Check Point Research @_CPResearch_ Twitter profile

Last Seen Profiles

@simpBVerfG

@panadama_

@neilbhatt4

@aliaa2059938

@omdop

@Web3kiwiTech

@natanrolnik

@OnlyFinsVal

@njalegoeddie

@rutlandagric

@officialeiji

@nyeshajoyce

@moco_mcom

@olsen30185

@r_shitei_staff

@Bubbles41824512

@Davidsgoldblatt

@babyxsunshine

@EconomiaJalisco

@JanBumba

@metrotrains

@GeorgetteH44607

@glueleaders

@horthoe

@YagyouNEKO

@easypeazy01

@Hottest_milf1

@povertyevidence

@tempoweb

@onoka_onomoku

@SnowbirdAlerts

@FundCientifica

@Anna__Leggy

@Mitternacht08

@Dentoshi

@aliamissy

Check Point Research

@_CPResearch_

4 years

We discovered a 17-year-old vulnerability in all of Windows DNS Servers. SIGRed (CVE-2020-1350) is a wormable, critical vulnerability that can be used to achieve full Domain Administrator privileges.

SIGRed - Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers...

Research by: Sagi Tzadik Introduction DNS, which is often described as the “phonebook of the internet”, is a network protocol for translating human-friendly computer hostnames into IP addresses....

research.checkpoint.com

10

762

1K

Check Point Research

@_CPResearch_

4 years

We launched our new Malware Evasion Encyclopedia, which contains over 50 techniques used by various malwares to detect virtualized and sandboxed environments. We hope this effort would allow for better understanding and analysis of modern attacks.

Malware Evasion Encyclopedia

Evasion techniques

evasions.checkpoint.com

14

527

989

Check Point Research

@_CPResearch_

3 years

Confirmed! TEARDROP the memory-only dropper from the #SUNBURST attack was uploaded to VirusTotal and available for analysis.

4

274

644

Check Point Research

@_CPResearch_

3 years

A fresh BlueKeep exploit + loader, written by the exploit developer known as "PlayBit" and named by him "BlackKeep". The sample is available on Virus Total (6/68):

3

182

471

Check Point Research

@_CPResearch_

2 years

Based on @ContiLeaks , we made an interactive graph of Conti members' relations and share some insights: 🥳Impressive level of self-organization 🥳Bonuses, prizes and bring-your-friend programs 🥳New friends and career growth! 👀Looming threat of prison

9

191

474

Check Point Research

@_CPResearch_

4 years

Based on the insights from of our research, we are happy to present our new Anti-Debug Encyclopedia. All the techniques which are described in this encyclopedia are implemented in our ShowStopper open-source project as well!

Anti-Debug Tricks

anti-debug.checkpoint.com

4

246

467

Check Point Research

@_CPResearch_

2 years

#BREAKING We found files related to the attack against the Steel Industry in Iran. Initial analysis shows that the malware is connected to the attacks against Iran Railways last year, an attack that was thoroughly described in our previous research. Here's what we know so far >>

7

182

412

Check Point Research

@_CPResearch_

5 years

This is the story of how we discovered over 50 critical vulnerabilities in Adobe Reader #adobe

50 CVEs in 50 Days: Fuzzing Adobe Reader - Check Point Research

Research By: Yoav Alon, Netanel Ben-Simon Introduction The year 2017 was an inflection point in the vulnerability landscape. The number of new vulnerabilities reported that year was around 14,000,...

research.checkpoint.com

3

185

346

Check Point Research

@_CPResearch_

4 years

A malicious picture can trigger an Instagram vulnerability potentially resulting in RCE on mobile devices. Read our full technical paper here:

#Instagram_RCE: Code Execution Vulnerability in Instagram App for Android and iOS - Check Point...

Research by: Gal Elbaz Background Instagram, with over 100+ million photos uploaded every day, is one of the most popular social media platforms. For that reason, we decided to audit the security of...

research.checkpoint.com

1

189

350

Check Point Research

@_CPResearch_

2 years

For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. In this article, we explore and compare 3 ways of invoking functions: IDA Appcall, Dumpulator, and Unicorn Engine.

Native function and Assembly Code Invocation - Check Point Research

Introduction For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to...

research.checkpoint.com

1

129

342

Check Point Research

@_CPResearch_

5 years

Reverse RDP Attack - How we broke the 3 most popular RDP clients.

