60 matches found
New TrickBot Variant Updates Anti-Analysis Tricks
Researchers uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components. TrickBot is a module-based malware that, while first identified as a banki...
TAU Threat Intelligence Notification: PPID Spoofing – Explorer CLSID
Summary Popular Attack Surface Reduction bypasses allow adversaries to hinder threat hunting activities by spoofing Parent Process ID. PPID to PID relationships have always been a key indicator of compromise and removing these conditions lead to false sense of security. Upon investigation its bee...
WebDAV Server Serving DLL
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Serve DLL via webdav server', 'Description' = %q This module simplifies the rundll32.exe Application Whitelisting Bypass technique. The module...
Serve DLL via webdav server
This module simplifies the rundll32.exe Application Whitelisting Bypass technique. The module creates a webdav server that hosts a dll file. When the user types the provided rundll32 command on a system, rundll32 will load the dll remotly and execute the provided export function. The export...
An attacker with Office vulnerability propagation FELIXROOT Backdoor-vulnerability warning-the black bar safety net
! One, the attack event details 2017 9 months, in response to Ukrainian attacks, FireEye found FELIXROOT Backdoor this malicious payload, and feedback to our intelligence perception of the customers. The attack activities using some malicious Ukrainian banks document that contains a macro, used t...
Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign
Campaign Details In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being...
PowerShdll - Run PowerShell with rundll32 (Bypass software restrictions)
Run PowerShell with dlls only. Does not require access to powershell.exe as it uses powershell automation dlls. dll mode: Usage: rundll32 PowerShdll,main rundll32 PowerShdll,main -f Run the script passed as argument rundll32 PowerShdll,main -w Start an interactive console in a new window rundll32...
Koadic - COM Command & Control Framework (JScript RAT)
Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host a.k.a. JScript/VBScript, with compatibility in t...
Cerber ransomware delivered in format of a different order of Magnitude
As a follow up to our study into the Magnitude exploit kit and its gate which we profiled in a previous blog post, we take a look at an interesting technique used to distribute the Cerber ransomware. Exploit kits are a very effective means of serving malicious payloads and an important aspect is...
JSRat - Reverse HTTP Shell Using JavaScript
JSRat is a reverse HTTP Shell by using JavaScript. JSRat use rundll32.exe to load the JavaScript code in cmd and a HTTP Shell is returned when the code is executed. The special part is that after running the cmd command, rundll32.exe will remain in the background to continuously connect to the...
HP Data Protector 8.10 Remote Command Execution
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'HP Data Protector 8.10 Remote Command Execution', 'Description' = %q This module exploits a remote command execution on HP Data...
HP Data Protector 8.10 Remote Command Execution
This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be executed by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is a strict length limitation on the command, rundll32.exe is executed, and...
Microsoft Windows XP/2000 RunDLL32.EXE Buffer Overflow Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/8114/info rundll32.exe has been reported prone to a buffer overflow vulnerability. The condition has been reported to be triggered when an excessive string is passed to the vulnerable application as a routine name for a...
[Binrev] Automate Reversing Windows Binaries for Pentesters
What you can do with this? Static analysis: you can do a basic manual code review for decompiled sources to discover hidden communication channels, search for hard-coded passwords, or SQL injection vulnerabilities. Import decompiled projects to an IDE to reconstruct and modify the original source...
Self-extracting archive (SFX) as Creative Virus Handler
Self-extracting archive SFX as Creative Virus Handler Yesterday I Found and interesting article about "Self-extracting archive SFX" on Unremote.org by DarkCoderSc. SFX is a little application that contains compressed files. Creating a customized WinRAR SFX archives is a very easy task, but not al...
Energizer DUO USB battery charger software allows unauthorized remote system access
Overview The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access. Description Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been...
A brush visits to the website of the pony analysis-vulnerability warning-the black bar safety net
Article author: 混世魔王 Information source: evil octal information security team www.eviloctal.com) System patch kick, online blind filling, and actually also in the network of the horse, ay. Now.... Put his net horse down down, 8 wrong, and genuine. Pass to kill 9 8. nt. 2 0 0 0. xp. XP SP2. 2 0 0 ...
Dove gray is registered as a system service method-reference for the black hole-vulnerability and early warning-the black bar safety net
A few days ago a pigeon to research registered into the system service method, I don't have pigeons, and found that it is using rundll32 to import an inf to achieve, this should be added a registry key to disable the reg script, disable regedit, are effective? Examples are as follows: Add a...
Microsoft Windows XP2000 - RunDLL32.exe Local Buffer Overflow
Microsoft Windows XP2000 - RunDLL32.exe Local Buffer Overflow source: https://www.securityfocus.com/bid/8114/info rundll32.exe has been reported prone to a buffer overflow vulnerability. The condition has been reported to be triggered when an excessive string is passed to the vulnerable applicati...
Microsoft Windows XP/2000 - 'RunDLL32.exe' Local Buffer Overflow
source: https://www.securityfocus.com/bid/8114/info rundll32.exe has been reported prone to a buffer overflow vulnerability. The condition has been reported to be triggered when an excessive string is passed to the vulnerable application as a routine name for a module. Exploitation of this issue...