HIDDEN COBRA Volgmer: A Technical Analysis

In November, US-CERT published two alerts about malicious activity by the North Korean government, referred to as HIDDEN COBRA [1][2]. These alerts addressed the remote administration tool FALLCHILL and a Trojan called Volgmer. We’ll focus on the latter in this blog post. Volgmer is a backdoor Trojan that was designed primarily to give covert access … Continue reading HIDDEN COBRA Volgmer: A Technical Analysis

Signaturing an Authenticode anomaly with Yara

Earlier this week ESET released a paper[1] about Gazer, a new toolset associated with a sophisticated attack group. One interesting quote from the paper stood out: “The compilation date appears to be 2002 but is likely to be faked because the certificate was issued in 2015" This led to an interesting challenge: can these samples … Continue reading Signaturing an Authenticode anomaly with Yara

Analysing a recent Poison Ivy sample

In a recent blog post, Fortinet discussed a new version of Poison Ivy[1] spreading through malicious PowerPoint files. The PowerPoint file includes a .NET loader in a stream which goes on to load a variant of Poison Ivy. But there is some debate regarding whether this is a pure Poison Ivy variant or a hybrid … Continue reading Analysing a recent Poison Ivy sample

Live Incident Blog: June Global Ransomware Outbreak

On Tuesday 27 June, we saw another outbreak of ransomware. This blog is live and will be updated as we know more. The ransomware is currently being discussed as a variant of Petya, which also modifies the Master Boot Record (MBR), although this ransomware also has traits similar to WannaCry in that it uses Eternal Blue … Continue reading Live Incident Blog: June Global Ransomware Outbreak

Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures

NCC Group is currently aware of a zero-day vulnerability targeting Microsoft Office users which is being exploited in the wild by a number of threat actors including organised criminal gangs. NCC Group has identified various samples exploiting this issue from as far back as 2016. Click here to see NCC Group’s analysis: https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf In the … Continue reading Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures

Sysinternals SDelete: When Secure Delete Fails

Introduction Securely erasing media is an important process for any IT department. There are numerous methods of ensuring that sensitive data is removed before items are reissued or disposed. And the removal of such data is also mandated by various standards such as ISO 27001, which states:  A.11.2.7 – “All items of equipment containing storage … Continue reading Sysinternals SDelete: When Secure Delete Fails

Derusbi: A Case Study in Rapid Capability Development

NCC Group’s Cyber Defence Operations team has released a technical note about the Derusbi Server variant, which we encountered on an engagement at the end of last year. The Derusbi Server variant is typically associated with advanced attackers (APT groups) and was the most sophisticated attempt to retain persistence on our client’s network.  Other activity … Continue reading Derusbi: A Case Study in Rapid Capability Development

Samba _netr_ServerPasswordSet Expoitability Analysis

tl;dr This is my analysis of the recent pre-auth Samba remote tracked by CVE-2015-0240[1]. It doesn’t appear to be very exploitable to me, but I’d love to be proven wrong. Note that since the time when I originally did this analysis someone has released their own PoC and analysis [8] showing why they don’t think … Continue reading Samba _netr_ServerPasswordSet Expoitability Analysis

Ghost Vulnerability (CVE-2015-0235)

Executive Summary An alert about a severe vulnerability discovered by the Qualys security team was issued on Tuesday, January 27 2015. This vulnerability allows a local or remote attacker to execute code within the context of an application linked with certain versions of the glibc library. The vulnerability is triggered by a buffer overflow in the gethostbyname() function, called … Continue reading Ghost Vulnerability (CVE-2015-0235)