Important Disclaimer: Software bugs are an inherent part of software development. They have always existed and will continue to exist due to the complexity of modern systems and the inherent limitations of human error. The presence of a bug does not necessarily indicate that a software product is fundamentally flawed Continue Reading
Unveiling AzzaSec Ransomware: Technical insights into the group’s locker.
AzzaSec emerged as an Italian hacktivist group leveraging ransomware to further their political and ideological objectives. In recent days a lot of media attention has been dedicated to this group, especially in conjunction with the announcement of a R-a-a-S (Ransomware-as-a-Service) program adopted by the group in question. Since AzzaSec sells Continue Reading
Unveiling Obfuscated Batch Scripts: From UTF-8 to UTF-16 BOM Conversion
This morning I observed an Internet Shortcut file (sha256:0817cd8b0118e2f023342ad016ef443fd4c2e4657a373f9023807a231d16b0fa – Fattura Elettronica 11817929720.url) designed to compromise an Italian organization, containing these instructions: The .lnk file in its turn showed the following commands: This instructions are designed to perform two main actions: it moves a file and then starts it. First, Continue Reading
A Reverse Engineer’s journey with PowerShell and XWorm
Every now and then you come across new malware variants and find something that attracts a little attention. A few days ago I acquired a VBS file, directed via a malspam campaign against an Italian organization, that was approximately 409 MB in size (sha256:ADF773B49D8306E08B5232039E0DEA143E2C015CDC731F1BE86D7DD92FCCA6A9). After thinking I might find something Continue Reading
XZ BackDoor (CVE-2024-3094): a Multi-Year Effort by an Advanced Threat Actor
With this post I would like to provide a technical dive and considerations about the recently disclosed XZ BackDoor vulnerability (CVE-2024-3094). This vulnerability, which affects the XZ Utils library, a widely used data compression utility in Linux distributions, had the potential for severe consequences, including remote code execution (RCE) and Continue Reading
A {Black}Cat and mouse game: How the gang’s operators have ‘unseized’ their Dedicated Leak Site
In recent days, the FBI was entrenched in a virtual struggle against the ransomware group known as ALPHV / BlackCat. This engagement unfolded subsequent to the FBI gaining control of the underlying infrastructure that the group had utilized to amass over $300 million in ransoms. In the early hours of Dec. 19, 2023, the darkweb Continue Reading
Under the shellcode of the ‘Operation Duck Hunt’. Analysis of the FBI’s ducks killer.
The “Duck Hunt” operation refers to a specific operation called “Operation Duck Hunt” that disrupted the Qakbot botnet. The Qakbot botnet was a sophisticated network of compromised computers that was used to distribute malware, steal sensitive information, and carry out other malicious activities. The operation to disrupt the Qakbot botnet Continue Reading
Rhysida: An old / new threat in the ransomware landscape
Rhysida is a relatively new ransomware group operating as a R-a-a-S (Ransomware-as-a-Service) provider. The corresponding ransomware has the particularity of making use of LibTomCrypt, a cryptographic library that allows attackers to leverage on robust encryption methods and a fast development. Rhysida appears to be written in C++ and compiled via MinGW; the payloads I’ve found are quite Continue Reading
ALPHV / BlackCat: Threat Assessment and Profile
BlackCat / ALPHV is known for high-profile attacks like those conducted against the italian luxury brand Moncler, the aviation company Swissport and more recently against GSE (Gestore Servizi Energetici SpA). The ransomware payload includes a lot of advanced features and is able to support a wide range of offensive operations and to impact different environment . It’s command-line driven Continue Reading
Reverse and Hunt: Between the jumps of ArguePatch
ARGUEPATCH is a patched version of a legitimate component of the Hex-Rays IDA Pro software. In detail it’s the remote IDA debugger server named win32_remote.exe and it’s basically designed to act as a loader by reading and decrypting an encrypted payload written to disk (CaddyWiper). It has been used against Ukrainian targets in destructive attacks and it’s believed to Continue Reading