Security Affairs

APRIL 14, 2020

“The emails all contained a malicious Rich Text Format (RTF) phishing lure with the file name 20200323- sitrep -63- covid -19. ” The messages use a weaponized rich text format (RTF) attachment that exploits the CVE-2012-0158 buffer overflow in Microsoft’s ListView / TreeView ActiveX controls in MSCOMCTL.OCX library.

Ransomware 126

Ransomware Phishing File names Encryption 126

Security Affairs

FEBRUARY 5, 2019

By exploiting the vulnerability it is possible to trigger the automatic execution of a specific python library included in the suite using a hidden onmouseover event. The expert pointed out that the python file, named “pydoc.py,” is already included in the LibreOffice software. Pierluigi Paganini.

File names 105

File names Libraries Security IT 105

Security Affairs

OCTOBER 10, 2018

“These lure documents use titles with government , military, and diplomatic themes, and the file names are written in English or Cyrillic languages. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. ” continues Symantec. Pierluigi Paganini.

Military 88

Military File names Government Libraries 88

Security Affairs

FEBRUARY 19, 2019

It spreads Shade/ Treshold variants, one of the most dangerous threats in the cyber crime scenario, known since its massive infection into the Russian panorama back in 2015, its expansion has been tracked by several CSIRTs and CERTs all across the world. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Ransomware 79

Ransomware Mining File names Encryption 79

Security Affairs

OCTOBER 20, 2018

The plugin is widely adopted by numerous server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others. Cashdollar discovered two PHP files named upload.php and UploadHandler.php in the package’s source, which contained the file upload code.

File names 96

File names Libraries Security Access 96

Security Affairs

SEPTEMBER 5, 2018

“Two exploit documents with Vietnamese-language file names were observed with file metadata unique to the GOBLIN PANDA adversary.” Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. ” reads the analysis published by CrowdStrike. Pierluigi Paganini.

Metadata 50

Metadata File names Libraries Government 50

Security Affairs

JUNE 5, 2019

“This malware, which we named BlackSquid after the registries created and main component file names, is particularly dangerous for several reasons.” According to the experts, BlackSquid has worm-like propagation capabilities and it can be used to launch brute-force attacks. ” states Trend Micro.

Mining 67

Mining File names Libraries IT 67

Security Affairs

MAY 7, 2019

The executable sample is a PE32 x86 file named “tester.exe”. This library provides access to the E X tension for F inancial S ervice (XFS) API, the communication interface needed to interact with AMT components such as PIN pad and cash dispenser. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Libraries 67

Libraries e-Discovery Communications File names 67

Security Affairs

DECEMBER 4, 2018

The second stage of the infection chain is the “ ppc.cab ” file downloaded by the dropper to the “ %APPDATA%Roaming ” location: it actually is a Microsoft Cabinet archive embedding an executable file named “ puk.exe ”. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Pierluigi Paganini.

Archiving 84

Archiving File names Libraries Communications 84

Security Affairs

SEPTEMBER 4, 2019

The malware encrypts all the files whose extension is not present in the list. Figure 4: Content of “key” file contained in “C:ProgramData”. During the encryption phase, JSWorm writes a suspicious file named “key.Infection_ID.JSWRM” in “C:ProgramData”.It It contains the AES key used to encrypt the files.

Ransomware 86

Ransomware Encryption File names Libraries 86

Security Affairs

MARCH 2, 2019

File name: patent-2019-02-20T093A283A05-1.xls However, as already mentioned at the beginning of the technical analysis, SI-LAB team obtained two types of files, namely xls and doc archives. File name : 68131_46_20190219.doc Analyzing the MSI file – The installer/dropper of infamous FlawedAmmyy.

File names 92

File names Phishing Libraries IT 92

Security Affairs

JUNE 5, 2020

The macro contained inside the document is quite minimal and does not contain dead code or other anti-analysis technique, a part of the random looking variable naming. If the download is successful, the malware reads raw bytes from the downloaded file and transforms them into ready to execute powershell code. Figure 3: Extracted Macro.

Manufacturing 102

Manufacturing File names IT Libraries 102

Security Affairs

DECEMBER 29, 2019

As observed, the output shows us two AWS-hosted addresses that contain two malicious files, namely: hxxps[:]//fucktheworld.s3.us-east-2.amazonaws[.]com/0.zip zip file is a DLL with additional code loaded by PE File P-19-2.dll At the moment, the file 0.zip To get details about the library inside the 0.zip

Passwords 98

Passwords e-Discovery IT Cleanup 98

Security Affairs

MARCH 28, 2019

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive. The issue affects a third-party library, called UNACEV2.DLL DLL that is used by WINRAR, it resides in the way an old third-party library, called UNACEV2.DLL,

Archiving 89

Archiving File names Education Libraries 89

Security Affairs

JULY 7, 2020

However, in this new release, two DLL files are distributed. VBS file leverages the Windows rundll32 library to inject the first DLL into memory (P-14-7.dll), Figure 6: Deofuscated VBS file – Lampion trojan July 2020. LNK files from the Windows startup folder. VBS files from the Windows startup folder.

Communications 110

Communications Cloud Phishing Encryption 110