Ghidra v9.0.1 Released: Security Fixes and New Features.

Reading time ~1min

Ghidra is a software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate. The latest version of Ghidra (v9.0.1.) addresses security issues and bugs as well as introduces some improvements to enhance the overall user experience. One of the most notable fixes is an XXE vulnerability that could allow an attacker to trick a user into opening or restoring a specially crafted project.

A new feature was also added on version 9.0.1 – a script that shows all equates within the current selection.

Continue reading “Ghidra v9.0.1 Released: Security Fixes and New Features.”

Ghidra: All you Need to Know about the NSA’s Reverse Engineering Tool

Reading time ~10min

Ghidra is a Software Reverse Engineering (SRE) framework created and maintained by the National Security Agency (NSA) Research Directorate. Ghidra is an open-source tool that allows security researchers and malware analysts to ‘hack’ into the code behind the software.

The program’s 1.2 million lines of code are designed to reverse the compiler process, decompiling executable code into assembly listings and finally into approximate C code. Capabilities include disassembly, assembly, decompilation, graphing control flows through functions, scripting, inspecting symbols and references, identifying variables, data along with hundreds of other features. It’ll all be very familiar to you if you used similar reverse engineering tools, such as IDA, Binary Ninja, Radare, Hopper, Snowman etc.

Continue reading “Ghidra: All you Need to Know about the NSA’s Reverse Engineering Tool”

PayPal Phishing Text Message: Account Under Review

Reading time ~3min

Today we detected a text message sent to UK mobile phones pretending to come from PayPal! Aw yes, probably classic phishing, huh…?

The text advises their ‘victims’ to visit a link so they can enter their credentials due to their account being reviewed.  The text message states “Your account is currently under review. Please complete the security form to avoid restrictions.[.]co[.]uk“.

Continue reading “PayPal Phishing Text Message: Account Under Review”

IOCs: Monero Mining Malware Families

Reading time ~5min

A recent study conducted by Recorded Future on 150 of the most prominent Dark Web message boards, marketplaces, and illicit services reveals that Litecoin is currently the second most widespread cryptocurrency among cyber-criminals. Researchers found Litecoin payment systems implemented on 30% of the sites they investigated, while Dash came second with a 20% share. Bitcoin Cash, Ethereum, and Monero came next, with 13%, 9%, and 6% respectively.

There are several ways that exist when distributing cryptocurrency miner malware. In our opinion based on the malware we currently see in the wild, Monero cryptocurrency is by far the most dominant choice for cyber-criminals due to its capabilities that is offering anonymity. Monero was the favorite on English-speaking sites, while Russian-speaking portals preferred Litecoin since they are left alone by the Russian authorities.

Continue reading “IOCs: Monero Mining Malware Families”

Windows Batch Script APT Simulator ToolSet

Reading time ~1min

APT Simulator is a toolset that allows you to make a system to look as if it has been compromised by an Advanced Persistence Threat (APT) actor. There are multiply use-cases to use this tool. For example,  it can allow attack simulation against your SOC environment to measure the effectiveness of your team against time-to-respond and time-to-contain during an incident. Another use-case could be to launch it in a PC to train your team against Digital Forensics and Incident Response (DFIR) capabilities.

Continue reading “Windows Batch Script APT Simulator ToolSet”

Adobe Flash 0-day Indicators of Compromise (IOCs)

Reading time ~3min

Another day, another Adobe Flash vulnerability – this content platform that just never wants to get decommissioned.

Earlier this week another Adobe Flash 0-day vulnerability was disclosed which is actively being exploited in the wild by attackers. Adobe published a security advisory (APSA18-01) concerning a Flash vulnerability (CVE-2018-4878). Adobe describes the CVE-2018-4878 flaw and confirms that all Flash Players up to v28.0.0.137 are affected. The issue affects Adobe Flash Player Desktop Runtime on Linux, Mac, and Windows, as well as Flash Player for Google Chrome and Microsoft Edge.

