Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFTWINDOWSDEFENDERTROJAN.WIN32.POWESSERE.GMITIGATIONBYPASSPART3.txt + twitter.com/hyp3rlinx + ISR: ApparitionSec Vendor www.microsoft.com Product Windows Defender...

Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFTWINDOWSDEFENDERTROJAN.WIN32.POWESSERE.GMITIGATIONBYPASSPART2.txt + twitter.com/hyp3rlinx + ISR: ApparitionSec Vendor www.microsoft.com Product Windows Defender...

Microsoft Windows Defender / Detection Bypass Part 3

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFTWINDOWSDEFENDERTROJAN.WIN32.POWESSERE.GMITIGATIONBYPASSPART3.txt + twitter.com/hyp3rlinx + ISR: ApparitionSec Vendor www.microsoft.com Product Windows Defender...

ToddyCat: Keep calm and check logs

ToddyCat is an advanced APT actor that we described in a previous publication last year. The group started its activities in December 2020 and has been responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Our first publication was focused on their main tools,...

Researchers Warn of 'Raspberry Robin' Malware Spreading via External Drives

Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities and is propagated by means of removable USB devices. Attributing the malware to a cluster named "Raspberry Robin," Red Canary researchers noted that the worm "leverages Windows Installer to reach out to...

Backdoor.Win32.Whisper.b Remote Stack Corruption

Discovery / credits: Malvuln - malvuln.com c 2021 Original source: https://malvuln.com/advisory/a0edb91f62c8c083ec35b32a922168d1.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Backdoor.Win32.Whisper.b Vulnerability: Remote Stack Corruption Description: Whisper.b listens on TC...

TAU Threat Intelligence Notification: PPID Spoofing – Explorer CLSID

Summary Popular Attack Surface Reduction bypasses allow adversaries to hinder threat hunting activities by spoofing Parent Process ID. PPID to PID relationships have always been a key indicator of compromise and removing these conditions lead to false sense of security. Upon investigation its bee...

An attacker with Office vulnerability propagation FELIXROOT Backdoor-vulnerability warning-the black bar safety net

! One, the attack event details 2017 9 months, in response to Ukrainian attacks, FireEye found FELIXROOT Backdoor this malicious payload, and feedback to our intelligence perception of the customers. The attack activities using some malicious Ukrainian banks document that contains a macro, used t...

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign

Campaign Details In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being...

Cerber ransomware delivered in format of a different order of Magnitude

As a follow up to our study into the Magnitude exploit kit and its gate which we profiled in a previous blog post, we take a look at an interesting technique used to distribute the Cerber ransomware. Exploit kits are a very effective means of serving malicious payloads and an important aspect is...

JSRat - Reverse HTTP Shell Using JavaScript

JSRat is a reverse HTTP Shell by using JavaScript. JSRat use rundll32.exe to load the JavaScript code in cmd and a HTTP Shell is returned when the code is executed. The special part is that after running the cmd command, rundll32.exe will remain in the background to continuously connect to the...

HP Data Protector 8.10 Remote Command Execution

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'HP Data Protector 8.10 Remote Command Execution', 'Description' = %q This module exploits a remote command execution on HP Data...

HP Data Protector 8.10 Remote Command Execution

This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be executed by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is a strict length limitation on the command, rundll32.exe is executed, and...

Microsoft Windows XP/2000 RunDLL32.EXE Buffer Overflow Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/8114/info rundll32.exe has been reported prone to a buffer overflow vulnerability. The condition has been reported to be triggered when an excessive string is passed to the vulnerable application as a routine name for a...

Energizer DUO USB battery charger software allows unauthorized remote system access

Overview The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access. Description Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been...

Microsoft Windows XP2000 - RunDLL32.exe Local Buffer Overflow

Microsoft Windows XP2000 - RunDLL32.exe Local Buffer Overflow source: https://www.securityfocus.com/bid/8114/info rundll32.exe has been reported prone to a buffer overflow vulnerability. The condition has been reported to be triggered when an excessive string is passed to the vulnerable applicati...

Microsoft Windows XP/2000 - 'RunDLL32.exe' Local Buffer Overflow

source: https://www.securityfocus.com/bid/8114/info rundll32.exe has been reported prone to a buffer overflow vulnerability. The condition has been reported to be triggered when an excessive string is passed to the vulnerable application as a routine name for a module. Exploitation of this issue...