The mimi (mimikatz) side of #NotPetya

(Please note some of the internal links are in Spanish)
One of the things that most caught our attention in the malware lab about #NotPetya is the module that appears to contain code from the mimikatz tool. It automates a process common to any pentest, and we believe it is worth studying, and treating with love, in order to learn from it.
For the analysis we focus on the 32-bit version of the binary:

The Evolution of Trickbot

From the malware lab of S2 Grupo we have been monitoring the movements of a Trojan known as Trickbot. Its relationship with Dyre, another older Trojan with which it shares many design features, and the speed at which it evolves, have captured our interest ever since we saw the first samples.

This malware is usually categorized as a banking Trojan, since so far it has been heavily oriented towards the theft of banking-related data, but its modular design allows its capabilities to be expanded at any time to perform any kind of extra action.

During its early versions, some very good analyses were already published, such as those by @hasherezade on the Malwarebytes blog and by Xiaopeng Zhang on Fortinet's. But the development of Trickbot has continued during the last few months, reaching version 17 in less than 6 months. So we thought that it would be interesting to check the changes it has undergone during its evolution and to delve deeper into some of its most curious techniques when performing different actions.

HoneySpider 2.0 – Workflows

Some time ago we wrote about HoneySpider 2.0 and took a quick look at its features. Now let’s see one of the key pieces of this new version: workflows. We assume you have already installed HoneySpider 2.0 or that you are using the virtual machine provided by the project...

JavaSnoop – Debugging Java applications

(Please note this post was published on 12th Sept. 2012 in the Spanish version of this blog)...

Customizing “Cuckoo Sandbox”

(Please note this post was originally published in the Spanish version of Security Art Work on 19th Nov 2012)...

TCPdump DROP privileges

I’m sure many of you know tcpdump and use it frequently. As we all know, when it is run without the privileges needed to capture packets on a network interface, it displays the following message:

$ /usr/sbin/tcpdump -i eth0
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)
