The malware is behind billions in banking and credit-card losses.
Link: https://threatpost.com/carbanak-source-code-complex-malware/144059/
Tag: Malware
Application News – Application Security Weekly #58 Application Security Weekly #58
In the Application Security News, Breach at IT outsourcer Wipro, SCP serves the file it wants, Confluence Path traverses to RCE, another Local PrivEsc on Windows, easier sandboxing for C and C++ APIs, and Computer Science plus Ethics! Bugs, Breaches, and More! Breach at IT Outsourcer Wipro SCP Serves the File It Wants […]
The post Application News – Application Security Weekly #58 Application Security Weekly #58 appeared first on Security Weekly.
Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/RJxQ7ssiw_Q/
Evil TeamViewer Attacks Under the Guise of the U.S. State Department
The attack is targeting financial regulators and embassy staff– but probably isn’t the work of an APT.
Link: https://threatpost.com/teamviewer-attacks-state-department/144014/
WannaCry Hero Pleads Guilty to Kronos Malware Charges
The malware researcher has pleaded guilty to two out of 10 charges; one with creating the Kronos malware and the other with conspiracy.
Link: https://threatpost.com/wannacry-hero-pleads-guilty-to-kronos-malware-charges/143997/
Microsoft’s Latest Patch Hoses Some Antivirus Software
McAfee, Sophos and Avast are among the antivirus software suites impacted.
Link: https://threatpost.com/microsofts-latest-patch-hoses-some-antivirus-software/143978/
Cyber News Rundown: Phishing Attack on Global IT Outsourcer
Reading Time: ~2 min.Major IT Outsourcer Suffers After Phishing Attack Global IT services provider Wipro announced they are in the process of investigating a data possibly affecting some of their clients. These types of companies are popular for hackers because, by breaching a single IT service company, they gain access to a far larger pool of victims through […]
The post Cyber News Rundown: Phishing Attack on Global IT Outsourcer appeared first on Webroot Blog.
Link: https://www.webroot.com/blog/2019/04/19/cyber-news-rundown-phishing-attack-on-global-it-outsourcer/
Easter Attack Affects Half a Billion Apple iOS Users via Chrome Bug
The U.S-focused eGobbler malvertising attacks are exploiting an unpatched Google Chrome bug.
Link: https://threatpost.com/easter-attack-apple-ios/143901/
fireELF – Fileless Linux Malware Framework
fireELF is a opensource fileless linux malware framework thats crossplatform and allows users to easily create and manage payloads. By default is comes with ‘memfd_create’ which is a new way to run linux elf executables completely from memory, without having the binary touch the harddrive.FeaturesChoose and build payloads.Ability to minify payloads.Ability to shorten payloads by uploading the payload source to a pastebin, it then creates a very small stager compatible with python <= 2.7 which allows for easy deployment.Output created payload to file.Ability to create payload from either a url or a local binary.Included payload memfd_createThe only included payload 'memfd_create' is based on the research of Stuart, this payload creates an anonymous file descriptor in memory it then uses fexecve to execute the binary directly from the file descriptor. This allows for the execution completely in memory which means that if the linux system gets restarted, the payload will be no where to be found.Creating a PayloadBy default fireELF comes with 'memfd_create' but users can develop their own payloads. By default the payloads are stored in payloads/ and in order to create a valid payload you simply need to include a dictonary named 'desc' with the parameters 'name', 'description', 'archs', and 'python_vers'. An example desc dictonary is below:desc = {"name" : "test payload", "description" : "new memory injection or fileless elf payload", "archs" : "all", "python_vers" : ">2.5"}In addition to the ‘desc’ dictonary the entry point the plugin engine i built uses requires a main function which will automatically get passed two parameters, one is a boolean that if its true it means its getting passed a url the second parameter it gets passed is the data. An example of a simple entry point is below:def main(is_url, url_or_payload): returnIf you have a method feel free to commit a payload!ScreenshotsInstallationDownload the dependencies by running:pip3 -U -r dep.txtfireELF is developed in Python 3.x.xUsageusage: main.py [-h] [-s] [-p PAYLOAD_NAME] [-w PAYLOAD_FILENAME] (-u PAYLOAD_URL | -e EXECUTABLE_PATH)fireELF, Linux Fileless Malware Generatoroptional arguments: -h, –help show this help message and exit -s Supress Banner -p PAYLOAD_NAME Name of Payload to Use -w PAYLOAD_FILENAME Name of File to Write Payload to (Highly Recommended if You’re not Using the Paste Site Option) -u PAYLOAD_URL Url of Payload to be Executed -e EXECUTABLE_PATH Location of ExecutableDownload fireELF
Ubiquitous Bug Allows HIPAA-Protected Malware to Hide Behind Medical Images
The ubiquitous nature of the flaw opens the door for rapidly spreading, crippling cyberattacks.
