MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Delivering vulnerable signed kernel drivers remains popular among attackers

ESET researchers took an in-depth look into the abuse of vulnerable kernel drivers. Vulnerabilities in signed drivers are mostly utilized by game cheat developers to circumvent anti-cheat mechanisms, but they have also been observed being used by sever…

77% of rootkits are used for espionage purposes

In a new report, Positive Technologies analyzes this past decade’s most infamous families of rootkits – programs that hide the presence of malicious software or traces of intrusion in victim systems. The study finds that the majority of roo…

GhostEmperor: From ProxyLogon to kernel mode

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

Is W^X enforced against UEFI DXE drivers (firmware)? Could it be if we tried?

W^X is a critical security feature, allowing us a chance to perform security analysis on data that some entity on a computer wants to execute.
Windows implements this by requiring a process to call VirtualProtect. Because UEFI rootkits are…

If two UEFI rootkits battle to perform / prevent an action, what determines which side can succeed? [closed]

Let’s take a very simple defense goal. I’m a UEFI DXE Driver and my only goal is to prevent a 100GB file located at C:\sacred
from being deleted or overwritten by the system under any circumstances. My opponent (also a UEFI DXE Driver, so…

Can a running SSH connection to a rootkit infected VPS be used to attack the remote client?

If a VPS running Debian 10 Xfce as a cloud desktop has been rootkit infected and there is an ongoing SSH connection with X2Go from a client to manage this server, is it possible for an attacker on the VPS to hijack the existing SSH connect…

How to protect the host system against a rootkit on a virtual machine?

I need to create a virtual machine (Debian 10) with Virtualbox on a Linux host system. The VM will be used as an office desktop to access the Internet via browser and therefore needs to use the Internet-connection that is provided by the h…

How to securely create a bootable USB drive from a possibly infected system?

I’m not sure about my system so I want to completely wipe my HDD and reinstall Windows 10.
But I realized that an infected system can also infect a USB bootable drive.
Unfortunately, I don’t have access to a trusted system to create the US…