Code analysis of CryCryptor Ransomware and its vulnerability that allowed to create a decryption tool
π£barakadua131
π@malwr
π£barakadua131
π@malwr
YouTube
Analysis of CryCryptor Android Ransomware and how I created decryptor | fake COVID-19 tracing app
Code and vulnerability analysis of CryCryptor Android Ransomware that was distributed via malicious websites as COVID-19 Tracing app in Canada.
More information: https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canadaβ¦
More information: https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canadaβ¦
ExAllocatePoolZero
π£FastInvite2k2
> you can see that check is made for build numbers later than 18362. The problem with that is that Windows 1909 isnβt build 18362, itβs 18363.
The off-by-one error strikes again, this time in kernel mode.
π€WonderfulNinja
π@malwr
π£FastInvite2k2
> you can see that check is made for build numbers later than 18362. The problem with that is that Windows 1909 isnβt build 18362, itβs 18363.
The off-by-one error strikes again, this time in kernel mode.
π€WonderfulNinja
π@malwr
OSR
Bug in New Function ExAllocatePoolZero Results in Security Vulnerability and Crashes
Update: Late in December 2020 Microsoft issued an update to the WDK/EWDK that includes mitigations for this security issue. See our blog post describing these updates. tl;dr Last week (week of 5 Juβ¦
Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI - Securityinbits
π£anuraggawande
π@malwr
π£anuraggawande
π@malwr
Securityinbits
Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI - CVE-2020-1464 - Securityinbits
This article discusses an interesting tactic (CVE-2020-1464) actively used by different Java RAT malware authors like Ratty & Adwind to distribute malicious JAR appended to signed MSI files.
LibreHealth Version 2.0.0 - Multiple High-Risk CVEs
π£breach_house
Reading through the unmerged pull requests here, surely there's a point where this many "string concatenation straight into SQL" combines with "this was fixed years ago in the other product this was forked from", a vendor that got a 30 day disclosure extended to 90 days and still hasn't merged fixes, and you've got to consider whether the product can really be salvaged.
π€disclosure5
π@malwr
π£breach_house
Reading through the unmerged pull requests here, surely there's a point where this many "string concatenation straight into SQL" combines with "this was fixed years ago in the other product this was forked from", a vendor that got a 30 day disclosure extended to 90 days and still hasn't merged fixes, and you've got to consider whether the product can really be salvaged.
π€disclosure5
π@malwr
Bishopfox
LibreHealth Version 2.0.0
Bishop Fox advisory on five vulnerabilities in LibreHealth application 2.0.0 including SQL injection, cross-site scripting and cross-site request forgery.
SIGRed - Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers - Check Point Research
π£digicat
We are all remediated now but this is an ugly ugly hole that is going to lead to some multi million dollar hacks against companies who donβt patch promptly.
π€afwaller
Seems kinda bold of them to give the world only a few hours head start to patch their systems given that it's not thought to be in the wild yet. Shoulda bought CheckPoint IPS I guess /shrug.
π€OnARedditDiet
π@malwr
π£digicat
We are all remediated now but this is an ugly ugly hole that is going to lead to some multi million dollar hacks against companies who donβt patch promptly.
π€afwaller
Seems kinda bold of them to give the world only a few hours head start to patch their systems given that it's not thought to be in the wild yet. Shoulda bought CheckPoint IPS I guess /shrug.
π€OnARedditDiet
π@malwr
TSK/Autopsy - Web Artifacts Opera
Hello,
i was wondering why the history of the opera web browser is not detected.
I know that on the web page it says Firefox, Chrome and Internet Explorer. Is it anywhere documented why the Opera browser is not included?
π£guyizda
As to why I don't know. It does seem it is an sqllite database, much like Chrome/Firefox.
Looks like there is a reference in their github for android:
https://github.com/sleuthkit/autopsy/blob/646a7a9e12148512de8db6ab030f78f297248394/InternalPythonModules/android/operabrowser.py
Mention to the windows location here:
https://github.com/sleuthkit/autopsy/blob/ab60e9c29ed8be6a43f918ffa29f228a6cdf270a/thirdparty/plaso/plaso-20180818-Win32/artifacts/webbrowser.yaml
π€AnalyzeAllTheLogs
Autopsy is generally...not that good. Opera is Chromium based and uses WebKit (Blink now?), so it is probably sorted under the Chrome history.
π€FunkeDope
π@malwr
Hello,
i was wondering why the history of the opera web browser is not detected.
I know that on the web page it says Firefox, Chrome and Internet Explorer. Is it anywhere documented why the Opera browser is not included?
π£guyizda
As to why I don't know. It does seem it is an sqllite database, much like Chrome/Firefox.
Looks like there is a reference in their github for android:
https://github.com/sleuthkit/autopsy/blob/646a7a9e12148512de8db6ab030f78f297248394/InternalPythonModules/android/operabrowser.py
Mention to the windows location here:
https://github.com/sleuthkit/autopsy/blob/ab60e9c29ed8be6a43f918ffa29f228a6cdf270a/thirdparty/plaso/plaso-20180818-Win32/artifacts/webbrowser.yaml
π€AnalyzeAllTheLogs
Autopsy is generally...not that good. Opera is Chromium based and uses WebKit (Blink now?), so it is probably sorted under the Chrome history.
π€FunkeDope
π@malwr
reddit
TSK/Autopsy - Web Artifacts Opera
Hello, i was wondering why the history of the opera web browser is not detected. I know that on the web page it says Firefox, Chrome and...
Analyzing in the wild exploitation of CVE-2019-1367 by DarkHotel #APT and Magnitude EK. The exploit introduced a Write-What-Where bug that works in every version of JScript engine.
π£eliya_confiant
π@malwr
π£eliya_confiant
π@malwr
Confiant
Internet Explorer CVE-2019β1367 In the wild Exploitation β prelude
Originally written by Taha Karim
Technical write up by researcher who found vulnerabilities in the Tenda AC15 AC1900 firmware 15.03.05.19 (5 CVEs issued - CMDi, XSS, CSRF, Hardcoded Telnet Password)
π£goopcat
π@malwr
π£goopcat
π@malwr
Medium
Tenda AC15 AC1900 Vulnerabilities Discovered and Exploited
Demonstrating how remote attackers can gain control of the Tenda AC15 AC1900.
https://github.com/ThisIsLibra/MalPull
More info: https://maxkersten.nl/projects/malpull/
βΉοΈ Sent from one of our members
π@malwr
More info: https://maxkersten.nl/projects/malpull/
βΉοΈ Sent from one of our members
π@malwr
GitHub
GitHub - ThisIsLibra/MalPull: A multi-threaded malware sample downloader based upon given MD-5/SHA-1/SHA-256 hashes, using multipleβ¦
A multi-threaded malware sample downloader based upon given MD-5/SHA-1/SHA-256 hashes, using multiple malware databases. - ThisIsLibra/MalPull