In July 2018 a security researcher named Simon Choi reported that a group that goes by the name Group123 (also known as APT37 or Reaper) used spear-phishing emails to spread their malicious payload [1]. Shortly afterwards it was revealed that the attacker was using an exploit for a vulnerability in Hangul Word (CVE-2017-8291) and that … Continue reading RokRat Analysis
Category: Tool Release
Introducing Azucar
Conducting a thorough Azure security build review or Azure security assessment can be difficult. Clicking through the Azure Ibiza [1] portal to review the details on many of its services, including, but not limited to, Azure Active Directory (Azure AD), resource groups, virtual machines, storage accounts, databases, database servers and other services isn’t always feasible. … Continue reading Introducing Azucar
Readable Thrift
Readable Thrift makes binary Thrift protocol messages easy to work with by converting them to and from a human-friendly format. This makes the manual analysis of and tampering with binary format Thrift messages just as easy as working with plaintext protocols like HTTP.
Decoding network data from a Gh0st RAT variant
During a forensic investigation in March 2018 we were able to retrieve some files which appeared to be linked with a well-known group named Iron Tiger. From our research, we believe that the perpetrator hasn’t shown any advanced technical capabilities in this attack. In fact, the main goal was to mine cryptocurrency. During the investigation … Continue reading Decoding network data from a Gh0st RAT variant
Decoder Improved Burp Suite plugin release part two
Summary: In the previous blog post, we walked through the primary benefits of using Decoder Improved over Burp Suite’s built-in decoder. This blog post will focus on adding new functionality to Decoder Improved by walking through the implementation of new trivial text modifiers and modes. At the end of this blog post, the reader will have … Continue reading Decoder Improved Burp Suite plugin release part two
Decoder Improved Burp Suite plugin release part one
Burp Suite’s built-in decoder component, while useful, is missing important features and cannot be extended. To remedy this, I developed Decoder Improved, a drop-in replacement Burp Suite plugin. It includes all of the decoder’s functionality while fixing bugs, adding tabs, and adding an improved hex editor. Additionally, the plugin’s functionality is straightforward to extend to accommodate … Continue reading Decoder Improved Burp Suite plugin release part one
Poison Ivy string decryption
This is a short and quick blog post to share with you, as promised, the IDAPython script used to decrypt the strings in the Poison Ivy sample discussed in our previous blog post [1]. Before we can start decrypting the strings, we first need to locate the string decoding function. Looking through Poison Ivy's code, we can see a … Continue reading Poison Ivy string decryption
Analysing a recent Poison Ivy sample
In a recent blog post, Fortinet discussed a new version of Poison Ivy [1] spreading through malicious PowerPoint files. The PowerPoint file includes a .NET loader in a stream, which goes on to load a variant of Poison Ivy. But there is some debate regarding whether this is a pure Poison Ivy variant or a hybrid … Continue reading Analysing a recent Poison Ivy sample
Berserko: Kerberos Authentication for Burp Suite
We’ve released a new tool called Berserko, a Burp Suite extension that performs Kerberos authentication. We use Burp Suite for web application security assessments and it gives us excellent results. However, anyone who has experience in pen testing in enterprise environments will be able to tell you that it's increasingly common to find … Continue reading Berserko: Kerberos Authentication for Burp Suite
iOS Instrumentation Without Jailbreak
This article describes a process for instrumenting an iOS application without a jailbroken device. Because no jailbreak is available for the latest versions of iOS, and applications must still be tested on those versions, it is necessary to find ways of assessing iOS applications in non-jailbroken environments. In this post we … Continue reading iOS Instrumentation Without Jailbreak