RokRat Analysis

In July 2018 a security researcher named Simon Choi reported that a group, which goes by the name Group123 (also known as APT37 or Reaper), used spear-phishing emails to spread their malicious payload [1]. Shortly afterwards it was revealed that the attacker was using an exploit for a vulnerability in Hangul Word (CVE-2017-8291) and that … Continue reading RokRat Analysis

Introducing Azucar

Conducting a thorough Azure security build review or Azure security assessment can be difficult. Clicking through the Azure Ibiza [1] portal to review the details on many of its services, including, but not limited to, Azure Active Directory (Azure AD), resource groups, virtual machines, storage accounts, databases, database servers and other services isn’t always feasible. … Continue reading Introducing Azucar

Decoding network data from a Gh0st RAT variant

During a forensic investigation in March 2018 we were able to retrieve some files which appeared to be linked with a well-known group named Iron Tiger. From our research, we believe that the perpetrator hasn’t shown any advanced technical capabilities in this attack. In fact, the main goal was to mine cryptocurrency. During the investigation … Continue reading Decoding network data from a Gh0st RAT variant

Decoder Improved Burp Suite plugin release part two

Summary In the previous blog post, we walked through the primary benefits of using Decoder Improved over the Burp Suite’s built-in decoder. This blog post will focus on adding new functionality to Decoder Improved by walking through implementing new trivial text modifiers and modes. At the end of this blog post, the reader will have … Continue reading Decoder Improved Burp Suite plugin release part two

Decoder Improved Burp Suite plugin release part one

Burp Suite’s built-in decoder component, while useful, is missing important features and cannot be extended. To remedy this, I developed Decoder Improved, a drop-in replacement Burp Suite plugin. It includes all of decoder’s functionality while fixing bugs, adding tabs, and includes an improved hex editor. Additionally, the plugin’s functionality is straightforward to extend to accommodate … Continue reading Decoder Improved Burp Suite plugin release part one

Analysing a recent Poison Ivy sample

In a recent blog post, Fortinet discussed a new version of Poison Ivy[1] spreading through malicious PowerPoint files. The PowerPoint file includes a .NET loader in a stream which goes on to load a variant of Poison Ivy. But there is some debate regarding whether this is a pure Poison Ivy variant or a hybrid … Continue reading Analysing a recent Poison Ivy sample

Berserko: Kerberos Authentication for Burp Suite

We’ve released a new tool called Berserko, which is a Burp Suite extension to perform Kerberos authentication. We use Burp Suite for web application security assessments and it gives us excellent results. However, anyone that has experience in pen testing in enterprise environments will be able to tell you that it's increasingly common to find … Continue reading Berserko: Kerberos Authentication for Burp Suite

iOS Instrumentation Without Jailbreak

This article describes a process of instrumenting an iOS application without a jailbroken device. Because of the absence of jailbreak in the latest versions of iOS and the requirement for testing applications on the latest versions of iOS, it is necessary to find ways of assessing iOS applications in non-jailbroken environments. In this post we … Continue reading iOS Instrumentation Without Jailbreak