All articles tagged as:


ExplodingCan - A vulnerability review

A few months ago, my colleagues over at Secarma released a review of ExplodingCan, one of the many exploits released as part of the ShadowBrokers dump. At the time I was asked to complete a review of the vulnerability, specifically how this affected a vulnerable server and if anything could be done to protect users. My analysis of the vulnerability can now be found over at Secarma Labs: Enjoy :)…

Read more »

Analysis of APT28 hospitality malware (Part 2)

In the first part of this malware review, we looked at the VBA code used by APT28 to drop a DLL onto the victims' machine as part of their recently highlighted hospitality campaign. In this post, we will look at the dropped file, and understand just what it does, and how we can analyse it using IDA Pro. So we know from the first post that we have a DLL, which is run using the following command: rundll32.exe %APPDATA%\user.dat,#1 Loading the extracted DLL into IDA, the first thing that we notice is that we have an exported function of load with an ordinal of 1: We know from the rundll32.exe com…

Read more »

Analysis of APT28 hospitality malware

This week, FireEye published a writeup of yet another APT28 campaign, this time targeting the hospitality sector: Exposing Russian hackers #APT28 and their targeting of hotels & travelers. Also first targeted use of ETERNALBLUE.— Nick Carr (@ItsReallyNick) August 11, 2017 I'm always interested to see the latest APT group techniques, so I decided to review the malware to see how the dropper worked (and see if there were any goodies I could add to my toolkit). The dropper was shown to be a typical Word .docm file (MD5: 9b10685b774a78…

Read more »

Industroyer C2 Communication

As part of my day job, I work for Secarma (previously known as Pentest Limited) as a Senior Penetration Tester. During engagements, the question of malware threats is increasingly raised, in part due to media focus on APT groups such as APT28, and malware campaigns such as WannaCry. While looking into another malware variant recently uncovered by ESET, Industroyer, I started reviewing the protocol used to communicate with the backdoor component of the malware. Details of the research have been published under Secarma Labs, which can be found here. A video demonstrating the malware in action,…

Read more »

Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove

This bank holiday weekend I spent a bit of time updating my docker containers (I know, rock-n-roll!). One of the tools I've been hearing good things about is pwndbg, an open source plugin for GDB which aims to help with exploit development. I've always been a fan of peda, which provides similar functionality, but seeing the integration that pwndbg had with radare2, I couldn't help but give it a shot. To install the tool, I used the provided installation instructions: git clone cd pwndbg ./ One of the snags I ran into early was a nasty error message when…

Read more »