Spear-phishing campaign leveraging on MSXSL

Posted by admin on 02/Mar/2018

We have identified an ongoing spear-phishing campaign targeting a variety of entities with malicious RTF documents exploiting three different vulnerabilities: CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802 and taking advantage of a misplaced trust binary, Microsoft’s msxsl, to run a JScript backdoor. The whole attack chain leverages on system’s signed components to remain under the radar as much as possible and it shares many similarities with previous campaigns from the Cobalt Group.
Continue reading “Spear-phishing campaign leveraging on MSXSL” →

From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector

Posted by admin on 16/Dec/2017

Mavinject is a legitimate Windows component that can be used, and abused, to perform arbitrary code injections inside any running process. As this is a common component on Windows, it can be leveraged to perform living-off-the-land attacks.
Continue reading “From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector” →

A dive into MuddyWater APT targeting Middle-East

Posted by admin on 22/Nov/2017

MuddyWater is a threat actor that caught our attention for their extensive use of “Living off the Land” attacks in a targeted campaign aimed at the Middle East. During our investigation we reconstruct the evolution of the vectors used and how the group operates to target their victims, evade detections and move laterally inside the compromised infrastructures.
Continue reading “A dive into MuddyWater APT targeting Middle-East” →

Tag: living off the land