1

190

311

Check Point Research

@_CPResearch_

11 months

A deep dive into reverse-engineering Rust core features

Rust Binary Analysis, Feature by Feature - Check Point Research

Problem Statement You attempt to analyze a binary file compiled in the Rust programming language. You open the file in your favorite disassembler. Twenty minutes later you wish you had never been...

research.checkpoint.com

1

130

300

Check Point Research

@_CPResearch_

1 year

☠️ Rorschach is a new strain of ransomware hitting US-Based companies 🔒 It was deployed using DLL sideloading of Cortex XDR dump tool 🤖 Rorschach is highly customizable and contains the use of direct syscalls. Read more :

2

129

291

Check Point Research

@_CPResearch_

1 year

🚨 We discovered 3 vulnerabilities in Microsoft Message Queuing (MSMQ) service, including #QueueJumper (CVE-2023-21554), a Critical vulnerability that could allow unauthorized attackers to remotely execute code. More details in our blog 👉 #PatchNow

4

110

283

Check Point Research

@_CPResearch_

5 years

Just presented at DEFCON our innovative technique for exploiting SQLite memory corruptions. Read all about it:

2

107

253

Check Point Research

@_CPResearch_

5 years

This is the story of how we found a 19 year old Code Execution vulnerability in WinRAR

6

142

243

Check Point Research

@_CPResearch_

5 years

Following the recent WhatsApp vulnerability we’ve decided to take a closer look to understand the technical details behind it.

0

140

249

Check Point Research

@_CPResearch_

4 years

Releasing the white-paper following our talk: "Bugs on the Windshield: Fuzzing the Windows Kernel" as presented at @BlueHatIL and @offensive_con earlier this year

Bugs on the Windshield: Fuzzing the Windows Kernel - Check Point Research

Research By: Netanel Ben-Simon and Yoav Alon Background: In our previous research, we used WinAFL to fuzz user-space applications running on Windows, and found over 50 vulnerabilities in Adobe Reader...

research.checkpoint.com

3

113

232

Check Point Research

@_CPResearch_

5 years

[CPR-Zero] CVE-2019-1159 (Windows 10 Kernel): Use-After-Free in the GetDCEx function in win32kfull.sys.

CPR-Zero: CVE-2019-1159

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

113

219

Check Point Research

@_CPResearch_

3 years

We have uncovered an ongoing Chinese-based operation targeting a Southeast Asian government: #SharpPanda 🐼 ▶️ Malicious documents weaponized with #RoyalRoad ▶️ In-memory loaders deliver a previously unknown #VictoryDLL backdoor ▶️ Tools in development since at least 2017

3

115

216

Check Point Research

@_CPResearch_

2 years

Can you trust a file's digital signature? 🤔 A new #Zloader campaign abuses CVE-2013-3900 for defense evasion. 🔥 HTA content appended to a signed Microsoft DLL, without breaking trust 🔥 MSHTA used to execute the appended script 🔥 CVE-2013-3900 still unpatched by default

8

82

218

Check Point Research

@_CPResearch_

3 years

A #WindowsSandbox deep dive. Even though it mixes the widely documented #HyperV / #WindowsContainers technologies, we still lack the internals of its great features - dynamic base image, file linking and more. Kudos @_alex_il_ for the great analysis.

Playing in the (Windows) Sandbox - Check Point Research

Research By: Alex Ilgayev Introduction Two years ago, Microsoft released a new feature as a part of the Insiders build 18305 – Windows Sandbox. This sandbox has some useful specifications: Integrated...

research.checkpoint.com

2

102

204

Check Point Research

@_CPResearch_

4 years

[CPR-Zero] CVE-2020-9497 & CVE-2020-9498 (Apache Guacamole): Remote Code Execution and Privilege Escalation in Apache Guacamole-server

CPR-Zero: CVE-2020-9497 (v1)

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

1

120

197

Check Point Research

@_CPResearch_

2 years

The 32bit version of CVE-2021-1732 was recently uploaded to Virus Total from Pakistan. The 0-day exploit was used by Bitter APT and developed by the US-based offensive company Exodus Intelligence (aka “Moses”).

1

80

188

Check Point Research

@_CPResearch_

4 years

Our researchers were able to fingerprint and track PlayBit — a prominent exploit developer whose Windows LPE exploits were used by infamous crime groups like REvil and Maze. We analyzed their exploitation techniques and share some intelligence about them.

Exploit Developer Spotlight: The Story of PlayBit - Check Point Research

Research By: Eyal Itkin and Itay Cohen Introduction Exploits have always been an important and integral part of malicious attacks. They allow attackers to gain capabilities that are not easy to...

research.checkpoint.com

0

71

189

Check Point Research

@_CPResearch_

5 years

Tired of C malware? So is everyone, including some malicious actors. Take a tour of malware written in Java, Rust, Pascal and other unlikely contenders; and ponder whether the people behind these are on to something, or just too clever for their own good.

