Authors: Boudewijn Meijer && Rick Veldhoven Introduction As defensive security products improve, attackers must refine their craft. Gone are the days of executing malicious binaries from disk, especially ones well known to antivirus and Endpoint Detection and Reponse (EDR) vendors.…
Tag: Fox-IT International blog
Sifting through the spines: identifying (potential) Cactus ransomware victims
Authored by Willem Zeeman and Yun Zheng Hu This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view…
Android Malware Vultur Expands Its Wingspan
Authored by Joshua Kamp Executive summary The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. Vultur has also started masquerading more…
Memory Scanning for the Masses
Author: Axel Boesenach and Erik Schamper In this blog post we will go into a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning. We will give an overview of…
Reverse, Reveal, Recover: Windows Defender Quarantine Forensics
Max Groot & Erik Schamper TL;DR Introduction During incident response engagements we often encounter antivirus applications that have rightfully triggered on malicious software that was deployed by threat actors. Most commonly we encounter this for Windows Defender, the antivirus solution…
The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
Authored by Margit Hazenbroek At Fox-IT (part of NCC Group) identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP servers. Sometimes cybercriminals that host malicious…
Popping Blisters for research: An overview of past payloads and exploring recent developments
Authored by Mick Koomen. Summary Blister is a piece of malware that loads a payload embedded inside it. We provide an overview of payloads dropped by the Blister loader based on 137 unpacked samples from the past one and a…
From ERMAC to Hook: Investigating the technical differences between two Android malware variants
Authored by Joshua Kamp (main author) and Alberto Segura. Summary Hook and ERMAC are Android based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was…
Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
Fox-IT (part of NCC Group) has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on…
From Backup to Backdoor: Exploitation of CVE-2022-36537 in R1Soft Server Backup Manager
During a recent incident response case, we found traces of an adversary leveraging ConnectWise R1Soft Server Backup Manager software (hereinafter: R1Soft server software). The adversary used it as an initial point of access and as a platform to control downstream…
Threat spotlight: Hydra
This publication is part of our Annual Threat Monitor report that was released on the 8th of Febuary 2023. The Annual threat Monitor report can be found here. Authored by Alberto Segura Introduction Hydra, also known as BianLian, has been…
CVE-2022-27510, CVE-2022-27518 – Measuring Citrix ADC & Gateway version adoption on the Internet
Authored by Yun Zheng Hu Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway; where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given…
One Year Since Log4Shell: Lessons Learned for the next ‘code red’
Authored by Edwin van Vliet and Max Groot One year ago, Fox-IT and NCC Group released their blogpost detailing findings on detecting & responding to exploitation of CVE-2021-44228, better known as ‘Log4Shell’. Log4Shell was a textbook example of a code…
I’m in your hypervisor, collecting your evidence
Authored by Erik Schamper Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response…
I’m in your hypervisor, collecting your evidence
Authored by Erik Schamper Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response…
I’m in your hypervisor, collecting your evidence
Authored by Erik Schamper Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response…
Sharkbot is back in Google Play
Authored by Alberto Segura (main author) and Mike Stokkel (co-author) Introduction After we discovered in February 2022 the SharkBotDropper in Google Play posing as a fake Android antivirus and cleaner, now we have detected a new version of this dropper…
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Max Groot & Ruud van Luijk TL;DR A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and…
Flubot: the evolution of a notorious Android Banking Malware
Authored by Alberto Segura (main author) and Rolf Govers (co-author) Summary Flubot is an Android based malware that has been distributed in the past 1.5 years inEurope, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims.Like the majority…
Adventures in the land of BumbleBee
This article has been indexed from Fox-IT International blog Authored by: Nikolaos Totosis, Nikolaos Pantazopoulos and Mike Stokkel Executive summary BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download…
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
This article has been indexed from Fox-IT International blog Authors: Alberto Segura, Malware analyst Rolf Govers, Malware analyst & Forensic IT Expert NCC Group, as well as many other researchers noticed a rise in Android malware last year, especillay Android…
log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
This article has been indexed from Fox-IT International blog tl;dr Run our new tool by adding -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability…
log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
This article has been indexed from Fox-IT International blog tl;dr Run our new tool by adding -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability…
Log4Shell: Reconnaissance and post exploitation network detection
This article has been indexed from Fox-IT International blog Note: This blogpost will be live-updated with new information. NCC Group’s RIFT is intending to publish PCAPs of different exploitation methods in the near future – last updated December 12th at 19:15…
Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
