OpenSSH User Enumeration Vulnerability: a Close Look

Intro: An OpenSSH user enumeration vulnerability (CVE-2018-15473) became public via a GitHub commit. This vulnerability does not produce a list of valid usernames, but it does allow guessing of usernames. In this blog post, we take a closer look at this vulnerability and propose mitigation and monitoring actions. Technical details: This vulnerability manifests itself in […]

Compiling Our Python Decompiler

Following the feedback we receive for our py2exe decompiler (a decompiler for Windows executables created by py2exe), we noticed that there is a community need for this tool. Most of the feedback comments are requests for help related to missing dependencies and similar problems. However, a couple of months ago, there had been an API-breaking release […]

PowerShell Inside a Certificate? – Part 3

In the first part of this series, we explained the internal structure of certificates and how this knowledge can help us detect fake certificates. In this part, we will provide different rules that you can use in your organization to detect these certificates. YARA: This is the YARA rule that started this research: This YARA […]

PowerShell Inside a Certificate? – Part 2

In our previous blog post, we developed a method to detect certificate files that do not contain a real certificate. Trojanized certificates like these are often not detected by AV and IDS. Although we found all kinds of payloads, fake certificates containing a Windows executable appear to be the most common. In this post we will […]

PowerShell Inside a Certificate? – Part 1

With the help of a specifically crafted YARA rule developed by NVISO analysts, we found multiple certificate files (.crt) that do not contain a certificate, but instead a malicious PowerShell script. In this blog post, we explain how we crafted this YARA rule. Certificates: Certificate files in Windows can have different extensions, like .cer and […]

Shortcomings of blacklisting in Adobe Reader and what you can do about it

A variation of a class of malicious PDFs appeared in the wild. In this blog post, we will show you how to protect your systems and how to analyze these PDFs. The PDFs embed a file type with extension .SettingContent-ms that can be used on Windows 10 to execute arbitrary code. We have observed on […]

Sextortion Scam With Leaked Passwords Succeeds

Following the forum post on sextortion emails being spammed to innocent victims, we were curious to see if this scam would indeed be successful. We have observed similar scam campaigns before, but now the scammers seem to include the victim’s password as well, creating a sense of legitimacy. During our analysis we observed 3 payments to the […]

Extracting a Windows Zero-Day from an Adobe Reader Zero-Day PDF

In May 2018, when ESET published a blog post covering PDFs with 2 zero-days, our interest was immediately piqued. Promptly after our analysis of these PDFs, we sent out an early warning to our customers. Now that Microsoft has published a blog post with the detailed analysis of the zero-days, we find it appropriate […]

Creating custom YARA rules

In a previous post, we created YARA rules to detect compromised CCleaner executables (YARA rules to detect compromised CCleaner executables). We will use this example as an opportunity to illustrate how the creation of these custom YARA rules was performed. In its blog post, Talos shared 3 hashes as Indicators Of Compromise (IOCs): 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9 […]