1

72

168

Check Point Research

@_CPResearch_

4 years

In recent months, we built a profile of 2 prominent exploit developers — Volodya and PlayBit. Our blog post details our methodology and explains how we were able to fingerprint their exploits to ultimately track 16 Windows LPE exploits sold by them.

Graphology of an Exploit - Hunting for exploits by looking for the author's fingerprints - Check...

Just like programmers leave their fingerprints in their code, so do exploit developers. We were able to apply the same techniques used to track malware authors and APT groups to draw a digital...

research.checkpoint.com

3

81

178

Check Point Research

@_CPResearch_

8 months

Let's explore the link between #Rhadamanthys stealer and #HiddenBee coin miner! In our latest blog, @hasherezade walks you through the custom executable formats, evolution, and features of this interesting, multilayer malware toolkit.

From Hidden Bee to Rhadamanthys - The Evolution of Custom Executable Formats - Check Point Research

Research by: hasherezade Highlights Introduction Rhadamanthys is a relatively new stealer that continues to evolve and gain in popularity. The earliest mention was in a black market advertisement in...

research.checkpoint.com

5

80

180

Check Point Research

@_CPResearch_

3 years

How can defenders survive in a post-SolarWinds-breach world? We dive into some choice SUNBURST and TEARDROP features, and comfort ourselves with the knowledge that even extraordinary cybercriminals sometimes reach for ordinary tools.

SUNBURST, TEARDROP and the NetSec New Normal - Check Point Research

Foreword In December 2020, a large-scale cyberattack targeting many organizations – predominantly tech companies, mainly in the United States, but not only there – was discovered to have been going...

research.checkpoint.com

5

85

173

Check Point Research

@_CPResearch_

4 years

#ViciousPanda : Chinese APT group after Mongolian targets. The attackers leveraged weaponized COVID-19 documents to deliver a previously unknown RAT. The irony was not lost on us. 🐼 Read more @

3

97

170

Check Point Research

@_CPResearch_

2 years

You’re curious about vulnerability research, but taken aback by the cloud of terms to memorize, processes to follow and names to know? We’ve got you. This breezy, ultra-dense course will introduce you to the who, the what, the why and the how of the field.

Vulnerability Research - Check Point Software

www.checkpoint.com

1

45

163

Check Point Research

@_CPResearch_

2 years

Technical details on APT35 attempts to exploit Log4j vulnerability: 💣Both targeted attacks and mass-scanning 💎CharmPower: still-in-development Powershell-based modular toolkit 🧩Shared infrastructure with previous mobile and ransomware campaigns.

0

55

167

Check Point Research

@_CPResearch_

9 months

Analyzing a #Rhysida ransomware intrusion case❗❗❗ 👩🏻‍💻 Analysis of the attackers TTPs 🛠️ Related Tools - PowerShell #SystemBC , #PsExec , #PortStarter ⛓️ Technical links and correlation with #ViceSociety Read more here -->

The Rhysida Ransomware: Activity Analysis and Ties to Vice Society - Check Point Research

Introduction The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the...

research.checkpoint.com

2

91

177

Check Point Research

@_CPResearch_

4 years

Looking to learn about system exploitation, but don't know where to start? This (very) detailed guide covers all the basics. Contains 21 detailed CTF solutions, plenty of theory, and zero times the phrase "exercise left to the reader".

"I want to learn about exploitation! Where do I start?" - Check Point Research

A comprehensive exploitation ("hacking") tutorial based on Georgia Tech's pwnable.kr exercises. Theory, hands-on exercises and detailed solutions.

research.checkpoint.com

0

70

164

Check Point Research

@_CPResearch_

1 year

North Korean ROKRAT is still alive and kicking! Check out our research on APT37 activities: 📄 Lures involving South Korean government affairs 🔗 LNK-based infection chains 👾 Usage of commodity malware 💻 Technical Analysis of ROKRAT Read more:

1

79

167

Check Point Research

@_CPResearch_

4 years

Stay tuned for our technical publication regarding #SIGRed (CVE-2020-1350) at 12 (PST) - Critical vulnerability in Windows DNS

2

83

168

Check Point Research

@_CPResearch_

3 years

New loader by #Lazarus - Operation In(ter)ception🕵️ 🔹 Reused decoy and obfuscated macros 🔹 Loader compiled on 2021-01-12 🔹 Creates a bloated copy of msiexec.exe 🔹 Scheduled task with VBS for persistence 🔹 Indirect command execution with pcalua.exe

2

64

158

Check Point Research

@_CPResearch_

1 year

We analyzed #RaspberryRobin 's built-in exploits and explain how to identify and bypass each of the malware's many anti-analysis tricks and evasions. Check out our blog 👉

5

53

162

Check Point Research

@_CPResearch_

5 years

Earlier this year Symantec revealed that APT3 was using NSA-like exploits in 2016, before The Shadow Brokers' leak. Our researchers took a technical deep dive to the Chinese exploits to explain how that might have happened.

