Windows Anti-Debug techniques - OpenProcess filtering

This week I took a break from SYSTEM chasing to review some anti-debugging techniques. With quite a few Bug Bounty programs available relying on client-side applications, I thought I'd share one of the techniques used by numerous security products (and apparently game anti-cheat engines) to stop you from debugging core components, and just how we can go about bypassing this. Obviously it goes without saying, but the technique shown in this post is not a vulnerability, if an attacker has this le...

ExplodingCan - A vulnerability review

A few months ago, my colleagues over at Secarma released a review of ExplodingCan, one of the many exploits released as part of the ShadowBrokers dump. At the time I was asked to complete a review of the vulnerability, specifically how this affected a vulnerable server and if anything could be done to protect users. My analysis of the vulnerability can now be found over at Secarma Labs: https://www.secarma.co.uk/labs/explodingcan-a-vulnerability-review/ Enjoy :)...

Analysis of APT28 hospitality malware (Part 2)

In the first part [https://blog.xpnsec.com/apt28-hospitality-malware/] of this malware review, we looked at the VBA code used by APT28 to drop a DLL onto the victim's machine as part of their recently highlighted hospitality campaign. In this post, we will look at the dropped file to understand just what it does, and how we can analyse it using IDA Pro. So we know from the first post that we have a DLL, which is run using the following command: rundll32.exe %APPDATA%\user.dat,#1 Loading t...

Analysis of APT28 hospitality malware

This week, FireEye published a writeup of yet another APT28 campaign, this time targeting the hospitality sector: > Exposing Russian hackers #APT28 [https://twitter.com/hashtag/APT28?src=hash] and their targeting of hotels & travelers. Also first targeted use of ETERNALBLUE. https://t.co/iiHh71UQeF pic.twitter.com/SIMeDd7MTM [https://t.co/SIMeDd7MTM] — Nick Carr (@ItsReallyNick) August 11, 2017 [https://twitter.com/ItsReallyNick/status/896018119214465024] I'm always interested to see the lates...