Malware Analysis: Ragnarok Ransomware

The analysed sample is a malware employed by the Threat Actor known as Ragnarok. The ransomware is responsible for files’ encryption and it is typically executed, by the actors themselves, on the compromised machines. The name of the analysed executable is xs_high.exe, but others have been found used by the same ransomware family (such as xs_normal.exe and xs_remote.exe). The configuration within the malware contains information regarding the encryption activities, from whitelisted countries to the contents of the ransom note. It is...

Posted By

Descending into Cybercrime

More than an year ago (and before crazy and scary things like WannaCry and Petya happened) I had an idea for a research about the darkest shade of wearing a black hat, by the mean of getting some piece of information and statistics and write an analysis. Not a technical one, but something more like a financial analysis of the cybercrime business model and now I’m going to publish the results (it's even more present now than an year ago...). First...

Posted By

Cerber Dropper Ransomware Analysis

Before the month ends (I’m sorry but my time was really sucked up by planning and developing the HackInBo’s CTF, that I hope you will enjoy) I would like to post this very small and brief analysis of the latest JavaScript dropper used by the Cerber Ransomware in its campaign. I would also like to thank the Hacktive Security’s guys for the following sample: Dropper: MD5 afd5aa687ed3931d39f180f8e15500e1 SHA1 11460389a303e58086a2b7dbdab02437fb001434 SHA256 8b00174be5f9dd6a703bc5327e1be4161cd3922ca9a338889717370b53d4ca71 Cerber Ransomware: MD5 2dd3bd1801989ff6625aa041761cbed3 SHA1 08f28d5a7d32528fdb2b386334669d6b2b4226cb SHA256 a27c202bffde364fc385e41a244649e8e7baaec97c44c45cd02bb59642e1fb0e This time I will not...

Posted By

LinkedIn – CSV Excel formula injection

We are proud to publish an undisclosed vulnerability affecting LinkedIn and in particular its "CSV Export" function. Following our Vulnerability Disclosure Policy Agreement, LinkedIn Security Team has been informed about this specific issue and this vulnerability will be published without a working PoC. LinkedIn's users can exports all their connections into a CSV file, that due to some missing filters (escaping output), could allows an attacker to execute a command on the user machine. An attacker can create a LinkedIn profile embedding a...

Posted By

Backdoored OS

Recap Nella giornata del 21 Febbraio la distribuzione Linux Mint è stata attaccata e, a seguito dell’intrusione, l’aggressore è stato in grado di modificare la ISO della versione 17.3 Cinnamon Edition, inserendo una backdoor al suo interno. "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," Clement Lefebvre - head of Linux Mint project Tralasciando le modalità dell’attacco a Wordpress, la successiva compromissione del sito web e del forum (password del...

Posted By

Backdoored OS

Recap On February 21 Linux Mint was attacked and, as a result of the intrusion, the attacker was able to backdoor the ISO (Cinnamon Edition v17.3). "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," Clement Lefebvre - head of Linux Mint project Aside from the Wordpress attack, the subsequent forum dump (database password: "upMint.", seriously?) and the analysis of the malware (Tsunami/Kaiten), this incident made me think about a long-term...

Posted By

Keybase

Recently, a malware known as KeyBase, is "triggering" some of my sensors. KeyBase was distributed in February 2015 and sold for about $ 50 (in its first version), It remained active until May and then disappear from internet. During November it is back up with thousands of infections (v1.5). Keybase is a malware with limited capabilities belonging to the families of keyloggers and info-stealers. Malware Overview Keybase is written in C# and among its features we can find: Keylogging HotLogging(Keylogging ofspecific windows.ex. Paypal,...

Posted By

KeyBase

Da un po’ di tempo a questa parte, un malware conosciuto col nome di KeyBase, è ricomparso nei log di alcuni dei sensori che monitoro. Distribuito durante Febbraio 2015 nella versione 1.0 e acquistabile per circa 50$, è rimasto attivo fino a Maggio per poi sparire dalla rete. Da Novembre è tornato attivo (v1.5) con migliaia d’infezioni. Keybase è un malware dalle limitate capacità appartenente alla famiglia dei keylogger e info-stealer. You can read this article in English. Malware Overview Keybase è scritto in...

Posted By

DiamondFox

Recentemente una nuova botnet è passata alla ribalta, grazie a Xylitol, il suo nome è DiamondFox, anche conosciuta col nome di Gorynch, è una botnet general purpose con svariate funzionalità. Ecco come si presenta il pannello di controllo della botnet: Il malware, scritto in VB6, ha molte funzioni al suo intero, una tra le più interessanti è lo scraper di carte di credito, un modulo del bot che ricerca nella RAM del computer infetto, generalmente un Point of Sale System (POS), i...

Posted By

Reportage: HackInBo 2015 – Lab Edition

Lo scorso weekend si è tenuta a Bologna la quarta edizione dell’HackInBo, l’evento tutto italiano organizzato da Mario Anglani, dedicato agli appassionati e ai professionisti nell’ambito della sicurezza informatica. Come ogni edizione i membri del team VoidSec hanno partecipato all’evento e quest’anno, per la prima volta, anche bughardy si è unito al gruppo. L’evento quest’anno ha assunto una forma totalmente nuova affiancando alla giornata dedicata alla teoria una giornata intera di laboratori pratici, una novità che abbiamo decisamente apprezzato. La prima giornata, quella...

Posted By