2

96

153

Check Point Research

@_CPResearch_

3 years

Our researchers found that CVE-2017-0005, a 0-Day attributed to the Chinese APT31, is a replica of an Equation Group 0-Day, that was caught and repurposed by APT31 during 2014, 3 years before the Shadow Brokers leak. Read the complete story on our blog.

The Story of Jian - How APT31 Stole and Used an Unknown Equation Group 0-Day - Check Point Research

Research by: Eyal Itkin and Itay Cohen There is a theory which states that if anyone will ever manage to steal and use nation-grade cyber tools, any network would become untrusted, and the world...

research.checkpoint.com

0

82

149

Check Point Research

@_CPResearch_

2 years

We took a look at #Azov #Ransomware — a new destructive data wiper: - Manually crafted in Assembly using FASM - Multi-threaded intermittent overwriting (looping 666 bytes) of original data content - Effective, fast, and unfortunately unrecoverable data wiper

2

49

151

Check Point Research

@_CPResearch_

5 years

An RCE we found in Edge's PDF parser. Just a glimpse - stay tuned for an up and coming blog post describing over 50 vulnerabilities we found in Adobe Reader.

4

70

127

Check Point Research

@_CPResearch_

2 years

A deep dive into #EquationGroup 's DoubleFeature — The logging component of the post-exploitation framework DanderSpritz

A Deep Dive into DoubleFeature, Equation Group's Post-Exploitation Dashboard - Check Point Research

Earlier this year, Check Point Research published the story of “Jian” — an exploit used by Chinese threat actor APT31 which was “heavily inspired by” an almost-identical exploit used by the Equation...

research.checkpoint.com

1

65

131

Check Point Research

@_CPResearch_

4 years

[CPR-Zero] CVE-2020-0791 (Windows 10 Kernel): Out-Of-Bounds Read\Write in the StrechBlt function in win32kfull.sys

CPR-Zero: CVE-2020-0791

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

60

128

Check Point Research

@_CPResearch_

4 years

[CPR-Zero] CVE-2020-1247 (Windows 10 Kernel): Out-Of-Bounds Read\Write in the StrechBlt function in win32kfull.sys

CPR-Zero: CVE-2020-1247

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

47

130

Check Point Research

@_CPResearch_

4 years

[CPR-Zero] CVE-2020-1350 (Windows DNS Server): Integer Overflow leading to Heap-Based Buffer Overflow (SIGRed)

CPR-Zero: CVE-2020-1350

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

49

126

Check Point Research

@_CPResearch_

2 years

Cuckoo and CAPE sandbox evasion in one legitimate Windows API function call? It is possible due to issues we found in Cuckoo and CAPE monitor. @CapeSandbox @cuckoosandbox

Invisible Sandbox Evasion - Check Point Research

Cuckoo and CAPE sandbox evasion in one legitimate Windows API function call? It is possible due to issues we found in Cuckoo and CAPE monitor.

research.checkpoint.com

0

65

128

Check Point Research

@_CPResearch_

3 years

We are glad to publish our review of one of the biggest and most interesting malware operations in existence. How does it work? Who is behind it? Read all about it.

Stopping Serial Killer: Catching the Next Strike - Check Point Research

Brief When we look at a prevalent malware family, we give credit to its authors regarding the established malicious infrastructure. New malicious activity is flowing smoothly, command-and-control...

research.checkpoint.com

1

64

130

Check Point Research

@_CPResearch_

5 years

[CPR-Zero] CVE-2019-1164 (Windows 10 Kernel): Out-Of-Bounds Read\Write in the StrechBlt function in win32kfull.sys

CPR-Zero: CVE-2019-1164

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

59

122

Check Point Research

@_CPResearch_

5 years

A primer on cryptographic attacks, explained in a simple way with approachable examples. Learn about Downgrade attacks, Precomputations, Oracles, brand-name SSL vulnerabilities (CRIME, POODLE...) -- and the surprising connections between them.

2

72

128

Check Point Research

@_CPResearch_

1 year

New activity by Iranian-based threat actor Educated Manticore/PHOSPHORUS: 🎯Iraq-themed lures aimed at Israeli targets 🧩New multi-stage in-memory infection chains 🤓Custom toolset with advanced techniques (mixed-mode assembly!) 🕵️New version of PowerLess backdoor Read more:…

0

60

127

Check Point Research

@_CPResearch_

4 years

#GuLoader ? No, #CloudEyE . Revealing the service behind GuLoader: Italian company earned up to $500,000 helping cybercriminals to deliver malware using cloud drives.

