As we mentioned in our earlier blog, Azorult is very popular in the underground hacking forum. Fairly easily, we were able to obtain and download the control panel and builder. We set up the control panel in our lab and redirected our sample bot command and control server to our web server. The control panel is written entirely in PHP and uses MySQL as its database.

In this blog series, we dive into an information stealing Trojan called Azorult that we analysed during a recent Digital Forensics and Incident Response (DFIR) investigation. During our analysis, we also take a look at the bot’s control panel and its vulnerability.

Microsoft’s security update for the month of October is one of the lightest patch Tuesdays of the year with the release of only 60 CVEs. However, it still packs a punch with 9 “Critical” CVEs and the remaining 51 CVEs are rated as “Important”. The good news is that none of these CVEs have publicly available exploits or been seen yet exploited in the wild.  Additionally, there are no rollup patch for Adobe Flash which is very uncommon. However, it shouldn’t be ruled out possibly an out-of-band roll-out for Adobe Flash later this month.

Early in my career, I got the fear put in me. The fear that a machine would take my job. The fear that I would be replaced by a piece of software. It’s been a serious source of motivation for me and one of the big reasons I was attracted to penetration testing: done well, it’s hard for a machine to replicate. One of the best examples of this is the chained-vulnerability

Documents attached to emails are commonly used as the initial vector to deliver malware into a system. To give an impression of security, attackers sometimes use document protection features and technology to hide their malicious code and behavior from email scanners.

A fundamental part of any network is the Domain Name Service (DNS). Adversaries will likely want to enumerate computers in Active Directory and connect to them, and at some point, they will likely interact with DNS doing so. A simple example is attempting to access a remote share and the resulting DNS query.

In this blog, we draw attention to a persistent high-volume spam campaign that has been very prominent in our spam traps recently. The various campaigns emanate from the same spam botnet system and often resemble phishing messages, although they are typically not. The messages have randomized headers, and the templates often change, hence the moniker ‘Chameleon.’

Microsoft released an out-of-band patch for a 0-day vulnerability in Internet Explorer yesterday. This memory corruption vulnerability in the Scripting Engine can lead to a Remote Code Execution (RCE) vulnerability, and, as implied by the fact that it’s a 0-day, is being exploited in-the-wild.

Recently, I set out to find a simple solution to manage the building of all my offensive C# tools in a central location. The main goal I had for this project was to find a solution that didn’t require a ton of infrastructure to set up. I quickly came across the Azure DevOps platform. It didn’t take long for me to build a pipeline from my GitHub repository and compile my first binary.

There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP. The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials available to any user with network access to the device.

For September 2019, Microsoft is releasing 78 CVEs. Of these CVEs, 17 are rated "Critical", 60 rated "Important", and one rated "Moderate". Additionally, this release includes the regular rollup patch for critical vulnerabilities in Adobe Flash, but you're no longer using Flash right?

After a bit of a lull in the world of exploit kits, a new exploit kit by the name of “Lord EK” has been discovered out in the wild. This blog post will give an overview of what’s already been talked about as well as add some insights that I believe have not yet been shared publicly and provide Trustwave customers with some additional information for relevant products.

Magecart is the name given to notorious groups of hackers that target online shopping carts, usually Magento. We provided an overview of the group's malware last year and earlier this year, we shared details of a specific Magecart malware case we encountered during the course of an investigation. In this second installment of “Digging Deep into Magecart Malware”, we highlight a couple more Magecart attacks that we encountered during investigations.

The August Patch Tuesday is here ringing in patches for a massive 97 CVEs. Across those CVEs 31 are rated as "Critical", 65 as "Important" and one as "Moderate".

Microsoft recognized industry collaboration among their partners last week during a ceremony at the Black Hat USA Conference in Las Vegas, Nevada. There, the Trustwave SpiderLabs team was honored as the top contributor of threat indicators.

AttackSurfaceMapper (ASM) aims to greatly simplify the reconnaissance process by taking a single target domain or a list of IPv4 addresses as input, then analysing it using passive OSINT techniques and active reconnaissance methods.

While recently upgrading my laptop with a new Solid State Drive (SSD), I installed a management utility that is used for SanDisk SSDs. A quick examination revealed a some potentially dangerous vulnerabilities in it. Now that these issues have gone through our responsible disclosure program and have been patched, we can discuss the details.

Over five years ago, we published a blog detailing how a webshell’s backdoor code was hidden in an image file. With this method, an attacker inserts PHP backdoor code in the meta-data headers of an image to circumvent detection. Though not entirely a new tactic at that time, fast forward five years and we continue to encounter this type of attack. This blog outlines another similar case we recently uncovered.

In Mexico, it’s possible to receive your monthly bank statement via email. Mexico's banking and securities regulator (CNBV) says that security mechanisms must be applied to the bank statement to avoid an unauthorized third party.

Are you familiar with an HQL injection exploitation? Chances are you’re not. While you may assume it’s intuitive since it’s related to SQL injection, you’re right, but it’s a little bit more complex.