Exobot Source Code Available

Exobot Source Code Available

Exobot source code has been leaked and released in darkweb. The code proved to be version 2.5 of the Exobot banking trojan, also known as the "Trump Edition," one of Exobot's last version before its original author gave up on its development. To avoid proliferations of malware samples based on the source code here presented, security restrictions have been applied to download.(Please note that archive is encrypted !! Only accredited security vendors, vetted security researchers and law … [Read more]

Nuova campagna Ursnif rivolta all’Italia

Nuova campagna Ursnif rivolta all'Italia

Una nuova campagna melevola riconducibile al noto trojan Ursnif si sta probabilmente diffondendo in queste ore prendendo come target primari utenze italiane. La primaria risorsa di rete adibita a veicolare il malware risulta attestata sul dominio "pagamento.us", da cui è stato generato il seguente grafico relazionale:E' importante chiarire che le relazioni qui presentate potrebbero appartenere a società e profili fittizi o del tutto inconsapevoli di quanto accaduto !Per … [Read more]

WannaCry! Un ransomware dal codice grossolano mette in ginocchio il cyber-spazio.

WannaCry! Un ransomware dal codice grossolano mette in ginocchio il cyber-spazio.

Nel momento in cui scrivo, tutti i professionisti dell'IT Security avranno già sentito parlare del ransomware che sta terrorizzando il mondo: WannaCry. Dal 12/05 ogni blog specializzato nel settore oltre che la stampa in genere, non fa che parlare dei danni (reali, ipotetici o presunti) che l'incrontrollata diffusione di tale codice starebbe causando. Da circa un paio di giorni ho iniziato a studiare in maniera abbastanza approfondita diversi campioni (malware samples) appartenenti alla campagna … [Read more]

EyePyramid – A truly mysterious malware is shaking Italy !

EyePyramid - A truly mysterious malware is shaking Italy !

EyePyramid. This is the name of the malware that is shaking the Italian institutions as well as the private sector of this country. I recovered, from open sources and from a collection of malware, some samples probably belonging to the family in object. I elaborated as well a simple behavioral workflow after my first analysis available for download. EyePyramid is not an advanced threat. It's a malware built in vb.net and leans to a whole infrastructure built on Microsoft products. This is … [Read more]

XVir anti-APT Scanner 1.0 beta available for download

XVir anti-APT Scanner 1.0 beta available for download

XVir is a software designed and developed by Emanuele De Lucia. It scans folders and files looking for APT threats and has real-time monitor capabilities. It is distinguished from a common anti-malware software by its specialization on APT threats. The project is still in the experimental stage and the number of signatures available is currently limited. These signatures (updated daily) are produced independently on the basis of personal researches and through a net of collection nodes belonging … [Read more]

Talking points about data governance in Internet of Things

Talking points about data governance in Internet of Things

Attached to this post are some presentation slides that I used as starting point for discussion in a seminar about the importance of data governance in the Internet of things. IoT today is really an hot topic and having to deal with data governance and management has implication in security, ethics, business and economic as well. Moreover, in addition to privacy issues, there are also those issues related to the direct security of the devices and their communications. In short, a very vast topic … [Read more]

Anti-Rootkit Evasion (blinding GMER)

Anti-Rootkit Evasion (blinding GMER)

During a discussion with colleagues about the ability of modern malware to evade the most common anti-virus solutions, a fixed point seemed to be using anti-rootkit tools to thoroughly check the status of a system. One of the most reliable and trustworthy (and widely used) seems to be undoubtedly GMER. It was widely believed that only very advanced malware (certainly sponsored by governments or by Microsoft itself) could simultaneously hide its presence within the system and to mock, at the same … [Read more]

Dridex Downloader Analysis

Dridex Downloader Analysis

This morning I received on my company box an email with an attached .xlsm file named D92724446.xlsm coming from [email protected] Central and local AV engines did not found anything malicious and also a multiengine scan got 0/57 as result. I decided to investigate a little more in-depth in order to confirm that was a malicious file and to extract at least the code I was imagining being inside this document. These are some general info collected about the received file: Name: … [Read more]

A look at SANS Brussels Challenges

A look at SANS Brussels Challenges

This morning, a colleague of mine pointed out me to some reversing “challenges” addressed to participants of SANS Brussels 2015 (what? I was not there?). Why not to take a quick look and try to solve them ? I hope to publish the solutions/suggestions is not cause of rage for mentors of SANS, for whom I have a lot of esteem. However, at the time of this writing these challenges are online and accessible without any particular restriction at https://www.sansemea.com/challenges.php, therefore I … [Read more]

Pattern-Based Approach for In-Memory ShellCodes Detection

Pattern-Based Approach for In-Memory ShellCodes Detection

This topic has been dealt in one of my last technical articles. The document shows as it’s possible to approach an incident investigation on the basis of common instructions used by shellcodes to achieve their goals. The analysis is conducted within a memory dump. In this regard have been developed some yara custom rules that can be used as an aid for experienced analyst to quickly locate malicious code. Note, however, that this is a very wide topic (have you ever heard of padding, permutations, … [Read more]