I've recently come across an APT named Dimnie by Palo Alto's Unit42 (full report here). The purpose of Dimnie is to exfiltrate sensitive data to the attacker. The peculiarity about Dimnie is that it does so with a peculiar trick. Dimnie changes the HTTP Host header to point to a
Notice: As noted by @Antelox this is just a loader that drops LokiBot, not LokiBot itself.
Loki is a credential harvester bot sold in Russian underground forums and black markets.
For this blogpost, the goal will be to defeat/patch Loki's anti measures to be able to properly
We are presented with a Word document that has macros. The VBA code for the macros is obfuscated but we can clearly see that it is using some interesting Win32 API calls like
CallWindowProc, which later renames.
Thus, we can just
Cerber is a popular ransomware that it's still active. In this blogpost, we will analyze and dump Cerber's config using the Cuckoo Sandbox for it.
Prior analysis of Cerber already exist (like this one by Hasherezade).
As state by Hasherezade, Cerber stores it's configuration in an RCDATA resource bundled in
In this post I will analyze one on the ELF files captured on my honeypot. First, a dynamic analysis will be performed. Once we aknowledge it's behaviour we will move onto a more in-deep static analysis.
We are presented with a 32-bit ELF un-stripped executable.
$ file 05fd293845e7517bcfc6e8a7fa845ef101bf716c5ec6d40c74c6f7e8aed656bf 05fd293845e7517bcfc6e8a7fa845ef101bf716c5ec6d40c74c6f7e8aed656bf: