Channel: Malware don't need Coffee
Browsing all 185 articles

BotnetKernel (MS:Win32/Phdet.S) an evolution of BlackEnergy

I didn't find any advert for what seems to be an evolution of the DDoS bot/botnet BlackEnergy: Microsoft: Backdoor:Win32/Phdet.S. BotnetKernel Bot. Here is a C&C panel: BotnetKernel C&C Panel: ...


From Alureon/Wowliks to Poweliks botnet (distribution in Affiliate mode)

At the beginning of February 2014 a sample pushed via Sweet Orange caught my attention: Alureon (MS)/Wowliks (Eset) pushed in Sweet Orange 2014-02-03 [OT]. The same Sweet Orange thread operator (mean same...


Bye Bye Flash EK ? (and Windigo group adapting)

Some days ago researchers closely following the exploit kit landscape started to notice some problems with Flash EK (afaik first noticed by Will Metcalf from Emerging Threats). A few days later, on underground...


SkyShare : Evolution Mining Botnet System

At the beginning of the year, an advert for a mining botnet appeared on the underground: Piece of the Advert on the Underground. Original text of the Advert: ------------------------------------------ I offer...


"Crypto Ransomware" CTB-Locker (Critroni.A) on the rise

Critroni.A. Advertised since the middle of June on the underground, CTB-Locker (Curve-Tor-Bitcoin Locker) is flagged Critroni.A by Microsoft. It seems that in the second half of June it was mainly used against Russians,...


A ScarePakage variant is targeting more countries : impersonating Europol and...

(image from GadgetMaxim.com) On July 16th Lookout wrote about a new "police ransomware" on Android. They named it ScarePakage (aliases: Eset: Android/Locker.B,...


CVE-2014-0515 (Flash 13.0.0.182 and earlier) integrating Exploit Kits

Discovered by Kaspersky in April in a watering hole attack, soon after used in an operation targeting banking information in Japan/Korea according to Symantec, reached Exploit DB at the beginning of May, then in...


Angler EK : now capable of "fileless" infection (memory malware)

Matrix - Agent Jackson avoiding bullets. (First edition: I asked for help to study this. Hopefully, more technical details to come soon.) A few days ago I spotted a new pattern in some Angler EK threads: New...


Say Hello to Astrum EK

Artist's impression shows the structure of the Milky Way (NASA/JPL-Caltech/ESO/R. Hurt). I was chasing something else (the Kovter adfraud's Sweet Orange thread; Kovter is not a ransomware anymore (since at...


CVE-2013-7331 and Exploit Kits

Thanks to EKWatcher and his decoding skills for saving me a lot of time. As we can see more and more of those "XMLDOM" checks in exploit kits, I decided to write up here some of the checks spotted. This is a...


CVE-2014-0556 (Adobe Flash Player) integrating Exploit Kits

A proof of concept (for Flash 14.0.0.145) of a heap-based buffer overflow patched on September 9th, affecting Flash 13.0.0.<244, 14.0.0.<=179 and 15.0.0.<152, was published on September 30th on...


CVE-2014-0569 (Flash Player) integrating Exploit Kit

<this post has been edited multiple times to fix some errors and bring some new elements; it may still be changed> My goal was to grab CVE-2014-0556 when I landed yesterday on Fiesta, but according to...


The worst of Windows "Police Locker" is also available on Android

Sad Danbo (Author: Erik mit k). One year ago, I blogged about a nasty evolution of Kovter using a sick method to ensure people are shocked and in enough doubt to pay the ransom. A week ago, doing some Android...


CVE-2014-8440 (Flash up to 15.0.0.189) and Exploit Kits

Once again that's fast. Nine days (or less?) after the patch, the vulnerability is being exploited in blind mass attacks. No doubt about it: the team behind Angler is really good at what it does. Angler EK...


Neutrino : The come back ! (or Job314 the Alter EK)

Disclaimer: Once again I won't go into a deep analysis of the EK in that post. It's more of a connecting-the-dots one. Big thanks: Timo Hirvonen, @Malc0de, @EKWatcher, @node5 for all the help on this. In...


CVE-2014-6332 (Internet Explorer) and Exploits Kits

For this CVE refer to: http://technet.microsoft.com/security/bulletin/MS14-064 The first encounter I had with this CVE in an exploit kit was in the Sweet Orange from the actor pushing DarkShell via KR...


Call me Null Hole maybe ?

Disclaimer: I won't study this one in detail. The global logic should not be far from The Styxy Cool or Styx itself. Once again, just a "connecting some dots" post. For many months what I was...


Critroni += NL and IT

CTB Locker += NL & IT. Studying the Revslider infection schemes, I got redirected via the "Revslider Case 3" (cf. Sucuri blog post) to Nuclear Pack. Revslider Case 3 - Path to Nuclear Pack delivering...


Inside Android LockOut System aka PornDroid

When I wrote "The worst of Windows "Police Locker" is also available on Android" I thought this was a "rare" threat and was not really likely to achieve its goal. I was wrong. It did not take long for...


Guess who's back again ? Cryptowall 3.0

Help_Decrypt.html Title. Thanks: @Horgh_RCE for all the reversing work. "Exactly one month since last Cryptowall binary. Can we say goodbye?" — kafeine (@kafeine) December 18, 2014. (If I am wrong that last...
