GDPR shows its teeth
of Starwood did not perform sufficient checks and afterwards failed to ensure adequate IT security. Marriott can now respond ...
G DATA informs partners and examines security trends
Mid-sized businesses must in future see IT security as part of value creation and not as a cost center. Because otherwise ...
Ask Slashdot: Could Climate Change Be Solved By Manipulating Photons in Space?
Slashdot reader dryriver writes: Most "solutions" to climate change center on reducing greenhouse gas emissions on Earth and using renewable energy where possible. What if you could work a bit closer to the root of the problem, by thinking about the problem as an excess number of photons traveling from the Sun to the Earth? Would it be completely physically impossible to place or project some kind of electrical or other field into space that alters the flight paths of photons -- which are energy packets -- that pass through it? What if you could make say 2% of photons that would normally hit the Earth miss the Earth, or at the very least enter Earth's atmosphere at an altered angle? Given that the fight against climate change will likely swallow hundreds of billions of dollars over the next years, is it completely unfeasible to spend a few billion dollars on figuring out how to manipulate the flight paths of photons out in Space? Here's a recent news report along those lines: A group of Swedish researchers believe that a cataclysmic asteroid collision from hundreds of millions of years ago could have the answers to solving climate change... Researchers have been discussing different artificial methods of recreating post-collision asteroid dust, such as placing asteroids in orbits around Earth like satellites and having them "liberate fine dust" to block warming sunlight, thus hypothetically cooling our warming planet. "Our results show for the first time that such dust at times has cooled Earth dramatically," said Birger Schmitz, professor of geology at Lund University and the leader of the study. "Our studies can give a more detailed, empirical based understanding of how this works, and this in turn can be used to evaluate if model simulations are realistic." The research is still a ways out from practical use, however. Scientists are understandably wary about recreating a prehistoric dust storm. 
Speaking to Science Magazine, Seth Finnegan, a paleontologist at the University of California, Berkeley said that the results of the study "shows that the consequences of messing around in that way could be pretty severe." The university's press release does say their research "could be relevant for tackling global warming if we fail to reduce carbon dioxide emissions." But what do Slashdot's readers think of these ideas? Leave your own thoughts in the comments. Could climate change be solved by manipulating photons in space?
Read more of this story at Slashdot.
Mac Malware Poses as Trading App
On the hacker's trail
Against this background, cyber security has evolved. As attacks become ever more likely, preventive measures ...
Emmys: Amazon and Game of Thrones sweep the TV Oscars
Alleged Hacker Faces 154 Charges in Football Leaks Case
Swiss IT Security swallows Zapp IT
With the acquisition of Zapp IT, Swiss IT Security expands the group to a seventh company. The Basel-based company Zapp IT, founded in 2004, ...
Thousands of Google Calendars freely accessible online due to user error
It includes Security Information and Event Management (SIEM), vulnerability management and professional penetration tests. It also offers ...
YouTube channels taken over by spammers en masse
Worrying Bug Causes Random Credit Cards to Show Up in Other People’s Apple IDs
A number of iPhone owners complain of what appears to be a major security problem encountered when trying to change the billing info or the iTunes credit card data. According to posts on reddit (1 and 2), account information belonging to someone else shows up in others’ Apple IDs, along with full name, billing address, and the last 4 digits of credit cards. While full credit card data is not exposed, the personal information is, and users who came across this bug claim Apple is already aware of the problem. “Spent about 40 minutes on the phone with Apple. They are aware of my issue,” reddit user createdbyeric explains. “They are taking the issue very seriously. I was transferred to a senior manager who quickly acknowledged how big of an issue this was and he will ...
2019 Top Trending Issues for Cybersecurity
Free Windows 7 Updates for Voting Devices to Continue Until Late 2020
Voting machines running Windows 7 will continue to receive free security updates through the end of 2020 despite the January 14 end-of-support date for the operating system. Microsoft says it wants to provide devices that will be used in the voting process with security updates not only in the United States, but also in other democratic states that express their interest in this regard. Additionally, the software giant says it’s working with the government to make the process of certifying voting machines smoother in an attempt to speed up the upgrade process to newer software. “As we head into the 2020 elections, we know there is a relatively small but still significant number of certified voting machines in operation running on Windows 7. We also know that transitioning to machines running newer operating systems in time for the 2020 election may not be possible for a number of reasons, including the lengthy voting machine certification process – a process we are...
Under 30, honored by Bill Gates and on the way to becoming an international start-up star ...
The Darmstadt start-up impressed the trade audience at the world's largest IT security trade fair by number of exhibitors with its innovative ...
exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE files to BAT files; the previously well-known tool for this was exe2bat, and this is a version for modern Windows.
It will convert any binary file (*.exe) to a BAT file. The resulting BAT file contains only echo commands followed by a PowerShell command that re-creates the original binary file.
This kind of tool can be useful during a pen-test when you want to trigger a shell without any upload feature.
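As an added defender-side example (not part of the exe2powershell project or of this post), here is a Python triage script that reassembles the binary carried by a batch file of the kind described above and reports whether it has an MZ header and a PowerShell rebuild step. The batch layout used for the constructed sample (one echo line of hex per line appended to a .hex file, then a PowerShell command) is an assumption; the tool's exact output format is not shown on the page.

```python
import re

# Constructed sample batch file; the layout is an assumption, not the
# documented output of exe2powershell. The hex is a truncated DOS/PE stub.
SAMPLE_BAT = r"""@echo off
echo 4d5a90000300000004000000ffff0000 >> payload.hex
echo b8000000000000004000000000000000 >> payload.hex
echo 0e1fba0e00b409cd21b8014ccd215468 >> payload.hex
powershell -NoProfile -Command "$h=(Get-Content payload.hex) -join ''; $b=[byte[]]::new($h.Length/2); for($i=0;$i -lt $b.Length;$i++){$b[$i]=[Convert]::ToByte($h.Substring(2*$i,2),16)}; [IO.File]::WriteAllBytes('payload.exe',$b)"
"""

# An echo line whose only argument is a run of hex digits, redirected to a file.
ECHO_HEX_RE = re.compile(r"^\s*echo\s+([0-9A-Fa-f]+)\s*>>?\s*(\S+)", re.I | re.M)
PS_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)


def extract_payload(bat_text):
    """Reassemble the bytes spread over the echo lines.

    Returns (payload_bytes, redirect_target); (b"", None) if no such lines exist.
    """
    chunks = ECHO_HEX_RE.findall(bat_text)
    if not chunks:
        return b"", None
    hexstr = "".join(h for h, _ in chunks)
    if len(hexstr) % 2:            # tolerate a truncated final nibble
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr), chunks[0][1]


def triage(bat_text):
    """Summarise what a batch file carries: hex-bearing echo lines, size of the
    reassembled blob, whether it starts with 'MZ', and whether PowerShell is invoked."""
    data, target = extract_payload(bat_text)
    return {
        "echo_lines": len(ECHO_HEX_RE.findall(bat_text)),
        "bytes": len(data),
        "is_mz": data[:2] == b"MZ",
        "has_powershell": bool(PS_RE.search(bat_text)),
        "target": target,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BAT))
```

A file in which every echo line is pure hex, the reassembled bytes begin with MZ, and a PowerShell invocation follows is worth a closer look; an ordinary batch script that echoes words to a log file produces no hex chunks and is reported as such.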
No Cyber Attack on Iran says Ministry
Iran has cleared the air that there has been no cyberattack on its digital assets operating in Oil Refineries as claimed by some sources from western media. According to a press statement released by the Government’s Cyber Security Office to Times of Israel, no successful cyberattack was witnessed on oil refineries and so disruption claims […]
Dubai Cheers Exhibition lost $53,000 due to Phishing Cyber Attack
UAE based company Cheers Exhibition which is into stand building business for companies hosting their products & services at exhibitions has admitted that it has become a victim of a phishing cyber attack recently. And as per the latest update released to the media, its website has been pulled down as the website content holding […]
The post Dubai Cheers Exhibition lost $53,000 due to Phishing Cyber Attack appeared first on Cybersecurity Insiders.
Holding secure web conferences
Tags: authentication, BlueJeans, collaboration, IT security, ... With free audio, video and web conferencing it is a great ...
Software development of virtual machines with V-Realize Automation
The techniques that the Trusted Security Solutions Group (TSS) of ... the US Department of Defense, the Singapore Cyber Security Agency ...
Google Loans Cameras To Volunteers To Fill Gaps in 'Street View'
NPR explains why a man "applied to borrow a 360-degree camera through Google's Street View camera loan program." Kanhema, who works as a product manager in Silicon Valley and is a freelance photographer in his spare time, volunteered to carry Google's Street View gear to map what amounted to 2,000 miles of his home country. The Berkeley, California, resident has filled in the map of other areas in Africa and Canada as well.... Google says it has "largely mapped" only 87 of nearly 200 countries on the platform, which launched in 2007. Many other countries on the planet have at least some Street View coverage, Google says. But there are sizable gaps in regions like Africa, Antarctica and Central Asia, while areas such as the U.S. and Europe are mostly filled in. While users can see almost every street corner in places such as Paris or New York, they can't do the same for Algiers, Algeria, or Kabul, Afghanistan. "We start in the large metropolitan areas where we know we have users, where it's easy for us to drive and we can execute quickly," says Stafford Marquardt, a product manager for Street View. He says the team is working to expand the service's reach. To do that, Google often relies on volunteers who can either borrow the company's camera equipment or take photos using their own. Most images on Street View are collected by drivers, and most of these drivers are employed by third parties that work with Google. But when it comes to the places Google hasn't prioritized, people like Kanhema can fill in the gaps... All this is a lot of work, but for Kanhema, it's a hobby. Google doesn't pay him or the other volunteers -- whom the company calls "contributors" -- for the content they upload. Kanhema, for example, spent around $5,000 of his own money to travel across Zimbabwe for the project. "What motivates me is just being that constant nudge on these companies and this system to pay attention to those parts of the world," he says. 
Craig Dalton, an assistant professor of global studies and geography at Hofstra University, says Google's business model plays a big role in which places are added to Street View first. "Google Maps is not a public service. Google Maps is a product from a company, and things are included and excluded based on the company's needs," Dalton says. "Sometimes that means that things are excluded that have a lot of merit but that don't fit the business plan..." Although the company's end goal is to make a global street map, Kanhema is unsure when places like his hometown would be visible on the platform without volunteered images. "There's not always going to be a business case to tell the story of how people live across the world," he says. The volunteer contributors to Street View can sometimes receive funding from tourism boards or travel agencies, according to the article, but Street View's product manager adds that Google currently has no plans to compensate its volunteers. He says instead that Google compensates its volunteer contributors "in a lot of other ways" by offering "a platform to host gigabytes and terabytes of imagery and publish it to the entire world, absolutely for free."
M2solutions and Nordland are strategic partners
The Holstein IT service provider and the Ahrensburg POS specialist are working together with immediate effect ... benefit from IT services and IT security solutions."
Google Braces for Landmark Global Privacy Ruling
AI needs intelligent data management
Artificial intelligence (AI) is changing not only the world of production and work in companies, but also the way national security organisations worldwide conduct their operations and manage their activities.
Think twice before using facial-recognition technology or fingerprint scanning
THE FUTURE OF WAN MANAGEMENT - ZERO TOUCH PROVISIONING
The telecommunications landscape has undergone a deliberate and steady transformation of its network infrastructure in recent years, be it the switch from ISDN to VoIP or the replacement of the quasi market standard MPLS by SD-WAN.
3 Types of Network Attacks to Watch Out For
Cybersecurity is becoming a more common term in today’s industry. It is being passed around the executive meetings along with financial information and projected marketing strategies. Here are some common attack vectors plaguing the industry when it comes to network infrastructure. It does not really matter what type of infrastructure you have. If there […]
Building a Foundation for “Smart” Steel Factories with Fog Computing, the Cloud and Cybersecurity
Digital technologies have been transforming our world for the past few decades. For instance, the Internet of Things (IoT) and cloud computing have induced an evolution in the way we as a society live our everyday lives as well as how many enterprises conduct business. This evolution has started to enter the industrial realm, most notably […]
Massive wave of account hijacks hits YouTube creators
YouTube creators from the auto and car community were hit the hardest in what appears to be a coordinated attack.
Do Coders Crave a Sense of Control?
This week Stack Overflow's CEO/founder Joel Spolsky spoke to Clive Thompson, the tech journalist who just published the new book Coders: the Making of a New Tribe and the Remaking of the World. "It's a sort of ethnographic history of this particular tribe," explains a blog post at Stack Overflow, "examining how software developers fit into the world of business and culture and how their role in society has shifted in recent decades. "The official conversation kicked off after a 15-minute tangent on Joel's collection of Omni magazine and the formative role this publication had for both men." Some excerpts: Clive: The question in my mind is, who is interested in this? What gets them bit by the bug so they are willing to crawl over all the broken glass that is the daily work. Joel: In my time, it was the absolute control. Whatever code you wrote, that's what executed. There was no translation. It wasn't like, well the flour was kind of old, and I tried to make the souffle but it collapsed. Unlike so many things you will try to accomplish as a child or an adult, where you work on something but it doesn't turn out as you expect it to, with code it will do exactly what you told it. Even if that's not what you meant. You might suddenly realize you're obeying me to the point of making me angry. Clive: The monkey's paw thing. I shouldn't have wished for that. Joel: But the computer is still being completely obedient. Clive: That thrill is a common thread I found in my research, from the 1960s through today. I will talk to people in their 80s who worked on machines the size of an entire room, and it's the same damn thing talking to a 15-year-old girl at an afterschool program working on a raspberry pi or P5. There is something unique about the micro-world that is inside the machine, qualitatively different from our real world. Joel: It's sort of utopian. Things behave as they are supposed to. 
The reason I put a question mark on that, as programmers move higher and higher up the abstraction tree, that kinda goes away. Clive: I think the rise of machine learning is an interesting challenge to the traditional craft of software development. Some of the people I spoke with for the book aren't interested in it because they don't like the idea of working with these indeterminate training systems... there is something unsettling about not really knowing what's going on with what you're building. Joel: I just picked up Arduino a year ago and that was enormously fun because it was like going back to C, instead of all these fancy high-level languages where you don't know what they are going to do. It offered a really detailed level of control. If something doesn't work, you can figure it out, because everything is tractable. They also discussed the future of coding -- and took a fond look back at its past. Spolsky remembers his first exposure to computers was an interactive terminal system connected to a mainframe that ran FORTRAN, BASIC, and PL/I programs. "Many, many years later I realized there was no way they had enough memory for three compilers and in fact what they had was a very simple pre-processor that made Basic, FORTRAN, and PL/I all look like the same mush. "It was a very crappy subset of each of those three languages."
The key to modern cyber security
Nicolas Fischbach, CTO of the global cyber security vendor Forcepoint, talks about the importance of analysing human behaviour and how cyber security will change over the next few years.
Star Trek: Deep Space Nine 'Nog' Actor Aron Eisenberg Has Died at 50
An anonymous reader quotes CNET: Actor Aron Eisenberg, who played Nog on Star Trek: Deep Space Nine, died Saturday at age 50, his wife Malíssa Longo posted on Facebook. "He was an intelligent, humble, funny, emphatic soul," Longo wrote. "He sought to live his life with integrity and truth. He was so driven to put the best he had into whatever work was put before him." The actor's cause of death wasn't released, but he underwent his second kidney transplant in 2015, StarTrek.com notes in an obituary. Eisenberg played Nog, the first Ferengi to join Starfleet, and appeared in 40 episodes from across all seven seasons. The show ran from 1993 to 1999. His character was the son of Rom, the nephew of Quark, and the best friend of Jake Sisko, who was the son of commanding officer Benjamin Sisko. Eisenberg was told nothing about his character when he was cast and had no idea that the part would last, Star Trek reports: "I thought every episode I was doing might be my last episode," he told StarTrek.com in 2012. The site also notes that Eisenberg also played Kar, the young Kazon-Ogla, in a 1995 Star Trek: Voyager episode. This year Aron had become the host and producer of a Star Trek-themed podcast called "The 7th Rule." And Deep Space Nine (and the other early Star Trek series) are all available through Amazon Prime. CNET remembered the actor by sharing the Deep Space Nine scene where Nog makes a passionate speech about why he wants to join Starfleet Academy. ("My father is a mechanical genius. He could've been chief engineer of a starship if he'd had the opportunity. But he went into business like a good Ferengi...") On Twitter 79-year-old René Auberjonois (who played Odo on Deep Space Nine) called Aron "such a pure, sweet soul and gifted artist. He was a dedicated collaborator and friend. My condolences and love to his wife and family." 
Armin Shimerman, who had played Nog's bartender uncle Quark, tweeted Sunday "I have lost a great friend and the world has lost a great heart... He was a man of conviction and enormous sensitivity and the best of humanity... Flights of angels my friend... you will be missed." And Next Generation actor Jonathan Frakes tweeted "bless his sweet soul."
Rebel Cops Review (PC)
Rebel Cops is Weappy Studio's latest game and a spinoff from This Is the Police, the series that made the developer known to the gaming industry. However, unlike either of the two This Is the Police games, Rebel Cops is a straightforward experience that doesn't require management skills, nor moral choices. If you've played This Is the Police, this is a similar game stripped down by all other aspects except for the turn-based combat. The moral choices are limited to using lethal or non-lethal force when taking down an enemy, but they are merely reduced to decisions related to how you want to approach a mission from a tactical point of view. The premise of the game is as generic as a cop flick's scenario: a Russian crime boss takes over a rural town paying off all cops or eliminating those who oppose him. The last stand for justice is a group of incorruptible cops, who resign from the police force and take it to the woods to try and retake Ripton from Viktor Zuev's c...
How the Microsoft Store Urges Customers To Trade In Their iPhones
"Have you ever wondered how -- or even why -- Microsoft is offering $650 to switch from iPhone to Samsung's latest phones?" asks tech columnist Chris Matyszczyk. "A Microsoft store salesman enlightened me. It was spiritual, as much as factual." "This is a Microsoft store," I said. "Why are you pushing these?" "Because three weeks ago, you couldn't do what you can do now," he said. This was quite some drama. I hadn't heard that my life had changed just 21 days prior, but Oscar was ready to explain. "Now you can have a terabyte, which means this phone improves your mobility and can now replace your laptop. You can now run your business straight from this phone," he said... With a fervent -- and, I have to say, elegant -- enthusiasm, he talked me through my new possibilities. The ability to have everything from Outlook to Word to Excel to One Drive existing simultaneously on every gadget was, apparently, my new Nirvana. He took me over to a desktop and showed me how to dock my new Samsung phone and work simultaneously on the phone and the desktop. He then led me to the Surface Pro 6. "This is the one I've got. And, look, you don't need a keyboard," he said, as he brought up the on-screen keyboard that really isn't very easy to type on. Oscar's congenital positivity was so alluring that I had to insert a pause and ask him what phone he had. He pulled out the same iPhone XR as mine, but sadly in a case. "I've been with Apple for a long time," he explained. "But I just need to pay my iPhone down a bit more and I'm going to switch to this Note..." "Switching from iPhone to Samsung isn't easy, is it?" I muttered. "It's all in your mind," he replied. "You need to have a growth mindset. That's what leaving your iPhone behind represents. Growth." I had to laugh. Not out of insult, but out of sheer admiration for his TED Talk attempt to inspire. He was appealing to my spirit, not my rational mind. He was right, of course. I have a growth bodyset, not a growth mindset.... 
[A]s I walked out many minutes later, I remembered there was a new iPhone coming out. Three new iPhones. Would any of them represent personal growth?
What are some tools that use checksums in support of incident response?
Deobfuscating/REversing Remcos - AutoIt, Shellcode, and RunPE
Remcos is a robust RAT actively being used in the wild.
This multi-staged, evasive RAT provides powerful functionality to an attacker. Each stage is written in a different language: AutoIt -> Shellcode -> C++. I wanted to explore both the evasiveness and the core functionality of the malware.
This variant is a compiled AutoIt script.
AutoIt executables store their payload in the resource section, and load it at runtime via LoadResource.
AutoIt executables can be decompiled; this can be done by dropping the executable into Exe2Aut.
The source code is obfuscated, but can be easily deobfuscated with Python. Here is a block of code obfuscated with a recurring algorithm used throughout the malware.
Function and variable names are randomized, and the first line of the function defines an array of 169 elements. Each element is an integer expressed as the result of either an addition or a subtraction. The malware then iterates through this array, passing each element to the ChrW() function, which converts each integer to an ASCII character, building a string one character at a time.
We can use some greedy regex to grab all of these arrays and decode them with Python (snippet below).
The Python eval() function can be used to perform the addition/subtraction for each element.
As you can see, many of these integers are within the ASCII range and can therefore be resolved with the chr() function. The .join() function joins the list into one string, and a list comprehension applies chr() to each element of the list.
I then added a function to decode all hex strings from the output, which first prints the hex itself, then the decoded ASCII on the following line. One of the last lines of hex failed to decode (highlighted below). There are several interesting hex values that stand out in the string that led me to believe that this was shellcode. E.g. E9 is a near jmp, 55 8B EC is the start of a function prologue (push ebp....mov ebp, esp), 4D 5A ('MZ'), 50 45 ('PE'), etc...
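Added example, not the write-up's own snippet: a Python decoder for the array pattern described above, run against a constructed AutoIt fragment whose names are made up. Where the write-up used eval() for the additions and subtractions, this version parses each element with a regular expression instead, so that no text taken from a malware sample is ever executed by the analysis script. It also performs the hex-to-ASCII step and, for strings that do not decode as text, flags the byte patterns the text singles out (E9, 55 8B EC, MZ, PE).

```python
import re

# Constructed AutoIt fragment imitating the obfuscation described in the
# write-up: each array element is "a + b" or "a - b" and the decoded code
# points are concatenated with ChrW(). All identifiers are made up.
SAMPLE_AUTOIT = """
Func qzpxwl()
    Local $mfjqx[5] = [90 - 18, 100 + 1, 120 - 12, 106 + 2, 120 - 9]
    Local $r = ""
    For $i = 0 To 4
        $r &= ChrW($mfjqx[$i])
    Next
    Return $r
EndFunc

Func bwtrzk()
    Local $kpov[16] = [50 + 4, 70 - 4, 60 - 6, 50 + 3, 60 - 5, 40 + 10, 27 + 27, 70 - 1, _
        100 - 46, 43 + 10, 64 - 10, 60 + 7, 50 + 1, 52 - 1, 61 - 10, 25 + 25]
EndFunc

Func hgjlae()
    Local $wzq[10] = [70 - 1, 50 + 7, 60 + 5, 33 + 33, 40 + 8, 50 - 2, 24 + 24, 49 - 1, 58 - 10, 38 + 10]
EndFunc
"""

# "$name[169] = [ ... ]": declared element count and the bracketed body.
ARRAY_RE = re.compile(r"\$\w+\[(\d+)\]\s*=\s*\[([^\]]*)\]")
# Exactly one integer, one operator, one integer; anything else is rejected.
TERM_RE = re.compile(r"^\s*(\d+)\s*([+-])\s*(\d+)\s*$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
CODE_MARKERS = [
    (b"\xe9", "E9 near jmp"),
    (b"\x55\x8b\xec", "push ebp / mov ebp,esp prologue"),
    (b"MZ", "MZ DOS header"),
    (b"PE\0\0", "PE signature"),
]


def eval_term(term):
    """Evaluate one 'a + b' / 'a - b' element without calling eval()."""
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"unexpected array element: {term!r}")
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    return a + b if op == "+" else a - b


def decode_arrays(src):
    """Return the string each obfuscated array decodes to, in source order."""
    results = []
    for m in ARRAY_RE.finditer(src):
        declared = int(m.group(1))
        body = re.sub(r"_\s*\n", " ", m.group(2))   # join AutoIt line continuations
        values = [eval_term(t) for t in body.split(",")]
        if len(values) != declared:
            raise ValueError(f"array declares {declared} elements but lists {len(values)}")
        results.append("".join(chr(v) for v in values))
    return results


def decode_hex(text):
    """Hex -> (bytes, ascii); ascii is None when the bytes are not text.
    Returns None when the string is not a hex string at all."""
    if not HEX_RE.match(text):
        return None
    raw = bytes.fromhex(text)
    try:
        return raw, raw.decode("ascii")
    except UnicodeDecodeError:
        return raw, None


def code_markers(raw):
    """Byte patterns that suggest a blob is x86 code or an embedded PE."""
    return [desc for marker, desc in CODE_MARKERS if marker in raw]


def report(src):
    rows = []
    for text in decode_arrays(src):
        row = {"text": text, "raw": None, "ascii": None, "markers": []}
        decoded = decode_hex(text)
        if decoded:
            row["raw"], row["ascii"] = decoded
            row["markers"] = code_markers(row["raw"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_AUTOIT):
        print(row)
```

The declared-size check is a cheap sanity test: if the regex captured too little or too much of a line, the element count will not match the 169 (or whatever) the array declares, and the script fails loudly rather than emitting a silently truncated string.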
I copied this hex string into HxD and saved it to disk to create the binary.
I then loaded it into IDA for further analysis.
The first jmp transfers control flow to an address outside of this blob of shellcode, which suggests that there is likely more shellcode somewhere else within the malware. A function prologue/new stack frame is then set up (push ebp...mov ebp, esp....sub esp, 0x14). The first cmp dereferences the address in EBX, checking for the value 'MZ', the magic bytes of a Windows executable (.exe, .dll, .sys). If this value is found at that location, then the jump is taken (JZ = Jump if Zero/Equal...5A4D - 5A4D = 0 sets the Zero Flag). The DWORD at offset 0x3C from the 'MZ' header of an executable (e_lfanew) holds the offset to the start of the PE header. This offset is obtained and the location it points to is then checked for the value 'PE', which is the magic bytes of the PE header.
For example, here is a hex dump of a windows executable with the offset of the PE header (0x3c) highlighted.
Here is the start of the PE header - magic bytes = 'PE'
Back to the shellcode, the malware then locates the Export table, whose directory entry is 0x78 from the start of the PE header (for a 32-bit PE). From there it obtains pointers to several important tables. Shellcode can walk these tables to locate the addresses of WinAPI functions it may want to use: a manual, evasive way of getting what GetProcAddress would return.
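To make the walk concrete, here is an added Python example (not from the write-up) that performs the same lookup on a constructed, minimal PE32 image laid out as if mapped in memory (RVA == offset): check MZ at 0, follow e_lfanew at 0x3C, check PE, read the export directory RVA at PE+0x78, then map name -> ordinal -> function RVA. The exported names and RVAs are made up. Note that 0x78 holds for PE32 only; a PE32+ optional header is larger, so the export entry sits at PE+0x88.

```python
import struct


def build_test_image():
    """Constructed minimal PE32 image with three exports. It is laid out so that
    RVA == offset, i.e. the way shellcode sees a module already mapped in memory."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = e_lfanew + 0x18
    struct.pack_into("<H", img, opt, 0x10B)               # PE32 magic
    export_rva = 0x200
    # DataDirectory[0] (exports) at optional header + 0x60 == PE sig + 0x78
    struct.pack_into("<II", img, opt + 0x60, export_rva, 0x80)

    # Made-up exports: AddressOfFunctions is in ordinal order, while the name
    # table is sorted alphabetically, so the ordinal table is needed to join them.
    funcs = [(b"LoadLibraryA", 0x1000), (b"GetProcAddress", 0x1100), (b"VirtualAlloc", 0x1200)]
    by_name = sorted(range(len(funcs)), key=lambda i: funcs[i][0])
    fn_table = export_rva + 40
    names_table = fn_table + 4 * len(funcs)
    ord_table = names_table + 4 * len(funcs)
    cursor = ord_table + 2 * len(funcs)
    name_rvas = []
    for i in by_name:
        name = funcs[i][0] + b"\0"
        img[cursor:cursor + len(name)] = name
        name_rvas.append(cursor)
        cursor += len(name)
    dll_name = b"fake32.dll\0"
    img[cursor:cursor + len(dll_name)] = dll_name
    # IMAGE_EXPORT_DIRECTORY
    struct.pack_into("<IIHHIIIIIII", img, export_rva,
                     0, 0, 0, 0, cursor, 1, len(funcs), len(funcs),
                     fn_table, names_table, ord_table)
    for i, (_, rva) in enumerate(funcs):
        struct.pack_into("<I", img, fn_table + 4 * i, rva)
    for k, i in enumerate(by_name):
        struct.pack_into("<I", img, names_table + 4 * k, name_rvas[k])
        struct.pack_into("<H", img, ord_table + 2 * k, i)
    return bytes(img)


def resolve_export(image, wanted):
    """Walk the export table the way the shellcode does and return the RVA of
    `wanted`, or None if the name is not exported. Raises ValueError when the
    MZ/PE checks fail, mirroring the two cmp instructions in the disassembly."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    export_rva = struct.unpack_from("<I", image, e_lfanew + 0x78)[0]
    if export_rva == 0:
        return None
    (_, _, _, _, _, _base, _nfuncs, nnames,
     fn_table, names_table, ord_table) = struct.unpack_from("<IIHHIIIIIII", image, export_rva)
    for k in range(nnames):
        name_rva = struct.unpack_from("<I", image, names_table + 4 * k)[0]
        name = image[name_rva:image.index(b"\0", name_rva)]
        if name == wanted:
            # AddressOfNameOrdinals holds zero-based indices into AddressOfFunctions
            ordinal = struct.unpack_from("<H", image, ord_table + 2 * k)[0]
            return struct.unpack_from("<I", image, fn_table + 4 * ordinal)[0]
    return None


if __name__ == "__main__":
    img = build_test_image()
    for n in (b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc"):
        print(n.decode(), hex(resolve_export(img, n)))
```

Because this resolution never touches GetProcAddress, hooking that API or watching its call sites will not observe it; the observable artefacts are instead the memory reads of the module's header and export directory, which is one reason the author's approach of breaking on VirtualAlloc and then following the allocated region works better here.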
Back to the AutoIt code, I added a few lines to the Python to actually replace the encoded values with the decoded ones, so that I could get a better look at how they are being used.
I then started picking through the code, renaming variables to make more sense, and decoding any other obfuscated code I came across. The decdata function pulls a payload from the resource section through calling the user-defined function 'globaldata()'. There is a lot of garbage code (variables that are defined but never used and pointless arithmetic) that could be removed to clean it up.
This variable is defined, but never used, thus can be deleted!
Deobfuscated and cleaned up, you can see how much garbage was added to the function. The deobfuscation algorithm appears to be: hex -> ASCII (BinaryToString), reverse the string (StringReverse), and replace '%$=' with '/'.
The malware is using the WinAPI function CryptBinaryToString to convert the byte array '$sdata' to a string. The output string will be stored within a struct, which will be accessed by DllStructGetData to return the decoded data.
As mentioned earlier, the encoded data is pulled from the resource section of the executable via the 'globaldata()' function.
The resource that gets loaded is of type RCDATA, which is raw data.
Dumping this resource and popping it into a hex editor shows a reversed base64 string.
Here is the end of the resource ('TVqQ' is the base64 encoding of 'MZ'):
Using Python to decode the payload, I stored the reversed base64 string in the variable 's', then performed the reverse and replace.
Decoded and copied to disk, the fully decoded payload is a Windows executable.
The malware also attempts to privesc through the event viewer registry hijack to bypass UAC. Here is the deobfuscated/beautified code.
Another piece of code that stands out is the runpe() function. This routine is invoked via the wddtuykqzw() function.
RunPE is passed the path to the malware, a variable that invokes the decdata() function, and boolean values for the $protect and $persist parameters.
The first local variable contains the shellcode we loaded into IDA. More shellcode is appended to this variable throughout this function.
The shellcode is appended to this variable 169 bytes at a time.
To quickly pull these values out, I grep'd for ["169"] and then awk'd for the 4th column, which contains the hex string.
I then formatted and copied this string, dropped it into the hex editor, and then loaded the binary into IDA. As you can see, there are now 6 recognized functions.
sub_22D prepares for resolving the WinAPIs that the malware needs by building stack strings. al is set to 0 and used repeatedly to append a null terminator to the end of each string/API name.
Converting the hex to ASCII:
Two structs are created: one to store the shellcode, and the other to store the in-memory executable from the resource section. The struct 'silkrefud' stores the executable, and the shellcode is stored in the 'uderboss' struct. Control flow is then transferred to the shellcode via the 'DllCallAddress' function, which is passed a pointer to the 'silkrefud' struct as an argument.
To debug the shellcode, I loaded the executable into the debugger (x32dbg) and set a breakpoint on VirtualAlloc (trying to hit the block of code above). Before hitting the bp, I received an error message, and the program exited.
To bypass this mechanism, I set the BeingDebugged flag in the Process Environment Block (PEB) to 0. This is to trick the malware into thinking we aren't debugging it. To view the PEB in the memory dump window, the command is: dump fs:
BeingDebugged (offset 0x2 of PEB) is set to 1 (PEB -> fs:)
Setting flag to 0
After clearing the flag, I ran the program again and hit the VirtualAlloc called at the end of the runpe() function.
Here are the args passed to VirtualAlloc (matches the runpe() instance of this call)
I then set a memory-write breakpoint on the return value of this function, which is the base address of the newly allocated region of memory.
GetModuleHandleA is called just before WinMain is called in this new executable.
If not present, it then queries the registry for a value also related to the malware. If found, it deletes it.
A new mutex is then created:
The next function resolves the addresses of several WinAPIs, storing them in global variables.
Following this function, the malware enters an anti-analysis routine. The first check performed attempts to obtain a handle to 'SbieDll.dll', which detects whether the malware is running in Sandboxie.
The malware also checks the NtGlobalFlag in the PEB to detect being debugged.
The malware then checks for procmon by attempting to obtain a handle to the tool's window. It attempts to detect Process Explorer using the same technique.
The malware detects VMware through the 'in' instruction. If running in VMware, EBX will return the string 'VMXh'.
VirtualBox is detected through attempting to open a registry key associated with VirtualBox.
Admin rights are checked via the WinAPI call IsUserAnAdmin. This return value is then moved into a global variable.
If not run as admin, the malware attempts to privesc (bypass UAC) through the Event Viewer registry hijack (the same technique used in the AutoIt code).
The malware then attempts to set the 'EnableLUA' registry value to 0. This stops the system from prompting the user when something is installed or a system change is made (the UAC prompt).
Command: cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
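Added detection example (not from the write-up): Python that scans constructed process-creation log lines for the two registry changes described above, the reg.exe command that sets EnableLUA to 0, and a write to the mscfile\shell\open\command key that the Event Viewer UAC bypass relies on. That key name is not on the page; it is the well-documented handler key for that technique. The log format, timestamps and all paths are made up.

```python
import re

# Constructed process-creation events, "timestamp|image|command line".
# Line 1 is the reg.exe command shown in the write-up; line 2 writes the
# well-documented Event Viewer handler key; lines 3-5 are benign look-alikes.
LOG_LINES = [
    r"2019-09-22T10:01:02Z|cmd.exe|cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"2019-09-22T10:01:05Z|reg.exe|reg.exe add HKCU\Software\Classes\mscfile\shell\open\command /ve /d C:\Users\demo\AppData\Roaming\updater.exe /f",
    r"2019-09-22T10:02:00Z|reg.exe|reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
    r"2019-09-22T10:02:30Z|reg.exe|reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
    r"2019-09-22T10:03:00Z|notepad.exe|notepad.exe C:\Users\demo\notes.txt",
]

# reg(.exe) add ... Policies\System ... /v EnableLUA ... /d 0 (also 0x0)
UAC_OFF_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+.*?policies\\system\b.*?/v\s+enablelua\b.*?/d\s+(?:0x)?0+\b",
    re.I,
)
# reg(.exe) add ... \Classes\mscfile\shell\open\command
MSCFILE_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+.*?\\classes\\mscfile\\shell\\open\\command\b",
    re.I,
)
RULES = [
    ("uac_disable_enablelua", UAC_OFF_RE),
    ("eventvwr_hijack_key", MSCFILE_RE),
]


def classify(cmdline):
    """Return the rule names that match one command line (empty if none)."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Yield (timestamp, image, tags) for every event that triggers a rule."""
    hits = []
    for line in lines:
        ts, image, cmdline = line.split("|", 2)
        tags = classify(cmdline)
        if tags:
            hits.append((ts, image, tags))
    return hits


if __name__ == "__main__":
    for ts, image, tags in scan(LOG_LINES):
        print(ts, image, ",".join(tags))
```

Only `add` operations are flagged, so a `reg query` of the same value or a command that sets EnableLUA back to 1 does not fire. The rules cover the reg.exe form the write-up shows; a PowerShell or direct-API write to the same keys would need the registry-event telemetry itself rather than the process command line.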
The mutex checked for earlier is then created, just before the malware performs the RunPE technique.
RunPE is performed through the standard sequence of risky WinAPI calls.
The malware contains several interesting commands/modules. Here is a snippet of several of the hardcoded commands available.
'downloadfromurltofile' will ultimately call URLDownloadToFile.
The downloaded file is then passed to ShellExecuteA to be run.
'getproclist' retrieves a list of running processes by iterating through a snapshot of running processes taken via CreateToolhelp32Snapshot.
'execom' allows the malware to spawn additional processes and provide them commandline args. This is performed via WinExec:
Alternatively, the malware also has the capability to run native commands that will be passed to cmd.exe. Cmd.exe stdout is redirected to a named pipe, which the malware reads in.
The malware also has the ability to hijack the user's webcam. The malware calls out to C2 for an additional library for this functionality.
This library is mapped, then loaded in memory via LoadLibrary. The addresses of this DLL's functions are manually resolved, and placed in global variables.
'miccapture' will eavesdrop on the victim machine's mic.
Clipboard data is also stolen and exfiltrated.
Thanks for reading, and happy REversing!