This vulnerability allows the attacker to perform Remote Code Execution (RCE) through a malformed Flash object. KISA (Korean CERT) also confirmed the vulnerability and published an advisory about the Adobe Flash 0-day. In addition, Talos identified that attackers are already exploiting this vulnerability with a Flash object embedded in a Microsoft Excel document. By opening the Office document, the exploit (SWF object) is being executed and attempts to download the payload from a compromised website. The SWF object installs ROKRAT, a remote administration tool that Talos has been tracking since January 2017.

Continue reading “Adobe Flash 0-day Indicators of Compromise (IOCs)”

IOCs: Malware Authors Utilising Spectre/Meltdown Processor Vulnerabilities

Reading time ~2min

The recently disclosed processor vulnerabilities which affect most major processors, including ARM, Intel and AMD processors would not be left by malware authors unexploited. The Spectre and Meltdown CPU vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) that attempt to exploit  “chip flaws” on affected processors, may allow an attacker to access sensitive data by bypassing several memory isolation mechanisms used by vendors that aim to increase CPU performance. This “chip flaw” may allow an attacker to even access memory information that is allocated for kernel-related tasks. Essentially, every processor that is developed since 1995 by the above chip manufactures, is vulnerable. Until the chip manufactures release workable patches that do not degrade CPU performance and cause several issues, user’s remain vulnerable to attacks, and more specifically malware that is exploiting the above-mentioned disclosed vulnerabilities.

Below we have a list of hashes of several possible malware families utilising the those vulnerabilities. MalwareHunters Team is consistently analysing and tracking several malware samples, therefore stay tuned as we update this list. In the meantime, ensure you stay up-to-date with the latest security patches on your web browser, AV, and any other software up-to-date.

Continue reading “IOCs: Malware Authors Utilising Spectre/Meltdown Processor Vulnerabilities”

Comparing WannaCry, NotPetya and Bad Rabbit

Reading time ~15min

All you need to know: Comparing WannaCry vs NotPetya vs Bad Rabbit

On 14 April 2017, Easter holiday, the mysterious ShadowBrokers group that over the past 7-8 months has leaked several gigabytes worth of the NSA’s weapons on software exploits published its most critical cyber weapon release on GitHub.

The latest release of the 0-days exploits targeted several Windows OS, including Windows XP, Windows Server 2012, Windows 8 and Windows 2008 R2. Microsoft addressed those vulnerabilities a few days later and were no longer 0-day exploits. As reported on Friday 14 April by Emptywheel, a ShadowBrokers release from early January gave NSA officials notice of some of the exploit names obtained by the mysterious person or group that was included on the Friday’s release. The extra time Microsoft needed to patch the bugs might have something to do with February’s unprecedented canceling of Patch Tuesday, or simply because Microsoft has paid off the Shadow Brokers secretly for the vulnerabilities.

Continue reading “Comparing WannaCry, NotPetya and Bad Rabbit”

HashCat 4.0 Released: One of the fastest GPU Password Crackers

Reading time ~5min

Hashcat is the world’s fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly optimised hashing algorithms. Hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and MacOS, and has facilities to help enable distributed password cracking.

Continue reading “HashCat 4.0 Released: One of the fastest GPU Password Crackers”

New Ransomware dubbed ‘Bad Rabbit’ used NSA’s EternalRomance Exploit

Reading time ~10min

Earlier last week, a newly identified ransomware affected several computer systems around Europe.

The new strain of ransomware dubbed as ‘Bad Rabbit’ spreading primarily in Russia, Ukraine, Turkey, and Germany is utilising one of the leaked NSA’s exploits leaked by WikiLeaks earlier this year. According to several malware researchers and subsequent analysis, an NSA exploit (EternalRomance) was used to distribute itself and move across the network.

Cybersecurity firm Kaspersky Lab was monitoring the malware and compared it to the WannaCry and Petya attacks that caused so much chaos earlier this year. Continue reading “New Ransomware dubbed ‘Bad Rabbit’ used NSA’s EternalRomance Exploit”