101010.pl

ANY.RUN🚨 New <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#phishing</a> campaign uses <a href="https://infosec.exchange/tags/DBatLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#DBatLoader</a> to drop <a href="https://infosec.exchange/tags/Remcos" class="mention hashtag" rel="nofollow noopener" target="_blank">#Remcos</a> RAT. The infection relies on <a href="https://infosec.exchange/tags/UAC" class="mention hashtag" rel="nofollow noopener" target="_blank">#UAC</a> bypass with mock directories, obfuscated .cmd scripts, Windows <a href="https://infosec.exchange/tags/LOLBAS" class="mention hashtag" rel="nofollow noopener" target="_blank">#LOLBAS</a> techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to <a href="https://infosec.exchange/tags/VirusTotal" class="mention hashtag" rel="nofollow noopener" target="_blank">#VirusTotal</a> ⚠️🔗 Execution chain: <a href="https://infosec.exchange/tags/Phish" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phish</a> ➡️ Archive ➡️ DBatLoader ➡️ CMD ➡️ SndVol.exe (Remcos injected) 👨‍💻 <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#ANYRUN</a> allows analysts to quickly uncover stealth techniques like LOLBAS abuse, injection, and UAC bypass, all within a single interactive analysis session. See analysis: <a href="https://app.any.run/tasks/c57ca499-51f5-4c50-a91f-70bc5a60b98d/?utm_source=mastodon&utm_medium=post&utm_campaign=dbatloader&utm_term=150525&utm_content=linktoservice" rel="nofollow noopener" translate="no" target="_blank">https://app.any.run/tasks/c57ca499-51f5-4c50-a91f-70bc5a60b98d/?utm_source=mastodon&utm_medium=post&utm_campaign=dbatloader&utm_term=150525&utm_content=linktoservice</a>🛠️ Key techniques: 🔹 <a href="https://infosec.exchange/tags/Obfuscated" class="mention hashtag" rel="nofollow noopener" target="_blank">#Obfuscated</a> with <a href="https://infosec.exchange/tags/BatCloak" class="mention hashtag" rel="nofollow noopener" target="_blank">#BatCloak</a> .cmd files are used to download and run <a href="https://infosec.exchange/tags/payload" class="mention hashtag" rel="nofollow noopener" target="_blank">#payload</a>. 🔹 Remcos injects into trusted system processes (SndVol.exe, colorcpl.exe). 🔹 Scheduled tasks trigger a Cmwdnsyn.url file, which launches a .pif dropper to maintain persistence. 🔹 Esentutl.exe is abused via LOLBAS to copy cmd.exe into the alpha.pif file. 🔹 UAC bypass is achieved with fake directories like “C:\Windows “ (note the trailing space), exploiting how Windows handles folder names. ⚠️ This threat uses multiple layers of stealth and abuse of built-in Windows tools. Behavioral detection and attention to unusual file paths or another activity are crucial to catching it early. <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#ANYRUN</a> Sandbox provides the visibility needed to spot these techniques in real time 🚀

Wietze<a href="https://infosec.exchange/tags/LOLBAS" class="mention hashtag" rel="nofollow noopener" target="_blank">#LOLBAS</a> project update:Entries now have placeholders for paths, URLs, and more. This makes it easier to visually see what parts are "variable", and for LOLBAS API users (<a href="https://lolbas-project.github.io/api/" rel="nofollow noopener" translate="no" target="_blank">https://lolbas-project.github.io/api/</a>) it'll be easier to use with automation.Check it out: ⭐ <a href="https://lolbas-project.github.io" rel="nofollow noopener" translate="no" target="_blank">https://lolbas-project.github.io</a>

infosystirWalk through a customer incident with me!What happens when attackers can SEO their fake application to the first page of search results, alerts fire along the way, and you have a customer and secops team that are top notch!<a href="https://www.blumira.com/masked-application-attack-incident-report/" rel="nofollow noopener" translate="no" target="_blank">https://www.blumira.com/masked-application-attack-incident-report/</a><a href="https://infosec.exchange/tags/incidentresponse" class="mention hashtag" rel="nofollow noopener" target="_blank">#incidentresponse</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/smbsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#smbsecurity</a> <a href="https://infosec.exchange/tags/lolbas" class="mention hashtag" rel="nofollow noopener" target="_blank">#lolbas</a> <a href="https://infosec.exchange/tags/bankingindustry" class="mention hashtag" rel="nofollow noopener" target="_blank">#bankingindustry</a> <a href="https://infosec.exchange/tags/creditunions" class="mention hashtag" rel="nofollow noopener" target="_blank">#creditunions</a>

