If you run a Mac as a research machine as well, check your privacy settings if your VM software all of a sudden stops responding. I noticed the Mojave update unchecked Accessibility for it. You'll know if this is your problem -- the damn thing will not allow keyboard or mouse access in the VM.
See below:
https://communities.vmware.com/thread/594284
MalBabble
Your antidote to the cyber-twaddle that is spread about security and malware. Many people research malware and security and the impact of both. Some insights are valuable; others are insanely stupid. MalBabble exists because insisting that conclusions be drawn from data is a coherent idea; that conjecture isn't evidence; and because appealing to conspiracy to validate ideas is intellectually lazy.
Wednesday, April 3, 2019
Sunday, March 10, 2019
OSX - MaMi
A bit older but a fun piece of malware that I ran into this weekend.
Easiest ways to detect:
- These IP addresses configured as DNS servers: 82.163.143․135 and 82.163.142․137.
- A root CA installed for the domain cloudguard[dot]me.
- Unusual files in /Library/LaunchDaemons and ~/Library/Application Support.
For network searching:
This blog has a list of domains that can be researched to look for traffic over port 80.
References:
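The three indicators above, turned into a small triage script. This is an added example, not code from the original post: the two resolver IPs and the cloudguard domain are the post's IoCs, while the "launch-item plist changed recently" heuristic, the `security find-certificate` keychain query and the SAMPLE_SCUTIL text are assumptions made for the example. The live checks only run on macOS; on any other platform the script runs the resolver check against the constructed sample.

```python
"""Added example, not code from the original post: triage helpers for the
OSX/MaMi indicators the post lists (rogue DNS resolvers, a cloudguard.me
root CA, unexpected launch items). The IP addresses and the domain are the
post's IoCs; the "plist changed recently" heuristic, the keychain query and
the SAMPLE_SCUTIL text below are constructed for this example."""

import re
import subprocess
import sys
import time
from pathlib import Path
from typing import List, Optional, Set

# DNS servers the post names as indicators (written defanged on the page).
ROGUE_DNS = {"82.163.143.135", "82.163.142.137"}
ROGUE_CA_NAME = "cloudguard"
LAUNCH_DIRS = [Path("/Library/LaunchDaemons"), Path("/Library/LaunchAgents"),
               Path.home() / "Library" / "LaunchAgents"]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed stand-in for `scutil --dns` output on an infected machine.
SAMPLE_SCUTIL = """DNS configuration
resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
resolver #2
  domain   : local
  nameserver[0] : 192.168.1.1
"""


def rogue_resolvers(dns_text: str) -> Set[str]:
    """Rogue resolver IPs found in `scutil --dns` or `networksetup -getdnsservers` output."""
    return {ip for ip in IPV4.findall(dns_text) if ip in ROGUE_DNS}


def recent_plists(directory, days: int, now: Optional[float] = None) -> List[Path]:
    """Launch-item plists modified in the last `days` days: new persistence candidates."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    cutoff = (time.time() if now is None else now) - days * 86400
    return sorted(p for p in directory.glob("*.plist") if p.stat().st_mtime >= cutoff)


def cloudguard_cert_present() -> bool:
    """macOS only: search the System keychain for any certificate whose name contains
    'cloudguard' (the rogue CA the post describes). `security` is the macOS CLI."""
    proc = subprocess.run(
        ["security", "find-certificate", "-a", "-c", ROGUE_CA_NAME,
         "/Library/Keychains/System.keychain"],
        capture_output=True, text=True)
    return ROGUE_CA_NAME in proc.stdout.lower()


def live_findings() -> List[str]:
    """Run the checks on this machine (macOS); returns human-readable findings."""
    findings = []
    dns_text = subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
    findings += [f"rogue DNS resolver configured: {ip}" for ip in sorted(rogue_resolvers(dns_text))]
    if cloudguard_cert_present():
        findings.append("certificate matching 'cloudguard' in the System keychain")
    for d in LAUNCH_DIRS:
        findings += [f"launch item modified in the last 7 days: {p}" for p in recent_plists(d, 7)]
    return findings


if __name__ == "__main__":
    if sys.platform != "darwin":
        print("offline demo, rogue resolvers in sample:", sorted(rogue_resolvers(SAMPLE_SCUTIL)))
    else:
        found = live_findings()
        print("\n".join(found) or "no MaMi indicators found")
        sys.exit(1 if found else 0)
```

The resolver check is the cheapest of the three and the one worth pushing out fleet-wide: `scutil --dns` output can be collected by any management agent and grepped centrally, whereas the plist heuristic needs a human to look at what actually changed.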
Thursday, March 7, 2019
Basking in a little shade
I like Malwarebytes' work. When they write up malware, at least it's informative and pleasant to read. The write-up on Troldesh (Shade) is a great example.
It gets right to the point: hey, everyone, while ransomware has trended down, some families are still on the rise, especially this one.
Can't beat that. Gets right to the meat of things.
Infection vector: same ole, same ole: email spam. In this case, you learn its vector is via attachments, especially zip files. If that isn't your normal kind of email attachment, then give it a skip -- save yourself from being infected.
They do let me down a bit on the attribution. Saying something might be Russian in origin because its ransom note is in both Russian and English makes me sad. Now if they had pointed to the orthography of the writing or the coding, maybe that could hold more water. It does hint that those two audiences are a focus.
Anyway, among the gems I saw in this article, the movie references used as file extensions were interesting. Many of these were not only very famous in the US but equally runaway famous in other countries, such as Breaking Bad, Dexter, The Da Vinci Code, etc.
When I see these, I tend to pay attention to where the reporting is happening from. In this case, a wide array of English-speaking, Chinese and Russian sites dominate.
Bonus Points (older reporting):
- https://www.microsoft.com/security/blog/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/
- https://servicedesk.necsu.nhs.uk/hscic-carecert-bulletin-necs-response-270716/
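Since the vector here is a zip attachment, here is what "give it a skip" looks like when a gateway does it for you. This is an added example, not code from the post or from the Malwarebytes write-up: it triages a ZIP attachment from its central directory alone, never extracting a member, and flags executables, document-style double extensions, nested archives, encrypted members and extreme compression ratios. The extension sets and the two sample archives are constructed for the example.

```python
"""Added example, not code from the original post or from the Malwarebytes
write-up it discusses: a mail-gateway style triage of a ZIP attachment (the
Troldesh/Shade vector the post describes), performed on the archive's central
directory without extracting any member. The extension sets and the sample
archives are constructed for this example."""

import io
import zipfile
from typing import Dict, List

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                  "wsf", "hta", "ps1", "lnk", "dll", "msi", "jar"}
ARCHIVE_EXT = {"zip", "rar", "7z"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}   # double-extension bait


def _extensions(member: str) -> List[str]:
    """All extensions of a member name, lowercased: 'a/invoice.pdf.js' -> ['pdf', 'js']."""
    parts = member.rsplit("/", 1)[-1].lower().split(".")
    return parts[1:]


def triage_zip(data: bytes) -> Dict[str, object]:
    """Return {'verdict': 'allow'|'block', 'reasons': [...]} from ZIP metadata alone."""
    reasons = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "block", "reasons": ["not a valid zip archive"]}
    with archive:
        members = [m for m in archive.infolist() if not m.is_dir()]
        if not members:
            reasons.append("archive contains no files")
        for m in members:
            exts = _extensions(m.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXT:
                reasons.append(f"executable or script member: {m.filename}")
                if len(exts) >= 2 and exts[-2] in DECOY_EXT:
                    reasons.append(f"double extension disguising it as a document: {m.filename}")
            elif last in ARCHIVE_EXT:
                reasons.append(f"nested archive (scanners often stop here): {m.filename}")
            elif not exts:
                reasons.append(f"member without an extension: {m.filename}")
            if m.flag_bits & 0x1:
                reasons.append(f"encrypted member, content cannot be scanned: {m.filename}")
            if m.compress_size and m.file_size / m.compress_size > 100:
                reasons.append(f"extreme compression ratio (possible zip bomb): {m.filename}")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def _make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a dropper-style attachment and a plain document.
SUSPICIOUS_ATTACHMENT = _make_zip({
    "invoice_2019.pdf.js": b"// constructed stand-in for a script downloader\n",
    "readme.txt": b"constructed benign text\n",
})
BENIGN_ATTACHMENT = _make_zip({"report.pdf": b"%PDF-1.4 constructed placeholder\n"})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(label, triage_zip(blob))
```

Note that nothing here opens a member: the verdict comes from the central directory, so a bomb or a malformed entry cannot hurt the gateway. A password-protected zip gets blocked for the same reason it is popular with spammers, namely that nobody can scan what is inside.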
Wednesday, March 6, 2019
It's that time again
Yup. Like it says, here we go.
PirateMatryoshka
Torrent site infecting people with malware.
Makes for great headlines. Here's the actual report on Securelist for deeper reading.
Torrents make for easy targets, since the people using them are stereotyped to be doing so for less than above-board reasons. Any judgements aside, caution needs to be exercised regardless of why you are torrenting a file.
For downloaders:
- Be cautious. Look at the number of seeders and peers. It's easy to abuse and inflate. Use https://iknowwhatyoudownload.com/en/api/ and sign up for the API. Look for the amount of activity there and double check it against what you are seeing.
- Look up the tracker. If you can't easily find it via your favorite search engine, reconsider downloading from it.
- Look for comments. See if they sound human and make sense. You know what to do if they don't.
- Any kind of instructions are a dead giveaway of a likely bad file. If it asks you to log in, provide data, authenticate, etc -- you are about to be phished, infected or generally done over in a very painful way.
- File types matter. Use caution with an archive (rar, zip, 7zip, etc.) and completely avoid executable files if possible.
- Download to a safe location. If you can, use a virtual machine.
For Researchers:
Head to here. Sign up for an API key. You can query up to 1,000 times for free. You can pivot off a lot of interesting elements here. My favorite one is the infohash, which returns a JSON document with the following fields.
Feel free to dig to your heart's content. Here's the full breakdown of what's available via the API.
You can also do it yourself with a bit of elbow grease: http://labs.boramalper.org/magnetico/
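The infohash is the pivot the researcher section relies on, and it can be computed from a .torrent file without fetching a single piece. The following is an added example, not code from the post or from any of the sites it links to: a minimal bencode parser that extracts the infohash (SHA-1 over the raw `info` dictionary, exactly as trackers and the DHT compute it), the file list with the "executable inside a movie torrent" red flag from the downloader checklist, and the magnet link. SAMPLE_TORRENT and the RISKY_EXT list are constructed for the example.

```python
"""Added example, not code from the original post or from any site it links
to: a minimal .torrent (bencode) parser that pulls out the infohash, the file
list and a magnet link, so a researcher can pivot on the hash (for instance in
the iknowwhatyoudownload API the post mentions) without opening the payload.
SAMPLE_TORRENT below is constructed for the example."""

import hashlib
from urllib.parse import quote

# Extensions a "movie" torrent has no business carrying (assumption of this example).
RISKY_EXT = {"exe", "scr", "msi", "bat", "cmd", "js", "vbs", "lnk", "zip", "rar", "7z"}


def _decode(data: bytes, i: int):
    """Decode one bencoded value starting at offset i; returns (value, next_offset)."""
    if i >= len(data):
        raise ValueError("truncated bencode")
    c = data[i:i + 1]
    if c == b"i":                                  # integer  i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list l...e / dict d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        if len(items) % 2 or not all(isinstance(k, bytes) for k in items[::2]):
            raise ValueError("malformed dictionary")
        return dict(zip(items[::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string  <len>:<bytes>
        colon = data.index(b":", i)
        start, length = colon + 1, int(data[i:colon])
        if start + length > len(data):
            raise ValueError("string runs past end of data")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode token at offset {i}")


def bdecode(data: bytes):
    """Decode a complete bencoded document; rejects trailing garbage."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(value) -> bytes:
    """Inverse of bdecode; dictionary keys are emitted sorted, as the format requires."""
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, list):
        return b"l" + b"".join(map(bencode, value)) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def infohash(torrent: bytes) -> str:
    """SHA-1 of the raw bytes of the top-level 'info' dictionary, exactly as stored in
    the file; trackers, the DHT and magnet links all key on this value."""
    if torrent[:1] != b"d":
        raise ValueError("not a metainfo file")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = _decode(torrent, i)
        start = i
        value, i = _decode(torrent, i)
        if key == b"info" and isinstance(value, dict):
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("no 'info' dictionary")


def triage_torrent(torrent: bytes) -> dict:
    """The fields an analyst looks at before deciding whether to fetch anything."""
    meta = bdecode(torrent)
    info = meta[b"info"]
    name = info.get(b"name", b"").decode("utf-8", "replace")
    files = info.get(b"files")
    if files is None:                              # single-file torrent
        paths, size = [name], info.get(b"length", 0)
    else:                                          # multi-file torrent
        paths = [b"/".join(f[b"path"]).decode("utf-8", "replace") for f in files]
        size = sum(f[b"length"] for f in files)
    ih = infohash(torrent)
    return {
        "infohash": ih,
        "name": name,
        "size": size,
        "announce": meta.get(b"announce", b"").decode("utf-8", "replace"),
        "risky_files": [p for p in paths if p.lower().rsplit(".", 1)[-1] in RISKY_EXT],
        "magnet": f"magnet:?xt=urn:btih:{ih}&dn={quote(name)}",
    }


# Constructed metainfo: a "movie" torrent that also ships an executable.
SAMPLE_TORRENT = (
    b"d8:announce26:http://tracker.example/ann4:infod5:filesl"
    b"d6:lengthi734003200e4:pathl9:movie.mp4ee"
    b"d6:lengthi1048576e4:pathl6:README9:Setup.exeee"
    b"e4:name13:Example.Movie12:piece lengthi262144e6:pieces20:" + b"\x00" * 20 + b"ee"
)

if __name__ == "__main__":
    for k, v in triage_torrent(SAMPLE_TORRENT).items():
        print(f"{k:12} {v}")
```

Hashing the raw `info` bytes rather than a re-encoded copy matters: a non-canonical metainfo file re-encodes to different bytes, and the hash you would then look up in the API or on a tracker would match nothing.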
Friday, March 1, 2019
Less malware and just malware related fun
I read this article on March Malware Madness. The points in the article are articulated well enough that it's worth the read and the time spent on them.
The marketing spin is only lightly applied, so you won't be drowning in exhortations that their product does everything and anything security, but you won't miss them either.
While the four scenarios and points were well done, they miss the number one hard thing that really is at the root of the issue (root cause analysis, anyone?) being addressed: people.
Like this shamelessly borrowed image of unknown attribution that I found says, it's really the people who are the root cause.
The right training, review of processes and company cultural changes that support security would go as far or, dare I say, farther to mitigate and control the problem.
Sunday, February 24, 2019
Rietspoof
Multi-stage malware that starts with a link in Messenger or Skype, delivers a script that infects the machine, and continues on through 4-5 stages depending on the target.
Community Names:
- Trojan.YDJX-4
- Generic.Trojan.Agent.TPE1UM
- VBA:Rietspoof-A [Trj]
Attack Vector:
- Links in Skype & Messenger
References:
- https://www.technadu.com/rietspoof-malware-distribution-skype-messenger/58503/
- https://blog.avast.com/rietspoof-malware-increases-activity
- https://twitter.com/malwrhunterteam/status/1097568650507284483
- https://www.hybrid-analysis.com/sample/90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008?environmentId=100
- https://twitter.com/James_inthe_box/status/1097569129123311624
- https://malware.sekoia.fr/results/90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008
- https://www.virustotal.com/#/file/90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008/detection
- https://www.vmray.com/analyses/90813ad836ef/report/overview.html
Saturday, February 23, 2019
Separ
Password-stealing virus with some interesting trends.
Community Names:
- Separ
Tactics:
- Living off the Land
Attack Vectors:
- Primarily phishing emails with fake Adobe PDF/installer attachments carrying the infection
- Some entry points are by accident, when people stumble across the infected sites
References:
- https://hackercombat.com/whats-new-with-separ-malware-family-in-2019/
- https://www.deepinstinct.com/2019/02/19/a-new-wave-of-the-separ-info-stealer-is-infecting-organizations-through-living-off-the-land-attack-methods/
- https://threatpost.com/separ-malware-credentials-phishing/142009/
- https://blog.talosintelligence.com/2018/06/threat-roundup-0622-0629.html