GuLoader? No, CloudEyE. - Check Point Research

Revealing the service behind GuLoader: Italian company earned up to $500,000 helping cybercriminals to deliver malware using cloud drives.

research.checkpoint.com

2

63

115

Check Point Research

@_CPResearch_

4 years

[CPR-Zero] CVE-2020-1310 (Windows 8.1/10 Kernel): Use-After-Free in win32k.sys triggered from Desktop Window Manager

CPR-Zero: CVE-2020-1310

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

60

121

Check Point Research

@_CPResearch_

4 years

Today's stumped researcher is tomorrow's outdated signature and next week's ransomware infection. We explain more than you ever wanted to know about the high-profile and super-fragmented landscape of Gozi derivatives.

Gozi: The Malware with a Thousand Faces - Check Point Research

Introduction Most of the time, the relationship between cybercrime campaigns and malware strains is simple. Some malware strains, like the gone-but-not-forgotten GandCrab, are intimately tied to a...

research.checkpoint.com

2

56

112

Check Point Research

@_CPResearch_

2 years

#TwistedPanda - a Chinese espionage operation against Russia: 🎯 Targets research defense institutes specialized in R&D of electronic warfare systems ⛏️ Multi-layer loader installs highly obfuscated #SPINNER backdoor 🐼 Active since at least June 2021 👉

1

52

123

Check Point Research

@_CPResearch_

6 months

Getting GPT to do basic malware analysis -- all the brick walls we hit and all the ways we bypassed them and got a PoC to actually work

GPT vs Malware Analysis: Challenges and Mitigations - Check Point Research

Key Takeaways Introduction GPT technology is the current tech cycle’s veritable miracle. The skeptics insist that it just has the appearance of intelligence, and try to cast it as ‘just the latest...

research.checkpoint.com

1

62

124

Check Point Research

@_CPResearch_

4 years

#RampantKitten : Iranian APT going after Iranian dissidents and expats. This espionage operation is active since at least 2014 and includes: 💻Windows Trojans 📱Android Backdoor 🎣Telegram spear-phishing Read more @

Rampant Kitten - An Iranian Espionage Campaign - Check Point Research

Introduction Check Point Research unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. While some individual sightings of...

research.checkpoint.com

1

73

113

Check Point Research

@_CPResearch_

1 year

Iranian threat actor Agrius resurfaces in targeted Ransomware attacks in Israel: 🇮🇷 Agrius continues its destructive attacks against Israeli targets 🦜New custom ransomware- Moneybird 🤖TTPs remain largely the same Read the full report-->

3

52

122

Check Point Research

@_CPResearch_

3 years

We have recently discovered 4 security issues applicable in most MS-Office products. Read all the details here: cc @sagitz_ @NetanelBenSimon

Fuzzing the Office Ecosystem - Check Point Research

Research By: Netanel Ben-Simon and Sagi Tzadik Introduction Microsoft Office is a very commonly used software that can be found on almost any standard computer. It is also integrated inside many...

research.checkpoint.com

1

54

117

Check Point Research

@_CPResearch_

3 years

We continue gathering new and most interesting sandbox evasion techniques. Compare process time measures, GUI controls Evasions? Read about this and more in our updated Malware Evasion Encyclopedia.

Malware Evasion Encyclopedia

Evasion techniques

evasions.checkpoint.com

0

43

115

Check Point Research

@_CPResearch_

4 years

[CPR-Zero] CVE-2020-1510 (Windows 10 Kernel): Out-Of-Bounds Read in the StrechBlt function in win32kfull.sys

CPR-Zero: CVE-2020-1510

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

1

42

112

Check Point Research

@_CPResearch_

1 year

New report: a Chinese-based operation targeting a Southeast Asian government. 🇨🇳 Initial infection using #SharpPanda toolset. 🧩 New version of modular multi-stage #SoulFramework , previously unattributed. 🤦 Still using #RoyalRoad . 👉Read more:

4

72

118

Check Point Research

@_CPResearch_

7 months

CP<r> introduces a new method for running hidden implanted code in #ReadyToRun (R2R) compiled .NET binaries ➡️ R2R stomping ⬅️ 🤓Implementation and resulting problems 🛠️Techniques and tools to analyze R2R stomped Assemblies ⚠️Detecting R2R stomping

R2R stomping – are you ready to run? - Check Point Research

Research by: Jiri Vinopal Highlights Abstract What if we told you that the reality you perceive with your very own eyes is not always what it seems? That the .NET code you witness executing within...

research.checkpoint.com

0

69

117

Check Point Research

@_CPResearch_

1 year

Our latest research uncovers a custom router implant used by the Chinese state-sponsored APT group #CamaroDragon . We analyzed the inner workings of the implant, named 'Horse Shell', and compare it with implants deployed by other threat groups.

