[This is a Guest Diary by Nicole Phillips, an ISC intern as part of the SANS.edu BACS program]

In a previous diary, I talked about stack strings[1] with a practical example of them. Since my SEC670 class, I’m even more interested in malware obfuscation techniques. I had a look at process names. When you list running processes on a computer, can you trust what you see? If you're facing a rootkit, malicious processes can be simply hidden (the API calls or commands to list processed have been tampered). But a malicious process can also mimic a non-suspicious name by masquerading their name. This technique (T1036 in the MITRE ATT&CK framework[2]) has been used by attackers in many campaigns. A good example of the Velvet Ant Chinese group[3]. The goal is to hide the “malware” process name by replacing it with something that won’t attract the Security Analyst’s eyes or defeat security controls.

The vulnerability

Webshells have been popular for a long time. We already covered this topic across multiple diaries[1][2]. I spent some time to track them[3] and slighly paid less attention to them but today I found another one. It seems to be a new player (pushed on Github two months ago). 

I detected an interesting phishing email this morning. It targets a major Belgian bank:

[This is a Guest Diary by Adam Nason, an ISC intern as part of the SANS.edu BACS program]

[This is a guest diary submitted by Varun Murdula]

Yesterday, a reader reported to us a malicious ZIP archive (SHA256: a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094[1]). Once unzipped, it contains a VHDX file that discloses a malicious JavaScript after being mounted (which is automatic on modern Windows OSs):

I like it when a fellow handler posts a diary entry about images with malicious content. Last one is Xavier: "The Evil MSI Background is Back!".

Back in 2023, I wrote a diary[1] discussing how commonly X-Frame-Options and CSP headers containing the frame-ancestors directive were used on 1 million most popular domains on the internet (based on the Tranco list[2]), and how they were set. Given that three years have passed since then, I thought it might be interesting to repeat the analysis and see what – if anything – has changed in the meantime.