Category: Blog

Analysing the Hancitor Maldoc

Introduction Recently we have seen several phishing attempts using macro-enabled Word attachments to load the Hancitor downloader trojan. The macros in these documents use routine Windows API functions that take a callback parameter in order to run shellcode directly in memory, without needing to drop further files to disk. This entry follows the analysis
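The callback trick described above is worth seeing as a triage check. The following Python is an added example, not code from the original post and not Hancitor's macro: it scans VBA source for the alloc -> copy -> callback pattern, resolving `Declare ... Alias` so an obfuscated local name still maps to the real export, and reports when a buffer returned by an allocator is later handed to an API that will call it as a function pointer. The VBA fragments are constructed for the example, and the lists of allocator, copy and callback-taking APIs are the author's assumption of what to look for, not a list taken from the Hancitor sample.

```python
import re

# Win32 exports whose function-pointer argument the OS later calls. Passing them the
# address of a writable buffer executes whatever bytes were copied there; no CreateThread
# is needed. (Assumed watch-list for this example, not the set the post enumerates.)
CALLBACK_APIS = {
    "EnumWindows", "EnumChildWindows", "EnumDesktopWindows",
    "EnumSystemLocalesA", "EnumSystemLocalesW", "EnumResourceTypesA", "EnumResourceTypesW",
    "EnumDateFormatsA", "EnumDateFormatsW", "CallWindowProcA", "CallWindowProcW",
    "QueueUserAPC", "CreateThread", "SetTimer",
}
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx", "HeapAlloc"}
COPY_APIS = {"RtlMoveMemory", "RtlCopyMemory", "WriteProcessMemory"}

# Declare [PtrSafe] Function|Sub <local> Lib "<dll>" [Alias "<export>"] ...
DECLARE_RE = re.compile(
    r'\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"[^"]+"'
    r'(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE,
)

# Constructed macro modelled on the pattern above (not the real Hancitor document):
# allocate RWX memory, copy bytes in, then let EnumWindows "call back" into the buffer.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal Destination As LongPtr, ByRef Source As Any, ByVal Length As Long)
Private Declare PtrSafe Function ew Lib "user32" Alias "EnumWindows" (ByVal lpEnumFunc As LongPtr, ByVal lParam As LongPtr) As Long

Sub AutoOpen()
    Dim sc(3) As Byte, buf As LongPtr
    buf = VirtualAlloc(0, 4096, &H3000, &H40)   ' MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
    RtlMoveMemory buf, sc(0), 4
    ew buf, 0                                    ' EnumWindows treats buf as its callback
End Sub
'''

# Constructed benign macro: a Win32 import, but no allocator and no callback-taking API.
BENIGN_VBA = r'''
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Sub AutoOpen()
    Sleep 100
End Sub
'''


def declared_apis(vba: str) -> dict:
    """Map each Declare'd local name to the real export; an Alias beats the local name."""
    return {m.group(1): (m.group(2) or m.group(1)) for m in DECLARE_RE.finditer(vba)}


def _by_role(apis: dict, exports: set) -> set:
    """Local names whose resolved export is in the given watch-list."""
    return {local for local, export in apis.items() if export in exports}


def analyse_macro(vba: str) -> dict:
    """Report allocator/copy/callback imports and every chain where a buffer returned by
    an allocator is passed as an argument to a callback-taking API."""
    apis = declared_apis(vba)
    allocs = _by_role(apis, ALLOC_APIS)
    copies = _by_role(apis, COPY_APIS)
    callbacks = _by_role(apis, CALLBACK_APIS)

    # Variables assigned the return value of an allocator: candidate shellcode buffers.
    buffers = set()
    for local in allocs:
        buffers |= set(re.findall(r'\b(\w+)\s*=\s*' + re.escape(local) + r'\s*\(',
                                  vba, re.IGNORECASE))

    chains = []
    for line in vba.splitlines():
        if re.search(r'\bDeclare\b', line, re.IGNORECASE):
            continue                                # prototypes, not calls
        code = line.split("'")[0]                   # drop the VBA comment
        for local in callbacks:
            m = re.search(r'\b' + re.escape(local) + r'\b\s*\(?(.*)', code, re.IGNORECASE)
            if not m:
                continue
            args = {a.strip(' ()\t') for a in m.group(1).split(',')}
            for buf in sorted(buffers & args):
                chains.append((local, apis[local], buf))   # (local name, export, buffer)

    return {
        "alloc": sorted(allocs), "copy": sorted(copies), "callback": sorted(callbacks),
        "buffers": sorted(buffers), "chains": chains,
        # The copy step is supporting evidence only: some macros fill the buffer byte by
        # byte, so the verdict rests on an allocated buffer reaching a callback parameter.
        "suspicious": bool(chains),
    }


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(name, analyse_macro(src))
```

Run against `SAMPLE_VBA` the chain reported is `("ew", "EnumWindows", "buf")`: the obfuscated local name `ew` is resolved through its `Alias` to `EnumWindows`, and `buf` is traced back to `VirtualAlloc`. The benign macro produces no chain. Macros that build the call with `CallByName` or string concatenation defeat this static pass, which is why the in-memory behaviour the post goes on to analyse is the more reliable signal.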

Following Process Hollowing in OllyDbg

Overview Process Hollowing is a common technique used by modern malware to create a process which appears legitimate when viewed in tools such as Task Manager, but whose code has in fact been replaced with malicious content. This post will outline the API calls used in Process Hollowing and will explain how to follow the

Multiple Vulnerabilities in Citrix Provisioning Services

Today, Citrix released the CTX219580 security advisory containing the fixes for five vulnerabilities. It has to be noted that all the exchanges with the Citrix Security Response Team were very pleasant, and they provided us with regular updates about the status of the fixes. Citrix Provisioning Services is a Citrix product which allows

BadRabbit Ransomware

Since October 24th, our Threat Intelligence team has been collecting many reports about a new family of ransomware that calls itself “BadRabbit.” This emerging threat seemingly first targeted institutions and companies in Russia and Ukraine, among them the media group Interfax, Kiev’s metro system, and Odessa Airport. The ransomware then spread to other countries such as Bulgaria,

Ransomware “BadRabbit” (German version)

Since October 24th, our Threat Intelligence team has received numerous reports about a new malware family that calls itself “BadRabbit.” The new threat initially targeted institutions and companies in Russia and Ukraine, among them the Russian news agency Interfax, the Kiev metro and Odessa airport. But then further attacks

BadRabbit Orion Malware Report

This malware report aims at giving a technical analysis of the BadRabbit ransomware using the Orion Malware analysis platform. It gives a technical interpretation of the Orion Malware report and focuses on discussing the similarities and distinctions between BadRabbit and NotPetya’s design and behaviour. What’s the Difference Between Bad Rabbit and NotPetya? BadRabbit is made

The ideal industrial SOC and its need for convergence and trust

There are many ways to contribute to the cyber security of a company, from a technological point of view as well as from a procedural point of view. This concept, translated into a company’s cyber security architecture, must always be aligned with the strategic needs of the business and its risk appetite; otherwise you could be

Asset Inventories – Establishing the Foundation of Comprehensive ICS Security

Critical infrastructure operated by Industrial Control Systems (ICS) forms the backbone of modern societies. However, as opposed to safety, cyber security in ICS has not been addressed at a level adequate to the criticality of these systems. Most ICS and their communication protocols were designed and implemented in the pre-internet era with limited to

A Sysmon bug in the abbreviation of registry root key names

Sysmon is a widely known and powerful tool that can be used as an EDR. Through this short analysis, a programming mistake was identified in the way Sysmon converts registry root key names to their abbreviations. Although this bug does not appear to lead to a vulnerability, it is worth describing. First,

Dive into a kernel Bromium race condition (CVE-2019-18567)

The Bromium vSentry solution is a product deployed on end-user workstations which takes advantage of hardware virtualisation features in order to isolate untrusted or exposed software. This analysis shows that a non-privileged user can cause a Denial of Service (DoS) in the client-side application of Bromium vSentry 4.0.3.2060. A
