Nowadays it is almost impossible not to write about the EquationGroup leak, so I am going to start this "blog post" by pushing the following picture (produced by Kaspersky Lab), which should remove any doubt about the leak's paternity. (Figure: EquationGroup vs ShadowBrokers' Leak.) The leaked dump contains a set of exploits, implants and tools for hacking firewalls (code name: […] Read more: "Summing up the ShadowBrokers Leak"
I wrote a little about the general picture of Ransomware and general Ransomware infection methods here. Today, after some more months working in the field and after having met many more Ransomware samples than I expected, I would like to write a little about how to "fight them". Before starting the review of some of the best-known […] Read more: "Fighting Ransomware Threats"
Once upon a time, breaking the stack (here) was a matter of indexes and executable memory areas (here). Then came DEP (here), which made a particular memory area non-executable. This is the fascinating story of ROP (Return Oriented Programming), on which I have been working for a long time, writing exploits and […] Read more: "From ROP to LOP bypassing Control Flow Enforcement"
Back in 2011, blogs (here, here, here) and papers (here, here, here, here) described a widely used malware technique for hiding malicious actions, called Process Hollowing. Nowadays we are experiencing some "flashbacks" of this delightful technique, so I decided to write a little about it, just in case someone needs a "refresh". Process hollowing is a […] Read more: "Process Hollowing"
From time to time people ask me what the most "notorious hacking groups" are. In February 2015 I wrote a little about the most notorious groups of 2015 (here), but today things have changed a little. It is hard to answer such a question, since we need a strong definition of "notorious": do […] Read more: "Notorious Hacking Groups in mid 2016"
Most of my readers know exactly what code caves are, while many other people out there (maybe occasional readers) may wonder why I am writing about code caves in 2016, since it is a well-known technique (published in 2006) for injecting a malicious payload inside Windows Portable Executables. Well, today I want to disclose a […] Read more: "Looking For Caves in Windows Executables"
Today I want to share a quick'n'dirty analysis of a brand new Crypt0l0cker version released for the Italian market and spread over emails (such as: ENEL Bolletta). Unfortunately I do not have much time to invest in that analysis, but we will analyse how we might be able to recover most of the encrypted […] Read more: "Recovering Files From Brand New Crypt0l0cker"