Westcon has signed an agreement with AttackIQ, the leader in Breach and Attack Simulation (BAS), to distribute its solutions with immediate effect in the EMEA and APAC regions. Carl Wright, Chief Commercial Officer at Attack IQ, comments: “Breach damage is worse than ever. In 2021, cyber damage on the global economy is expected to reach $6..
Early Visual Basic program crackers knew that if you put a breakpoint in the right place, you can intercept strings entered into a text/input box. Once you do that, finding the key verification routine is easy, because it will reference the memory buffer you can track once the data has been copied into it.
Around 13 years ago I was asked by an analyst on my team to help him with a WinBatch-compiled malicious sample. At that time there were not many options for analyzing these types of programs and, of course, reading the producer’s web site one would be discouraged from reverse engineering such executables, as they are ‘close to impossible to crack’. After poking around I realized that the code of the ‘compiled’ batch file was actually available in plain text at run-time! It was decrypted and then stored in a memory block on the heap.
I was experimenting a lot with API hooking at that time, and this particular experience led me to write a tool that intercepted calls to the RtlFreeHeap function (HeapFree is forwarded to it), then dumped the content of the memory block the API referenced to a file before releasing the memory. You see, if you are a coder who has been taught to free memory buffers after use, it’s only natural that you will call these APIs, even if you don’t really need to, because once the process exits those buffers are released anyway…
That tool I wrote back in 2008 was essential in handling many samples that were ‘scripts hidden by obfuscation more than anything else’: it dealt with executables created by perl2exe, WinBatch, many bat2exe converters, and the like. It would literally take seconds to run a suspicious sample through that tool, review the data file it created, and cherry-pick the content that was of interest.
Thanks to that tool I was probably one of the first analysts able to systematically dump the code of many perl2exe samples targeting POS systems, as well as of forensic tools shared by prominent forensic experts; compare, for example, rfc.exe with its source code, where the dump from my tool shows this (raw data + formatted):
Over the next few years I started building a more robust sandbox, and I added handling for buffers freed by many memory-release functions, including VirtualFree, RtlFreeHeap, GlobalFree/LocalFree, free, NtFreeVirtualMemory and a few others that I knew could hold buffers worth looking at.
Software analysis has progressed a great deal since then, and we now have a gamut of decompilers, sandboxes, emulators, debuggers, plug-ins and both dynamic- and static-oriented analysis tools. It’s a treat.
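As an added illustration of the free-hook idea described above (and of why the resulting dump needs cherry-picking), here is a portable C stand-in; it is not the author’s 2008 tool and does no Windows API hooking. The hypothetical `hooked_free` plays the role of the RtlFreeHeap interception, `run_wrapped_script` is a constructed stand-in for a script-to-exe wrapper that decodes its script onto the heap and frees it after use, and the script text and XOR key are made up for the demo.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define CAPTURE_MAX 4096
#define MIN_RUN 8   /* like `strings`: printable runs shorter than this are noise */
static char capture[CAPTURE_MAX];   /* the "data file" the hook writes into */
static size_t capture_len;

/* Stand-in for the RtlFreeHeap hook: harvest printable runs from the block
 * about to be released, then release it. The size is passed in here; a real
 * hook would query the heap for the block size instead. */
void hooked_free(void *block, size_t size) {
    const unsigned char *p = block;
    size_t start = 0;
    for (size_t i = 0; i <= size; i++) {
        int keep = i < size && (isprint(p[i]) || p[i] == '\n' || p[i] == '\r' || p[i] == '\t');
        if (keep) continue;                 /* still inside a printable run */
        size_t run = i - start;
        if (run >= MIN_RUN && capture_len + run + 2 <= CAPTURE_MAX) {
            memcpy(capture + capture_len, p + start, run);
            capture_len += run;
            capture[capture_len++] = '\n';
            capture[capture_len] = '\0';
        }
        start = i + 1;
    }
    free(block);
}

/* Constructed stand-in for a script-to-exe wrapper (not any real converter's
 * format): the script ships XOR-encoded, is decoded onto the heap to run, and
 * is then freed like a good citizen, which is exactly when the hook sees it. */
static const char script_src[] = "Message(\"Hello\", \"demo script\")\nExit\n";
static void xor_buf(unsigned char *buf, size_t n, unsigned char key) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key;
}
void run_wrapped_script(void) {
    size_t n = sizeof(script_src) - 1;
    unsigned char *packed = malloc(n), *plain = malloc(n + 1);
    memcpy(packed, script_src, n);
    xor_buf(packed, n, 0x5A);       /* on-disk form: not readable as-is */
    memcpy(plain, packed, n);
    xor_buf(plain, n, 0x5A);        /* run-time form: plaintext on the heap */
    plain[n] = '\0';
    /* ... the embedded interpreter would execute `plain` here ... */
    hooked_free(plain, n + 1);      /* plaintext lands in the capture log */
    hooked_free(packed, n);         /* the hook sees every block, noise included */
}
/* Review helper: does the capture hold the text we are after? */
int capture_contains(const char *needle) { return strstr(capture, needle) != NULL; }
```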
Yet.
One thing remains constant – tricks are here to stay.
If you can cut reversing corners – you definitely should.
More than 200 Google Forms impersonate top brands – including Microsoft OneDrive, Office 365, and Wells Fargo – to steal victims’ credentials.
The sudden shift to remote work rocked IT teams around the world, disrupting almost overnight systems that had been carefully designed to keep the business secure. As remote work continues, IT teams will need complete visibility of their network more than ever. ExtraHop’s Mike Campfield joins Security Weekly to make the case for why Network Detection and Response (NDR) should have a place in security strategies in 2021.
This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them!
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw205
A current and active cyberattack is spreading rapidly across organizations, propagating via open-redirector domains and subsidiary domains belonging to multiple global brands. The comprehensive, multi-layered attack is delivered via phishing emails that attempt to steal corporate email credentials and deploy malware. Find out how organizations can detect this attack, and how it compares to the Proud Boys phishing campaign.
This segment is sponsored by GreatHorn. Visit https://securityweekly.com/GreatHorn to learn more about them!
Offsite-training is expensive and inefficient. It takes key resources away from their jobs and then demands even more time from them by requiring that they then train the rest of the team on what they learned. On-demand training for the entire team through platforms like Cybrary enables leads to train and simultaneously develop training programs for the rest of the team that focus on hands-on skill development in the areas that are relevant and tailored.
This segment is sponsored by Cybrary. Visit https://cybrary.it/solved to learn more about them!
With Election Day Fast Approaching in the USA, Many Are Concerned About Cybersecurity at the Polls
It’s almost that time again. Election Day is just a few weeks away for…
This blog post was authored by Jérôme Segura and Hossein Jazi.
The 2020 US elections have been the subject of intense scrutiny and emotions, while happening in the middle of a global pandemic. As election night ended and uncertainty regarding the results began to creep in, threat actors decided to jump in on it too.
Those tracking the threat landscape know very well that major world events do not go unnoticed by criminals. In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.
The QBot banking Trojan’s operators return with yet another themed spam wave, using the same hijacked-email-thread technique and enticing victims with malicious ‘election interference’ attachments.
The malicious emails arrive as replies to existing threads, a technique Emotet also uses to add legitimacy and make detection harder. They contain zip attachments aptly named ElectionInterference_[8 to 9 digits].zip.
While the election results are still being evaluated and debated, victims are enticed to open up the document to read about alleged election interference:
Figure 1: Malicious email with ElectionInterference attachment
The extracted file is an Excel spreadsheet crafted to look like a secure DocuSign file. Users are tricked into enabling macros in order to ‘decrypt’ the document.
This tried-and-tested trick downloads a malicious payload onto the victim’s machine. The URL for that payload is encoded in a cell of a sheet with the Cyrillic name “Лист3”.
Figure 3: Payload URL obfuscation
Once executed, the QBot Trojan will contact its command and control server and request instructions. In addition to stealing and exfiltrating data from its victims, QBot will also start grabbing emails that will later be used as part of the next malspam campaigns.
Figure 4: QBot process flow execution
World events are the best lure
At the core of the malware attacks we witness each day are typical social engineering schemes. Threat actors need to get victims to perform a certain set of actions in order to compromise them.
Spam campaigns routinely abuse email delivery notifications (FedEx, DHL, etc.) or bank alerts to disguise malicious payloads, but world events such as the Covid pandemic or the US elections provide ideal material for crafting effective schemes that result in high infection ratios.
Malwarebytes users were already protected against this attack thanks to our Anti-Exploit technology. Additionally, we detect the payload as Backdoor.Qbot.
Figure 5: Malwarebytes blocking the macro from delivering its payload
Companies hit by ransomware often face a dual threat: Even if they avoid paying the ransom and can restore things from scratch, about half the time the attackers also threaten to release sensitive stolen data unless the victim pays for a promise to have the data deleted. Leaving aside the notion that victims might have any real expectation the attackers will actually destroy the stolen data, new research suggests a fair number of victims who do pay up may see some or all of the stolen data published anyway.