Descending into Cybercrime
More than an year ago (and before crazy and scary things like WannaCry and Petya happened) I had an idea for a research about the darkest shade of wearing a black hat, by the mean of getting some piece of information and statistics and write an analysis. Not a technical one, but something more like a financial analysis of the cybercrime business model and now I’m going to publish the results (it's even more present now than an year ago...). First...
Cerber Dropper Ransomware Analysis
Before the month ends (I’m sorry but my time was really sucked up by planning and developing the HackInBo’s CTF, that I hope you will enjoy) I would like to post this very small and brief analysis of the latest JavaScript dropper used by the Cerber Ransomware in its campaign. I would also like to thank the Hacktive Security’s guys for the following sample: Dropper: MD5 afd5aa687ed3931d39f180f8e15500e1 SHA1 11460389a303e58086a2b7dbdab02437fb001434 SHA256 8b00174be5f9dd6a703bc5327e1be4161cd3922ca9a338889717370b53d4ca71 Cerber Ransomware: MD5 2dd3bd1801989ff6625aa041761cbed3 SHA1 08f28d5a7d32528fdb2b386334669d6b2b4226cb SHA256 a27c202bffde364fc385e41a244649e8e7baaec97c44c45cd02bb59642e1fb0e This time I will not...
LinkedIn – CSV Excel formula injection
We are proud to publish an undisclosed vulnerability affecting LinkedIn and in particular its "CSV Export" function. Following our Vulnerability Disclosure Policy Agreement, LinkedIn Security Team has been informed about this specific issue and this vulnerability will be published without a working PoC. LinkedIn's users can exports all their connections into a CSV file, that due to some missing filters (escaping output), could allows an attacker to execute a command on the user machine. An attacker can create a LinkedIn profile embedding a...
Backdoored OS
Recap Nella giornata del 21 Febbraio la distribuzione Linux Mint è stata attaccata e, a seguito dell’intrusione, l’aggressore è stato in grado di modificare la ISO della versione 17.3 Cinnamon Edition, inserendo una backdoor al suo interno. "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," Clement Lefebvre - head of Linux Mint project Tralasciando le modalità dell’attacco a Wordpress, la successiva compromissione del sito web e del forum (password del... Backdoored OS
Recap On February 21 Linux Mint was attacked and, as a result of the intrusion, the attacker was able to backdoor the ISO (Cinnamon Edition v17.3). "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," Clement Lefebvre - head of Linux Mint project Aside from the Wordpress attack, the subsequent forum dump (database password: "upMint.", seriously?) and the analysis of the malware (Tsunami/Kaiten), this incident made me think about a long-term...
Keybase
Recently, a malware known as KeyBase, is "triggering" some of my sensors. KeyBase was distributed in February 2015 and sold for about $ 50 (in its first version), It remained active until May and then disappear from internet. During November it is back up with thousands of infections (v1.5). Keybase is a malware with limited capabilities belonging to the families of keyloggers and info-stealers. Malware Overview Keybase is written in C# and among its features we can find: Keylogging HotLogging(Keylogging ofspecific windows.ex. Paypal,... KeyBase
Da un po’ di tempo a questa parte, un malware conosciuto col nome di KeyBase, è ricomparso nei log di alcuni dei sensori che monitoro. Distribuito durante Febbraio 2015 nella versione 1.0 e acquistabile per circa 50$, è rimasto attivo fino a Maggio per poi sparire dalla rete. Da Novembre è tornato attivo (v1.5) con migliaia d’infezioni. Keybase è un malware dalle limitate capacità appartenente alla famiglia dei keylogger e info-stealer. You can read this article in English. Malware Overview Keybase è scritto in...
DiamondFox
Recentemente una nuova botnet è passata alla ribalta, grazie a Xylitol, il suo nome è DiamondFox, anche conosciuta col nome di Gorynch, è una botnet general purpose con svariate funzionalità. Ecco come si presenta il pannello di controllo della botnet: Il malware, scritto in VB6, ha molte funzioni al suo intero, una tra le più interessanti è lo scraper di carte di credito, un modulo del bot che ricerca nella RAM del computer infetto, generalmente un Point of Sale System (POS), i...
