Exploit This

Security News, Exploits, and Vulnerabilities.

Shedding Skin – Turla’s Fresh Faces

Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an “ultra complex” snake rootkit focused on NATO-related targets, but their malware set and activity is much broader. Our current focus is on more recent and upcoming activity from this APT.

Delving deep into VBScript

In late April we found and wrote a description of CVE-2018-8174, a new zero-day vulnerability for Internet Explorer that uses a well-known technique from the PoC exploit CVE-2014-6332. But whereas CVE-2014-6332 was aimed at integer overflow exploitation for writing to arbitrary memory locations, my interest lay in how this technique was adapted to exploit the use-after-free vulnerability.

Roaming Mantis uses DNS hijacking to infect Android smartphones

In March 2018, Japanese media reported the hijacking of DNS settings on routers located in Japan, redirecting users to malicious IP addresses. The redirection led to the installation of Trojanized applications named facebook.apk and chrome.apk that contained Android Trojan-Banker. During our research we received some invaluable information about the true scale of this attack, we decided to call it ‘Roaming Mantis’.

Denis and Co.

In April 2017, we published a detailed review of a malicious program that used DNS tunneling to communicate to its C&C. That study prompted us to develop a technology to detect similar threats, which allowed us to collect a multitude of malware samples using DNS tunneling.

Dridex: A History of Evolution

In the several years that the Dridex family has existed, there have been numerous unsuccessful attempts to block the botnet’s activity. The ongoing evolution of the malware demonstrates that the cybercriminals are not about to bid farewell to their brainchild, which is providing them with a steady revenue stream.

Use of DNS Tunneling for C&C Communications

Often, virus writers don’t even bother to run encryption or mask their communications. However, you do get the occasional off-the-wall approaches that don’t fall into either of the categories. Take, for instance, the case of a Trojan that Kaspersky Lab researchers discovered in mid-March and which establishes a DNS tunnel for communication with the C&C server.

Hajime, the mysterious evolving botnet

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. In this blogpost we outline some of the recent ‘improvements’ to Hajime, some techniques that haven’t been made public, and some statistics about infected IoT devices.

The security is still secure

Recently WikiLeaks published a report that, among other things, claims to disclose tools and tactics employed by a state-sponsored organization to break into users’ computers and circumvent installed security solutions. The list of compromised security products includes dozens of vendors and relates to the whole cybersecurity industry.

Old Malware Tricks To Bypass Detection in the Age of Big Data

Kaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently. This attacker has been using the XXMM malware toolkit, which was named after an original project path revealed through a pdb string inside the file.

Malicious code and the Windows integrity mechanism

My goal wasn’t to review the techniques of elevating system privileges. Here, I wanted to look at the overall picture and talk about the whole range of Windows operating systems in all their diversity dating back to Windows Vista, but without discussing specific versions.

%d bloggers like this: