We discovered a 17-year-old vulnerability in all of Windows DNS Servers.
SIGRed (CVE-2020-1350) is a wormable, critical vulnerability that can be used to achieve full Domain Administrator privileges.
We launched our new Malware Evasion Encyclopedia, which contains over 50 techniques used by various malwares to detect virtualized and sandboxed environments.
We hope this effort will allow for better understanding and analysis of modern attacks.
A fresh BlueKeep exploit + loader, written by the exploit developer known as "PlayBit" and named by him "BlackKeep".
The sample is available on Virus Total (6/68):
Based on @ContiLeaks, we made an interactive graph of Conti members' relations and share some insights:
🥳Impressive level of self-organization
🥳Bonuses, prizes and bring-your-friend programs
🥳New friends and career growth!
👀Looming threat of prison
Based on the insights from our research, we are happy to present our new Anti-Debug Encyclopedia. All the techniques described in this encyclopedia are implemented in our ShowStopper open-source project as well!
#BREAKING
We found files related to the attack against the Steel Industry in Iran.
Initial analysis shows that the malware is connected to the attacks against Iran Railways last year, an attack that was thoroughly described in our previous research.
Here's what we know so far >>
For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. In this article, we explore and compare 3 ways of invoking functions: IDA Appcall, Dumpulator, and Unicorn Engine.
☠️ Rorschach is a new strain of ransomware hitting US-Based companies
🔒 It was deployed using DLL sideloading of the Cortex XDR dump tool
🤖 Rorschach is highly customizable and contains the use of direct syscalls.
Read more :
🚨 We discovered 3 vulnerabilities in Microsoft Message Queuing (MSMQ) service, including #QueueJumper (CVE-2023-21554), a Critical vulnerability that could allow unauthorized attackers to remotely execute code.
More details in our blog 👉 #PatchNow
Releasing the white-paper following our talk: "Bugs on the Windshield: Fuzzing the Windows Kernel" as presented at @BlueHatIL and @offensive_con earlier this year
We have uncovered an ongoing Chinese-based operation targeting a Southeast Asian government: #SharpPanda 🐼
▶️ Malicious documents weaponized with #RoyalRoad
▶️ In-memory loaders deliver a previously unknown #VictoryDLL backdoor
▶️ Tools in development since at least 2017
Can you trust a file's digital signature? 🤔
A new #Zloader campaign abuses CVE-2013-3900 for defense evasion.
🔥 HTA content appended to a signed Microsoft DLL, without breaking trust
🔥 MSHTA used to execute the appended script
🔥 CVE-2013-3900 still unpatched by default
A #WindowsSandbox deep dive.
Even though it mixes the widely documented #HyperV / #WindowsContainers technologies, we still lack the internals of its great features - dynamic base image, file linking and more.
Kudos @_alex_il_ for the great analysis.
The 32-bit version of CVE-2021-1732 was recently uploaded to Virus Total from Pakistan. The 0-day exploit was used by Bitter APT and developed by the US-based offensive company Exodus Intelligence (aka “Moses”).
Our researchers were able to fingerprint and track PlayBit — a prominent exploit developer whose Windows LPE exploits were used by infamous crime groups like REvil and Maze.
We analyzed their exploitation techniques and share some intelligence about them.
Tired of C malware? So is everyone, including some malicious actors. Take a tour of malware written in Java, Rust, Pascal and other unlikely contenders; and ponder whether the people behind these are on to something, or just too clever for their own good.
In recent months, we built a profile of 2 prominent exploit developers — Volodya and PlayBit.
Our blog post details our methodology and explains how we were able to fingerprint their exploits to ultimately track 16 Windows LPE exploits sold by them.
Let's explore the link between #Rhadamanthys stealer and #HiddenBee coin miner!
In our latest blog, @hasherezade walks you through the custom executable formats, evolution, and features of this interesting, multilayer malware toolkit.