Link: https://threatpost.com/hipaa-protected-malware-medical-images/143890/
FLASHMINGO – Automatic Analysis Of SWF Files Based On Some Heuristics
Automatic Analysis Of SWF Files Based On Some Heuristics. Extensible Via Plugins.InstallInstall the Python (2.7) packages listed in requirements.txt.You can use the following command: pip install -r requirements.txtIf you want to use the decompilation functionality you need to install Jython. Ubuntu/Debian users can issue apt install jythonClone the project or download the zip file.WhatFLASHMINGO is an analysis framework for SWF files. The tool automatically triages suspicious Flash files and guides the further analysis process, freeing precious resources in your team. You can easily incorporate FLASHMINGO’s analysis modules into your workflow.WhyTo this day forensic investigators and malware analysts must deal with suspicious SWF files. If history repeats itself the security threat may even become bigger beyond Flash’s end of life in 2020. Systems will continue to support a legacy file format that is not going to be updated with security patches anymore. Automation is the best way to deal with this issue and this is where FLASHMINGO can help you. FLASHMINGO is an analysis framework to automatically process SWF files that enables you to flag suspicious Flash samples and analyze them with minimal effort. It integrates into various analysis workflows as a stand-alone application or a powerful library. Users can easily extend the tool’ s functionality via custom Python plugins.HowArchitectureFLASHMINGO is designed with simplicity in mind. It reads a SWF file and creates an object (SWFObject) representing its contents and structure. Afterwards FLASHMINGO runs a series of plugins acting on this SWFObject and returning their values to the main program.Below a mandatory ASCII art flow diagram: +———-+ | | +————+———–>+ PLUGIN 1 +————+ | | | | | | | +———-+ | | | | | | +———-+ | | | | | |+———+ | +———–>+ PLUGIN 2 +——–+ ||SWF FILE +———–>+ FLASHMINGO | | | | |+———+ | | +———-+ | | | | | | | | | | | | | | | | +—–v—v-+ | | | | | | | | +—–+——+————————->+ SWFOBJECT | ^ | | | | | | +—–+—–+ | | | | | | +—————————————+When using FLASHMINGO as a library in your own projects, you only need to take care of two kind of objects:one or many SWFObject(s), representing the sample(s)a Flashmingo object. This acts essentially as a harness connecting plugins and SWFObject(s).Plugins!FLASHMINGO plugins are stored in their own directories under… you guessed it: plugins When a Flashmingo object is instantiated, it goes through this directory and process all plugins’ manifests. Should this indicate that the plugin is active, this is registered for later use. At the code level, this means that a small plugin_info dictionary is added to the plugins list.Plugins are invoked via the run_plugin API with two arguments:the plugin’s namethe SWFObject instanceOptionally, most of the plugins allow you to pass your own user data. This is plugin dependent (read the documentation) and it can be more easily be explained with an example. The default plugin SuspiciousNames will search all constant pools for strings containing suspicious substrings (for example: ‘overflow’, ‘spray’, ‘shell’, etc.) There is a list of common substrings already hard-coded in the plugin so that it can be used as-is. However, you may pass a list of your own defined substrings, in this case via the names parameter.Code example:fm = Flashmingo()print fm.run_plugin(‘DangerousAPIs’, swf=swf)print fm.run_plugin(‘SuspiciousNames’, swf=swf, names=[‘spooky’])Default pluginsFLASHMINGO ships with some useful plugins out of the box:binary_datadangerous_apisdecompilersuspicious_constantssuspicious_loopssuspicious_namestemplate :)Extending FLASHMINGOA template plugin is provided for easy development. Extending FLASHMINGO is rather straightforward. Follow these simple steps:Copy the templateEdit the manifestOverride the run methodAdd your custom codeYou are ready to go :)FLASHMINGO as a libraryAPISee the docs directory for autogenerated documentationSee FireEye’s blog post for an exampleFront-endsConsoleCreate Documentation$ pip install sphinxcontrib-napoleonAfter setting up Sphinx to build your docs, enable napoleon in the Sphinx conf.py file:In conf.py, add napoleon to the extensions listextensions = [‘sphinxcontrib.napoleon’]Use sphinx-apidoc to build your API documentation:$ sphinx-apidoc -f -o docs/source projectdirThis creates .rst files for Sphinx to process$ make htmlThat’s it! :)Download Flashmingo
Link: http://feedproxy.google.com/~r/PentestTools/~3/ACw-482_MOc/flashmingo-automatic-analysis-of-swf.html