Xavier – Page 6 – WindowsTechs.com

[SANS ISC] CinaRAT Delivered Through HTML ID Attributes

Posted on February 11, 2022 by Xavier

I published the following diary on isc.sans.edu: “CinaRAT Delivered Through HTML ID Attributes“: A few days ago, I wrote a diary about a malicious ISO file being dropped via a simple HTML file. I found another sample that again drops a malicious ISO file but this time, it is much

The post [SANS ISC] CinaRAT Delivered Through HTML ID Attributes appeared first on /dev/random.

Continue reading [SANS ISC] CinaRAT Delivered Through HTML ID Attributes→

[SANS ISC] Obscure Wininet.dll Feature?

Posted on January 21, 2022 by Xavier

I published the following diary on isc.sans.edu: “Obscure Wininet.dll Feature?“: The Internet Storm Center relies on a group of Handlers who are volunteers and offer some free time to the community besides our daily job. Sometimes, we share information between us about an incident or a problem that we are facing and

The post [SANS ISC] Obscure Wininet.dll Feature? appeared first on /dev/random.

Continue reading [SANS ISC] Obscure Wininet.dll Feature?→

[SANS ISC] RedLine Stealer Delivered Through FTP

Posted on January 20, 2022 by Xavier

I published the following diary on isc.sans.edu: “RedLine Stealer Delivered Through FTP“: Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection is a common attacker’s technique these days (for a long time already). The difference, in this case, is that

The post [SANS ISC] RedLine Stealer Delivered Through FTP appeared first on /dev/random.

Continue reading [SANS ISC] RedLine Stealer Delivered Through FTP→

[SANS ISC] Custom Python RAT Builder

Posted on January 7, 2022 by Xavier

I published the following diary on isc.sans.edu: “Custom Python RAT Builder“: This week I already wrote a diary about “code reuse” in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. When you received a malicious Word documents, it has not been

The post [SANS ISC] Custom Python RAT Builder appeared first on /dev/random.

Continue reading [SANS ISC] Custom Python RAT Builder→

[SANS ISC] Malicious Python Script Targeting Chinese People

Posted on January 6, 2022 by Xavier

I published the following diary on isc.sans.edu: “Malicious Python Script Targeting Chinese People“: This week I found a lot of interesting scripts as this is my fourth diary in a row! I spotted a Python script that targets Chinese people. The script has a very low VT score (2/56) (SHA256:aaec7f4829445c89237694a654a731ee5a52fae9486b1d2bce5767d1ec30c7fb).

The post [SANS ISC] Malicious Python Script Targeting Chinese People appeared first on /dev/random.

Continue reading [SANS ISC] Malicious Python Script Targeting Chinese People→

[SANS ISC] Code Reuse In the Malware Landscape

Posted on January 5, 2022 by Xavier

I published the following diary on isc.sans.edu: “Code Reuse In the Malware Landscape“: Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve? If you publish a nice

The post [SANS ISC] Code Reuse In the Malware Landscape appeared first on /dev/random.

Continue reading [SANS ISC] Code Reuse In the Malware Landscape→

[SANS ISC] A Simple Batch File That Blocks People

Posted on January 4, 2022 by Xavier

I published the following diary on isc.sans.edu: “A Simple Batch File That Blocks People“: I found another script that performs malicious actions. It’s a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53). The file hash is cc8ae359b629bc40ec6151ddffae21ec8cbfbcf7ca7bda9b3d9687ca05b1d584. The file is detected by

The post [SANS ISC] A Simple Batch File That Blocks People appeared first on /dev/random.

Continue reading [SANS ISC] A Simple Batch File That Blocks People→

[SANS ISC] McAfee Phishing Campaign with a Nice Fake Scan

Posted on January 3, 2022 by Xavier

I published the following diary on isc.sans.edu: “McAfee Phishing Campaign with a Nice Fake Scan“:

I spotted this interesting phishing campaign that (ab)uses the McAfee antivirus to make people scared. It starts with a classic email tha… Continue reading [SANS ISC] McAfee Phishing Campaign with a Nice Fake Scan→

Velociraptor & Loki

Posted on December 21, 2021 by Xavier

Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically “phones home” and keep s a connection with the server… exactly like a malware with it’s C2 server but this time

The post Velociraptor & Loki appeared first on /dev/random.

Continue reading Velociraptor & Loki→

[SANS ISC] More Undetected PowerShell Dropper

Posted on December 21, 2021 by Xavier

I published the following diary on isc.sans.edu: “More Undetected PowerShell Dropper“: Last week, I published a diary about a PowerShell backdoor running below the radar with a VT score of 0! This time, it’s a dropper with multiple obfuscation techniques in place. It is also important to mention that the injection technique used is similar

The post [SANS ISC] More Undetected PowerShell Dropper appeared first on /dev/random.

Continue reading [SANS ISC] More Undetected PowerShell Dropper→