Shedding Skin – Turla’s Fresh Faces
Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an "ultra complex" snake rootkit focused on NATO-related targets, but their malware set and activity are much broader. Our current focus is on more recent and upcoming activity from this APT, whi...
Threat Roundup Sept 21 - 28
Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 21 and 28. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by...
October 27, 2016 — KB3197954 (OS Build 14393.351)
October 27, 2016 — KB3197954 OS Build 14393.351 This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Improved reliability of Internet Explorer 11, Start, File Explorer, action center, graphics, and the Windows kernel...
December 9, 2016 — KB3201845 (OS Build 14393.479)
December 9, 2016 — KB3201845 OS Build 14393.479 Improvements and fixes This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Improved the reliability of mobile device management MDM disenrollment, Distributed Componen...
August 23, 2016 — KB3176934 (OS Build 14393.82)
August 23, 2016 — KB3176934 OS Build 14393.82 This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Improved reliability of Network Controller, DNS server, gateways, Storage Spaces Direct, Group Managed Service...
Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT
A variant of a remote code execution vulnerability with Internet Explorer's scripting engine known as CVE-2018-8373 patched last August has been found in the wild. Looking at the IOCs posted by our colleagues at TrendMicro, we recognized the infrastructure serving this exploit. The same static...
SharpSploit - A .NET Post-Exploitation Library Written In C#
SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. SharpSploit is named, in part, as a homage to the PowerSploit project, a personal favorite of mine! While SharpSploit does port...
Threat Roundup for September 14 to September 21
Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 14 and 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by...
Threat Roundup for September 7 to September 14
Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 7 and 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by...
Bypassing Antivirus for Your Antivirus Bypass
Chances are you have heard about how easy it can be to evade antivirus. Often, this is because the signatures used by vendors are too simplistic and can be successfully duped without changing the functionality of the malware. Have you ever attempted to evade AV? Is it really that easy? In this bl...
OilRig APT Continues Its Ongoing Malware Evolution
OilRig, an APT group believed to have ties to Iran, has been spotted in yet another campaign in the Middle East – this time targeting victims within an undisclosed government using an evolved variant of the BondUpdater trojan. The group, which is also called Cobalt Gypsy, Crambus, Helix Kitten or...
ThreatList: Microsoft Macros Remain Top Vector for Malware Delivery
Attacks using malicious Microsoft macros, always a popular method for compromising target machines, are more virulent than ever, accounting for 45 percent of all delivery mechanisms analyzed in August. Top Malware Delivery Mechanisms in August Just behind this tried-and-true method lies the...
PowerShell Obfuscation Ups the Ante on Antivirus
A new malware sample using a rare obfuscation technique has been spotted that uses the features of PowerShell, a tool that comes built in to Microsoft Windows. Analysis from Cylance shows that the tactic succeeds in bypassing most antivirus products. Cylance researchers stumbled across a malware...
Carbon Black Report: Tools of Choice
Quarterly Incident Response Threat Report PowerShell and WMI Remain Tools of Choice for Cyberattacks We’ve long known that PowerShell has been abused, but it is still significant that 100% of respondents say they believe the tool most often helps facilitate lateral movements, followed by WMI at...
PowerShell Front-End for Windows Debugger Engine: DbgShell
The main impetus for DbgShell is that it’s just waaaay too hard to automate anything in the debugger. There are facilities today to assist in automating the debugger, of course. But in my opinion they are not meeting people’s needs. Using the built-in scripting language is arcane, limited,...
Ghostscript - Failed Restore Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule /dev/tty' include Msf::Exploit::FILEFORMAT include Msf::Exploit::CmdStager include Msf::Exploit::Powershell def initializeinfo =...
Threat Actors Eyeing IQY Files To Peddle Malspam
More threat actors are pushing weaponized Excel web query IQY files to deliver malicious code – as seen in recent campaigns by several major malspam distributors. Researchers at IBM X-Force this week disclosed that both the Necurs Botnet, as well as DarkHydrus and the threat actor behind the Mara...
Threat Roundup for August 31 to September 7
Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 31 and Sept. 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed b...
Ghostscript Failed Restore Command Execution Exploit
This Metasploit module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore grestore in PostScript to disable LockSafetyParams and avoid invalidaccess. This vulnerability is reachable via libraries such as ImageMagick, and this module provides the...
iBombShell: A Dynamic Post-Exploitation Remote Shell
Consider you have a shell on a system and other post-exploitation tools do not work for you as they are being caught by a security solution on the system. Worry not as we now have iBombShell, a dynamic remote shell that can be run on any system that supports PowerShell. The reason th...