You never finish a program, you just stop working on it.
New Articles
We introduce Ruzzy, a coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This post will go over our motivation behind building Ruzzy, provide a brief overview of installing and running the tool, and discuss some of its interesting implementation details.
In this post, we will extend the DNS IoCs from an incident report by leveraging passive DNS analysis to identify common patterns (IPs, registration dates, subdomain patterns). We will then use these patterns to obtain updated threat actor domains that were not included in the publication of the initial incident report.
In this blog post, we share our full technical analysis of the latest Linux version of DinodasRAT, which we track as Linodas. It appears to be more mature than the Windows version, with a set of capabilities tailored specifically for Linux servers. In addition, the latest version introduces a separate evasion module to hide any traces of malware in the system by proxying and modifying the system binaries' execution.
Windows Memory Forensics
03/25/2024
In this blog post, we talk about what we can do when presented with a memory image from a suspect machine to investigate, and how to leverage our tools to extract as much information from it as we can.
SCCM Exploitation: Account Compromise Through Automatic Client Push & AD System Discovery
03/28/2024
In this blog post, I detail a technique to abuse a specific configuration to coerce the SCCM client push account to authenticate to an arbitrary host without needing access to any SCCM client or administrative access within the domain.
Unknown TTPs of Remcos RAT
03/26/2024
This article provides in-depth analysis and IoCs for Remcos RAT, a malware typically spread through malicious attachments, drive-by downloads, or social engineering.
Fear Kerberos Part II - Credential Access
03/26/2024
In this second part of the series, we will focus on Credential Access and the attacks that Kerberos can facilitate.
The Darkside of TheMoon
03/26/2024
This article is an analysis of the interactions between TheMoon, a bot running on more than 40,000 compromised systems, and Faceless, a proxy service that has become an integral tool for cybercriminals in obfuscating their activity.
In this article, we explain how to build the relationship between security capabilities and adversary behaviors with Mappings Explorer, a hub for defenders to explore these security capability mappings to ATT&CK.
This post outlines what I believe to be a novel way to overcome the limitations of the osquery yara scanning table to find fileless malware on Linux operating systems.
This blog provides an in-depth analysis of a newly identified loader, highlighting the attack's evasiveness and the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.
This article details how to detect and mitigate CVE-2024-3094, a critical supply chain compromise affecting the XZ Utils data compression library.
In this article, we delve into a malware evasion technique gaining traction: SMB (Server Message Block) staging, a maneuver that allows attackers to bypass antivirus software and gain unauthorized access to systems.
We show that it is possible to trigger Rowhammer bit flips on DDR4 devices on AMD Zen 2 and Zen 3 systems despite deployed TRR mitigations. This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface.
StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker's C2 server. In an attempt to evade detection, attackers change the initial email attachment file format. This article delves deeper into the timeline of these more recent attacks and the evolving tactics employed by the malware.
This article details how we can write Yara rules for unique identifiers specific to malware written in .NET, or any other .NET assemblies for that matter.
I decided to experiment with KCOV and see how I can hook it into libfuzzer and boot the kernel without spending too much on building a root file system.
Satori Threat Intelligence Alert: PROXYLIB and LumiApps Transform Mobile Devices into Proxy Nodes
03/26/2024
We identified a cluster of VPN apps available on the Google Play Store that transformed the user's device into a proxy node without their knowledge. We've dubbed this operation PROXYLIB after the Golang library responsible for the proxy node enrollment in each of the apps.
Azure Redirect URI Takeover Vulnerability
03/28/2024
We identified a vulnerability within Azure multi-tenant applications where the application's redirect URI contains a subdomain entry that is registered to the application but not to an Azure resource. These redirect URIs can be abused by threat actors to steal users' authorization codes and ID tokens.
Passive DNS For Phishing Link Analysis
04/01/2024
Analysing a Latrodectus phishing domain leveraging passive DNS tooling and 302 redirects.
Android Malware Vultur Expands Its Wingspan
03/28/2024
We provide technical analysis of the new features added to Vultur, an Android banking trojan. It started masquerading its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions.
Bypassing DOMPurify with good old XML
03/25/2024
In this article, I document two DOMPurify bypasses based on XML/HTML confusion.
xz/liblzma: Bash-stage Obfuscation Explained
03/30/2024
In this blog post, I will focus on the initial part in bash and the simple-but-clever obfuscation methods used in the xz/liblzma backdoor.
Lord Of The Ring0 - Part 6 - Conclusion
03/30/2024
In this blog post, we will write a simple driver capable of bypassing AMSI to demonstrate patching user-mode memory from the kernel, go through the credential dumping process from the kernel, and finish with tampering with various kernel callbacks as an example of patching kernel-mode memory. Last but not least, we give the final words and conclusion of this series.
This is a technical report about an incident leading to the delivery of IceID, a RAT malware, through the use of Microsoft OneNote files.
Attacking Supply Chain
04/01/2024
Supply chain attacks targeting DevOps pipelines have become increasingly prevalent, posing significant risks to software development and deployment processes. Let's explore the perspectives on these attacks and how organizations can defend against them.
In this blog post, we'll go over the construction and tuning of a few Semgrep rules I created while looking at a Ruby on Rails application.
Adventures in Stegoland
04/03/2024
Leveraging steganography to embed malicious shellcode within images offers an effective means to evade detection by AVs and EDRs. In this article, we will design a PoC of a loader that uses steganography as a way of hiding the shellcode.
In this post, we will provide an explanation of our understanding of how parts of Microsoft Intune work, a simple privilege escalation bug, our experience reporting the bug to MSRC, and then an analysis of Microsoft's patch.
Securing Flutter Applications
04/02/2024
In this blog, we'll explore various techniques and best practices for securing a Flutter application using the OWASP Mobile Top 10 list. We will be looking into crucial areas like credential mishandling, communication vulnerabilities, data storage pitfalls, and binary protection weaknesses, as well as steps to mitigate these risks along with some examples.
Bypassing Denuvo in Hogwarts Legacy
03/31/2024
The actual goal I had in mind was to find all features the game uses to derive the fingerprint and to patch them. On top of that, I want to patch most of the runtime checks. The real challenge I saw for myself was to analyze the protection to discover all the bindings it uses for the fingerprint.
In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected. This first post focuses on an incident triggered by a user downloading an application, which subsequently triggered the execution of the IDAT Loader and the BruteRatel C4 framework following initial access to a compromised asset.
Loaders Unleashed
04/03/2024
In this blog, we'll discuss different techniques to dynamically execute code inside a program. We'll provide examples in different languages, such as Python, PowerShell, etc.
Kobold letters
03/31/2024
The novelty of kobold letters lies in the focus on a specific attack scenario, while looking at multiple email clients. This article will help raise awareness of the risks associated with HTML emails and contribute to the discussion of what trade-offs are acceptable to mitigate these risks.
AiTM Phishing with Azure Functions
04/02/2024
In this article, I detail how I set up my own phishing toolkit that runs serverless on Azure, based on Azure Functions, to phish some Entra ID credentials and cookies.
How to use Google Maps Scraper for OSINT
04/02/2024
Google Maps Scraper is useful for various investigations, for example to collect information about a company or to find a place based on a photo. Here's a quick tutorial on how to use this tool.
Persistence - DLL Proxy Loading
04/03/2024
In this article, we detail DLL Proxy Loading, a technique in which an arbitrary DLL exports the same functions as the legitimate DLL and forwards the calls to the legitimate DLL. It is typically utilized as a stealthier method to load an arbitrary DLL without breaking the original operation of a process, which might otherwise be an indicator of compromise for defenders.
This blog describes our analysis of the DJI Mavic 3 Drone firmware along with the criticality and potential impacts of each vulnerability. These vulnerabilities have the potential to facilitate unauthorized exfiltration of videos and pictures by exploiting the QuickTransfer Mode Wi-Fi protocol.
Raspberry Robin started as a worm, then evolved to become an initial access broker for other threat actors. In this blog, we will analyze a recent variant featuring interesting and as-of-yet unknown anti-emulation techniques.
Still Recent
VexTrio's Browser Fingerprinting
03/19/2024
In this article, we will have a look at the fingerprinting stage of VexTrio, a malicious TDS (Traffic Distribution System) currently injected into webpages across the globe, that redirects visitors to an array of different fraud pages.
Exploiting QUIC's Connection ID Management
03/19/2024
QUIC's connection ID issuance mechanism is vulnerable to a resource exhaustion attack. In this post, we'll dive into how QUIC uses connection IDs, and how the current protocol mechanism introduces this vulnerability. We'll also take a step back and explore the lessons to be learned from these recent attacks.
Delving into Dalvik: A Look Into DEX Files
03/06/2024
Through a case study, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier. Additionally, we are releasing a tool called dexmod that exemplifies Dalvik bytecode patching and helps modify DEX files.
In this article, we will focus on the Apache APISIX API gateway and its security implications.
Unearthed Arcana
Embedded IoT systems need to be designed for specific functions. As a result, we can't use a single reference design. However, it is possible to summarize the most common architectures. In this post, we will review the main components of such design, evaluate the attack surface, and exploit some vulnerabilities we found.
In this second and final blog post on this topic, we cover some OTA vulnerabilities we identified in wireless communication protocols, primarily Zigbee and BLE.