Someone is roping Apache NiFi servers into a cryptomining botnet

If you’re running an Apache NiFi instance exposed on the internet and you have not secured access to it, the underlying host may already be covertly cryptomining on someone else’s behalf. The attack indicators of the ongoing campaign were f…

[SANS ISC] A Backdoor with Smart Screenshot Capability

I published the following diary on isc.sans.edu: “A Backdoor with Smart Screenshot Capability“: Today, everything is “smart” or “intelligent”. We have smartphones, smart cars, smart doorbells, etc. Being “smart” means performing actions depending on the context, the environment, or user actions. For a while, backdoors and trojans have implemented screenshot

The post [SANS ISC] A Backdoor with Smart Screenshot Capability appeared first on /dev/random.


[SANS ISC] A First Malicious OneNote Document

I published the following diary on isc.sans.edu: “A First Malicious OneNote Document”: Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns. OneNote files (ending with the extension “.one”) are handled automatically by computers that have the

The post [SANS ISC] A First Malicious OneNote Document appeared first on /dev/random.


Google ads increasingly pointing to malware

The FBI has recently warned the public about search engine ads pushing malware disguised as legitimate software – an old tactic that has lately resulted in too many malicious ads served to users searching for software, cracked software, drivers …

[SANS ISC] Do you collect “Observables” or “IOCs”?

I published the following diary on isc.sans.edu: “Do you collect “Observables” or “IOCs”?“: Indicators of Compromise, or IOCs, are key elements in blue team activities. IOCs are mainly small pieces of technical information that have been collected during investigations, threat hunting activities or malware analysis. About the last example, the malware analyst’s goal

The post [SANS ISC] Do you collect “Observables” or “IOCs”? appeared first on /dev/random.


[SANS ISC] Another Script-Based Ransomware

I published the following diary on isc.sans.edu: “Another Script-Based Ransomware”: In the past, I already found some script-based ransomware samples written in Python or PowerShell. The last one I found was only a “proof-of-concept” (my guess) but it demonstrates how easily such malware can be developed and how they remain

The post [SANS ISC] Another Script-Based Ransomware appeared first on /dev/random.


[SANS ISC] Malicious Python Script Behaving Like a Rubber Ducky

I published the following diary on isc.sans.edu: “Malicious Python Script Behaving Like a Rubber Ducky”: Last week, it was SANSFIRE in Washington where I presented a SANS@Night talk about malicious Python scripts in Windows environments. I’m still looking for more fresh meat and, yesterday, I found another interesting one. Do you

The post [SANS ISC] Malicious Python Script Behaving Like a Rubber Ducky appeared first on /dev/random.


[SANS ISC] Malicious PowerShell Targeting Cryptocurrency Browser Extensions

I published the following diary on isc.sans.edu: “Malicious PowerShell Targeting Cryptocurrency Browser Extensions“: While hunting, I found an interesting PowerShell script. After a quick check, my first conclusion was that it is again a simple info stealer. After reading the code more carefully, the conclusion was different: It targets crypto-currency browser

The post [SANS ISC] Malicious PowerShell Targeting Cryptocurrency Browser Extensions appeared first on /dev/random.


[SANS ISC] Houdini is Back Delivered Through a JavaScript Dropper

I published the following diary on isc.sans.edu: “Houdini is Back Delivered Through a JavaScript Dropper“: Houdini is a very old RAT that was discovered years ago. The first mention I found back is from 2013! Houdini is a simple remote access tool written in Visual Basic Script. The script is not very interesting

The post [SANS ISC] Houdini is Back Delivered Through a JavaScript Dropper appeared first on /dev/random.


[SANS ISC] Sandbox Evasion… With Just a Filename!

I published the following diary on isc.sans.edu: “Sandbox Evasion… With Just a Filename!“: Today, many sandbox solutions are available and deployed by most organizations to detonate malicious files and analyze their behavior. The main problem with some sandboxes is the filename used to submit the sample. The file can be

The post [SANS ISC] Sandbox Evasion… With Just a Filename! appeared first on /dev/random.
