Wednesday, April 26, 2017

Karmen Ransomware Uses Anti-Analysis Techniques, Sold as a RaaS

Security experts from Recorded Future have spotted a new ransomware-as-a-service (RaaS) offering called Karmen. The service lets inexperienced customers customize and launch a ransomware campaign in a few steps. It also lets them track infected systems, including the number of infected machines, revenue earned, and available updates for the malware. Karmen RaaS costs $175. Once purchased, the buyer can set the ransom price and the length of the period in which victims can pay. Karmen is based on the open-source ransomware Hidden Tear, which was released in August 2015 for educational purposes.

The first Karmen infections were reported in December 2016, on hosts in Germany and the United States. It is a multi-threaded, multi-language ransomware that targets .NET 4.0 and uses AES-256 encryption. It depends on .NET and requires PHP 5.6 and MySQL. It also has anti-sandbox features, which help it evade detection.

Microsoft Fixes RCE Bug In Skype

Microsoft has fixed a vulnerability in its instant messaging app Skype that attackers could exploit to achieve remote code execution on the system or to phish credentials. The vulnerability, dubbed "Spyke", was discovered by independent security researcher Zacharis Alexandros in the Windows versions of Skype. It primarily affects Windows clients installed on public machines, such as in libraries, airports, or on smart televisions, but users of other operating systems might also be vulnerable. To exploit it, an attacker needs local access to the login screen of a running Skype instance. Skype embeds an Internet Explorer browser for authentication. Attackers can circumvent the normal authentication flow and abuse the app's "login via Facebook" functionality to turn Skype into "Spyke", an "owned" malicious process. Once compromised, Skype can be used to fingerprint the internal browser (IE), execute code in the context of the Skype process, phish credentials, and finally cover communication traces. Microsoft addressed the vulnerability a month ago with the release of an updated version but has not publicly acknowledged it.

Best Practice:
Installing this patch puts your system on the safer side.
Keep this kind of software updated to the latest version.

Locky Ransomware Is Back!!!

Researchers have observed a new wave of spam messages: emails spoofing payment receipts with subjects such as "Receipt 435," "Payment Receipt 2724," "Payment-2677," and so on. The email carries a PDF attachment with a non-descriptive name such as P72732.pdf, which prompts the user to open an embedded Word document. Once opened, the Word document asks the user to enable macros. Enabling the macro runs the Locky loader code, which downloads, decrypts and saves the malware to %Temp%\redchip2.exe. The malware is then executed, and the files on the victim's computer are rapidly encrypted and saved with the .OSIRIS extension. A ransom note displayed on the victim's machine instructs them to download and install Tor, go to a certain address and make a Bitcoin payment. Because the malicious Word document is embedded inside the PDF attachment, it evades detection more easily.

Best Practice:
Keeping a backup of your data is the first and foremost step. Keeping security patches up to date will help in combating this kind of attack.

Financial Malware In Delta Air Payment Receipts

Researchers have identified spam emails posing as Delta Air payment receipts and spreading financial and banking malware. This new phishing campaign takes advantage of summer-season travel purchases. Heimdal Security found that these spam emails, disguised as Delta Airlines receipts, are designed to trick victims into downloading malware. The attacker sends fake confirmation emails to victims, who panic under the impression that someone booked a ticket using their identity and click the email's embedded links. The links redirect them to compromised websites that serve malicious Word documents to the user's system. Such documents are usually infected with Hancitor malware, which acts as a "bridge" for additional malware downloads. The malware is activated when the user downloads and opens the document, and it then connects the victim's machine to the attacker's server.

Best Practice:
Don't open attachments from unknown senders or spam mails; the attachment might contain malware.

Wednesday, April 5, 2017

ClamAV False Positive On Java Malware Signature

A couple of days ago, many Linux utilities were detected as Java malware by ClamAV (the open-source antivirus).
Antivirus vendors normally release signatures only after testing the definitions against a large collection of known-clean files, but ClamAV missed that this time and detected many clean files as a Java malware agent. More than 100 Java malware signatures were added as new signatures, and they trigger on clean files that have been on VirusTotal as clean for around three years.

The VirusTotal history for these files shows how long they have existed, and only ClamAV detects them as malware, so this is a false positive.
The following signatures are creating false positives (all of these files have been on VirusTotal for more than 2-3 years):

  • Java.Malware.Agent-6202827-0
  • Java.Malware.Agent-6203297-0
  • Java.Malware.Agent-6205980-0
  • Java.Malware.Agent-6205983-0
  • Java.Malware.Agent-6206104-0
  • Java.Malware.Agent-6206112-0

Monday, April 3, 2017

Splunk Addressed Multiple Vulnerabilities Last Week

Splunk is a big data platform that is also used in many SOCs as a SIEM tool for log analysis. Splunk is a leader in operational intelligence platforms. Splunk customers use it to monitor, search, analyze and visualize machine data, and the volume of data collected in Splunk is very high.

Splunk Enterprise 6.5.3 and Splunk Light 6.5.2 address multiple vulnerabilities:

  • Persistent Cross Site Scripting in Splunk Web (SPL-134841)
  • Information Leakage via JavaScript (CVE-2017-5607)


Refer to the Splunk advisory for the details and mitigation of both vulnerabilities:

Affected Products and Components


Persistent Cross Site Scripting in Splunk Web (SPL-134841)

Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.14 and Splunk Light before 6.5.2

Affected Components: All Splunk Enterprise components running Splunk Web.


Information Leakage via JavaScript (CVE-2017-5607)

Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before, 6.1.x before 6.1.13, 6.0.x before 6.0.14, 5.0.x before 5.0.18 and Splunk Light before 6.5.2

Affected Components: All Splunk Enterprise components.



Below is the proof-of-concept JavaScript code published in the advisory:

// Inherited setter for "$C" on Object.prototype: a later global assignment
// of Splunk's $C config object resolves to it and hands over the whole object.
Object.defineProperty(Object.prototype, "$C", {
  set: function (val) {
    //prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername: " + val.USERNAME, "Password")
    for (var i in val) {        // show each leaked field and its value
      alert("" + i + " " + val[i]);
    }
  }
});

For more details on the information leakage via JavaScript, including the exploit/PoC and how to reproduce it, see:
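The mechanism behind the PoC above, and one way a page can publish a global configuration object without an inherited setter observing it, as an added example that is not from the advisory or from Splunk. The `$C` name is taken from the PoC; `publishConfigByAssignment`, `publishConfigAsOwnProperty`, the capture list and the sample config values are hypothetical, constructed for this demonstration.

```javascript
// Added example (not from the Splunk advisory or from Splunk): shows why an
// inherited setter on Object.prototype observes "target.$C = {...}", and that an
// own property defined with Object.defineProperty is never handed to that setter.
// The "$C" name comes from the PoC; everything else here is hypothetical.

// Stand-in for the attacker's capture: every value assigned to a "$C" property
// that resolves to this inherited setter is recorded here.
const captured = [];

function installPrototypeSetter() {
  Object.defineProperty(Object.prototype, '$C', {
    configurable: true, // so demo() can remove it again afterwards
    set(val) { captured.push(val); },
  });
}

function removePrototypeSetter() {
  delete Object.prototype.$C;
}

// Constructed sample config; the field names stand in for the values the page describes.
const sampleConfig = { USERNAME: 'alice', SESSION: 'constructed-sample-token' };

// Pattern 1 (leaks): plain assignment. The property is not an own property of
// target, so the lookup walks the prototype chain, finds the inherited accessor
// on Object.prototype and invokes its setter with the whole config object.
function publishConfigByAssignment(target, cfg) {
  target.$C = cfg;
  return target;
}

// Pattern 2 (does not leak): define an own data property. Object.defineProperty
// writes the descriptor directly onto target and never consults inherited setters.
function publishConfigAsOwnProperty(target, cfg) {
  Object.defineProperty(target, '$C', {
    value: Object.freeze({ ...cfg }),
    writable: false,
    enumerable: false,
    configurable: false,
  });
  return target;
}

// Exercise both patterns against fresh scope objects while the hostile setter is
// installed, and return what the setter saw in each case.
function demo() {
  captured.length = 0;
  installPrototypeSetter();
  try {
    const scope1 = publishConfigByAssignment({}, sampleConfig);
    const leakedByAssignment = captured.length; // 1: the setter received sampleConfig
    const ownAfterAssignment = Object.prototype.hasOwnProperty.call(scope1, '$C'); // false

    const scope2 = publishConfigAsOwnProperty({}, sampleConfig);
    const leakedByDefine = captured.length - leakedByAssignment; // 0: setter not invoked
    const ownAfterDefine = Object.prototype.hasOwnProperty.call(scope2, '$C'); // true

    return {
      leakedByAssignment,
      ownAfterAssignment,
      leakedByDefine,
      ownAfterDefine,
      readBack: scope2.$C.USERNAME, // 'alice': the page itself can still read its config
    };
  } finally {
    removePrototypeSetter(); // leave Object.prototype clean for other code
  }
}

console.log(JSON.stringify(demo()));
```

Running the block with node prints the counts: the plain assignment reaches the inherited setter once and leaves no own property behind, while Object.defineProperty stores the value on the target without the setter running. Defining the property on the target is only a local hardening; a script resource that carries session data is still readable by any origin that can include it with a script tag, so the durable fix is not to serve such data as executable JavaScript.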

Saturday, April 1, 2017

The official Exploit Database repository

Exploit Database is a well-known archive of public exploits, widely used by pentesters and security researchers for their testing. Most of the submissions are proofs of concept rather than advisories. - This is the Exploit Database git repository link.

There is also an Exploit Database repository of binary exploits:

These databases are updated daily, so security researchers, pentesters and vulnerability researchers can make full use of them, thanks to the large number of proofs of concept and the regular updates to the Exploit Database.
