SSDP Distributed Reflection Denial of Service (DrDoS) Attacks may be biggest threat – Traffic Sample & Snort Rule

SSDP Distributed Reflection Denial of Service attacks are on the rise and may be the biggest threat right now. SSDP attacks do not have the biggest amplification number but they may have the most vulnerable systems to abuse in a reflection attack. Open source reports indicate that there are over 5 million vulnerable systems worldwide as of August 2015. One of our dedicated servers was attacked by this DoSnet earlier this morning. We detected over 155,000 unique IP addresses involved in the attack and bandwidth spikes from 100MB/sec to 500MB/sec. The actual statistics are not confirmable as there was massive […]

Penetration Testing Red Team Reverse Shell Cheat Sheet

If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either trowing back a reverse shell or binding a shell to a TCP port.  This page deals with the former. Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared. The examples shown are tailored to Unix-like systems.  Some of the examples below should also work on Windows if you use […]

Lokibot IOC Feed InfoStealer Trojan malware PCAP file download traffic sample

Latest indicators of compromise from our our Lokibot IOC feed. Lokibot is an information stealing (infostealer) trojan targeting users worldwide. It’s was designed for the primary purpose of perpetrating fraud and identity theft. Lokibot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.  TypeStealer  Originex-USSR territory  First seen3 May, 2015  Last seen11 February, 2020 Also known as LokiLokiPWS 2020-02-11 00:44:29.440705 IP > Flags [P.], seq 1:517, ack 1, win 16450, length 516: HTTP: GET /E/3609779.exe HTTP/1.1 E..,+.@…@…V.k. ..’.P…./.”.P.@BlZ..GET /E/3609779.exe HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, […]

Zenpak Trojan Malware PCAP File Download Traffic Sample

Dateadded (UTC) Malware URL Status Tags Reporter 2020-02-08 16:42:22 Online exe @abuse_ch 2020-02-08 16:42:18 Offline exe @abuse_ch 2020-02-08 16:42:12 Offline exe @abuse_ch 2020-02-08 16:42:03 Online exe @abuse_ch What Trojan.Win32.Zenpak.usq virus can do? Executable code extraction Attempts to connect to a dead IP:Port (1 unique times) Creates RWX memory Expresses interest in specific running processes A process created a hidden window HTTP traffic contains suspicious features which may be indicative of malware related traffic Performs some HTTP requests Unconventionial language used in binary resources: Sindhi The binary likely contains encrypted or compressed data. Uses Windows utilities for basic functionality […]

Themida Malware Trojan PCAP File Download Traffic Sample

Acronis Suspicious Ad-Aware Trojan.GenericKD.33042201 AegisLab Trojan.Win32.Stralo.a!c Alibaba Packed:Win32/Themida.9b7a1eb0 ALYac Trojan.GenericKD.33042201 SecureAge APEX Malicious Arcabit Trojan.Generic.D1F82F19 Avast Win32:Trojan-gen AVG Win32:Trojan-gen Avira (no cloud) HEUR/AGEN.1038489 BitDefender Trojan.GenericKD.33042201 CAT-QuickHeal Trojandownloader.Stralo CrowdStrike Falcon Win/malicious_confidence_100% (W) Cybereason Malicious.45a019 Cylance Unsafe Cyren W32/Trojan.KCYB-5076 2020-02-08 20:29:34.973179 IP > Flags [P.], seq 926682144:926682556, ack 616271298, win 16425, length 412: HTTP: GET /download.php?file=marg.exe HTTP/1.1 E…..@…….V./J’=…P7<. $…P.@).<..GET /download.php?file=marg.exe HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, / Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: Connection: Keep-Alive 2020-02-08 20:29:35.825646 IP […]