How can defenders survive in a post-SolarWinds-breach world?
We dive into some choice SUNBURST and TEARDROP features, and comfort ourselves with the knowledge that even extraordinary cybercriminals sometimes reach for ordinary tools.
#ViciousPanda: Chinese APT group after Mongolian targets.
The attackers leveraged weaponized COVID-19 documents to deliver a previously unknown RAT.
The irony was not lost on us. 🐼
Read more @
You’re curious about vulnerability research, but taken aback by the cloud of terms to memorize, processes to follow and names to know?
We’ve got you. This breezy, ultra-dense course will introduce you to the who, the what, the why and the how of the field.
Technical details on APT35 attempts to exploit Log4j vulnerability:
💣Both targeted attacks and mass-scanning
💎CharmPower: still-in-development Powershell-based modular toolkit
🧩Shared infrastructure with previous mobile and ransomware campaigns.
Looking to learn about system exploitation, but don't know where to start? This (very) detailed guide covers all the basics. Contains 21 detailed CTF solutions, plenty of theory, and zero times the phrase "exercise left to the reader".
North Korean ROKRAT is still alive and kicking! Check out our research on APT37 activities:
📄 Lures involving South Korean government affairs
🔗 LNK-based infection chains
👾 Usage of commodity malware
💻 Technical Analysis of ROKRAT
Read more:
New loader by #Lazarus - Operation In(ter)ception🕵️
🔹 Reused decoy and obfuscated macros
🔹 Loader compiled on 2021-01-12
🔹 Creates a bloated copy of msiexec.exe
🔹 Scheduled task with VBS for persistence
🔹 Indirect command execution with pcalua.exe
We analyzed #RaspberryRobin's built-in exploits and explain how to identify and bypass each of the malware's many anti-analysis tricks and evasions.
Check out our blog 👉
Earlier this year Symantec revealed that APT3 was using NSA-like exploits in 2016, before The Shadow Brokers' leak. Our researchers took a technical deep dive into the Chinese exploits to explain how that might have happened.
Our researchers found that CVE-2017-0005, a 0-Day attributed to the Chinese APT31, is a replica of an Equation Group 0-Day, that was caught and repurposed by APT31 during 2014, 3 years before the Shadow Brokers leak.
Read the complete story on our blog.
We took a look at #Azov #Ransomware — a new destructive data wiper:
- Manually crafted in Assembly using FASM
- Multi-threaded intermittent overwriting (looping 666 bytes) of original data content
- Effective, fast, and unfortunately unrecoverable data wiper
An RCE we found in Edge's PDF parser. Just a glimpse - stay tuned for an upcoming blog post describing over 50 vulnerabilities we found in Adobe Reader.
Cuckoo and CAPE sandbox evasion in one legitimate Windows API function call? It is possible due to issues we found in Cuckoo and CAPE monitor.
@CapeSandbox @cuckoosandbox
We are glad to publish our review of one of the biggest and most interesting malware operations in existence.
How does it work? Who is behind it? Read all about it.
A primer on cryptographic attacks, explained in a simple way with approachable examples. Learn about Downgrade attacks, Precomputations, Oracles, brand-name SSL vulnerabilities (CRIME, POODLE...) -- and the surprising connections between them.
New activity by Iranian-based threat actor Educated Manticore/PHOSPHORUS:
🎯Iraq-themed lures aimed at Israeli targets
🧩New multi-stage in-memory infection chains
🤓Custom toolset with advanced techniques (mixed-mode assembly!)
🕵️New version of PowerLess backdoor
Read more:…
#GuLoader? No, #CloudEyE. Revealing the service behind GuLoader: Italian company earned up to $500,000 helping cybercriminals to deliver malware using cloud drives.
Today's stumped researcher is tomorrow's outdated signature and next week's ransomware infection. We explain more than you ever wanted to know about the high-profile and super-fragmented landscape of Gozi derivatives.
