Miguel Ángel Martos Has the Office as We Know It Come to an End? 2020 has had a difficult start. We have learned that what was “usual” may not be the best. We should reconsider this idea of “the office” as the centre...
ElevenPaths Telefónica’s ElevenPaths enhances its global IoT security capabilities with Subex This collaboration provisions the offering of IoT Threat Detection, an incident monitoring and response service for IoT environments.This solution has the capability of learning and modelling the legitimate behaviour...
ElevenPaths Cybersecurity Weekly Briefing August 8-14 Hackers attempt to exploit critical vulnerability in F5 BIG-IP ADC The FBI has issued a Private Industry Notification warning that a group of Iranian hackers have been trying to exploit...
ElevenPaths Keys to Implementing a 360 Corporate Digital Identity We analyze the identity management issues and the characteristics that a comprehensive solution of this kind must have in all organizations.
Innovation and Laboratory Area in ElevenPaths DIARIO Already Detects “Stomped” Macros, But What Are They Exactly? Few weeks ago, we presented DIARIO, the malware detector that respects the privacy of users, and we continue to improve it so that it detects more and better. We...
Innovation and Laboratory Area in ElevenPaths New TheTHE Version with URLScan and MalwareBazaar Plugins The first time an IoC lay on your hands. Let’s say it is a hash, URL, IP or a suspicious domain. You need to know some basic information. Is...
Innovation and Laboratory Area in ElevenPaths DIARIO Already Detects “Stomped” Macros, But What Are They Exactly? Few weeks ago, we presented DIARIO, the malware detector that respects the privacy of users, and we continue to improve it so that it detects more and better. We...
ElevenPaths #CyberSecurityPulse: Dude, Where Are My Bitcoins? Numerous types of attacks are affecting cryptocurrency users: families of malware that steal wallets, phishing attacks that try to forge platforms where users manage their bitcoins, applications that use...
Innovation and Laboratory Area in ElevenPaths DIARIO Already Detects “Stomped” Macros, But What Are They Exactly? Few weeks ago, we presented DIARIO, the malware detector that respects the privacy of users, and we continue to improve it so that it detects more and better. We...
Miguel Ángel Martos Has the Office as We Know It Come to an End? 2020 has had a difficult start. We have learned that what was “usual” may not be the best. We should reconsider this idea of “the office” as the centre...
ElevenPaths Download for Free Our New Book: ‘Irrational Decisions in Cybersecurity: How to Overcome Thinking Errors That Bias Your Judgements’ In the transmedia universe of Blade Runner, replicants are artificial human beings manufactured by bioengineering by Tyrell Corporation. They are physically indistinguishable from a human, except for one detail: their lack of...
ElevenPaths APTualizator (II): Deconstructing Necurs Rootkit and Tools for Detecting and Removing It This report has been drafted by Roberto Santos and Javier Rascón from the CSIRT-SCC (Security Cyberoperations Center) Research Team, in collaboration with ElevenPaths. At the end of June 2019, a big Spanish company was attacked and thousands of their computers were impacted. Such was...
ClipBanker Malware Tries to Stop Our Defence Tool CryptoClipWatcherInnovation and Laboratory Area in ElevenPaths 4 August, 2020 The malware capable of modifying the clipboard to “switch” the crypto wallet still exists. To fight it, ElevenPaths developed CryptoClipWatcher, a tool that monitors the clipboard and alerts if there are any unnoticed changes. ClipBanker malware takes this into account and tries to stop the process before infecting. The crypto clipboard hijacking technique has been common in malware for years. In 2018 we launched CryptoClipWatcher. Once installed, our tool will check whether, once a wallet or crypto address has been copied to the clipboard, it is changed before it is replaced with something else. We show here a video that explains how it works. ClipBanker Trojan, built in .NET, has been detecting our tool for some time now and trying to stop it. The last known sample we have checked is from May 2020. Let’s see how it works. How This Malware Works As we have mentioned, this malware monitors the clipboard to steal cryptocurrencies, but also exfiltrates private keys from the Wallet Import Format (WIF) through IP logger. The interesting point is how it protects itself from being analysed or stopped. To check if it is running on a virtual machine, it uses WMIC to query BIOS information, in particular it uses the command “wmic bios” and search for words like VBOX, VirtualBox, XEN, qemu, bochs and VM. To detect antiviruses, it also uses WMIC to ask Windows Security Center which products are available. The query is: ManagementObjectSearcher(‘root\\SecurityCenter2’, ‘SELECT * FROM AntivirusProduct’) And then it looks up our CCW. In the following function called CCW, it looks for whether there is a process with a specific name stored in the variable ccwProcessName. The variable is obfuscated: This is a base64 string and XOR f952db5f-fac5-4f65-8d60-db225f0c1c26 has been applied to it in base64. Once resolved: Our application runs with privileges in the system, so the process can only be stopped if the malware runs with those privileges as well. This is the sample we have analysed: 5dd16f9e2351216d683038f772ef8ca07373eb04d4e97b3a031bb98c1dca25c9 Cybersecurity and Pandemic (I): PeopleElevenPaths Joins OpenSSF to Enhance Open Source Software Security
Innovation and Laboratory Area in ElevenPaths DIARIO Already Detects “Stomped” Macros, But What Are They Exactly? Few weeks ago, we presented DIARIO, the malware detector that respects the privacy of users, and we continue to improve it so that it detects more and better. We...
Miguel Ángel Martos Has the Office as We Know It Come to an End? 2020 has had a difficult start. We have learned that what was “usual” may not be the best. We should reconsider this idea of “the office” as the centre...
ElevenPaths Telefónica’s ElevenPaths enhances its global IoT security capabilities with Subex This collaboration provisions the offering of IoT Threat Detection, an incident monitoring and response service for IoT environments.This solution has the capability of learning and modelling the legitimate behaviour...
Innovation and Laboratory Area in ElevenPaths New TheTHE Version with URLScan and MalwareBazaar Plugins The first time an IoC lay on your hands. Let’s say it is a hash, URL, IP or a suspicious domain. You need to know some basic information. Is...
Franco Piergallini Guida Adversarial Attacks: The Enemy of Artificial Intelligence (II) In Machine and Deep Learning, as in any system, there are vulnerabilities and techniques that allow manipulating its behaviour at the mercy of an attacker. As we discussed in...
ElevenPaths Cybersecurity Weekly Briefing September 19-25 New attack vector for vulnerability in Citrix Workspace Pen Test Partners security researcher Ceri Coburn has discovered a new attack vector for the CVE-2020-8207 vulnerability in Citrix Workspace corrected in...