The Dragon Who Sold His Camaro: Analyzing Custom Router Implant - Check Point Research

Check Point Research (CPR) exposes a malicious firmware implant for TP-Link routers allowed attackers to gain full control of infected devices and access compromised networks while evading detection....

research.checkpoint.com

3

60

116

Check Point Research

@_CPResearch_

3 years

Meet Indra, the group of hackers behind the attack against Iran Railways and several Syrian companies with ties to the Iranian regime. We analyzed their operations, the evolution of their tools, and their presence on social media.

Indra — Hackers Behind Recent Attacks on Iran - Check Point Research

Check Point Research reveals that a threat actor named Indra is responsible for the attacks against targets in Iran, as well as against companies in Syria.

research.checkpoint.com

1

48

108

Check Point Research

@_CPResearch_

2 years

As #Bumblebee continues to evolve, we take a deeper look at some of its features and recent changes including — - Target-dependent dropped payloads - Peculiarities of its configuration - Experimentation with different delivery methods Read our blog >>

0

43

110

Check Point Research

@_CPResearch_

1 year

Amid the crisis in Azerbaijan’s breakaway region of Nagorno-Karabakh, our new report reveals Azerbaijani political surveillance using #OxtaRAT malware: 🕵️AutoIT/JPEG polyglot file 🎯Targets activists in Azerbaijan🇦🇿 and entities in Armenia🇦🇲 Read more >>

3

49

105

Check Point Research

@_CPResearch_

1 year

Always had "fuzz a real program, find a real bug" on your to-do list? This speedy lab with libtiff and AFL++ will sort you out. Focused on learning and not just copy-pasting, with minimal hassle & boilerplate.

The Blitz Tutorial Lab on Fuzzing with AFL++ - Check Point Research

From zero to fuzzing a real program -- quickly, clearly, and with minimal confusion.

research.checkpoint.com

1

29

112

Check Point Research

@_CPResearch_

8 months

🔍 We are Uncovering a surprising connection between prominent dual-use software Remcos and GuLoader. Our investigation points to an individual deeply entrenched in the cybercriminal community. Stay tuned for the full story! 💻🕵️‍♂️

Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos - Check Point Research

Introduction In a recent disturbing development, software advertised as legitimate has become the weapon of choice for cybercriminals. Two notable examples of this behavior are the Remcos RAT (remote...

research.checkpoint.com

1

61

111

Check Point Research

@_CPResearch_

5 years

[CPR-Zero] CVE-2019-1014 (Windows 10 Kernel): Race condition leading to Use-After-Free in the OpenClipboard function in win32kfull.sys

CPR-Zero: CVE-2019-1014

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

59

103

Check Point Research

@_CPResearch_

2 years

#Mekotio Banker returns with improved stealth and ancient encryption

2

22

103

Check Point Research

@_CPResearch_

2 years

An old sample of the Lamberts (probably #WhiteLambert ) appeared on VirusTotal. This driver file intel440x.sys is also mentioned by name on the infamous drv_list.txt from The Shadow Brokers' leak. The logic itself is contained inside a compressed resource.

2

35

104

Check Point Research

@_CPResearch_

5 years

A critical vulnerability we found in all Windows Image Distribution Services can make it the weakest point in your network

0

67

96

Check Point Research

@_CPResearch_

4 years

Our researchers found multiple vulnerabilities in TikTok leading to account manipulation

Tik or Tok? Is TikTok secure enough? - Check Point Research

Researchers: Alon Boxiner, Eran Vaknin, Alexey Volodin, Dikla Barda, Roman Zaikin December 2019 Available in over 150 markets, used in 75 languages globally, and with over 1 billion users, TikTok...

research.checkpoint.com

2

59

100

Check Point Research

@_CPResearch_

5 years

Our research team have just finished analyzing #DeJaBlue . It looks like Microsoft was vulnerable to a variant on the vulnerability we found last year in FreeRDP: @NetanelBenSimon @EyalItkin

0

57

99

Check Point Research

@_CPResearch_

5 years

We just released CPR-Zero, an on-going repository containing detailed information regarding the majority of the vulnerabilities we discover and disclose, even if they are not featured in a particular publication. Stay Tuned.

3

52

100

Check Point Research

@_CPResearch_

11 months

This is 2023 and USB worms are still a concern: 🪱USB infections spread from Southeast Asia across countries and industries. 🤹Payloads: #WispRider and #HopperTick . 🐉Activity attributed to #CamaroDragon , a Chinese espionage threat actor. 👉Read more:

0

52

100

Check Point Research

@_CPResearch_

9 months

1/4 [CyberCrime Updates] We observed #dotRunpeX switching from older versions of vulnerable Process Explorer driver "procexp.sys" to Zemana AntiMalware driver "zam64.sys" to kill AV/EDR. Check Point customers remain protected. Previous publication:

DotRunpeX - demystifying new virtualized .NET injector used in the wild - Check Point Research

ImplMap2x64dbgInvoke-DotRunpeXextract

research.checkpoint.com

2

39

98

Check Point Research

@_CPResearch_

4 years

[CPR-Zero] CVE-2019-1286 (Windows Kernel): Null Pointer Dereference in the AlphaBlend function in win32kfull.sys

CPR-Zero: CVE-2019-1286

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

50

89

Check Point Research

@_CPResearch_

3 years

Today we unveil the technical details of a long-running operation by IndigoZebra APT: * targeting high profile officials in Central Asia with spear-phishing emails * #xCaon backdoor - ITW since at least 2014 * new #BoxCaon variant uses Dropbox API as C&C

1

47

96

Check Point Research

@_CPResearch_

1 year

Defeating #dotRunpeX — New #virtualized .NET injector abusing advanced techniques to deliver numerous malware families. CP<r> provides an in-depth analysis of this threat introducing several PoC techniques for reversing protected/virtualized #dotnet code.

DotRunpeX - demystifying new virtualized .NET injector used in the wild - Check Point Research

ImplMap2x64dbgInvoke-DotRunpeXextract

research.checkpoint.com

1

43

99

Check Point Research

@_CPResearch_

1 year

New job opening! 🚀 Check Point Research is opening an *international* and *fully remote* team of Vulnerability Researchers and looking for experienced researchers, from different types of expertise (OS, Cloud, IoT, Mobile, ...), to join the team.

2

29

95

Check Point Research

@_CPResearch_

6 months

[1/5] CPR in collaboration with @sygnia_labs has been tracking #ScarredManticore , one of the most sophisticated Iranian threat actors uncovered to date. Attributed to the MOIS, it is linked to some of the most impactful Iranian intrusions in recent years.

From Albania to the Middle East: The Scarred Manticore is Listening - Check Point Research

Key Findings Introduction Check Point Research, in collaboration with Sygnia’s Incident Response Team, has been tracking and responding to the activities of Scarred Manticore, an Iranian nation-state...

research.checkpoint.com

2

52

99

Check Point Research

@_CPResearch_

8 months

Join us in exploring DNS Tunnels! 👷🏻‍♀️👷🏽 ⛏️Practical tips for analyzing DNS tunneling activities 🤖DeepDNS - using ML to hunt for DNS tunneling 🪙 Analysis of CoinLoader DNS backup C2 channel Read more -->

Tunnel Warfare: Exposing DNS Tunneling Campaigns using Generative Models – CoinLoader Case Study -...

Introduction Generative AI has been around for nearly a decade, strictly speaking, but the recent boom in this technology has inspired renewed interest in its possible applications to challenges...

research.checkpoint.com

1

47

96

Check Point Research

@_CPResearch_

3 years

Gamers Beware We recently turned our eyes to a major networking library used by a sizeable chunk of online gaming - Valve’s "Steam Sockets". Here is our report on the library, and the vulnerabilities we found in it.

Game On - Finding vulnerabilities in Valve’s “Steam Sockets” - Check Point Research

Research by: Eyal Itkin Overview The beautiful thing about video games is that there’s something for everyone. You can play as a 19-year-old Canadian redhead trying to climb a difficult mountain; or...

research.checkpoint.com

0

39

91

Check Point Research

@_CPResearch_

5 years

We released a new tool that helps you match open source library symbols in large binaries. Can be used to speed up your RE, discover 1-days and much more.

0

47

90

Check Point Research

@_CPResearch_

4 years

[CPR-Zero] CVE-2019-1256 (Windows Kernel): Null Pointer Deref in the GradientFill function in win32kfull.sys

CPR-Zero: CVE-2019-1256

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

35

90

Check Point Research

@_CPResearch_

1 year

As the number of new #Azov #Ransomware -related samples is still growing and has already exceeded several thousands, we took a deep dive into its internal workings and technical features, revealing it not being a Skidsware but an advanced Polymorphic Wiper.

Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper - Check Point...

Highlights: Introduction During the past few weeks, we have shared the preliminary results of our investigation of the Azov ransomware on social media, as well as with Bleeping Computer. The below...

research.checkpoint.com

2

43

89

Check Point Research

@_CPResearch_

8 months

Analysis of behind the scenes of BBTok banker : 💸 Targets clients of more than 40 banks in LATAM 🕵 Deep Dive how the attacker dynamically creates his payload ⏰️ Glimpse into the changes in the banker's payload server Read more -->

Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components - Check Point Research

Introduction Check Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banker in Latin America. In the research, we highlight newly discovered...

research.checkpoint.com

1

34

92

Check Point Research

@_CPResearch_

5 years

New #APT33 attack?🤔 local-update[.]com/RawabiJob.hta HTA displays a job offer and impersonates a Saudi company ( @RawabiHolding ) Shares similarities with an old APT33 script local-update[.]com was recently seen in an attack exploiting CVE-2018-20250 @CurlyCyber

1

46

87

Check Point Research

@_CPResearch_

3 years

[CPR-Zero] CVE-2021-31939 (Outlook, Office): Use-After-Free in graph data parsing code in graph.exe

CPR-Zero: CVE-2021-31939

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

30

87

Check Point Research

@_CPResearch_

4 years

[CPR-Zero] CVE-2020-0655 (Windows): Improper fix for CVE-2019-0887 uncovers Path Traversal issues in all versions of Windows

CPR-Zero: CVE-2020-0655

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

1

49

86

Check Point Research

@_CPResearch_

10 months

Revealing the #BundleBot 🤖- a new #malware strain that abuses #dotnet bundle, self-contained format, multi-stage infection, and custom obfuscation resulting in an effective way to stay under the radar for several months.

BYOS - Bundle Your Own Stealer - Check Point Research

Highlights: Introduction During the past few months, we have been monitoring a new unknown stealer/bot, we dubbed BundleBot, spreading under the radar and abusing dotnet bundle (single-file),...

research.checkpoint.com

3

46

92

Check Point Research

@_CPResearch_

5 years

We are excited to release #macOS Malware Encyclopedia, an online portal with everything you need to know on macOS malware . All entries were written by our very own @shablolForce , with the help of @megabeets_ on design. Check it out:

2

47

87

Check Point Research

@_CPResearch_

7 months

Uncovering Stayin’ Alive operation, active since at least 2021: 📞 Targets telecoms in Asia 🇰🇿🇺🇿🇻🇳🇵🇰 🛠️ Spearphishing + DLL side-loading (such as CVE-2022-23748 in Zoom) 🐱 Linked to a China-affiliated threat actor, referred as ToddyCat 👉 Read more:

1

38

93

Check Point Research

@_CPResearch_

5 years

[CPR-Zero] CVE-2019-1096 (Windows 10 Kernel): Out-Of-Bounds Read in NtGdiPlgBlt syscall in win32kfull.sys

CPR-Zero: CVE-2019-1096

Check Point Research Vulnerability Repository

cpr-zero.checkpoint.com

0

45

83

Check Point Research

@_CPResearch_

2 years

We investigated the recent attack against Iranian Broadcasting and discovered tools utilized in this operation, including the evidence of usage of destructive wiper malware. This suggests that the damage might be more serious than officially reported.

EvilPlayout: Attack Against Iran’s State Broadcaster - Check Point Research

In the past few months, a new wave of cyberattacks has been flooding Iran. These attacks are far from minor website defacements – the recent wave is hitting national infrastructure and causing major...

research.checkpoint.com

4

50

82

Check Point Research

@_CPResearch_

2 years

It’s a HUGE loss for the threat intel community 💔 condolences to the family. R.I.P VK

2

11

88

Check Point Research

@_CPResearch_

3 years

[CyberCrime Updates] Interesting fact - these 8 IP addresses are continuously used in 61 #trickbot campaigns for almost 5 months to date: 24.162.214.166 45.36.99.184 60.51.47.65 62.99.76.213 82.159.149.52 97.83.40.67 103.105.254.17 184.74.99.214 All of them use 443 port.

1

25

86

Check Point Research

@_CPResearch_

5 months

We've recently conducted an analysis of the latest Linux ransomware campaigns, exploring key distinctions in maturity, objectives, and campaign patterns when compared to Windows ransomware. Stay tuned for insights! 🕵️‍♂️🔒

The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks - Check Point...

Research by: Marc Salinas Fernandez Key Points Introduction During the last few months, we conducted a study of some of the top ransomware families (12 in total) that either directly developed...

research.checkpoint.com

1

51

93