Malware-based attacks on ATMs – A summary

ATM

Introduction Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics. ATMs have been robbed by criminal gangs around the world for decades. A successful approach since ~ 20 years is the use of highly flammable gas, which is … Continue reading Malware-based attacks on ATMs – A summary

Analysis of a trojanized jQuery script: GootLoader unleashed

Update 24/10/202: We have noticed 2 changes since we published this report 3 months ago. The code has been adapted to use registry key “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization” instead of “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone” (sample SHA256 ed2f654b5c5e8c05c27457876f3855e51d89c5f946c8aefecca7f110a6276a6e) When the payload is Cobalt Strike, the beacon configuration now contains hostnames for the C2, like r1dark[.]ssndob[.]cn[.]com and r2dark[.]ssndob[.]cn[.]com (all prior CS samples we … Continue reading Analysis of a trojanized jQuery script: GootLoader unleashed

Hunting Emotet campaigns with Kusto

Introduction Emotet doesn't need an introduction anymore - it is one of the more prolific cybercriminal gangs and has been around for many years. In January 2021, a disruption effort took place via Europol and other law enforcement authorities to take Emotet down for good. [1] Indeed, there was a significant decrease in Emotet malicious … Continue reading Hunting Emotet campaigns with Kusto

Kernel Karnage – Part 9 (Finishing Touches)

It's time for the season finale. In this post we explore several bypasses but also look at some mistakes made along the way. 1. From zero to hero: a quick recap As promised in part 8, I spent some time converting the application to disable Driver Signature Enforcement (DSE) into a Beacon Object File (BOF) … Continue reading Kernel Karnage – Part 9 (Finishing Touches)

Kernel Karnage – Part 8 (Getting Around DSE)

When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar. … Continue reading Kernel Karnage – Part 8 (Getting Around DSE)

Kernel Karnage – Part 7 (Out of the Lab and Back to Reality)

This week I emerge from the lab and put on a different hat. 1. Switching hats With Interceptor being successful in blinding $vendor2 sufficiently to run a meterpreter reverse shell, it is time to put on the red team hat and get out of the perfect lab environment. To do just that, I had to … Continue reading Kernel Karnage – Part 7 (Out of the Lab and Back to Reality)

Kernel Karnage – Part 6 (Last Call)

With the release of this blogpost, we’re past the halfway point of my internship; time flies when you’re having fun. 1. Introduction - Status Report In the course of these 6 weeks, I’ve covered several aspects of kernel drivers and EDR/AVs kernel mechanisms. I started off strong by examining kernel callbacks and why EDR/AV products … Continue reading Kernel Karnage – Part 6 (Last Call)

Kernel Karnage – Part 3 (Challenge Accepted)

While I was cruising along, taking in the views of the kernel landscape, I received a challenge … 1. Player 2 has entered the game The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that … Continue reading Kernel Karnage – Part 3 (Challenge Accepted)

Kernel Karnage – Part 1

I start the first week of my internship in true spooktober fashion as I dive into a daunting subject that’s been scaring me for some time now: The Windows Kernel. 1. KdPrint(“Hello, world!\n”); When I finished my previous internship, which was focused on bypassing Endpoint Detection and Response (EDR) software and Anti-Virus (AV) software from … Continue reading Kernel Karnage – Part 1

How malicious applications abuse Android permissions

Introduction Many Android applications on the Google Play Store request a plethora of permissions to the user. In most cases, those permissions are actually required by the application to work properly, even if it is not always clear why, while other times they are plainly unnecessary for the application or are used for malicious purposes. … Continue reading How malicious applications abuse Android permissions