Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)

Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution RCE Date: 20/03/2022 Exploit Author: d7x Vendor Homepage: https://www.ivanti.com/ Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6 Version: CSA 4.6 4.5 - EOF Aug 2021 Tested on: Linux...

Malicious npm Code Packages Built for Hijacking Discord Servers

A series of malicious packages in the Node.js package manager npm code repository are looking to harvest Discord tokens, which can be used to take over unsuspecting users’ accounts and servers. The npm repository is an open-source home for JavaScript developers to share and reuse code blocks. The...

Citrix gateway plugin executes PowerShell script obfuscated code which might be blocked by Antivirus software

We might see errors somewhat like below in AntiVirus : Event type: Process action blocked Component: Adaptive Anomaly Control Rule name: PowerShell executes obfuscated code Source process: c:\windows\system32\windowspowershell\v1.0\powershell.exe Application : "C:\Program Files\Citrix\Secure Acce...

UPX Packed Headaches

Researching malware has many challenges. One of those challenges is obfuscated code and intentionally corrupted binaries. To address challenges like this, we've written a small tool in C that could fix intentionally corrupted binaries automatically. We also plan to open-source the project so othe...

REW-sploit - Emulate And Dissect MSF And *Other* Attacks

REW-sploit The tool has been presented at Black-Hat Arsenal USA 2021 https://www.blackhat.com/us-21/arsenal/schedule/index.htmlrew-sploit-dissecting-metasploit-attacks-24086 Slides of presentation are available at https://github.com/REW-sploit/REW-sploitdocs Need help in analyzing Windows shellco...

iOS Malicious Bit Hunter - A Malicious Plug-In Detection Eng ine For iOS Applications

iOS Malicious Bit Hunter is a malicious plug-in detection engine for iOS applications. It can analyze the head of the macho file of the injected dylib dynamic library based on runtime, and can perform behavior analysis through interface input characteristics to determine the behavior of the dynam...

h1-ctf: Complete destruction of the Grinch server

Hackyholidays flag 1 First flag is just a matter of reading /robots.txt file: User-agent: Disallow: /s3cr3t-ar3a Flag: flag48104912-28b0-494a-9995-a203d1e261e7 flag 2 Visiting /s3cr3t-ar3a and opening it with developer tools gets the second flag: flagb7ebcb75-9100-4f91-8454-cfb9574459f7 It is...

CVE-2020-35587

In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is directly associated with a negative impact, or instead only facilitates an attack technique...

CVE-2020-35587

Affected product: Solstice Pod firmware. Vulnerability: decompilation/disassembly yields non-obfuscated code in versions prior to 3.0.3; root cause and exact impact of lack of obfuscation are not explicitly quantified in the provided docs. Impact: not clearly stated beyond the presence of non-obf...

Malicious Package

Overview ruby-bitcoin is a malicious package. Within version.rb, hidden obfuscated code is present which, on Windows systems, generates and runs a malicious VBScript theScore.vb. Note: The code present in this package is slightly different to the malicious package prettycolor. Remediation Avoid...

Js-X-Ray - JavaScript And Node.js Open-Source SAST Scanner (A Static Analysis Of Detecting Most Common Malicious Patterns)

JavaScript AST analysis. This package has been created to export the Node-Secure AST Analysis to enable better code evolution and allow better access to developers and researchers. The goal is to quickly identify dangerous code and patterns for developers and Security researchers. Interpreting th...

The zero-day exploits of Operation WizardOpium

Back in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we've already published blog posts briefly describing this operation available here and here, in this blog post we'd li...

Dozens of Android Apps for Kids on Google Play Store Caught in Ad Fraud Scheme

More than 50 Android apps on the Google Play Store—most of which were designed for kids and had racked up almost 1 million downloads between them—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users. Dubbed "Tekya ," the malware in the apps imitate...

Platinum APT Shines Up New Titanium Backdoor

APT threat group Platinum has a shiny new plaything: A custom trojan backdoor dubbed Titanium. The backdoor’s name, aside from keeping with the silvery metal theme, comes from password to one of the self-executable archives found in the code. According to Kaspersky researchers who analyzed the...

GitHub hosted Magecart skimmer used against hundreds of e-commerce sites

Every day, new e-commerce websites fall into the hands of one of the many Magecart skimmers. Unbeknownst to shoppers, criminals are harvesting their personal information, including payment details in the online equivalent of ATM card skimming. Most often the skimming code—written in JavaScript an...

Fnord - Pattern Extractor For Obfuscated Code

Fnord is a pattern extractor for obfuscated code Description Fnord has two main functions: 1. Extract byte sequences and create some statistics 2. Use these statistics, combine length, number of occurrences, similarity and keywords to create a YARA rule 1. Statistics Fnord processes the file with...

CoinHive URL Shortener Abused to Secretly Mine Cryptocurrency Using Hacked Sites

Security researchers have been warning about a new malicious campaign that leverages an alternative scheme to mine cryptocurrencies without directly injecting the infamous CoinHive JavaScript into thousands of hacked websites. Coinhive is a popular browser-based service that offers website owners...

Obfuscated Coinhive shortlink reveals larger mining operation

During the past several months, in-browser mining has continued to affect a large number of websites, predominantly relying on Coinhive's infamous API. We documented several campaigns on this blog, in particular Drupalgeddon, where attackers are taking advantage of vulnerabilities in popular...

StaCoAn - Crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications. This tool will look for interesting lines in the code which can contain: Hardcoded credentials API keys URL's of API's Decryption keys Major coding...

Open Source Static Code Analyser: StaCoAn

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications. This tool will look for interesting lines in the code which can contain: Hardcoded credentials API keys URL’s of API’s Decryption keys Major coding...