Decoding network data from a Gh0st RAT variant

During a forensic investigation in March 2018 we were able to retrieve some files which appeared to be linked with a well-known group named Iron Tiger. From our research, we believe that the perpetrator hasn’t shown any advanced technical capabilities in this attack. In fact, the main goal was to mine cryptocurrency. During the investigation …

Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. Exodus Intel released how they exploited [1] CVE-2016-1287 for IKEv2 in February 2016, but there wasn't anything public for IKEv1. This blog post documents …

Cisco ASA series part seven: Checkheaps

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. As part of our ongoing series we would like to talk about Cisco's Checkheaps security and stability mechanism. More specifically, we’ll look at how …

Cisco ASA series part six: Cisco ASA mempools

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. In part six, we document some of the details around Cisco ASA mempools and how the mempool-related functions wrap more traditional heap functions in …

Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. This article is meant to provide a summary of some key functionality for dlmalloc-2.8.x and introduce a debugging plugin called libdlmalloc [1] that is …

Cisco ASA series part three: Debugging Cisco ASA firmware

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. We have developed a small framework of tools to automate the debugging of most Cisco ASA firmware files using gdb, while supporting both real …

Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware

This article is part of a series of blog posts. If you haven’t already, we recommend that you read the introduction article prior to this one. During our research, we ended up wanting to analyse a large number of Cisco ASA firmware files. Most importantly, we needed to mine exploit targets for both CVE-2016-1287 and CVE-2016-6366 and …

Cisco ASA series part one: Intro to the Cisco ASA

We’ve spent a bunch of time investigating Cisco ASA devices and their firmware while looking into exploiting CVE-2016-1287, CVE-2016-6366, and other bugs. Part of this research has involved data mining numerous Cisco ASA firmware files to generate new exploit targets. We took the time to write some tools to more effectively analyse or debug certain …

Signaturing an Authenticode anomaly with Yara

Earlier this week ESET released a paper [1] about Gazer, a new toolset associated with a sophisticated attack group. One interesting quote from the paper stood out: “The compilation date appears to be 2002 but is likely to be faked because the certificate was issued in 2015.” This led to an interesting challenge: can these samples …

Smuggling HTA files in Internet Explorer/Edge

In this blog post, we will demonstrate how attackers can serve malicious HTML Application (HTA) [1] files in a way that may bypass traditional proxy filtering. We will also cover some defensive mechanisms that can be used to prevent such attacks. Background When carrying out Red Team engagements for our clients, we often attempt to gain code …