved from a proof-of-work approach [now known as PKT Classic (PKTC)] to a new Stake-to-Earn (currently known as PKT) approach [3]. As such, there is a distinction in the cryptocurrency for the legacy project (PKTC) and the current iteration (PKT). In this…

  • January 7, 2025

    ISC Stormcast For Tuesday, January 7th, 2025 https://isc.sans.edu/podcastdetail/9268, (Tue, Jan 7th)

  • January 6, 2025

    Make Malware Happy, (Mon, Jan 6th)

    When I teach FOR610[1], I like to use a funny quotation with my students: “Make malware happy!” What does it mean? Yes, we like malware, and we need to treat it in a friendly way. To help the malware work or detonate successfully, it’s recommended that we replicate the environment where it was discovered (or…

  • January 6, 2025

    ISC Stormcast For Monday, January 6th, 2025 https://isc.sans.edu/podcastdetail/9266, (Mon, Jan 6th)

  • SwaetRAT Delivery Through Python, (Fri, Jan 3rd)
    January 3, 2025

    We entered a new year, but attack scenarios have not changed (yet). I found a Python script with an interesting behavior[1] and a low Virustotal score (7/61). It targets Microsoft Windows hosts because it starts by loading all libraries required to call Microsoft API Calls and manipulate payloads: from System.Reflection import Assembly from ctypes import windll from…

  • Goodware Hash Sets, (Thu, Jan 2nd)
    January 2, 2025

    In the cybersecurity landscape, we all need hashes! A hash is the result of applying a special mathematical function (a “hash function”) that transforms an input (such as a file or a piece of text) into a fixed-size string or number. This output, often called a “hash value,” “digest,” or “checksum,” uniquely represents the original…


Copyright © 2022 Cyber Safe NV. All Rights Reserved.