Today, I published the following diary on isc.sans.edu: “Python Malware Using Postgresql for C2 Communications“: For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common
I published the following diary on isc.sans.edu: “A Backdoor with Smart Screenshot Capability“: Today, everything is “smart” or “intelligent”. We have smartphones, smart cars, smart doorbells, etc. Being “smart” means performing actions depending on the context, the environment, or user actions. For a while, backdoors and trojans have implemented screenshot
I published the following diary on isc.sans.edu: “Malicious Python Script Behaving Like a Rubber Ducky“: Last week, it was SANSFIRE in Washington where I presented a SANS@Night talk about malicious Python scripts in Windows environment. I’m still looking for more fresh meat and, yesterday, I found another interesting one. Do you
I published the following diary on isc.sans.edu: “Custom Python RAT Builder“: This week I already wrote a diary about “code reuse” in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. When you received a malicious Word documents, it has not been
I published the following diary on isc.sans.edu: “Info-Stealer Using webhook.site to Exfiltrate Data“: We already reported multiple times that, when you offer an online (cloud) service, there are a lot of chances that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site. Today, many
I published the following diary on isc.sans.edu: “Using Sudo with Python For More Security Controls“: I’m a big fan of the Sudo command. This tool, available on every UNIX flavor, allows system administrators to provide access to certain users/groups to certain commands as root or another user. This is performed with a
I published the following diary on isc.sans.edu: “Python DLL Injection Check“: They are many security tools that inject DLL into processes running on a Windows system. The classic examples are anti-virus products. They like to inject plenty of code that, combined with API hooking, implements security checks. If DLLs are
I published the following diary on isc.sans.edu: “Keeping an Eye on Dangerous Python Modules“: With Python getting more and more popular, especially on Microsoft Operating systems, it’s common to find malicious Python scripts today. I already covered some of them in previous diaries. I like this language because it is very
I published the following diary on isc.sans.edu: “From Python to .Net“: The Microsoft operating system provides the .Net framework to developers. It allows to fully interact with the OS and write powerful applications… but also malicious ones. In a previous diary, I talked about a malicious Python script that interacted with the
I published the following diary on isc.sans.edu: “No Python Interpreter? This Simple RAT Installs Its Own Copy“: For a while, I’m keeping an eye on malicious Python code targeting Windows environments. If Python looks more and more popular, attackers are facing a major issue: Python is not installed by default