#TwistedPanda - a Chinese espionage operation against Russia:
🎯 Targets research defense institutes specialized in R&D of electronic warfare systems
⛏️ Multi-layer loader installs highly obfuscated #SPINNER backdoor
🐼 Active since at least June 2021
👉
#RampantKitten: Iranian APT going after Iranian dissidents and expats.
This espionage operation has been active since at least 2014 and includes:
💻Windows Trojans
📱Android Backdoor
🎣Telegram spear-phishing
Read more @
Iranian threat actor Agrius resurfaces in targeted Ransomware attacks in Israel:
🇮🇷 Agrius continues its destructive attacks against Israeli targets
🦜New custom ransomware - Moneybird
🤖TTPs remain largely the same
Read the full report -->
We continue gathering new and most interesting sandbox evasion techniques.
Comparing process time measurements, GUI control evasions?
Read about this and more in our updated Malware Evasion Encyclopedia.
New report: a Chinese-based operation targeting a Southeast Asian government.
🇨🇳 Initial infection using #SharpPanda toolset.
🧩 New version of modular multi-stage #SoulFramework, previously unattributed.
🤦 Still using #RoyalRoad.
👉Read more:
CP<r> introduces a new method for running hidden implanted code in #ReadyToRun (R2R) compiled .NET binaries ➡️ R2R stomping ⬅️
🤓Implementation and resulting problems
🛠️Techniques and tools to analyze R2R stomped Assemblies
⚠️Detecting R2R stomping
Our latest research uncovers a custom router implant used by the Chinese state-sponsored APT group #CamaroDragon. We analyzed the inner workings of the implant, named 'Horse Shell', and compare it with implants deployed by other threat groups.
Meet Indra, the group of hackers behind the attack against Iran Railways and several Syrian companies with ties to the Iranian regime.
We analyzed their operations, the evolution of their tools, and their presence on social media.
As #Bumblebee continues to evolve, we take a deeper look at some of its features and recent changes including —
- Target-dependent dropped payloads
- Peculiarities of its configuration
- Experimentation with different delivery methods
Read our blog >>
Amid the crisis in Azerbaijan’s breakaway region of Nagorno-Karabakh, our new report reveals Azerbaijani political surveillance using #OxtaRAT malware:
🕵️AutoIT/JPEG polyglot file
🎯Targets activists in Azerbaijan🇦🇿 and entities in Armenia🇦🇲
Read more >>
Always had "fuzz a real program, find a real bug" on your to-do list? This speedy lab with libtiff and AFL++ will sort you out. Focused on learning and not just copy-pasting, with minimal hassle & boilerplate.
🔍 We are uncovering a surprising connection between prominent dual-use software Remcos and GuLoader. Our investigation points to an individual deeply entrenched in the cybercriminal community.
Stay tuned for the full story! 💻🕵️♂️
An old sample of the Lamberts (probably #WhiteLambert) appeared on VirusTotal.
This driver file intel440x.sys is also mentioned by name on the infamous drv_list.txt from The Shadow Brokers' leak. The logic itself is contained inside a compressed resource.
Our research team has just finished analyzing #DeJaBlue.
It looks like Microsoft was vulnerable to a variant on the vulnerability we found last year in FreeRDP:
@NetanelBenSimon @EyalItkin
We just released CPR-Zero, an on-going repository containing detailed information regarding the majority of the vulnerabilities we discover and disclose, even if they are not featured in a particular publication. Stay Tuned.
This is 2023 and USB worms are still a concern:
🪱USB infections spread from Southeast Asia across countries and industries.
🤹Payloads: #WispRider and #HopperTick.
🐉Activity attributed to #CamaroDragon, a Chinese espionage threat actor.
👉Read more:
1/4 [CyberCrime Updates] We observed #dotRunpeX switching from older versions of vulnerable Process Explorer driver "procexp.sys" to Zemana AntiMalware driver "zam64.sys" to kill AV/EDR.
