Code analysis of CryCryptor Ransomware and its vulnerability that allowed to create a decryption tool
π£barakadua131
π@malwr
π£barakadua131
π@malwr
YouTube
Analysis of CryCryptor Android Ransomware and how I created decryptor | fake COVID-19 tracing app
Code and vulnerability analysis of CryCryptor Android Ransomware that was distributed via malicious websites as COVID-19 Tracing app in Canada.
More information: https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canadaβ¦
More information: https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canadaβ¦
ExAllocatePoolZero
π£FastInvite2k2
> you can see that check is made for build numbers later than 18362. The problem with that is that Windows 1909 isnβt build 18362, itβs 18363.
The off-by-one error strikes again, this time in kernel mode.
π€WonderfulNinja
π@malwr
π£FastInvite2k2
> you can see that check is made for build numbers later than 18362. The problem with that is that Windows 1909 isnβt build 18362, itβs 18363.
The off-by-one error strikes again, this time in kernel mode.
π€WonderfulNinja
π@malwr
OSR
Bug in New Function ExAllocatePoolZero Results in Security Vulnerability and Crashes
Update: Late in December 2020 Microsoft issued an update to the WDK/EWDK that includes mitigations for this security issue. See our blog post describing these updates. tl;dr Last week (week of 5 Juβ¦
Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI - Securityinbits
π£anuraggawande
π@malwr
π£anuraggawande
π@malwr
Securityinbits
Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI - CVE-2020-1464 - Securityinbits
This article discusses an interesting tactic (CVE-2020-1464) actively used by different Java RAT malware authors like Ratty & Adwind to distribute malicious JAR appended to signed MSI files.
LibreHealth Version 2.0.0 - Multiple High-Risk CVEs
π£breach_house
Reading through the unmerged pull requests here, surely there's a point where this many "string concatenation straight into SQL" combines with "this was fixed years ago in the other product this was forked from", a vendor that got a 30 day disclosure extended to 90 days and still hasn't merged fixes, and you've got to consider whether the product can really be salvaged.
π€disclosure5
π@malwr
π£breach_house
Reading through the unmerged pull requests here, surely there's a point where this many "string concatenation straight into SQL" combines with "this was fixed years ago in the other product this was forked from", a vendor that got a 30 day disclosure extended to 90 days and still hasn't merged fixes, and you've got to consider whether the product can really be salvaged.
π€disclosure5
π@malwr
Bishopfox
LibreHealth Version 2.0.0
Bishop Fox advisory on five vulnerabilities in LibreHealth application 2.0.0 including SQL injection, cross-site scripting and cross-site request forgery.
SIGRed - Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers - Check Point Research
π£digicat
We are all remediated now but this is an ugly ugly hole that is going to lead to some multi million dollar hacks against companies who donβt patch promptly.
π€afwaller
Seems kinda bold of them to give the world only a few hours head start to patch their systems given that it's not thought to be in the wild yet. Shoulda bought CheckPoint IPS I guess /shrug.
π€OnARedditDiet
π@malwr
π£digicat
We are all remediated now but this is an ugly ugly hole that is going to lead to some multi million dollar hacks against companies who donβt patch promptly.
π€afwaller
Seems kinda bold of them to give the world only a few hours head start to patch their systems given that it's not thought to be in the wild yet. Shoulda bought CheckPoint IPS I guess /shrug.
π€OnARedditDiet
π@malwr
TSK/Autopsy - Web Artifacts Opera
Hello,
i was wondering why the history of the opera web browser is not detected.
I know that on the web page it says Firefox, Chrome and Internet Explorer. Is it anywhere documented why the Opera browser is not included?
π£guyizda
As to why I don't know. It does seem it is an sqllite database, much like Chrome/Firefox.
Looks like there is a reference in their github for android:
https://github.com/sleuthkit/autopsy/blob/646a7a9e12148512de8db6ab030f78f297248394/InternalPythonModules/android/operabrowser.py
Mention to the windows location here:
https://github.com/sleuthkit/autopsy/blob/ab60e9c29ed8be6a43f918ffa29f228a6cdf270a/thirdparty/plaso/plaso-20180818-Win32/artifacts/webbrowser.yaml
π€AnalyzeAllTheLogs
Autopsy is generally...not that good. Opera is Chromium based and uses WebKit (Blink now?), so it is probably sorted under the Chrome history.
π€FunkeDope
π@malwr
Hello,
i was wondering why the history of the opera web browser is not detected.
I know that on the web page it says Firefox, Chrome and Internet Explorer. Is it anywhere documented why the Opera browser is not included?
π£guyizda
As to why I don't know. It does seem it is an sqllite database, much like Chrome/Firefox.
Looks like there is a reference in their github for android:
https://github.com/sleuthkit/autopsy/blob/646a7a9e12148512de8db6ab030f78f297248394/InternalPythonModules/android/operabrowser.py
Mention to the windows location here:
https://github.com/sleuthkit/autopsy/blob/ab60e9c29ed8be6a43f918ffa29f228a6cdf270a/thirdparty/plaso/plaso-20180818-Win32/artifacts/webbrowser.yaml
π€AnalyzeAllTheLogs
Autopsy is generally...not that good. Opera is Chromium based and uses WebKit (Blink now?), so it is probably sorted under the Chrome history.
π€FunkeDope
π@malwr
reddit
TSK/Autopsy - Web Artifacts Opera
Hello, i was wondering why the history of the opera web browser is not detected. I know that on the web page it says Firefox, Chrome and...
Analyzing in the wild exploitation of CVE-2019-1367 by DarkHotel #APT and Magnitude EK. The exploit introduced a Write-What-Where bug that works in every version of JScript engine.
π£eliya_confiant
π@malwr
π£eliya_confiant
π@malwr
Confiant
Internet Explorer CVE-2019β1367 In the wild Exploitation β prelude
Originally written by Taha Karim
Technical write up by researcher who found vulnerabilities in the Tenda AC15 AC1900 firmware 15.03.05.19 (5 CVEs issued - CMDi, XSS, CSRF, Hardcoded Telnet Password)
π£goopcat
π@malwr
π£goopcat
π@malwr
Medium
Tenda AC15 AC1900 Vulnerabilities Discovered and Exploited
Demonstrating how remote attackers can gain control of the Tenda AC15 AC1900.
https://github.com/ThisIsLibra/MalPull
More info: https://maxkersten.nl/projects/malpull/
βΉοΈ Sent from one of our members
π@malwr
More info: https://maxkersten.nl/projects/malpull/
βΉοΈ Sent from one of our members
π@malwr
GitHub
GitHub - ThisIsLibra/MalPull: A multi-threaded malware sample downloader based upon given MD-5/SHA-1/SHA-256 hashes, using multipleβ¦
A multi-threaded malware sample downloader based upon given MD-5/SHA-1/SHA-256 hashes, using multiple malware databases. - ThisIsLibra/MalPull
Malware News
A Twitter Hacking Spree Hits Musk, Obama, Apple, and More π£zr0_day π@malwr
All the messages appear to lead back to the same digital wallet, which received its first incoming transaction at 3:03 pm EDT. It has recorded around 300 transactions since, although several of those are outgoing. It's not clear at this time to where.
π@malwr
π@malwr
Malware News
All the messages appear to lead back to the same digital wallet, which received its first incoming transaction at 3:03 pm EDT. It has recorded around 300 transactions since, although several of those are outgoing. It's not clear at this time to where. π@malwr
At 10:38pm ET, the official Twitter Support account gave a more detailed explanation of the company's findings so far. "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the thread states. "We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.
π@malwr
π@malwr