In today's digital landscape, Remote Monitoring and Management (RMM) tools have become indispensable for organizations seeking to streamline IT operations, enhance productivity, and ensure seamless remote support. However, within our threat hunting and incident response engagements we often see that these tools, while beneficial, can also pose significant security risks if not properly managed. This … Continue reading Hunting for Remote Management Tools
Category: Forensics
Covert TLS n-day backdoors: SparkCockpit & SparkTar
This report documents two covert TLS-based backdoors identified by NVISO: SparkCockpit & SparkTar. Both backdoors employ selective interception of TLS communication towards the legitimate Ivanti server applications.
XOR Known-Plaintext Attacks
In this blog post, we show in detail how a known-plaintext attack on XOR encoding works, and automate it with custom tools to decrypt and extract the configuration of a Cobalt Strike beacon. If you are only interested in the tools and not in the theory, go straight to the conclusion 🙂. A known-plaintext attack …
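The core of the attack is the identity C[i] ^ P[i] = K[i mod n]: every ciphertext byte whose plaintext is known gives away one byte of the repeating key. The script below is an added, self-contained illustration of that idea and is not NVISO's tooling or real beacon data; the configuration blob, the key and the "known" fragment are constructed for the demo, and the plausibility check (printable ASCII plus NUL separators) is an assumed heuristic for what a decrypted config should look like. It slides a known fragment over the ciphertext, derives the key stream at each offset, keeps the offset where that stream has a short period, realigns the key to position 0 and decrypts the whole blob.

```python
"""Known-plaintext attack on repeating-key XOR (added example, constructed data)."""
from typing import Optional, Tuple

# Constructed sample: a beacon-style config blob and a 4-byte repeating key.
# Demo values only; not a real Cobalt Strike beacon.
SAMPLE_KEY = bytes([0x2E, 0x69, 0x5A, 0x11])
SAMPLE_CONFIG = (
    b"sleeptime=60000\x00jitter=10\x00"
    b"spawnto=%windir%\\sysnative\\rundll32.exe\x00"
    b"useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00"
)
# Fragment an analyst expects inside the config (assumed known plaintext).
KNOWN_FRAGMENT = b"%windir%\\sysnative\\rundll32.exe"


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_at(ciphertext: bytes, plaintext: bytes, offset: int) -> bytes:
    """C[i] ^ P[i] = K[i mod n]: each known plaintext byte exposes one key byte."""
    segment = ciphertext[offset:offset + len(plaintext)]
    return bytes(c ^ p for c, p in zip(segment, plaintext))


def period_of(stream: bytes) -> int:
    """Smallest n with stream[i] == stream[i mod n] for all i.

    n == len(stream) means no repetition was observed (fragment too short
    for the key, or wrong offset).
    """
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)


def recover_key(ciphertext: bytes, plaintext: bytes, offset: int) -> bytes:
    """Key aligned to ciphertext position 0.

    Assumes the fragment exposes at least one full key period.
    stream[j] == K[(offset + j) mod n]  =>  K[m] == stream[(m - offset) mod n]
    """
    stream = keystream_at(ciphertext, plaintext, offset)
    n = period_of(stream)
    return bytes(stream[(m - offset) % n] for m in range(n))


def looks_like_config(data: bytes) -> bool:
    """Heuristic plausibility check: printable ASCII plus NUL separators."""
    return all(b == 0 or 0x20 <= b < 0x7F for b in data)


def locate_and_recover(ciphertext: bytes, plaintext: bytes,
                       max_key_len: int = 16) -> Optional[Tuple[int, bytes]]:
    """Find where the known fragment sits and recover the key.

    The right offset yields a key stream with a short period. Two guards keep
    chance matches out: the fragment must cover at least two full periods,
    and the full decryption must look like a config. The second guard is what
    makes single-byte keys work, since a period of 1 appears at every offset.
    """
    for offset in range(len(ciphertext) - len(plaintext) + 1):
        stream = keystream_at(ciphertext, plaintext, offset)
        n = period_of(stream)
        if n > max_key_len or 2 * n > len(stream):
            continue
        key = recover_key(ciphertext, plaintext, offset)
        if looks_like_config(xor(ciphertext, key)):
            return offset, key
    return None


if __name__ == "__main__":
    ct = xor(SAMPLE_CONFIG, SAMPLE_KEY)
    found = locate_and_recover(ct, KNOWN_FRAGMENT)
    if found:
        off, key = found
        print(f"fragment at offset {off}, key {key.hex()}")
        print(xor(ct, key).replace(b"\x00", b"\n").decode())
```

The same routine handles a single-byte XOR key (period 1) because the plausibility check rejects the wrong offsets; for a longer key, pick a known fragment at least twice the expected key length, otherwise `period_of` cannot confirm the repetition.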
The SOC Toolbox: Analyzing AutoHotKey compiled executables
A quick post on how to extract AutoHotKey scripts from an AutoHotKey script compiled executable.
IcedID & Qakbot’s VNC Backdoors: Dark Cat, Anubis & Keyhole
In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID & Qakbot VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.
Investigating an engineering workstation – Part 4
Finally, as the last part of the blog series, we will have a look at the network traffic observed. We will do this in two sections: the first one will cover a few things useful to know if we are in the situation where Wireshark can dissect the traffic for us. The second section will …