Check Point customers remain protected.
Previous publication:
Today we unveil the technical details of a long-running operation by IndigoZebra APT:
* targeting high profile officials in Central Asia with spear-phishing emails
* #xCaon backdoor - ITW since at least 2014
* new #BoxCaon variant uses Dropbox API as C&C
Defeating #dotRunpeX — New #virtualized .NET injector abusing advanced techniques to deliver numerous malware families.
CP<r> provides an in-depth analysis of this threat introducing several PoC techniques for reversing protected/virtualized #dotnet code.
New job opening! 🚀 Check Point Research is opening an *international* and *fully remote* team of Vulnerability Researchers and looking for experienced researchers, from different types of expertise (OS, Cloud, IoT, Mobile, ...), to join the team.
[1/5] CPR in collaboration with @sygnia_labs has been tracking #ScarredManticore, one of the most sophisticated Iranian threat actors uncovered to date. Attributed to the MOIS, it is linked to some of the most impactful Iranian intrusions in recent years.
Join us in exploring DNS Tunnels! 👷🏻♀️👷🏽
⛏️Practical tips for analyzing DNS tunneling activities
🤖DeepDNS - using ML to hunt for DNS tunneling
🪙 Analysis of CoinLoader DNS backup C2 channel
Read more -->
Gamers Beware
We recently turned our eyes to a major networking library used by a sizeable chunk of online gaming - Valve’s "Steam Sockets".
Here is our report on the library, and the vulnerabilities we found in it.
We released a new tool that helps you match open source library symbols in large binaries. Can be used to speed up your RE, discover 1-days and much more.
As the number of new #Azov #Ransomware-related samples is still growing and has already exceeded several thousand, we took a deep dive into its internal workings and technical features, revealing it to be not skidsware but an advanced polymorphic wiper.
Analysis of the behind-the-scenes of the BBTok banker:
💸 Targets clients of more than 40 banks in LATAM
🕵 Deep dive into how the attacker dynamically creates his payload
⏰️ Glimpse into the changes in the banker's payload server
Read more -->
New #APT33 attack?🤔
local-update[.]com/RawabiJob.hta
HTA displays a job offer and impersonates a Saudi company (@RawabiHolding)
Shares similarities with an old APT33 script
local-update[.]com was recently seen in an attack exploiting CVE-2018-20250
@CurlyCyber
Revealing the #BundleBot 🤖- a new #malware strain that abuses #dotnet bundle, self-contained format, multi-stage infection, and custom obfuscation resulting in an effective way to stay under the radar for several months.
We are excited to release #macOS Malware Encyclopedia, an online portal with everything you need to know on macOS malware. All entries were written by our very own @shablolForce, with the help of @megabeets_ on design. Check it out:
Uncovering Stayin’ Alive operation, active since at least 2021:
📞 Targets telecoms in Asia 🇰🇿🇺🇿🇻🇳🇵🇰
🛠️ Spearphishing + DLL side-loading (such as CVE-2022-23748 in Zoom)
🐱 Linked to a China-affiliated threat actor, referred to as ToddyCat
👉 Read more:
We investigated the recent attack against Iranian Broadcasting and discovered tools utilized in this operation, including the evidence of usage of destructive wiper malware. This suggests that the damage might be more serious than officially reported.
[CyberCrime Updates] Interesting fact - these 8 IP addresses are continuously used in 61 #trickbot campaigns for almost 5 months to date:
24.162.214.166
45.36.99.184
60.51.47.65
62.99.76.213
82.159.149.52
97.83.40.67
103.105.254.17
184.74.99.214
All of them use port 443.
We've recently conducted an analysis of the latest Linux ransomware campaigns, exploring key distinctions in maturity, objectives, and campaign patterns when compared to Windows ransomware. Stay tuned for insights! 🕵️♂️🔒