Krishnendu Paul
Allowing #XLSM and #XLSB files? Stop it to save your Infra
I understand that companies always have legacy systems running. But are you permitting XLSM and XLSB file types? #STOP it as fast as possible!! The following images are from a malware packer, possibly related to the latest #Zloader and other infections. Credit @DissectMalware [https://twitter.com/DissectMalware]. From the 2nd screenshot it
Update #Python modules #pip regularly #NotetoSelf
We update our Linux boxes fairly regularly, so Debian/Ubuntu users like me run apt update && apt upgrade -y regularly. But we miss updating Python libraries regularly, which leaves a lot of Python modules broken or outdated. Sharing 2 methods to do it easily with a one-liner.
#TA505 find subdomain to download #Dropper #Malware
So... if you have the main domain from #TA505 TTPs and want to download the dropper file from the actual subdomain, the following is the method. So, found 2 TTPs today from Twitter. But the subdomains are not there. Without disturbing the poster, go to https://[DOMAIN]. It will show you a certificate error page.
#Yara Rule for #TA505 Latest Campaign
rule ta505_downloader {
    meta:
        author = "Krishnendu Paul"
        description = "TA505 June 2020"
    strings:
        $meta_hex = "document.getElementById"
        $meta_app = "template.innerHTML"
        $meta_filetype = "iframeTemplate"
        $meta_b = "element.innerHTML"
    condition:
        all of ($meta_*) and filesize < 250000
}
Enable #WSL2 on #Windows10 #Note
Prerequisites:
1. Windows 10 version 2004 (if you are not on 2004 yet, use Windows Update Assistant [https://www.microsoft.com/en-in/software-download/windows10])
2. Intel Virtualization option should be enabled in BIOS.
In Command Prompt, type:
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
dism.exe /online /enable-feature /featurename:
Easy #YARA Strings #Hunting for #Malware - The Lazy Man's Way
I am not your regular #BlueTeam #YARA #Guru who is writing YARA for everything every day. But I was assigned a task where I needed to find a proper YARA rule for a specific class of new-gen malware where AV or SHA/MD5-based IOCs are not working. Even
[Custom #YARA] #XLS #macro based #malware downloader using URLDownloadToFileA
Received a number of sample submissions of invoice-themed XLS files which are not getting detected properly on VT [https://virustotal.com] by any reputed antivirus engine. There is nothing abnormal happening except that it shows the following screen when opened. Pretty unusual, huh! So, after finding a few samples which is
#Twitter #Video Upload #Fix (Your Media File Could Not Be Processed)
I am not a regular on #Twitter. But sometimes I do use it, and today I tried to post a video on Twitter. Failed (!!?) with an error message "Your Media File Could Not Be Processed" without further explanation of what I am doing wrong! Then I tried from my mobile as
My View on #Maze #Malware #Cognizant version #InfoSec
Yes, it is a known story now that IT giant #Cognizant is partly suffering from a Maze malware infection. A lot of their systems got encrypted and the hackers are asking for ransom! There are other malwares, but one of the tactics used by the Maze / ChaCha group to put pressure on their victims is to