Malware Analysis Exercises #5 - Analyzing a simple process injection

Process Injection occurs when code is injected into the memory space of another running process. This allows the injected code to execute within the selected process.

Figure 1: It is loading some libraries such as vcruntime140d.dll, ucrtbase.dll, kernelbase.dll, kernel32.dll, and ntdll.dll, and you can notice some interesting functions.

Figure 2: You can see some interesting functions being used: GetCurrentProcess, which returns a pseudohandle of the current process, and TerminateProcess, used to terminate a process; GetProcAddress, commonly used in code injections to locate the addresses of functions exported from DLL libraries; and GetCurrentProcessId and GetSystemTimeAsFileTime, which retrieve the process ID and the system time in file format.

Figure 3: There are several byte addition instructions (with ADD BYTE PTR), register manipulation, and memory access ([rdi], [rbp], [rsi], etc.), which suggest write and read operations, which are quite common in code injection routines or modification of a process's structures. Additionally, you can notice the presence of conditional code (jb instructions), which may indicate flow control based on a condition or comparison, and you can also see the reference to "notepad.exe", which could be the target where the code will be injected.

Figure 4: The call to OpenProcess is crucial in some injection techniques, as it opens the process where the code will be injected. The presence of the instruction test eax, eax after the call to OpenProcess serves to check whether the function executed successfully, indicating that the process was opened without errors and that memory allocation, data writing, and execution can proceed.

Figure 5: call qword ptr ds:[<&VirtualAllocEx>] makes a call to the VirtualAllocEx function, which allocates memory in the notepad process. This can be noted, as there is a series of data movement instructions in the registers (mov).
call qword ptr ds:[<&WriteProcessMemory>] - after allocating the memory in the notepad process, this instruction calls the WriteProcessMemory function, which is responsible for writing the payload into the memory allocated in the process.
call qword ptr ds:[<&CreateRemoteThread>] calls the CreateRemoteThread function, which creates a new thread inside the notepad process to execute the injected code. And you can see other instructions that are moving data and manipulating information in memory.

More details about Process Injection by Usman Sikander: https://lnkd.in/e6XRSaS4
Other Malware Analysis Exercises: https://lnkd.in/dyn2dWcf
Dissecting Windows Malware Series - Process Injection by 8kSec: https://lnkd.in/ePXg24MB
Source Code: https://lnkd.in/eaJe9MDS
#malwareanalysis #redteam #cybersecurity #malwareanalysisexercises #blueteam
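The API sequence the exercise walks through (OpenProcess, then VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, with a test eax, eax check on the handle) can be matched mechanically against a disassembly listing. The script below is an added example written for this page; it is not code from the exercise, its source repository, or the linked write-ups. It scans an x64dbg-style listing for that ordered chain, checks whether the OpenProcess return value is tested within the next few instructions, and collects quoted .exe strings as candidate targets. The listing, the regexes and the function names are constructed for the example, and the addresses and constants in the listing are placeholders.

```python
import re
from dataclasses import dataclass, field

# The ordered API chain the exercise describes for classic remote-thread injection.
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# x64dbg prints calls through the import table as: call qword ptr ds:[<&FunctionName>]
CALL_RE = re.compile(r"call\s+qword ptr ds:\[<&(\w+)>\]")
# A quoted executable name, e.g. <"notepad.exe">, is a candidate injection target.
TARGET_RE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)
# Return-value check on the handle returned by OpenProcess.
RETVAL_CHECK_RE = re.compile(r"test\s+[er]ax,\s*[er]ax")


@dataclass
class InjectionReport:
    chain_calls: list = field(default_factory=list)    # (line index, api) in the order matched
    chain_complete: bool = False                        # all four calls seen, in order
    openprocess_checked: bool = False                   # test eax, eax shortly after OpenProcess
    target_strings: list = field(default_factory=list)  # quoted .exe names referenced


def analyze_listing(listing: str) -> InjectionReport:
    """Walk a disassembly listing line by line and match the injection chain in order."""
    report = InjectionReport()
    lines = listing.strip().splitlines()
    expected = 0  # index into INJECTION_CHAIN of the next call we are waiting for
    for idx, line in enumerate(lines):
        m = CALL_RE.search(line)
        if m and expected < len(INJECTION_CHAIN) and m.group(1) == INJECTION_CHAIN[expected]:
            api = m.group(1)
            report.chain_calls.append((idx, api))
            expected += 1
            if api == "OpenProcess":
                # Look at the next few lines for the handle check the exercise points out.
                window = " ".join(lines[idx + 1: idx + 4])
                report.openprocess_checked = bool(RETVAL_CHECK_RE.search(window))
        report.target_strings.extend(TARGET_RE.findall(line))
    report.chain_complete = expected == len(INJECTION_CHAIN)
    return report


def verdict(report: InjectionReport) -> str:
    """Short triage string for an analyst's notes."""
    if not report.chain_complete:
        return "no complete injection chain"
    target = report.target_strings[0] if report.target_strings else "unknown target"
    check = "handle checked" if report.openprocess_checked else "handle NOT checked"
    return f"remote-thread injection chain into {target} ({check})"


# Constructed listing for the example; addresses and immediate values are placeholders.
SAMPLE_LISTING = """
lea rcx, qword ptr ds:[<"notepad.exe">]
call qword ptr ds:[<&GetProcAddress>]
mov r8d, 0
call qword ptr ds:[<&OpenProcess>]
test eax, eax
je short 0000000000000000
mov rcx, rax
call qword ptr ds:[<&VirtualAllocEx>]
mov qword ptr ss:[rbp-8], rax
call qword ptr ds:[<&WriteProcessMemory>]
call qword ptr ds:[<&CreateRemoteThread>]
"""

if __name__ == "__main__":
    print(verdict(analyze_listing(SAMPLE_LISTING)))
```

The order check matters: VirtualAllocEx and WriteProcessMemory are also used by legitimate debuggers and installers, so the heuristic only reports a chain when the four calls appear in the sequence the exercise describes, and it separately notes whether the handle is validated, which is the detail Figure 4 draws attention to.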
Ethical Hacking Techniques
-
A 2MB PNG file hid malware — delivered through a Teams vishing attack.

At a recent AISI - Expert Cybersécurité, Infrastructure & Gouvernance talk, they shared an incident response case that stood out. The attacker:
1/ Used Microsoft Teams for a vishing call
2/ Convinced the target to download a file (part of the pretext), also work with ClickFix attacks
3/ Hid the malware inside a 2MB PNG using steganography.

Result? The payload sat on disk while scanners looked the other way.

This isn't brand new, but it's unusual. And dangerous. Why? Because it blends the familiar (Teams calls, PNG files) with a technique that most defenses aren't tuned to catch. Attackers don't need to invent something radical. They just need to combine what works in unexpected ways.

Great talk Maminiaina RABAKOSON! (Image source: ANY.RUN on PDF Steganography)
-
🚨 Bybit Hack Update

The TRM Labs team, along with our partners across the ecosystem, continues to follow the stolen funds from North Korea's $1.5 billion hack of Bybit. As of February 26, we've tracked over $400 million in stolen funds being laundered across multiple blockchains.

As you can see from our investigator's graph on screen, the attackers are hopping through wallets, swapping tokens, and using decentralized exchanges and cross-chain bridges in an attempt to obfuscate their activities. While the North Korean hackers experimented with different assets early on, nearly all of the stolen ETH is now being converted into Bitcoin. Some funds briefly moved through Binance Smart Chain and Solana, but right now, most of that Bitcoin is just sitting there, barely moved.

So, what's next? Traditionally, we'd expect North Korea to funnel the stolen funds into a mixer. But no mixer can reasonably obscure the volumes associated with this hack, especially given the speed at which the funds are moving now. Instead, we could be seeing an intensified version of North Korea's "flood the zone" tactic, overwhelming compliance teams, blockchain analysts, and law enforcement agencies with rapid, high-frequency transactions across multiple platforms, thereby complicating tracking efforts.

But a critical countermeasure is Bybit's innovative bounty program that will pay out 10% on any frozen transaction. That means we're likely to see a surge of both amateur and professional blockchain investigators joining the hunt, which will put even more pressure on the attackers. The next few weeks will be pivotal in determining whether investigators can stay ahead of the attackers or if the launderers can successfully cash out.

Read more here: https://lnkd.in/g4VfcsBE
-
I created a Pentest Guide with a Complete Breakdown. Whether you're an aspiring Pentester or an organization looking for one, this will give you an understanding of what the service is and how it differs. Penetration Testing comes in all flavors; here is a breakdown:

🖥 White box | Gray box | Black box
White box - your pentester has the keys, diagrams, and all kinds of other information. This is great for an extremely thorough assessment.
Gray box - your pentester has some information but not everything. They have the correct IPs and URLs to test, but they aren't totally informed. This would simulate an attacker that had "some" information about the org.
Black box - you give them nothing. The tester starts at the perimeter and treats your org like a stranger. Slow, noisy, and excellent at revealing blind spots in detection and monitoring.

👮♂️ External vs Internal
External - this tests the edge of your organization, such as internet-facing apps, VPNs, and other exposed services. Think "what can someone access from the outside".
Internal - this assumes someone is already inside, such as a phished employee or even a rogue contractor. It finds lateral-movement gaps, trusts, and privilege escalation paths.

🟣 🔴 Pentest | Red Team | Purple Team
Pentest - this is a focused and scoped security assessment that is going to provide a list of findings and remediation. It's great for compliance and checklists.
Red team - this is an adversary simulation. Longer, stealthy, multi-vector. The goal is to accomplish mission objectives such as exfiltrating data and persisting in the network.
Purple team - this is when offensive teams and defensive teams are working together and learning in real time. Defense is watching for alerts while offense is moving within the network.

👁🗨 Other Scope Examples:
Web app pentest — OWASP-style, auth, injection, business logic.
Network pentest — host misconfigurations, open ports, weak services.
Cloud pentest — IAM misconfigurations, improper S3 buckets, etc.
API pentest — broken auth, object-level authorization flaws.
Mobile pentest — reverse engineering, insecure storage, weak cert pinning.
IoT/Embedded — firmware, radio protocols, physical interfaces.
Social engineering / Phishing — usually an easy path in.
Physical — tailgating, badge cloning, on-site access.

✔ Before any pentest, you should be prepared to fix the findings. A penetration test does no good if your team is not ready to remediate.

Please ♻ to help others learn about the practice of pentesting.
❓ Questions? My DMs are always open.
#cybersecurity #informationsecurity #infosec #pentesting
-
🚨 Five Eyes Trends on Exploits: Insights from the 2023 Top Routinely Exploited Vulnerabilities

Earlier this week, the cybersecurity agencies of the Five Eyes nations—the U.S., U.K., Australia, Canada, and New Zealand—issued a stark warning that highlights a new reality: zero-day vulnerabilities are becoming the "new normal" in cyber exploits. This marks a significant departure from 2022 and 2021, when older, more established vulnerabilities were most frequently targeted. Today, adversaries are increasingly exploiting freshly disclosed zero-day vulnerabilities, often within hours of discovery.

The advisory reveals that many of these targeted devices (think of VPNs, SSL gateways, and remote management consoles) are on the periphery of an organization's network. Do you recognize a trend here? 👀 These edge devices are prime targets and typically lack robust logging or agent-based monitoring capabilities. It can be challenging for organizations to know when these types of devices have been pwned. Organizations frequently face a race condition with adversaries—from initial exploitation of the vulnerability, to community recognition, vendor patch release, and eventual patching by the organization.

This trend underscores the importance of employing Zero Trust principles, where nothing is blindly trusted within the network. A properly architected Zero Trust and Secure Access Service Edge (SASE) approach can enable organizations to detect and block adversaries before they can cause significant compromise. The advisory explicitly encourages leveraging CISA's Zero Trust Maturity Model (ZTMM) and the Department of Defense's Zero Trust guidance, pushing organizations toward a resilient, secure-by-design architecture.

As the UK's NCSC CTO Ollie Whitehouse observed, this "new normal… should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks." To combat this, network segmentation and SASE solutions can play a critical role in halting lateral movement and keeping this "new normal" in check. 🛡️ With the right architecture, organizations can mitigate risks and stop threats before they gain a foothold.

Full disclosure: I am a co-author of CISA's Zero Trust Maturity Model. The Five Eyes CSA is attached. The NCSC's website with Mr. Whitehouse's comments is cited in the comments.

#technology #softwareengineering #programming #strategy #computersecurity #cloudcomputing #informationsecurity #zscaler #riskmanagement #cybersecurity #zerotrust
-
THREAT CAMPAIGN: HOW REMCOS RAT WAS DEPLOYED VIA A WEAPONIZED DOCUMENT AND STEGANOGRAPHY

ℹ️ The Autoriteti Kombëtar për Sigurinë Kibernetike / National Cyber Security Authority of Albania analyzed a malware campaign leveraging steganography and exploiting CVE-2017-11882, a well-known Microsoft Office vulnerability. This malware campaign primarily targeted infrastructures in Albania through a phishing attack distributing a malicious Word document.

📍 ATTACK CHAIN
1. PHISHING EMAIL ◽ A phishing email is sent containing the document Pro+Build_25-020-000009[.]docx.
2. DOCX OPENED ◽ A hidden command is executed in the background.
3. DOWNLOADED .DOC ◽ Once the document is opened, it automatically downloads another .doc document from: hxxps[:]//kutt[.]ar-email[.]com[.]br/WYMDyt?&syria
4. CVE-2017-11882 ◽ The downloaded document exploits CVE-2017-11882 (Microsoft Word Remote Code Execution vulnerability - RCE).
5. ARBITRARY COMMAND FROM HTA ◽ Arbitrary commands from an HTA file inside the .doc file are executed.
6. DOWNLOAD GIF ◽ The HTA file downloads a GIF from 74[.]208[.]123[.]191, renames it to .vbs, and saves it in %APPDATA%.
7. VBS SCRIPT ◽ The VBS script executes and starts PowerShell, which:
- Downloads image[.]jpg from 67[.]217[.]247[.]193.
- Uses steganography to extract the payload.
- Loads the extracted payload using PowerShell Reflection.
8. "VAI" FUNCTION ◽ The VAI function is invoked from Task Scheduler, executing with string parameters: Remcos Payload encoded[.]txt and Caspol[.]exe.
9. CASPOL[.]EXE ◽ The Remcos shellcode is injected into Caspol[.]exe.
10. C&C EXFILTRATION ◽ The Remcos Trojan exfiltrates all sensitive data to the C2 server at 216[.]9[.]225[.]75 (VPS).

PDF: https://lnkd.in/d6_iCj9K

#threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
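The indicators in the post are written defanged (hxxps[:]//, [.]), which is safe to share but useless to a blocklist or a SIEM lookup until it is normalized. The following is an added example, not code from the NCSA report or the post: it extracts the defanged URLs, IPv4 addresses and filenames from text like the attack chain above, refangs them, de-duplicates them in order of first appearance, and emits a tab-separated blocklist. The sample input is the post's own attack chain condensed into a few lines; the regular expressions and function names are constructed for the example.

```python
import re

# Defanged URL, IPv4 and filename patterns as they appear in CTI write-ups.
URL_RE = re.compile(r"hxxps?\[:\]//\S+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\[\.\]){3}\d{1,3}\b")
FILE_RE = re.compile(r"[\w+\-]+\[\.\](?:docx|doc|exe|vbs|txt|jpg|gif|hta)\b", re.IGNORECASE)


def refang(token: str) -> str:
    """Undo the common defanging conventions: [.] -> ., [:] -> :, hxxp(s) -> http(s)."""
    token = token.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", token, flags=re.IGNORECASE)


def _dedupe(items):
    """Drop repeats while keeping first-seen order (an IOC list should stay readable)."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_iocs(text: str) -> dict:
    """Return refanged indicators grouped by type, in order of first appearance."""
    urls = [refang(u.rstrip(".,;)")) for u in URL_RE.findall(text)]
    ips = [refang(i) for i in IP_RE.findall(text)]
    files = [refang(f) for f in FILE_RE.findall(text)]
    return {"urls": _dedupe(urls), "ips": _dedupe(ips), "files": _dedupe(files)}


def to_blocklist(iocs: dict) -> list:
    """Flatten the network indicators into 'type<TAB>value' lines for a blocklist import."""
    return [f"url\t{u}" for u in iocs["urls"]] + [f"ip\t{i}" for i in iocs["ips"]]


# Sample input: the attack chain as quoted in the post, with its defanged indicators.
SAMPLE_TEXT = """
1. A phishing email is sent containing the document Pro+Build_25-020-000009[.]docx.
3. It downloads another .doc from hxxps[:]//kutt[.]ar-email[.]com[.]br/WYMDyt?&syria
6. The HTA file downloads a GIF from 74[.]208[.]123[.]191, renames it to .vbs, saves it in %APPDATA%.
7. PowerShell downloads image[.]jpg from 67[.]217[.]247[.]193 and extracts the payload.
8. The VAI function runs with parameters Remcos Payload encoded[.]txt and Caspol[.]exe.
9. The Remcos shellcode is injected into Caspol[.]exe.
10. Data is exfiltrated to the C2 server at 216[.]9[.]225[.]75 (VPS).
"""

if __name__ == "__main__":
    for line in to_blocklist(extract_iocs(SAMPLE_TEXT)):
        print(line)
```

Filenames are kept in a separate bucket on purpose: Caspol[.]exe is a legitimate .NET binary that the campaign abuses as an injection host, so it belongs in a hunting query (unexpected parent process, unexpected network connection), not in a blocklist.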
-
Penetration Testing Tip of the Week!

Don't use alert boxes to prove your Cross-Site Scripting vulnerability finding. You are a manual, experienced tester - prove your value and justify the finding!

Continuing on my theme of distinguishing your manual testing effort from automated tools, use that effort to provide value where a tool can't, such as demonstrating unique exploits for common vulnerabilities, like Cross-Site Scripting (XSS).

Use some scripting knowledge and combine the XSS vulnerability with a CSRF to:
🔸 Change the user's password to a known value
🔸 Add a new user to the application
🔸 Do *anything* that requires admin rights

Alternatively, set up a remote server (Burp's collaborator is a great tool for this) and exfiltrate:
🔸 Session cookies
🔸 User lists
🔸 User profiles
🔸 Passwords (if available)
🔸 Internal data

Be responsible, of course - don't exfiltrate more data than you need and don't steal actual production data, if you don't have to. But, don't just pop an alert box and assume that your client will take the finding seriously.

#security #cybersecurity #penetrationtesting #pentesting #reporting #providevalue
-
The risk of insecure WiFi has just increased, with the revelation of the Nearest Neighbor attack, used in 2022 by the Russian GRU.

Attacking WiFi is usually assumed to require close access - "war driving" to discover networks, and then connecting from an antenna close to the target. According to cyber security firm Volexity, in early 2022, attackers from Russian military intelligence agency GRU (aka APT28, aka Fancy Bear) were able to compromise a Washington DC-based office across the street from their target, then use WiFi from the compromised WiFi network to attack the target network.

This method of attack reduces operational risk, as it can be carried out from abroad rather than risking a "Mission Impossible" team on the ground. We can probably assume this style of attack is already in use elsewhere.

As with most cybersecurity, the basics apply here:
🔵 Upgrade to a strong WiFi security protocol such as WPA3-Enterprise
🔵 Apply MAC address filtering to only allow known NICs to connect to your WiFi
🔵 Use separate WiFi networks for IoT devices (anyone remember the casino that got hacked using the fish tank thermometer?)
🔵 Segment your networks to prevent lateral movement (see NIST SP 800-207 for advice on how to do this well, aka "Zero Trust")
🔵 Consider using Ethernet and avoid WiFi altogether! It's faster and more reliable…
-
How the Pakistan-Based SideCopy APT is Evading Detection in 2025

The Pakistan-linked SideCopy APT group has significantly upgraded its tactics since late December 2024. Now targeting critical infrastructure, including railways, oil & gas, and ministries of external affairs, the group is becoming increasingly sophisticated and evasive.

Key Developments:
Shift in Staging Mechanism: Transition from HTA files to MSI packages
Advanced Techniques: DLL side-loading, reflective loading, AES decryption via PowerShell

New Toolset:
> Customised Xeno RAT
> Spark RAT
> Debut of a new malware: CurlBack RAT

Infrastructure: Use of compromised domains and fake websites for phishing and payload delivery

Why it matters: SideCopy's evolving tactics are designed to bypass many traditional security controls, posing a serious risk to organisations that lack multi-layered defences.

Our experts at Seqrite Labs have published a detailed technical analysis covering:
✅ Their new modus operandi
🔒 Malicious domains and indicators you need to block immediately
🎯 Targeted sectors and organisations
🧩 Why current protections may be failing to detect this threat
📄 Complete IOCs: Domains, IPs, Files, C2s, Windows/Linux artifacts

👉 Read the full blog for actionable insights: https://lnkd.in/dRWNixTe

#ThreatIntel #SideCopyAPT #CyberSecurity #SeqriteLabs #APTAnalysis #RATmalware #IOC #DefendBetter Quick Heal Seqrite
-
One key area we focused on was how malware interacts with DLLs (Dynamic Link Libraries). DLLs are shared libraries that contain functions used by multiple programs. Instead of rewriting code, Windows programs (including malware) simply call DLLs to perform common tasks like network connections, file access, or UI rendering.

🔍 Why does this matter in malware analysis?
Malware often imports functions from DLLs like kernel32.dll, user32.dll, or ws2_32.dll. By analyzing which DLLs are imported, we can predict behavior before executing the file. Tools like Dependency Walker help us explore these imports in detail.

As SOC analysts, we also watch for malicious DLL behaviors like:
* DLL sideloading, where attackers drop a fake DLL next to a legitimate program
* Export manipulation, where malware mimics the expected functions of trusted DLLs
* Suspicious load paths, like DLLs running from Temporary file paths instead of places where legitimate programs typically store DLLs.

Every unexpected or unusual DLL import is a clue. Learning to trace those patterns helps us catch threats early, often before any real damage is done.

Here are some important DLLs and their functions: