Feed aggregator

QxSearch hijacker fakes failed installs

Malwarebytes - Fri, 08/16/2019 - 21:06

Recently, one of the more dominant search hijacker families on our radar has started to display some curious behavior. The family in question is delivered by various Chrome extensions and classified as PUP.Optional.QxSearch because of its description in listings of installed extensions, which tells us that “QxSearch configures your default search settings.”


This branch of the search hijacker family is a clear descendant of SearchPrivacyPlus, which is referenced in our removal guide for a Chrome extension called SD App. The Chrome Web Store entries and websites that promote both QxSearch and SearchPrivacyPlus are almost identical. What’s different is that QxSearch tells users that the installation failed or that an extra step is required.

However, despite the message asking users to try again, the extension has already been installed. Curious.

How can we recognize QxSearch extensions?

QxSearch can be found in more than one Chrome extension in the Web Store. We can recognize them by spotting the QxSearch description, which also shows up in the overview section of the store.

QxSearch configures your default search settings

At the moment, these extensions are installed from the Web Store after a redirect from sites that are served up by ad-rotators. The sites all look similar, showing a prompt that tells users, “Flash SD App required to proceed” and a button marked “Browse Safely” that leads to the extension in the Web Store.

In the Web Store, another common denominator so far has been the “Offered by: AP” subhead.

During the installation, the “Permissions prompt” will show that the extension reads and changes your data on a number of websites:

Using the “Show Details” link shows users that the sites the extension wants to read and change belong to some of the most commonly-used search engines, including Google, Bing, and Yahoo.

Bing.com, booking.com, google.com, yahoo.com, and appsearch.xyz are the domains targeted by this search hijacker.

The hijacker intercepts searches performed on these domains and redirects the user to a domain of their own, showing the search results while adding some sponsored results at the top.

We are not sure whether the behavior of showing a failed install notification is by design or just sloppy programming, but given the fact that the “error” hasn’t been corrected after a few weeks, this leads us to believe it might be on purpose.

Looking at the installation process, it looks as if the fail occurs when the extension is due to add an icon to the browser’s menu bar. As a result, these hijackers do not display an icon—a handy way to make them more difficult to remove.

Protection against QxSearch

Malwarebytes removes these extensions and blocks the known sites that promote these extensions.

It is useless to blacklist the extensions, because a new one is pushed out at least once every day. So instead, we’ll show you some typical hallmarks that they have in common so you can recognize them—and avoid them.
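One way to turn those hallmarks into a check, as an added example rather than Malwarebytes’ own tooling: scan a Chrome profile’s Extensions directory and flag any manifest whose description carries the QxSearch string quoted above, or whose host permissions cover the search-engine domains the post lists (bing.com, booking.com, google.com, yahoo.com, appsearch.xyz). The `<profile>/Extensions/<id>/<version>/manifest.json` layout is Chrome’s; the sample manifests, extension IDs and the “three or more domains” threshold are constructed assumptions.

```python
"""Flag QxSearch-style Chrome extensions by their manifest hallmarks.

Added example, not Malwarebytes' code. Two signals are checked per
manifest: the QxSearch description string quoted in the post, and host
permissions that cover the search-engine domains the post names.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

QXSEARCH_DESCRIPTION = "QxSearch configures your default search settings"
# Domains the post lists as targeted by the hijacker.
HIJACKED_DOMAINS = {"bing.com", "booking.com", "google.com", "yahoo.com", "appsearch.xyz"}
DOMAIN_THRESHOLD = 3  # assumption: flag when permissions cover this many of them


def host_of_pattern(pattern: str) -> Optional[str]:
    """Reduce a match pattern such as '*://*.google.com/*' to 'google.com'."""
    if pattern == "<all_urls>":
        return "<all_urls>"
    try:
        host = urlsplit(pattern.replace("*://", "https://")).hostname
    except ValueError:
        return None
    return host.lstrip("*.") if host else None


def permission_hosts(manifest: dict) -> set[str]:
    """Collect hosts from both MV2 'permissions' and MV3 'host_permissions'."""
    patterns = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    hosts = set()
    for p in patterns:
        if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
            h = host_of_pattern(p)
            if h:
                hosts.add(h)
    return hosts


def targeted_domains(hosts: set[str]) -> set[str]:
    """Return which of the hijacked domains the permission hosts cover."""
    hit = set()
    for h in hosts:
        if h == "<all_urls>":
            return set(HIJACKED_DOMAINS)
        for d in HIJACKED_DOMAINS:
            if h == d or h.endswith("." + d):
                hit.add(d)
    return hit


def assess_manifest(manifest: dict) -> list[str]:
    """Return the reasons a manifest looks like QxSearch (empty if none)."""
    reasons = []
    if QXSEARCH_DESCRIPTION.lower() in manifest.get("description", "").lower():
        reasons.append("description matches QxSearch")
    hit = targeted_domains(permission_hosts(manifest))
    if len(hit) >= DOMAIN_THRESHOLD:
        reasons.append("host permissions cover " + ", ".join(sorted(hit)))
    return reasons


def scan_extensions_dir(ext_dir: str) -> dict[str, list[str]]:
    """Walk <ext_dir>/<id>/<version>/manifest.json and return findings by extension id."""
    findings = {}
    for manifest_path in Path(ext_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than crash the scan
        reasons = assess_manifest(manifest)
        if reasons:
            findings[manifest_path.parent.parent.name] = reasons
    return findings


def build_sample_profile(root: str) -> str:
    """Write two constructed manifests (one suspicious, one benign) under root/Extensions."""
    ext_dir = Path(root) / "Extensions"
    samples = {
        "a" * 32: {  # constructed id; a Chrome id is 32 letters a-p
            "name": "Browse Safely",
            "description": "QxSearch configures your default search settings",
            "permissions": ["tabs", "*://*.google.com/*", "*://*.bing.com/*",
                            "*://*.yahoo.com/*", "*://appsearch.xyz/*"],
        },
        "b" * 32: {"name": "Notes", "description": "Take notes", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = ext_dir / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(ext_dir)


def demo() -> dict[str, list[str]]:
    """Build the constructed profile in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions_dir(build_sample_profile(tmp))


if __name__ == "__main__":
    for ext_id, reasons in demo().items():
        print(ext_id, "->", "; ".join(reasons))
```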

IOCs of QxSearch

Search result domains:

  • qxsearch.com
  • bigsrch.xyz

Landing pages:

  • chissk.icu
  • wajm.icu
  • xv11.xyz
  • … /chrome/new/2/?v=500#sdapp93

Similar but not the same

Another family of hijackers displays slightly similar behavior by showing an installation failed notification.

Only in this case the “interrupted installation” refers to the installation of a second extension that the first one tried to trigger. In this family, the first extension is a search hijacker and the second one is a “newtab” hijacker. The search hijackers in this family are detected as PUP.Optional.Safely and the Newtab hijacker is called Media New Tab.

Why would search hijackers do this?

Search hijackers don’t generate large amounts of cash for threat actors the way ransomware or banking Trojans do. So, the publishers are always looking for ways to get installed on large numbers of systems and stay installed for as long as possible.

This “installation failed” tactic could have been invented to make users think nothing was installed, so there is no reason to check for or suspect suspicious behavior. This does not explain why they opted to redirect to their own domain rather than simply adding the sponsored results as we have seen in the past.

So, it remains a bit of a mystery and reason enough to keep an eye on this family.

Search hijackers in general

Search hijackers come in different flavors. Basically, they can be divided into three main categories if you look at their methodology:

  • The hijacker redirects victims to the best paying search engine.
  • The hijacker redirects victims to their own site and shows additional sponsored ads.
  • The hijacker redirects victims to a popular search engine after inserting or replacing sponsored ads.

By far the most common vehicles are browser extensions, whether they are called extensions, add-ons, or browser helper objects. But you will see different approaches here as well:

  • The extension lets the hijacker take over as the default search engine.
  • The extension takes over as “newtab” and shows a search field in that tab.
  • The extension takes permission to read and change your data on websites. It uses these permissions to alter the outcome of the victim’s searches.

Especially in the last case of each list, it helps the hijacker to stay hidden from plain sight, as the user might not notice that their search results are “off.” That seems to be exactly what this branch of the QxSearch family is doing.

A short lesson

The lesson we can take away from these search hijackers is that a mere notification that an install has failed is not enough reason to assume that nothing was installed. Stay vigilant so that, even if the culprit isn’t readily visible, you’ll know what to do.

Stay safe everyone!

The post QxSearch hijacker fakes failed installs appeared first on Malwarebytes Labs.


DIY Baby Shower Cake Topper: Quick Cricut Craft

Moogly - Fri, 08/16/2019 - 15:00

While putting together a baby shower for my sister, we just couldn’t find the right cake topper. So we made one using my Cricut Maker! Here’s how to create your own DIY Baby Shower Cake Topper! Disclaimer: This post includes affiliate links; materials provided by Cricut and Rust-Oleum. Step One – Cut First things first,...


The post DIY Baby Shower Cake Topper: Quick Cricut Craft appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.


Swords & Monsters

Sorcerer's Skull - Fri, 08/16/2019 - 11:00

It occurs to me that you could throw out the atmosphere and, well, pretty much everything else about Ravenloft except for the vague notion of adventure fantasy characters fighting creatures of horror. If the world was more of a sword and sorcery setting, and the monsters leaned even heavier in the Universal Monsters direction, I think that would be pretty cool in its own right. The jeweled thrones of the Earth might be sat upon by wolfmen, vampires, man-made monsters, and perhaps even an invisible person or two.

There is some inspiration for this sort of thing in Sword & Sorcery/pulp fiction. Howard wrote "Wolfshead" (which isn't S&S, but hey). Karl Edward Wagner has Kane take on a vampire ("Mirage") and a werewolf ("Reflections on the Winter of My Soul"). In the DC Comics' Warlord there is at least one vampire and two werewolves over its run. I'm sure there are others, but that's off the top of my head.

The Higher Struggle

The Viridian Scroll - Thu, 08/15/2019 - 16:23
TLDR: a cool, free game that could be used as a campaign sub-system to model the struggle between factions and powers.

One of the things that always impresses me when I read The Lord of the Rings is the time Tolkien spends setting up the higher struggle between powers. Sometimes we see it in the form of councils and plans, other times we see it in the form of a conflict of wills. Galadriel or Aragorn contesting with the Eye of Sauron, for instance. This battle above and beyond the literal battlefield is fascinating. It informs the latter as well, allowing us to see in every clash of arms the larger forces at work.

What am I rambling on about?

Well, it's the desire for that layer in our RPG games. Often GMs achieve it with recurring villains and reveal it through rumors and one-on-one interactions with NPCs. But is there a better way to model it?

I have seen political struggle represented in sub-systems before, or at least models that approach it. There is a nice social combat model in Diaspora, for instance. But I'm not sure I've ever seen anything as useful or simple as this little design by Mark Hunt.


Get the game here!

Scandalous Goons is a hack of Tunnel Goons, which I mentioned in a previous post. The rules of the game are basically the same, but instead of classes Mark supplies the stats of Reputation, Rumor, and Connections. And in place of inventory items we have assets like Military Honors, Spy, Blackmail Information, and Married Well. The third change is really about trading out health for a bank of Influence points.

Two things make this little game an ideal "bolt on" to about any campaign.
  1. It's very easy to adapt to your particular scenario. Change or add stats. Come up with new/different assets. Allow different factions to start with more or less Influence. An hour's work would probably be more than enough to totally customize Scandalous Goons to be completely in step with your group's campaign.
  2. It's easy to implement without interacting or interfering with the mechanics of whatever RPG you are playing.
Oh, did I mention it's also free?! 
I can't wait to take this game and use it to model the politicians, gang lords, and guild masters of a fantasy town. Or to play out some huge space opera game where star lords and planetary tyrants develop assets like warp drive levels, planetary defenses, cloaking devices, trade goods, super soldiers, etc. 
Thanks, Mark!

The Hidden Bee infection chain, part 1: the stegano pack

Malwarebytes - Thu, 08/15/2019 - 15:26

About a year ago, we described the Hidden Bee miner delivered by the Underminer Exploit Kit.

Hidden Bee has a complex and multi-layered internal structure that is unusual among cybercrime toolkits, making it an interesting phenomenon on the threat landscape. That’s why we’re dedicating a series of posts to exploring particular elements and updates made during one year of its evolution.

Recently, we decided to revisit this interesting miner, describing its loader that starts the infection from a single malicious executable. This post will present an alternative loader that is deployed when the infection starts from the Underminer Exploit Kit. It is analogous to the loader we described in the following posts from 2018: [1] and [2].

The dropped payloads: an overview

The first time we spotted Hidden Bee, it started the infection from a Flash exploit. It downloaded and injected two elements with WASM extensions that in reality were executable modules in a custom format. We described them in detail here.

The files with WASM extensions, observed a year ago

Those elements were the initial loaders, responsible for initiating the infection chain that at the end installed the miner.

Nowadays, those elements have changed. If we take a look at the elements dropped by the same EK today, we will no longer find those WASM extensions. Instead, we encounter various multimedia files: a WAV (alternatively two WAVs), a JPEG, and a PNG.

The elements downloaded nowadays: WAV, JPG, PNG

The WAV files are downloaded by iexplore.exe, the browser where the exploit is run. In contrast, the images are downloaded at later stages of infection. For example, the JPG is always downloaded from the dllhost.exe process. The PNG is often downloaded from yet another process.

In some runs, we observed the PNG to be downloaded instead of the JPG:

Alternative: PNG being downloaded after WAV

We will start our journey of Hidden Bee analysis by looking at these files. Then, we will move to see the code responsible for processing them in order to reveal their hidden purpose.

The roadmap of the full described package:

Diagram showing the transitions between the elements

The downloaded WAV

The WAV file sounds like grey noise, and we suspect that it is meant to hide some binary belonging to the malware.

An oscillogram of the WAV file

The data is unreadable, probably encrypted or obfuscated:

We also found a repeating pattern inside, which looks like an encrypted padding. The size of the chunk is 8 bytes.

The repeating pattern inside the file: 8 bytes long

This time, using the repeating pattern as an XOR key didn’t help in getting a readable result, so probably some more complex block cipher was used.

The JPG

Below is a sample JPG, downloaded from the URL in the format: /views/[unique_string].jpg

In contrast to the WAV content, the JPG always looks like a valid image. (Interestingly, all the JPGs we observed have a consistent theme of manga-styled girls.) However, if we take a closer look at the image, we can see that some data is appended at the end.

Let’s analyze the JPG and try to extract the payload.

First, I opened the image in a hex editor (e.g., HxD). The size of the full image is 156,005 bytes. The last 118,762 bytes belong to the malware. So, we need to remove the first 37,243 bytes (156,005-118,762=37,243) in order to get the payload.

The appended part of the JPG

The payload does not look like a valid code, so it is probably obfuscated. Let’s try the easiest option first and see if there are any candidates for the XOR key. We can see that the payload has padding at the end:

Let’s try to apply the repeating character (in the given example it is 0xE5) as an XOR key. This is the result (1953032199142ea8c5872107da8f2297):

Repeating the experiment on various payloads, we can see that the result always starts with the keyword !rcx. As we know from analyzing other elements of Hidden Bee, the authors of this malware decided to use various custom formats named after 64-bit Intel registers. We also encountered packages starting with !rbx and !rsi at different layers. So, this is the first element in the chain that uses this convention.

When we load the !rcx module into IDA, we can confirm that it contains valid code. More detailed explanation about the !rcx format will be given later on in this article.

The PNG

Let’s have a look at a sample PNG, downloaded as “captcha.png” (URL format: /images/captcha.png?mod=attachment&u=[unique_id]):

Although it is a PNG in a valid format, it looks like noise. It probably represents bytes of some encrypted data. An attempt to convert the PNG to raw bytes didn’t give any readable results. We need to analyze the code in order to discover what it hides.

Code analysis: the initial SWF file

The initial SWF file is embedded on the website and responsible for serving the exploit. If we look inside it, we will not find anything malicious at first. However, among the binary data we can find another suspicious WAV as an audio asset:

The beginning of the file:

This SWF file also contains a decoder for it:

The function “decode” takes four parameters. The first of them is the byte array containing the WAV asset: That is the content to be decoded. The second argument is an MD5 (the “setup” function is an MD5 implementation) made of concatenation of the AppId and the AppToken: That is probably the encryption key. The third parameter is a salt (probably the initialization vector of the crypto).

The salt is fetched from the HTML page, where the Flash component is embedded:

Alternative case: two WAV files

Sometimes, rather than embedding the WAV containing the Flash exploit, authors use another model of delivering it. They store the URL to the WAV, and then they retrieve the file.

In the below example, we can see how this model is applied to Hidden Bee. The salt, along with the WAV URL, are both stored in the Javascript embedded in the HTML:

The Flash file first loads it and then decodes as the next step:

Looking at the traffic capture, we can see that in this case, not one, but two WAV files are downloaded:

A case when two WAV files were downloaded (and none embedded in the Flash)

The algorithms used to encrypt the content of the first WAV may vary and sometimes the algorithm is supplied as one of the parameters. After the content is fetched, the data from the WAV files is decoded using one of the available algorithms:

We can see that the expected content is a Flash file that is then loaded:

The “decode” function

The function “decode” is imported from the package “com.google”:

The full decompiled code is available here.

When we look inside, we see that the code is slightly obfuscated:

Looking at the decompiled code, we see some interesting constants. For example, –889275714 in hex is 0xCAFEBABE. As we found during analysis of other Hidden Bee elements, this DWORD was used by the same authors before as a magic number identifying one of the custom formats.

Internally, there are references to a function from another module: E_ENCRYPT_process_bytes(). Inside this function, we see calls suggesting that the Rabbit Cipher has been used:

Rabbit uses a 128-bit key (the same length as the MD5 hash that was mentioned before) and a 64-bit initialization vector. (In different runs, a different encryption algorithm may be selected.)

After the decoding process is complete, the revealed content is loaded:

The first WAV: a Flash exploit

The decoded WAV contains a package with two elements embedded: a Flash file (movies.swf) and the configuration file (config.cfg). The decrypted data starts from the magic DWORD 0xCAFEBABE, which we noticed in the code of the previous SWF.

The Flash file (movies.swf) contains an embedded exploit. In the analyzed case, the exploit used is CVE-2015-5122; however, a different exploit may be used on a different machine:

The payload (shellcode) is stored in the form of an array (binary version available here: 9aec11ff93b9df14f060f78fbb1b47a2):

The configuration file (config.cfg) contains the URL to another WAV file.

The payload is padded with NOP (0x90) bytes, and the parameters, including the configuration, are filled there before the payload runs.

The fragment of the code feeding the configuration into the payload

The shellcode: downloading the second WAV

The second WAV, in contrast to the first one, is always downloaded and never embedded. It is retrieved by the “PayloadWin32” shellcode (9aec11ff93b9df14f060f78fbb1b47a2), deployed after the successful exploitation.

Looking inside this shellcode, we find the function that is responsible for downloading and decrypting another WAV. The shellcode uses parameters that were filled by the previous layer. This buffer contains the URL that will be queried and the key that will be used for decryption of the payload. It loads functions from wininet.dll using their checksums. After the initialization steps, it queries the supplied URL. The expected result is a buffer with a header typical for WAV files.

As we already suspected, the data of the WAV (starting from the offset 0x2C) contains the encrypted content. Indeed, blocks that are 8 bytes long are decrypted in a loop:

After the decryption is complete, the next module will be revealed. It is interesting to take a look at the expected header of the payload to learn which format is used for the output element. This time, the decoded data is supposed to start with the following magic numbers: 0x01, 0x04, …, 0x10.

The second WAV: an executable in proprietary format

On the illustration below, we can see how the data of the WAV looks after being decrypted (9b37c9ec19a53007d450b9b9c8febbe2):

This is an executable component that is loaded into Internet Explorer. After it decodes the imports, it starts to look much more familiar:

We can see that it follows a structure analogous to the one described in last year’s article.

This module is first executed within Internet Explorer. Then, it creates another process (dllhost.exe) in a suspended state:

It injects its original copy there (769a05f0eddd6ef2ebdd13618b244758):

Then it redirects execution to its loading function. Below, we can see the Entry Point of the implanted module within dllhost.exe.

A detailed analysis of the execution flow of this module and its format will be given later in the article.

At this point, it is important to note that the dllhost.exe is the module that further downloads the aforementioned images.

The modules with the custom format

The module with the custom format is analogous to the one described before. However, we can see that it has significantly evolved.

There are changes in the header, as well as improvements in the implementation.

Changes in the custom format

The new header is similar to the previous one. The few details that have changed are: the magic number at the beginning (from 0x10000301 to 0x10000401), and the format in which the DLLs are stored (the length of a DLL name has been added). That’s why we will refer to this format as “0x10000401 format.”

Another change is that now the names of the DLLs are obfuscated by a simple XOR with 1 byte character. They are deobfuscated just before being loaded.

Summing up, we can visualize the new format in the following way:

Obfuscation used

This time, the authors decided to obfuscate all the strings used inside the module. Now all the strings are decoded just before use.

Example: decoding the string before the use

The decoding algorithm is simple, based on XOR:

The string-decoding algorithm

Inside the images downloader

Let’s look inside the first module in the 0x10000401 format that we encountered. This module is an initial stage, and its role is to download and unpack the other components. One such component is in a CAB format (that’s why we can see the Cabinet.dll among the imported DLLs).

The role of this module is similar to the first “WASM” mentioned in our post a year ago. However, the current version is not only better protected, but also comes with some improvements. This time the downloaded content is hidden in the images. So, analyzing this element can help us to understand how the steganography used here works.

First, we can see that the URLs are retrieved from their Base64 form:

This string decodes to a list containing URLs of the PNG and JPG files that are going to be downloaded. For each sample, this set is unique. None of the URLs can be reused: the server gives a response only once. An example of a URL set:

http://38.75.137.9:9088/pubs/wiki.php?id=937a4eadd6f5a94b3738a58dcc79ca13
http://38.75.137.9:9088/images/captcha.png?mod=attachment&u=357e27e8af72925144ec1db2421d0cc5
http://38.75.137.9:9088/views/q5ul78uv4b4q8bg8d95canrsns.jpg

So, we can confirm that this module is the one responsible for downloading and processing the observed images. Indeed, inside we can find the functions responsible for their decoding.

Decoding the JPG

After the payload is retrieved, the JPG header is validated.

Then, the payload is decoded by simply using an XOR with the last byte. The decoded content is expected to start from the !rcx magic ID.

After decoding the content, the hash of the !rcx module is validated with the help of SHA256 hash. The valid hash is stored in the module’s header and compared with the calculated hash of the file content.

If the validation passed, the shellcode stored in the !rcx module is loaded. More details about the execution flow will be given later.

The !rcx package has a simple header:
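The JPG decoding described above, as an added example that is not Malwarebytes’ code: instead of cutting a fixed number of bytes as the post did for its sample, this script walks the JPEG marker segments to find the end of the image (an assumption about where the appended data starts), XOR-decodes the trailing data with its last byte (the padding byte, 0xE5 in the post’s sample) and checks for the !rcx magic. The !rcx header layout and its SHA256 field are not reproduced here; the sample image and payload are constructed.

```python
"""Recover the XOR-obfuscated '!rcx' payload appended to a Hidden Bee style JPG.

Added example, not Malwarebytes' code. Locates the JPEG EOI marker by
parsing segments (so it does not rely on the fixed offset of one sample),
then XOR-decodes the trailer with its last byte and checks the magic.
"""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST_MARKERS = set(range(0xD0, 0xD8))
# Markers that carry no length field: SOI, EOI, TEM and RSTn.
STANDALONE = {SOI, EOI, 0x01} | RST_MARKERS


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker of the JPEG at the start of data."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        seglen = int.from_bytes(data[pos:pos + 2], "big")  # length includes itself
        pos += seglen
        if marker == SOS:
            # Entropy-coded data: a 0xFF byte is followed by 0x00 (stuffing)
            # or an RSTn marker; anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in RST_MARKERS:
                    break
                pos += 1
    raise ValueError("EOI marker not found")


def xor_decode_trailer(trailer: bytes) -> bytes:
    """XOR every byte with the last byte, which is the padding byte XOR 0 = the key."""
    key = trailer[-1]
    return bytes(b ^ key for b in trailer)


def extract_rcx(jpg: bytes) -> bytes:
    """Return the decoded !rcx package appended to the image, zero padding stripped."""
    trailer = jpg[jpeg_end_offset(jpg):]
    if not trailer:
        raise ValueError("no data appended after the image")
    decoded = xor_decode_trailer(trailer)
    if decoded[:4] != b"!rcx":
        raise ValueError("decoded data does not start with the !rcx magic")
    return decoded.rstrip(b"\x00")


def build_sample() -> bytes:
    """Constructed sample: a minimal JPEG followed by an XOR-obfuscated payload."""
    image = (
        b"\xFF\xD8"                                                 # SOI
        + b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
        + b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00"               # SOS header, length 8
        + b"\x12\x34\xFF\x00\x56\xFF\xD0\x78"                       # scan data: stuffing + RST0
        + b"\xFF\xD9"                                               # EOI
    )
    key = 0xE5  # the padding byte seen in the post's sample
    plaintext = b"!rcx" + b"\x01\x02\x03\x04" + bytes(8)  # magic, body, zero padding
    return image + bytes(b ^ key for b in plaintext)


if __name__ == "__main__":
    sample = build_sample()
    print("image ends at offset", jpeg_end_offset(sample))
    print("decoded payload:", extract_rcx(sample))
```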

Decoding the PNG

Retrieving the content from the PNG is more complex.

“captcha.png” – the encrypted CAB file

First, after downloading, the PNG header is checked:

The function decoding the PNG has the following flow:

It converts the PNG into byte content and decrypts it with the help of the ARIA cipher. The result should be in CAB format. The unpacked CAB is supposed to contain a module “bin/i386/core.sdb” that also occurred in our previous encounters with Hidden Bee.

The authors are careful not to reuse URLs as well as encryption keys. That’s why the ARIA key is different for every unique payload. It is stored just after the end of the 0x10000401 module:

Key format: WORD key length; BYTE key_bytes[];

During the module’s loading, the key is rewritten into another memory area, from which it is used to decrypt the downloaded module.

The CAB file retrieved from the PNG is available here: 001bdc26b2845dcf839f67a8760c6839

It contains core.sdb (d1a2fdc79c154b120a0e52c46a73478d). This is the second module in Hidden Bee’s custom format.

Inside core.sdb

This module (retrieved from the PNG) is a second downloader component in the 0x10000401 format. This time, it uses a custom TCP-based protocol, referenced by the authors as SLTP. (This protocol was also used by the analogous component seen one year ago.) The embedded links:

sltp://dns.howtocom.site:1108/minimal.bin?id=998
sltp://bbs.favcom.space:1108/setup.bin?id=999

Execution flow
  1. Checks for blacklisted processes. If any are detected, exits.
  2. Removes functions: DbgBreakPoint, DbgUserBreakPoint by overwriting their beginning with the RET instruction.
  3. Checks if the malware is already installed. If yes, exits.
  4. Creates an installation mutex {71BB7F1C-D700-4487-B9C6-6DD9863DFE91}-ins.
  5. If the module was run with the flag==1:
    1. Connects to the first address: sltp://dns.howtocom.site:1108/minimal.bin?id=998
    2. Sets an environment variable INSTALL_SOURCE to the value given as an argument.
    3. Runs the downloaded next stage module.
  6. If the module was run with the flag!=1:
    1. Performs checks against VM. If detected, exits.
    2. Connects to the second address: sltp://bbs.favcom.space:1108/setup.bin?id=999. This time, appends the victim’s fingerprint to the URL. Format: <URL>&sid=<INSTALL_SID>&sz=<unique machine ID: 16 bytes hex>&os=<Windows version number>&ar=<architecture>
    3. Runs the downloaded next stage module.

Defensive checks

At this stage, many anti-analysis checks are deployed. First, there are checks to detect if any of the blacklisted processes are running. The enumeration of the processes is implemented using a low-level function: NtQuerySystemInformation with a parameter 5 (SystemProcessInformation).

The blacklist contains popular debuggers and sniffers:

“devenv.exe” , “wireshark.exe”, “vmacthlp.exe”, “procmon.exe”, “ollydbg.exe”, “idag.exe”, “ImmunityDebugger.exe”, “windbg.exe”
“EHSniffer.exe”, “iris.exe”, “procexp.exe”, “filemon.exe”, “fiddler.exe”

The names of the processes are obfuscated, so they are not visible on the strings list. If any of those processes are detected, the execution of the module terminates.

Another function deploys a set of anti-VM checks. The anti-VM checks include:

CPUID with EAX=0x40000000 (a check for the hypervisor’s brand):

The VMware I/O port (more details [here]):

VPCEXT instruction (more details [here])

Checking the list of common VM vendors:

Checking the BIOS versions typical for virtual environments:

Detection of any of the features suggesting a VM results in termination of the component.

Downloading new modules

The next elements of Hidden Bee are downloaded over the custom “SLTP” protocol.

The raw TCP socket created to communicate using the SLTP protocol:

The communication is encrypted. We can see that the expected output is a shellcode that is loaded and executed:

The way in which it is loaded reminds me of the elements we described recently in “Hidden Bee: Let’s go down the rabbit hole“. The current module loads a list of functions that will be passed to the next module. It is a minimalistic, custom version of Import Table. It also passes the memory with the downloaded filesystem to be used for further loading of components.

The !rcx package

This element retrieves the custom filesystem used by this malware. As we know from previous analysis, Hidden Bee uses its own, custom filesystems that are mounted in the memory of the malware and passed to its components. This filesystem is important for the execution flow because it contains many other components that are supposed to be installed on the attacked system in order to continue the infection.

As mentioned before, unpacking the JPG gave us an !rcx package. After this package is downloaded, and its SHA256 checksum is validated, it is repackaged. First, at the end of the !rcx package, the list of URLs (JPG, PNG) from the previous module is copied. Then, the ARIA key is copied. The size of the module and its SHA256 hash are updated. Then, the execution is redirected to the first stage shellcode fetched from the !rcx.

This shellcode was the one that we saw at first, after decoding the !rcx package from the JPG. Yet, looking at this part, we do not see anything malicious. The elements that are more important are well protected and revealed at the next execution stages.

The shellcode from the !rcx package is executed in two stages. The first one unpacks and prepares the second. First, it loads its own imports using hardcoded names of libraries.

The checksums of the functions that are going to be used are stored in the module and compared with the checksums that the function calculates from the export names:

The checksum calculation algorithm

It uses the functions from kernel32.dll: GetProcessHeap, VirtualAlloc, VirtualFree, and from ntdll.dll: RtlAllocateHeap, RtlFreeHeap, NtQueryInformationProcess.

The repackaged !rcx module is supposed to be supplied as one of the arguments at the Entry Point of the first shellcode. This is the most important argument, because the second stage shellcode will be unpacked from the supplied !rcx package.

Checking the !rcx magic (first stage shellcode)

A new memory area is allocated, and the second stage shellcode is unpacked there.

Decoding and calling next module

Inside the second shellcode, we see strings referencing further components of the Hidden Bee malware:

/bin/i386/preload
/bin/i386/coredll.bin

The role of the second stage is unpacking another part from the !rcx: an !rdx package.

Checking the !rdx magic (second stage shellcode)

From our previous experience, we know that the !rdx package is a custom filesystem containing modules. Indeed, after the decryption is complete, the custom filesystem is revealed:

So the part that was hidden in the JPG is, in reality, a package that decrypts the custom filesystem and deploys the next stage modules: /bin/i386/preload and /bin/i386/coredll.bin. This filesystem has even more elements that are loaded at later stages of the infection. Their full functionality will be described in the next article in our series.

Even more hidden

From the beginning, Hidden Bee malware has been well designed and innovative. Looking at one year of its evolution, we can be sure that the authors are serious about making it even more stealthy—and they don’t stop improving it.

Although the initial dropper uses components analogous to ones observed in the past, revealing their encrypted content now takes many more steps and much more patience. The additional difficulty in the analysis is introduced by the fact that the URLs and encryption keys are never reused, and work only for a single session.

The team behind this malware is skilled and determined. We expect that the Hidden Bee malware won’t be going extinct anytime soon.

The post The Hidden Bee infection chain, part 1: the stegano pack appeared first on Malwarebytes Labs.


Crafting Activities for Seniors: Crochet, Knit, Sew, or Quilt for a Healthier Life – Guest Post by Helen Spencer

Moogly - Thu, 08/15/2019 - 15:00

Crafting is a passion of mine – and it’s one I love to share with people of all ages! Today I’ve got a guest post by Helen Spencer, all about crafting activities for seniors – and how it can help them live a healthier life! Disclaimer: The post was written by Helen Spencer, 2019, used...


The post Crafting Activities for Seniors: Crochet, Knit, Sew, or Quilt for a Healthier Life – Guest Post by Helen Spencer appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Gen Con 2019 Video Blitz 13: Aliens RPG from Free League Publishing

Gamer Goggles - Thu, 08/15/2019 - 14:31

I swung by the Free League Publishing booth @Gen_Con to meet Tomas; he’s the designer behind their latest project, Alien the RPG. We chatted about how the Alien RPG is unique.

I have always loved the Alien franchise. I hope to play this so much in the near future.

Copyright secured by Digiprove © 2019
Categories: Tabletop Gaming Blogs

Have You Heard the One About…

Torchbearer RPG - Thu, 08/15/2019 - 13:00
You All Meet at an Inn… by Rebekah Bennington

Hello friends!

The Rumor Events Table in the Town chapter is perfectly fine, but if you’ve been running Torchbearer for a while, you might be a bit bored with it. Fortunately for you, Luke has worked up a brand new table to add a little spice to your trip to the tavern. It’s actually a combination of rumors and events.

Check it out, use it in your game and let us know how it goes!

Tavern

Travelers meet at the tavern for a drink, a meal and to share news. You can slake your thirst here, hire help and listen to the rumor mill.

Drink

✤ Drinking at the tavern satisfies your hunger and thirst. You may also make recovery tests (as per the normal rules) for angry and afraid, if you order more drinks.
Drinking Lifestyle Cost: +1 per drink
✤ Each drink you buy at the tavern earns you a rumor. Roll on the Tavern Rumors table.

Tavern Rumors and Events

After you buy a drink at the tavern, roll 3d6 for a rumor!

3 The strange elder. A kindly old woman approaches your table and…(GM chooses one)

  • Drapes an elven amulet around your neck.
  • Drapes a cursed amulet around your neck.
  • Gives you a basket of baked goods.
  • Implores you to avenge her son’s death.

4 A cloaked figure sits huddled in the corner, coughing blood. Beckoning you closer, you see something valuable clutched in his moribund hand.

5 Enemy expedition. Your enemy, well-equipped but secretive, enters the tavern with a motley group.

6 Rival crew. You meet unlikely and unreliable would-be adventurers looking to add to their crew. Will you join forces?

7 Sudden appearance. Your friend, bedraggled and disheveled from the road, bursts into the tavern with an incredible tale to tell…

8 Beware. As you leave, the hosteler warns you to look out for…

  • 1-2 Bandits, raiders from a nearby hostile holding
  • 3 Goblins, orcs or gnolls raiding near the settlement
  • 4 A troll who lurks under a bridge
  • 5 Ghosts who haunt the road
  • 6 A giant who straddles the river

9 The traveler. You meet an injured/terrified traveler arriving with a tale of…

  1. Abduction
  2. Robbery
  3. A terrifying detour
  4. A bizarre place
  5. A miraculous happening
  6. A frightening monster

10 An omen of things to come…

  1. An unkindness of ravens mocks you from the trees outside
  2. The moon is red/the sky is red.
  3. As you leave the tavern, the road is utterly silent—no bird, no insect, no animal makes a sound
  4. Thunder rolls and lightning crashes in the distance
  5. A stone carved with strange runes sits concealed in the brush just outside the tavern
  6. The wind seems to howl your name

11 Watch rumors. An old man who was on watch last night tells you that ghouls were seen digging in the grave pits last night. Roll for who was actually digging in the grave pits:

  1. Ghouls
  2. Grave robbers
  3. A desperate necromancer
  4. Foolish children
  5. A group of deranged wastrels
  6. A barrow wight

12 Job offer. You meet people (farmers, guildsmen, priests, nobility) looking for short-term muscle to:

  • Bolster a holding
  • Drive off some troublesome monsters (kobolds, bridge troll, restless dead)
  • Investigate a mysterious happening
  • Recover something from a recently overrun holding (a hostage, valuables, a keepsake, lore)
  • Safeguard travelers. Roll d6: 1 pilgrims, 2 merchants, 3 nobles, 4 priests, 5 regular folk, 6 a messenger
  • Settle a score
  • Re-establish contact with someplace lost

13 Dismaying news. You hear a rumor that strangely fits the details of your parents, their livelihood and an entirely credible calamity which has befallen them.

14 Messenger. As you depart the tavern, a messenger chases you down and delivers a sealed message from your mentor.

15 Bon chance. Your hosteler says she will foot your next bill if you would perchance help her with delivering a small package to her friend in a nearby town. If successful, you can stay at these accommodations for free for your next stay in this town.

16 Challenge. A drunk warrior holds the door and challenges all comers. If you dance with him, test your Fighter vs. the warrior’s Might 3, Fighter 6 and Level 3 Duelist trait or sit down.

17 Drunk priest. A drunken temple priest babbles about propitiatory rites to the Jotunn to be held beneath the temple this very night. She says they will sacrifice (roll d6):

  1. An orphan
  2. A captive
  3. A terrible beast
  4. A book of knowledge
  5. A spell book
  6. A powerful item

18 Spurned lover. The irate paramour of one of the leaders of this place is in the tavern spinning tales. Roll d6. They talk about:

  1. Their lover’s tainted nature
  2. An incoming shipment
  3. A strange visitor
  4. Their charlatan behavior
  5. A terrifying ritual
  6. The dark secret of their lover’s spouse

Categories: Tabletop Gaming Blogs

Gen Con 2019 Video Blitz 12: Jon Webb Modiphius Miniatures Dude

Gamer Goggles - Thu, 08/15/2019 - 12:53

@Gen_Con 2019 I met up with Jon Webb, the miniatures dude @Modiphius. We talked about the Raiders, production fixes, Skyrim, and how the game will hold true to the video game. Liberty Prime, Dragons!

Just when I said I wasn’t going to get into another miniatures game, Skyrim knocks on my front door!

Categories: Tabletop Gaming Blogs

Conqueror [ICONS]

Sorcerer's Skull - Thu, 08/15/2019 - 11:00
CONQUEROR

Abilities:
Prowess: 6
Coordination: 4
Strength: 8
Intellect: 4
Awareness: 4
Willpower: 5

Determination: 1
Stamina: 13

Specialties: Athletics

Qualities:
Man Out of Time
Powers Granted by Otherworld Magic
Forgotten Hero

Powers:
Damage Resistance 4
Leaping 4
Life Support 3

Background:
Alter Ego: Joseph Henry Danner
Occupation: Retired
Marital Status: Single
Known Relatives: Ben and Abigail Danner (adopted parents, deceased)
Group Affiliation: formerly the United States Army
Base of Operations: Middleville, Nebraska
First Appearance: CHAMPION FAMILY #138
Height: 6'1"  Weight: 222 lbs.
Eyes: Gray  Hair: White

History:
Sensing the threat to the world that would be posed by the Axis Powers, the Otherworldly wizard Zyrd had sent a fragment of the Champion emblem into the world to be found by a worthy bearer. Shortly before the United States entered World War II, Joe Danner found the magical emblem while clearing an old tree stump from his farm. The shield belt buckle imbued him with the powers of the Champion! Shortly thereafter, the U.S. entered the War, and Danner volunteered for the Army. He was sent to the European theater, where he used his powers (in secret) to fight the Germans while pretending to be a country bumpkin in his real identity. He lost the shield near the end of the war and was imprisoned by a Nazi-allied sorcerer, the Yellow Lama. The spell made the world forget him.

It likely would have stayed that way had not Tommy Trent, the Boy Champion, freed him decades later. Danner helped the Boy Champion defeat the Yellow Lama, but soon began to age rapidly when the mystical field was no more. Zyrd slowed his aging and gifted him with a portion of the might he had wielded when he had the emblem. He renamed himself the Conqueror, and occasionally joins the current Champion in fighting evil.

1322

Looking For Group - Thu, 08/15/2019 - 04:00

The post 1322 appeared first on Looking For Group.

Categories: Web Comics

Gen Con 2019 Video Blitz 11: Sam Webb RPG Dude at Modiphius

Gamer Goggles - Thu, 08/15/2019 - 02:11

I ran into Sam Webb @Gen_Con and we talked about Fallout the RPG – Wasteland Warfare. It is a stand-alone game. The Infinity Kickstarter RPG and how the rules are similar to the miniature game. Then we got sidetracked talking about Star Trek Adventures, the Dune RPG, John Carter’s Mars, and more!

I can’t believe how fun that was. I can’t wait to see what they do with Fallout! Next up: his not-brother Jon Webb, the miniatures dude!

Categories: Tabletop Gaming Blogs

Gen Con 2019 Video Blitz 10: Privateer Press with Oz

Gamer Goggles - Thu, 08/15/2019 - 01:30

I caught up with Oz from Privateer Press @Gen_Con 2019. We spoke about the Infernals and how the new mechanics have an economy to them. They sound so cool. We also discussed Monsterpocalypse.

It looks like the Warmachine and Hordes world is about to change.

Categories: Tabletop Gaming Blogs

1d20 Mysterious Sword & Sorcery Background Trait Table For Your Old School Games

Swords & Stitchery - Thu, 08/15/2019 - 00:32
I saw a city in a lonely land:
Foursquare, it fronted upon gulfs of fire;
Behind, the night of Erebus hung entire;
And deserts gloomed or glimmered on each hand.

The City of the Titans (1915) by Clark Ashton Smith

Lo did the heavens shake & mysterious hellish forces were unleashed beyond the Boreas winds. The very gods themselves perished in battles beyond the ken of human knowledge. They're
Categories: Tabletop Gaming Blogs

Simple Skills System (Revised)

The Viridian Scroll - Wed, 08/14/2019 - 23:00
TLDR: an idea for implementing simple skills in pre-2e D&D. 

Each character details their background in 50 words or less, using full sentences. This background can be revised between adventures to incorporate an extra sentence per level gained.

When a character attempts something that would require unusual skill, and the GM agrees that it is possible, even if it’s very unlikely, he sets a difficulty at 4, 5, or 6 and indicates the most-closely related ability.

The player then rolls dice as follows, trying to meet or beat the difficulty on at least one die.

  • 1d6 if unskilled
  • 2d6 if skilled (character background suggests a related skill) OR the related ability has a positive bonus
  • 3d6 if skilled AND the related ability has a positive bonus

The odds work out to be:

  • 1d6 ≥ Dif. 4 = 50%, Dif. 5 = 33%, Dif. 6 = 17%
  • 2d6 ≥ Dif. 4 = 75%, Dif. 5 = 56%, Dif. 6 = 31%
  • 3d6 ≥ Dif. 4 = 88%, Dif. 5 = 70%, Dif. 6 = 42%

If all the dice show a 1, the failure is a “botch” and is worse than a normal failure, if that’s possible. “Extra” successes usually add minor positive benefits.

Example: A player wants his character to run at full speed across a tightrope between high buildings to escape pursuers.

The GM says, "That will be a difficulty 5 DEX test." Note that the GM wouldn't necessarily have to call out the difficulty; that's probably a matter of style. The GM should not consider the character's skill at all when setting difficulty. Rather, the difficulty should be based solely on the situation. Is there strong wind and rain? Is the character carrying a lot of stuff? How hard would it be for a normal person to do this given the situation?

The character has a positive DEX bonus and, according to his background, was once a circus performer, so he rolls 3d6. If the highest die in that pool is a 5 or 6, the character succeeds. If two or three successes show, perhaps he gets across at high speed and can get out of sight before the pursuers catch up. Or he has plenty of time to cut the rope and not get shot at by crossbows.

If the highest die is less than 5, he fails. The GM might allow him to catch the rope or a ledge on the way down, but the character will be in dire straits.

If all three dice show a 1, the character plummets to the ground with no chance of grabbing the rope. If he survives, the pursuers probably had people tracking him on the ground as well.
Categories: Tabletop Gaming Blogs

attack of the baby knits!

Autumn Geisha - Wed, 08/14/2019 - 22:55

More rare than UFO sightings in these parts but super fun to knit! I have a good friend who is expecting her first baby in September, so I wanted to welcome the little tyke with some special hand knits. For the sweater I chose the owlets pattern by Kate Davies, mainly because I have always wanted to knit the owls pattern for myself. It turned out a little smaller than I had intended. It’s maybe a newborn size? Hopefully he’ll get to wear it a few times. I loved knitting those owl cables though, so I might knit another one in the toddler size.

Next came the super quick baby bear hat which only took a few hours to make. I was debating whether to switch the rolled brim to a ribbed one but the rolled brim seemed like it would be more comfy for a baby.

My favorite knit of the three is the baby booties. Aren’t they so adorable? The pattern is the Baby Hausschuhe. The construction is very clever and, best of all, seamless. Kinda want to try knitting a pair for myself in super bulky yarn :)

The yarn that I used for all three patterns is knitpicks brava worsted in the dove heather colorway. It’s very soft and nice to knit with. Hopefully durable and easy to care for as well. I wasn’t quite sure how to block the finished knits since the yarn is 100 percent acrylic and I usually knit with natural fibers. I ended up washing and drying the knits, then hovering a steam iron over them to even out the stitches a little without killing the fabric. Please let me know if there’s a better way to block acrylic knits since I foresee more kidlet projects in the future :)
Categories: Knitting Feeds

1d6 Random Minor Treasures & Adventure Hooks Table For Your Old School Campaigns

Swords & Stitchery - Wed, 08/14/2019 - 18:44
O Life, thou harlot who beguilest all!
Beautiful in thy house, the golden world.
Abidest thou, where Powers pinion-furled
And flying Splendors follow to thy call.
Innumerous like the stars or like the dust,
Nations and monarchs were thy thralls of yore:
Unto the grave's old womb forevermore
Hast thou betrayed the passion and the lust.
Fair as the moon of summer is thy face,
And mystical with cloudiness
Categories: Tabletop Gaming Blogs

More Memories S1-4 Realms of Horror by Gary Gygax, & Lawrence Schick For Your Old School Campaigns

Swords & Stitchery - Wed, 08/14/2019 - 17:52
Why is the release of S1-4 Realms of Horror by Gary Gygax & Lawrence Schick significant by Wizbros erm Wizards of the Coast?! Well, now the wilds of the RPG market place are flooded with all kinds of OSR product. But one of the only places to get such a collector's item was from Ebay at horrid prices. Now at least the PDF is available for a collection of some of the classic modules of AD&D
Categories: Tabletop Gaming Blogs

Red Heart Dreamy: Yarn Love Video Yarn Review

Moogly - Wed, 08/14/2019 - 15:07

Red Heart Dreamy and Dreamy Stripes are gorgeous yarns full of soft, brushed color and texture! Get a closer look at Dreamy in the Yarn Love Video Review on Moogly! Disclaimer: This post was sponsored by Red Heart Yarn, but all opinions are my own. This post includes affiliate links. Just The Yarn Facts: Content:...


The post Red Heart Dreamy: Yarn Love Video Yarn Review appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Trojans, ransomware dominate 2018–2019 education threat landscape

Malwarebytes - Wed, 08/14/2019 - 13:00

Heading into the new school year, we know educational institutions have a lot to worry about. Teacher assignments. Syllabus development. Gathering supplies. Readying classrooms.

But one issue should be worrying school administrators and boards of education more than most: securing their networks against cybercrime.

In the 2018–2019 school year, education was the top target for Trojan malware, the number one most-detected (and therefore most pervasive) threat category for all businesses in 2018 and early 2019. Adware and ransomware were also particularly drawn to the education sector last year, finding it their first and second-most desired target among industries, respectively.

To better analyze these threats, we pulled telemetry on educational institutions from our business products, as well as from IP ranges connecting from .edu domains to our consumer products. What we found was that from January to June 2019, adware, Trojans, and backdoors were the three most common threats for schools. In fact, 43 percent of all education detections were adware, while 25 percent were Trojans. Another 3 percent were backdoors.

So what does this tell us to expect for the 2019–2020 school year? For one, educational institutions must brace themselves for a continuing onslaught of cyberattacks, as the elements that made them attractive to criminals have not changed. However, more importantly, by examining trends in cybercrime and considering solutions to weaknesses that made them susceptible to attack, schools may be able to expel troublesome threat actors from their networks for good.

Why education?

Surely there are more profitable targets for cybercriminals than education. Technology and finance have exponentially bigger budgets that could be tapped into via large ransom demands. Healthcare operations and data are critical to patient care—loss of either could result in lost lives.

But cybercriminals are opportunistic: If they see an easy target ripe with valuable data, they are going to take advantage. Why spend the money and time developing custom code for sophisticated attack vectors when they can practically walk through an open door onto school networks?

There are several key factors that combine to make schools easy targets. The first is that most institutions belonging to the education sector—especially those in public education—struggle with funding. Therefore, the majority of their budget is deferred to core curriculum and not so much security. Hiring IT and security staff, training on best practices, and purchasing robust security tools and programs are often an afterthought.

The second is that the technological infrastructure of educational institutions is typically outdated and easily penetrated by cybercriminals. Legacy hardware and operating systems that are no longer supported with patches. Custom school software and learning management systems (LMSes) that are long overdue for updates. Wi-Fi routers that are operating on default passwords. Each of these make schools even more vulnerable to attack.

Adding insult to injury, school networks are at risk because students and staff connect from personal devices (that they may have jailbroken) both on-premises and at home. With a rotating roster of new students and sometimes personnel each year, there’s a larger and more open attack surface for criminals to infiltrate. In fact, we found that devices plugging into the school network (vs. school-owned devices) represented 1 in 3 compromises detected in H1 2019.

To complicate matters, students themselves often hack school software out of sheer boredom or run DDoS attacks so they can shut down the Internet and disrupt the school day. Each infiltration only widens the defense perimeter, making it nearly impossible for those in education to protect their students and themselves from the cyberattacks that are sure to come.

And with such easy access, what, exactly, are criminals after? In a word: data. Schools collect and store valuable, sensitive data on their children and staff members, from allergies and learning disorders to grades and social security numbers. This information is highly sought-after by threat actors, who can use it to hold schools for ransom or to sell for high profit margins on the black market (data belonging to children typically garners a higher price).

School threats: a closer look

Adware represented the largest percentage of detections on school devices in H1 2019. Many of the families detected, such as SearchEncrypt, Spigot, and IronCore, advertise themselves as privacy-focused search engines, Minecraft plugins, or other legitimate teaching tools. Instead, they bombard users with pop-up ads, toolbars, and website redirects. While not as harmful as Trojans or ransomware, adware weakens an already feeble defense system.

Next up are Trojans, which took up one quarter of the threat detections on school endpoints in H1 2019. In 2018, Trojans were the talk of the town, and detections of this threat in organizations increased by 132 percent that year.

While still quite active in the first half of 2019, we saw Trojan detections decrease a bit over the summer, giving way to a landslide of ransomware attacks. In fact, ransomware attacks against organizations increased a shocking 365 percent from Q2 2018 to Q2 2019. Whether this is an indication of a switch in tactics as we head into the fall or a brief summer vacation from Trojans remains to be seen.

The top two families of Trojans in education are the same two who’ve been causing headaches for organizations worldwide: Emotet and TrickBot. Emotet leads Trojan detections in every industry, but has grown at an accelerated pace in education. In H1 2019, Emotet was the fifth-most predominant threat identified in schools, moving up from 11th position in 2018. Meanwhile TrickBot, Emotet’s bullying cousin, represents the single largest detection type in education among Trojans, pulling in nearly 6 percent of all identified compromises.

Emotet and TrickBot often work together in blended attacks on organizations, with Emotet functioning as a downloader and spam module, while TrickBot infiltrates the network and spreads laterally using stolen NSA exploits. Sometimes the buck stops there. Other times, TrickBot has one more trick up its sleeve: Ryuk ransomware.

Fortunately for schools but unfortunately for our studies, Malwarebytes stops these Emotet-drops-TrickBot-drops-Ryuk attacks much earlier in the chain, typically blocking Emotet or TrickBot with its real-time protection engine or anti-exploit technology. The attack never progresses to the Ryuk stage, but our guess is that many more of these potential breaches would have been troublesome ransomware infections for schools if they hadn’t had the proper security solutions in place.

Class of 2020 threats

The class of 2020 may have a whole lot of threats to contend with, as some districts are already grappling with back-to-school attacks, according to The New York Times. Trojans such as Emotet and TrickBot had wildly successful runs last year—expect them, or other multi-purpose malware like them—to make a comeback.

In addition, ransomware has already made waves for one school district in Houston County, Alabama, which delayed its return to classes by 12 days because of an attack. Whether it’s delivered via Trojan/blended attack or on its own, ransomware and other sophisticated threats can bring lessons to a halt if not dealt with swiftly.

In 2019, Malwarebytes assisted the East Irondequoit Central School District in New York during a critical Emotet outbreak that a legacy endpoint security provider failed to stop. Emotet ran rampant across the district’s endpoint environment, infecting 1,400 devices and impacting network operations. Thankfully Malwarebytes was able to isolate, remediate, and recover all infected endpoints in 20 days without completely disrupting the network for students or staff.

If school IT teams do their research, pitch smart security solutions to their boards for funding, and help students and staff adopt best practices for online hygiene, they can help make sure our educational institutions remain functional, safe places for students to learn.

The post Trojans, ransomware dominate 2018–2019 education threat landscape appeared first on Malwarebytes Labs.

Categories: Techie Feeds