This article has been indexed from Fox-IT International blog Author: Margit Hazenbroek tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. This model utilizes the Half-Space-Trees algorithm and provides our security operations teams (SOC)…
Tracking a P2P network related to TA505
This article has been indexed from Fox-IT International blog This post is by Nikolaos Pantazopoulos and Michael Sandee tl;dr – Executive Summary For the past few months NCC Group has been closely tracking the operations of TA505 and the development…
TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
This article has been indexed from Fox-IT International blog NCC Group’s global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U…
Reverse engineering and decrypting CyberArk vault credential files
This article has been indexed from Fox-IT International blog Author: Jelle Vergeer This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible…
Reverse engineering and decrypting CyberArk vault credential files
This article has been indexed from Fox-IT International blog Author: Jelle Vergeer This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible…
SnapMC skips ransomware, steals data
This article has been indexed from Fox-IT International blog Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the…
RM3 – Curiosities of the wildest banking malware
fumik0_ & the RIFT Team TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany…
RM3 – Curiosities of the wildest banking malware
Read the original article: RM3 – Curiosities of the wildest banking malware fumik0_ & the RIFT Team TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and…
Abusing cloud services to fly under the radar
Read the original article: Abusing cloud services to fly under the radar tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through…
Abusing cloud services to fly under the radar
Read the original article: Abusing cloud services to fly under the radar tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through…
Decrypting OpenSSH sessions for fun and profit
Read the original article: Decrypting OpenSSH sessions for fun and profit Author: Jelle Vergeer Introduction A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory…
Decrypting OpenSSH sessions for fun and profit
Read the original article: Decrypting OpenSSH sessions for fun and profit Author: Jelle Vergeer Introduction A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory…
StreamDivert: Relaying (specific) network connections
Read the original article: StreamDivert: Relaying (specific) network connections Author: Jelle Vergeer The first part of this blog will be the story of how this tool found it’s way into existence, the problems we faced and the thought process followed.…
Machine learning from idea to reality: a PowerShell case study
Read the original article: Machine learning from idea to reality: a PowerShell case study Detecting both ‘offensive’ and obfuscated PowerShell scripts in Splunk using Windows Event Log 4104 Author: Joost Jansen This blog provides a ‘look behind the scenes’ at…
Machine learning from idea to reality: a PowerShell case study
Read the original article: Machine learning from idea to reality: a PowerShell case study Detecting both ‘offensive’ and obfuscated PowerShell scripts in Splunk using Windows Event Log 4104 Author: Joost Jansen This blog provides a ‘look behind the scenes’ at…
A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC)
Read the original article: A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC) Authors: Rich Warren of NCC Group FSAS & Yun Zheng Hu of Fox-IT, in close collaboration with Fox-IT’s RIFT. About the Research and Intelligence Fusion Team (RIFT):…
A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC)
Read the original article: A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC) Authors: Rich Warren of NCC Group FSAS & Yun Zheng Hu of Fox-IT, in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):…
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Read the original article: WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox) Michael Sandee and in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):RIFT leverages our…
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Read the original article: WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox) and Michael Sandee 1. Introduction WastedLocker is a new ransomware locker we’ve detected being used since May 2020. We…
In-depth analysis of the new Team9 malware family
Read the original article: In-depth analysis of the new Team9 malware family Author: Nikolaos Pantazopoulos Co-author: Stefano Antenucci (@Antelox) And in close collaboration with NCC’s RIFT. 1. Introduction Publicly discovered in late April 2020, the Team9 malware family (also known…
In-depth analysis of the new Team9 malware family
Read the original article: In-depth analysis of the new Team9 malware family Author: Nikolaos Pantazopoulos Co-author: Stefano Antenucci (@Antelox) And in close collaboration with NCC’s RIFT. 1. Introduction Publicly discovered in late April 2020, the Team9 malware family (also known…
LDAPFragger: Command and Control over LDAP attributes
Introduction A while back during a penetration test of an internal network, we encountered physically segmented networks. These networks contained workstations joined to the same Active Directory domain, however only one network segment could connect to the internet. To…
Hunting for beacons
Author: Ruud van Luijk Attacks need to have a form of communication with their victim machines, also known as Command and Control (C2) [1]. This can be in the form of a continuous connection or connect the victim machine directly.…
Hunting for beacons
Author: Ruud van Luijk Attacks need to have a form of communication with their victim machines, also known as Command and Control (C2) [1]. This can be in the form of a continuous connection or connect the victim machine directly.…