Wednesday, April 3, 2019

Mojave updates breaks VMWare Fusion

If you run Mac as a research machine as well, you might want to check your privacy settings if it all of a sudden stops responding.  I noticed the Mojave update unchecked accessibility.  you'll know if it fits -- the damn thing will not allow keyboard or mouse access in the VM.

See below:

https://communities.vmware.com/thread/594284


Sunday, March 10, 2019

OSX - mami

A bit older but a fun piece of malware that I ran into this weekend.

Easiest ways to detect:

  • These IP addresses as DNS servers: 82.163.143․135 and 82.163.142․137.
  • Finding a root CA for the domain cloudguard[dot]me
  • unusual files in /Library/LaunchDaemons and ~/Library/Application Support,

For network searching:

this blog has a list of domains that can be researched to look for traffic over port 80.

References:

Thursday, March 7, 2019

Basking in a little shade


I like malwarebytes work.  When they write up malware, at least its informative and pleasing to use.  The write up on Troldesh (shade) is a great example.

It gets right to the point:  hey, everyone, while ransomware has trended down some families are still on the rise, especially this one.

Can't beat that.  Gets right to the meat of things.

Infection vector:  same ole same ole:  email spam.  In this case, you learn its vector is via attachments, especially zip files.  If that isn't your normal email attachment, then give it a skip -- save yourself from being infected.

They do let me down a bit about the attribution.  Saying something might be Russian in origin because its ransomware note is in both Russian and English makes me sad.  Now if they had pointed to the orthography of the writing or the coding, maybe that could hold more water.  It does hint that those two audiences are a focus.

Anyway, in the gems I saw in this article, the movies references used as extension were interesting.  Many of these were not only very famous in the US but equally runaway famous in foreign countries, such as breaking bad, dexter, da Vinci code, etc.

When I see these, I tend to pay attention to where reporting is happening from.  In this case, a wide array of English speaking, Chinese and Russian sites dominate.

Bonus Points (older reporting):


Wednesday, March 6, 2019

Its that time again

Yup.  Like it says, here we go.

PirateMatryoshka

Torrent site infecting people with malware

Makes for great headlines.  Here's the actual report on securelist for deeper reading.

Torrents make for easy targets, since the people using the are stereotyped to be doing so for less than above board reasons.  Any judgements aside, caution needs to be exercised regardless of why you are torrenting a file.

For downloaders:


  • Be cautious.  Look at the number of seeders and peers.  It's easy to abuse and inflate.  Use https://iknowwhatyoudownload.com/en/api/ and sign up for the API.  Look for the amount of activity there and double check it against what you are seeing.
  • Look up the tracker.  If you can't easily find it via your favorite search engine, reconsider downloading from it.
  • Look for comments.  See if they sound human and make sense.  You know what to do if they don't.
  • Any kind of instructions are a dead give away to a likely bad file.  If it asks for you to log in, provide data, authenticate, etc -- you are about to be phished, infected or generally done over in a very painful way.
  • File types matter.  Use caution with an archive (rar, zip, 7zip, etc.) and completely avoid executable files if possible.
  • Download to a safe location.  If you can, use a virtual machine.


For Researchers:

Head to here.  Sign up for an API key.  You can query up to a 1000 times for free.  You can pivot off a lot of interesting elements here.  My favorite one is the infohash, which provides a JSON of the following fields back.


Feel free to dig to your heart's content.  Here's the full breakdown of what's available via the API.

You can also do it yourself with a bit of elbow grease:  http://labs.boramalper.org/magnetico/

Friday, March 1, 2019

Less malware and just malware related fun

I read this article on March Malware Madness.  The points in the article are articulated well enough that its worth the read and time on the points.

The marketing spin is only lightly applied so you won't be drowning in exhorts that their product does everything and anything security but you won't miss them either.

While the four scenarios and points were well done, they miss the number one hard thing that really is the at the root of the issue (root cause analysis, anyone?) that's being addressed:  people.



Like this shamelessly borrowed unknown attributed image I found says, its really the people who are the root cause.

The right training, review of processes and company cultural changes that support security would go as far or, dare I say, farther to mitigate and control the problem.





Saturday, February 23, 2019

Separ


Password stealer virus with some interesting trends.

Community Names:
  Separ
Tactics:

  • Living off the Land

Attack Vectors:

  • Primarily phishing emails with fake adobe pdf/installer infected attachments
  • Some entry points are by accident when people stumble across the infected sites


References:


  • https://hackercombat.com/whats-new-with-separ-malware-family-in-2019/
  • https://www.deepinstinct.com/2019/02/19/a-new-wave-of-the-separ-info-stealer-is-infecting-organizations-through-living-off-the-land-attack-methods/
  • https://threatpost.com/separ-malware-credentials-phishing/142009/
  • https://blog.talosintelligence.com/2018/06/threat-roundup-0622-0629.html