Category: SANS Internet Storm Center, InfoCON: green

Phishing for Banking Information, (Fri, Dec 27th)

It is again the time of the year when scammers are asking to verify banking information, whether it is credit cards, bank card, package shipping information, winning money, etc. Last night I received a text message to verify a credit…

Read more →

Compiling Decompyle++ For Windows, (Wed, Dec 25th)

Occasionaly I decompile Python code, with decompilers written in Python. Recently I discovered Decompyle++, a Python disassembler & decompiler written in C++. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Compiling Decompyle++…

Read more →

More SSH Fun!, (Tue, Dec 24th)

A few days ago, I wrote a diary[1] about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I…

Read more →

Modiloader From Obfuscated Batch File, (Mon, Dec 23rd)

My last investigation is a file called “Albertsons_payment.GZ”, received via email. The file looks like an archive but is identified as a picture by TrID: This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original…

Read more →

Christmas “Gift” Delivered Through SSH, (Fri, Dec 20th)

Christmas is at our doors and Attackers use the holiday season to deliver always more and more gifts into our mailboxes! I found this interesting file this morning: “christmas_slab.pdf.lnk”[1]. Link files (.lnk) are a classic way to execute something malicious…

Read more →

Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th)

RATs or “Remote Access Tools” are very popular these days. From an attacker&#x27s point of view, it&#x27s a great way to search and exfiltrate interesting data but also to pivot internally in the network. Besides malicious RATs, they are legit…

Read more →

Microsoft Patch Tuesday: December 2024, (Tue, Dec 10th)

Microsoft today released patches for 71 vulnerabilities. 16 of these vulnerabilities are considered critical. One vulnerability (CVE-2024-49138) has already been exploited, and details were made public before today's patch release. This article has been indexed from SANS Internet Storm Center,…

Read more →

CURLing for Crypto on Honeypots, (Mon, Dec 9th)

I get a daily report from my honeypots for Cowrie activity [1], which includes telnet and SSH sessions attempted on the honyepot. One indicator I use to find sessions of interest is the number of commands run. Most of the…

Read more →

[Guest Diary] Business Email Compromise, (Thu, Dec 5th)

[This is a Guest Diary by Chris Kobee, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1]. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article:…

Read more →

Quickie: Mass BASE64 Decoding, (Fri, Nov 29th)

I was asked how one can decode a bunch of BASE64 encoded IOCs with my tools. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Quickie: Mass BASE64 Decoding, (Fri, Nov 29th)

Read more →

Decrypting a PDF With a User Password, (Sat, Nov 23rd)

In diary entry “Analyzing an Encrypted Phishing PDF”, I decrypted a phishing PDF document. Because the PDF was encrypted for DRM (owner password), I didn't have to provide a password. This article has been indexed from SANS Internet Storm Center,…

Read more →

Wireshark 4.4.2 Released, (Sat, Nov 23rd)

Wireshark release 4.4.2 fixes 2 vulnerabilities and 33 bugs. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Wireshark 4.4.2 Released, (Sat, Nov 23rd)

Read more →

Apple Fixes Two Exploited Vulnerabilities, (Tue, Nov 19th)

Today, Apple released updates patching two vulnerabilities that have already been exploited. Interestingly, according to Apple, the vulnerabilities have only been exploited against Intel-based systems, but they appear to affect ARM (M”x”) systems as well. This article has been indexed…

Read more →

Increase In Phishing SVG Attachments, (Thu, Nov 21st)

There is an increase in SVG attachments used in phishing emails (Scalable Vector Graphics, an XML-based vector image format). This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Increase In Phishing SVG Attachments,…

Read more →

Detecting the Presence of a Debugger in Linux, (Tue, Nov 19th)

Hello from Singapore where I'm with Johannes and Yee! This week, I'm teaching FOR710[1]. I spotted another Python script that looked interesting because, amongst the classic detection of virtualized environments, it also tries to detect the presence of a debugger. The script has been…

Read more →

Exploit attempts for unpatched Citrix vulnerability, (Mon, Nov 18th)

Last week, Watchtowr Labs released details describing a new and so far unpatched vulnerability in Citrix's remote access solution [1]. Specifically, the vulnerability affects the “Virtual Apps and Desktops.” This solution allows “secure” remote access to desktop applications. It is…

Read more →

Microsoft November 2024 Patch Tuesday, (Tue, Nov 12th)

This month, Microsoft is addressing a total of 83 vulnerabilities. Among these, 3 are classified as critical, 2 have been exploited in the wild, and another 2 have been disclosed prior to Patch Tuesday. Organizations are encouraged to prioritize these…

Read more →

PDF Object Streams, (Mon, Nov 11th)

The first thing to do, when analyzing a potentially malicious PDF, is to look for the /Encrypt name as explained in diary entry Analyzing an Encrypted Phishing PDF. This article has been indexed from SANS Internet Storm Center, InfoCON: green…

Read more →


zipdump & PKZIP Records, (Sun, Nov 10th)

In yesterday's diary entry “zipdump & Evasive ZIP Concatenation” I showed how one can inspect the PKZIP records that make up a ZIP file. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article:…

Read more →


zipdump & Evasive ZIP Concatenation, (Sat, Nov 9th)

On Friday's Stormcast, Johannes talks about Evasive ZIP Concatenation, a technique where 2 (or more) ZIP files are concatenated together to evade detection. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: 
zipdump…

Read more →

zipdump & PKZIP Records, (Sun, Nov 10th)

In yesterday's diary entry “zipdump & Evasive ZIP Concatenation” I showed how one can inspect the PKZIP records that make up a ZIP file. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article:…

Read more →

zipdump & Evasive ZIP Concatenation, (Sat, Nov 9th)

On Friday's Stormcast, Johannes talks about Evasive ZIP Concatenation, a technique where 2 (or more) ZIP files are concatenated together to evade detection. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: zipdump…

Read more →

Steam Account Checker Poisoned with Infostealer, (Thu, Nov 7th)

I found an interesting script targeting Steam users. Steam[1] is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called “steam-account-checker” and is available in Github[2]. Its description is: This article…

Read more →

[Guest Diary] Insights from August Web Traffic Surge, (Wed, Nov 6th)

[This is a Guest Diary by Trevor Coleman, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1]. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article:…

Read more →

Python RAT with a Nice Screensharing Feature, (Tue, Nov 5th)

While hunting, I found another interesting Python RAT in the wild. This is not brand new because the script was released two years ago[1]. The script I found is based on the same tool and still has a low VT score:…

Read more →

Analyzing an Encrypted Phishing PDF, (Mon, Nov 4th)

Once in a while, I get a question about my pdf-parser.py tool, not able to decode strings and streams from a PDF document. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Analyzing…

Read more →

qpdf: Extracting PDF Streams, (Sat, Nov 2nd)

In diary entry “Analyzing PDF Streams” I answer a question asked by a student of Xavier: “how can you export all streams of a PDF?”. I explained how to do this with my pdf-parser.py tool. This article has been indexed…

Read more →

Scans for RDP Gateways, (Wed, Oct 30th)

RDP is one of the most prominent entry points into networks. Ransomware actors have taken down many large networks after initially entering via RDP. Credentials for RDP access are often traded by “initial access brokers”. This article has been indexed…

Read more →

Apple Updates Everything, (Mon, Oct 28th)

Today, Apple released updates for all of its operating systems. These updates include new AI features. For iOS 18 users, the only upgrade path is iOS 18.1, which includes the AI features. Same for users of macOS 15 Sequoia. For…

Read more →