In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID & Qakbot VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.
Category: Videos
Cobalt Strike: Overview – Part 7
This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods. In part 1, we explain that Cobalt Strike traffic is encrypted using RSA and AES cryptography, and that we found private RSA keys that can help …
Solving a CTF challenge: Exploiting a Buffer Overflow (video)
Capture The Flag (CTF) competitions are an entertaining way to practice and/or improve your skills. NVISO staff regularly participate in CTF competitions, in particular when the competition focuses on IT security. We produced a video with step-by-step analysis of a CTF executable containing a buffer overflow. This executable is running on a server, and by …
Don't be lazy with P4ssw0rd$
Three challenges to making passwords user-friendly. Following the interview of Bill Burr, author of NIST's 2003 paper on Electronic Authentication, in which he announced that he regrets much of what he wrote, we stop and think. Why was the standard putting users at risk? Paraphrasing History: "Tout pour le peuple; rien par le peuple". Perfectly …
Tracking threat actors through .LNK files
In the blog post .LNK downloader and bitsadmin.exe in malicious Office document we were asked the following question by Harlan Carvey: Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number? We did not do that at the time, however we see the value in …
Videos: Analyzing an Office Maldoc with a VBA Emulator
We produced 2 videos for our blog post Analyzing an Office Maldoc with a VBA Emulator. The first video shows ViperMonkey in action: https://www.youtube.com/watch?v=jAUg2nrt4Fw The second video shows how to extract the EXE: https://www.youtube.com/watch?v=n5oRMmSdCr8