HuntressDid you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found <a href="https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger" rel="nofollow noopener" translate="no" target="_blank">https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger</a><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/lolbins" class="mention hashtag" rel="nofollow noopener" target="_blank">#lolbins</a> <a href="https://infosec.exchange/tags/lolbas" class="mention hashtag" rel="nofollow noopener" target="_blank">#lolbas</a> <a href="https://infosec.exchange/tags/exfil" class="mention hashtag" rel="nofollow noopener" target="_blank">#exfil</a> <a href="https://infosec.exchange/tags/mchammer" class="mention hashtag" rel="nofollow noopener" target="_blank">#mchammer</a> <a href="https://infosec.exchange/tags/CTI" class="mention hashtag" rel="nofollow noopener" target="_blank">#CTI</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://bird.makeup/users/keydet89" class="u-url mention" rel="nofollow noopener" target="_blank">@keydet89</a>

🛡 H3lium@infosec.exchange/:~# :blinking_cursor:"🔍 Researchers Uncover 12 New LOLBAS Binaries Used by Attackers 🕵️‍♂️"Hackers are increasingly using LOLBAS (Living-Off-the-Land Binaries-And-Scripts) to exploit legitimate tools and hide illicit actions. As LOLBAS gains traction, experts are seeking new detection methods. Stay vigilant! 💻🔒Researchers Discover 12 New LOLBAS Binaries Used by Attackers Introduction Living-Off-the-Land Binaries And Scripts (LOLBAS) is a popular methodology used by threat actors to exploit legitimate tools for hiding their illicit actions. As LOLBAS gains traction rapidly in cyber attacks, experts are actively seeking new methods to detect unknown malicious binaries for better defense mechanisms.New LOLBAS Binaries Discovered Cybersecurity researchers at Pentera Labs recently discovered new LOLBAS binaries that are actively used by threat actors to deploy malware. Over 3000 Windows binaries pose the LOLBAS discovery challenge. Even with the automation approach, researchers found 12 new files in 4 weeks, marking a 30% rise in known downloaders and executors.LOLBAS: An Evergreen Type of Cyber Attack LOLBAS has been a known concept in the cybersecurity landscape for some time now. However, it continues to gain its pace as one of the most dominant trends in cyber-attacks. It is important to understand how hackers are constantly seeking to exploit the legitimate tools within your systems and then turn them against you for their illicit purposes. Due to its exceptional capability to evade detection, LOLBAS remains a significant concern in cyber attacks. What makes it so powerful is its adeptness at utilizing pre-installed legit system tools to execute malicious actions.Detection of Binaries The automated solution generates the download attempt, lists binaries, and then it triggers the downloader via a simple HTTP command structure with two parts:The path of the potential downloader A URL to download the file from The second part involves an HTTP server for receiving feedback on download attempts, with log records indicating file download attempts. This automated method revealed 6 additional downloaders, leading to a 30% boost in the LOLBAS list with a total of 9 discoveries.In this scenario, a hacker will deploy the LOLBAS downloader to acquire powerful malware and then execute it stealthily using LOLBAS executors, disguising it as legitimate processes.The complete process could be automated via two tools:IDApython: It finds API call cross-references and decompiles. ChatGPT: It assists in analyzing function arguments’ connections for a solid POC. The proposed static approach surpasses the dynamic analysis by focusing on low-level details of the code like automating reverse engineering for deeper code insights, revealing structure, behavior, and potential issues. This complete analysis offers a proactive defense roadmap, empowering security pros to predict and prevent evolving cyber threats.Conclusion The discovery of new LOLBAS binaries and the development of automated methods for their detection underscore the evolving nature of cyber threats. As hackers continue to exploit legitimate tools for illicit purposes, the need for proactive and robust defense mechanisms becomes increasingly critical. By leveraging tools like IDApython and ChatGPT, and focusing on low-level details of the code, security professionals can gain deeper insights into potential threats and devise strategies to predict and prevent them.Source: <a href="https://cybersecuritynews.com/12-new-lolbas-binaries/" rel="nofollow noopener" target="_blank">Cybersecurity News</a>Tags: <a href="https://infosec.exchange/tags/LOLBAS" class="mention hashtag" rel="nofollow noopener" target="_blank">#LOLBAS</a> <a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybersecurity</a> <a href="https://infosec.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatDetection</a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoSec</a>

Recent searches

Search options

Administered by:

Server stats:

#LOLbas