Truebot exploits vulnerability in Netwrix to deploy Clop Ransomware

Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary In 2017, Truebot was discovered to be linked to the Silence group and has affected more than 1,500 systems worldwide with shellcode, Cobalt Strike beacons, Grace malware, the Teleport tool, and Clop...

Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers

An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers...

Recent Lazarus campaign leveraged Crypto App to spread AppleJeus malware

Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary The Lazarus Group threat actor was noticed employing fake cryptocurrency apps as a ruse to transmit a previously unidentified version of the AppleJeus malware masquerading as malicious Microsoft Office...

North Korean Hackers Spread AppleJeus Malware Disguised as Cryptocurrency Apps

The Lazarus Group threat actor has been observed leveraging fake cryptocurrency apps as a lure to deliver a previously undocumented version of the AppleJeus malware, according to new findings from Volexity. "This activity notably involves a campaign likely targeting cryptocurrency users and...

DTrack activity targeting Europe and Latin America

Introduction DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. For example, weve seen it being used in financial environments where ATMs were breached, in...

APT10: Tracking down LODEINFO 2022, part II

In the previous publication Tracking down LODEINFO 2022, part I, we mentioned that the initial infection methods vary in different attack scenarios and that the LODEINFO shellcode was regularly updated for use with each infection vector. In this article, we discuss improvements made to the LODEIN...

APT10: Tracking down LODEINFO 2022, part I

Kaspersky has been tracking activities involving the LODEINFO malware family since 2019, looking for new modifications and thoroughly investigating any attacks utilizing those new variants. LODEINFO is sophisticated fileless malware first named in a blogpost from JPCERT/CC in February 2020. The...

Sandman - NTP Based Backdoor For Red Team Engagements In Hardened Networks

Sandman is a backdoor that is meant to work on hardened networks during red team engagements. Sandman works as a stager and leverages NTP a protocol to sync time & date to get and run an arbitrary shellcode from a pre-defined server. Since NTP is a protocol that is overlooked by many defenders...

ProtectMyTooling - Multi-Packer Wrapper Letting Us Daisy-Chain Various Packers, Obfuscators And Other Red Team Oriented Weaponry

Script that wraps around multitude of packers, protectors, obfuscators, shellcode loaders, encoders, generators to produce complex protected Red Team implants. Your perfect companion in Malware Development CI/CD pipeline, helping watermark your artifacts, collect IOCs, backdoor and more...

CVE-2022-41415

Acer Altos W2000h-W570h F4 R01.03.0018 was discovered to contain a stack overflow in the RevserveMem component. This vulnerability allows attackers to cause a Denial of Service DoS via injecting crafted shellcode into the NVRAM variable...

CVE-2022-41415

Acer Altos W2000h-W570h F4 R01.03.0018 was discovered to contain a stack overflow in the RevserveMem component. This vulnerability allows attackers to cause a Denial of Service DoS via injecting crafted shellcode into the NVRAM variable...

FUD-UUID-Shellcode - Another shellcode injection technique using C++ that attempts to bypass Windows Defender using XOR encryption sorcery and UUID strings madness

Introduction Another shellcode injection technique using C++ that attempts to bypass Windows Defender using XOR encryption sorcery and UUID strings madness :. How it works Shellcode generation Firstly, generate a payload in binary format using either CobaltStrike or msfvenom for instance, in...

SharpNamedPipePTH - Pass The Hash To A Named Pipe For Token Impersonation

This project is a C tool to use Pass-the-Hash for authentication on a local Named Pipe for user Impersonation. You need a local administrator or SEImpersonate rights to use this. There is a blog post for explanation: https://s3cur3th1ssh1t.github.io/Named-Pipe-PTH/ It is heavily based on the code...

NimGetSyscallStub - Get Fresh Syscalls From A Fresh Ntdll.Dll Copy

Get fresh Syscalls from a fresh ntdll.dll copy. This code can be used as an alternative to the already published awesome tools NimlineWhispers and NimlineWhispers2 by @ajpc500 or ParallelNimcalls. The advantage of grabbing Syscalls dynamically is, that the signature of the Stubs is not included i...

DeathSleep - A PoC Implementation For An Evasion Technique To Terminate The Current Thread And Restore It Before Resuming Execution, While Implementing Page Protection Changes During No Execution

A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution. Intro Sleep and obfuscation methods are well known in the maldev community, with different implementations, they...

Metasploit Weekly Wrap-Up

BYOS: Bring your own stager We try hard to make sure we have a great choice of fully-functional payloads to choose from, but sometimes you might want to “branch” out on your own, and if that’s the case we’ve got you covered. In an attempt to make Metasploit play well with others, we’ve introduced...

SharpImpersonation - A User Impersonation Tool - Via Token Or Shellcode Injection

This was a learning by doing project from my side. Well known techniques are used to built just another impersonation tool with some improvements in comparison to other public tools. The code base was taken from: https://github.com/0xbadjuju/Tokenvator A blog post for the intruduction can be foun...

Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)

Custom shellcode stage. Connect back to the attacker Module Options msf use payload/windows/x64/custom/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options... msf payloadbindtcprc4 run -- coding:...

Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)

Custom shellcode stage. Connect back to the attacker with UUID Support Windows x64 Module Options msf use payload/windows/x64/custom/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf payloadreversetcpuuid show options ...show and set...

Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)

Custom shellcode stage. Listen for a connection with UUID Support Windows x64 Module Options msf use payload/windows/x64/custom/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show options ...show and set options... msf...