In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID & Kakbot VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.
This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods. In part 1, we explain that Cobalt Strike traffic is encrypted using RSA and AES cryptography, and that we found private RSA keys that can help … Continue reading Cobalt Strike: Overview – Part 7
Capture The Flag (CTF) competitions are an entertaining way to practice and/or improve your skills. NVISO staff regularly participates in CTF competitions, in particular when the competition focuses on IT security. We produced a video with step-by-step analysis of a CTF executable containing a buffer overflow. This executable is running on a server, and by … Continue reading Solving a CTF challenge: Exploiting a Buffer Overflow (video)
Three challenges to making passwords user-friendly Following the interview of Bill Burr, author of NIST’s 2003 paper on Electronic Authentication, in which he announced that he regrets much of what he wrote, we stop and think. Why was the standard putting users at risk? Paraphrasing History: “Tout pour le peuple; rien par le peuple”. Perfectly … Continue reading Don’t be lazy with P4ssw0rd$
In the blog post .LNK downloader and bitsadmin.exe in malicious Office document we were asked the following question by Harlan Carvey: Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number? We did not do that at the time, however we see the value in … Continue reading Tracking threat actors through .LNK files