  • Decompiling Excel Formula (XF) 4.0 malware

    Office malware has been around for a long time. In the past I’ve written several blog posts [1, 2, 3, 4] about the basics and beyond. In this article we’ll focus on Excel Formula (XF) 4.0. I wasn’t too familiar with XF 4.0 before I started looking into it, so…

  • Detection of vulnerabilities in web applications by validating parameter integrity and data flow graphs

    Table of contents Introduction Technical details of SQL injection in stored procedures Honey query integrity algorithm: detection of SQL injection in stored procedures Technical details of SSRF Detection of SSRF Technical details of persistent cross-site scripting Detection of persistent cross-site scripting in databases Conclusion References Introduction Web application vulnerabilities are an important entry vector for…

  • Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

    Table of contents Overview Understanding the attack model: Kubernetes for cryptomining operations Research analysis Remote server hosting packages Dissecting NVIDIA installation scripts Querying metadata server Installing Linux kernel headers Self deletion and file cleanup OS specific driver installation NVIDIA drivers deployment on Ubuntu NVIDIA drivers deployment on Debian Non GCS API support: direct downloading via…

  • Collector-stealer: a Russian origin credential and information extractor

    Table of contents Introduction Collector-stealer distribution mechanisms KMSAuto activation utility bundled with Collector-stealer Collector-stealer downloading via fake miner web portal Technical analysis Malware history and objective Portable executable file structure Import address table and critical functions Obfuscation routine On-demand pseudo number generator Extracting screenshots via keyboard operations Client-side data access Network communication Command-and-control panel design…

  • Fighting Fire with Fire

    Copyright © 1994 Virus Bulletin Ltd (This article was published in the February 1994 issue of Virus Bulletin.) In 1989, Joe Wells encountered his first virus: Jerusalem. Wells disassembled the virus, and from that moment onward, has been intrigued by the properties of these small pieces of self-replicating code. In less than five years from…

  • Run your malicious VBA macros anywhere!

    Table of contents Introduction The goal of this article Gathering the data needed to understand the VBA world Generating the Python 3.x code The VBA application world Conclusions References Introduction Obfuscation is an old trick every malware researcher and scanner engine needs to get around in order to find the real content of the sample…

  • Dissecting the design and vulnerabilities in AZORult C&C panels

    Table of contents Overview Background Understanding the design of the AZORult C&C panel AZORult C&C web panel layout AZORult C&C panel components Cookie creation for authenticated session Stolen password data storage and retrieval in C&C panel AZORult C&C panel vulnerabilities Unrestricted access to configuration file Guest and anonymous access allows traffic stats Information disclosure via…

  • Excel Formula/Macro in .xlsb?

    Excel Formula, or XLM – does it ever stop giving pain to researchers? Last week I received a new sample using the xlsb file format that supposedly contained malicious code. I had a quick look, and wow – this was different. An initial check on VirusTotal (VT) showed that it hadn’t been uploaded…

  • APT vs Internet service providers – a threat hunter’s perspective

    Table of contents Introduction Why ISPs? Trend insights: DNS hijacking attacks Targeted attacks Anatomy of ISP-oriented implants Operation ‘DeadlyKiss’ Technical tips Threat hunting tips Evora Technical details Threat hunting tips RGDoor IIS BackDoor Technical details Conclusions References Introduction The information contained herein relates to what I observed throughout 2019 during my analysis and research activities.…

  • VB2019 paper: APT cases exploiting vulnerabilities in region‑specific software

    Table of contents Abstract 1. Introduction 2. Attack exploiting Sanshiro’s vulnerability 2.1 Summary of the vulnerability 2.2 Delivery of the zero-day exploit Detail of CVE-2014-0810 (JVNDB-2014-000011) 2.3 The bundled malware with the exploit 2.4 Attack timeline 3. Attack exploiting Ichitaro’s vulnerability 3.1 Summary of Ichitaro 3.2 CVE-2014-7247 Summary of the vulnerability Detail of the shellcode…