Cat-Phishing Hackers for Fun and Profit

On June 14th, 2017, a new variant of ZXShell appears to have been uploaded from the Marmara region of Turkey. The Trojan itself is well known and contained x32 and x64 rootkits. This blog describes the functionality of ZXShell, as well as the associate rootkits. The Trojan source code is available here. Metadata File Name:…

GET TO THE CHOPPAH

A new variant of this tool, previously reported in 2013 by TrendLabs, was submitted to VirusTotal from the Philippines on March 27th, 2017. Its original filename, 2017.exe, was prescient since it has the ability to exploit CVE-2017-5638 and other previous Apache STRUTS vulnerabilities. File Details File Name: 2017.exe File Size: 107008 bytes MD5: …

Beyond the Zero Day: Reverse Engineering Malicious Class Files

By Erik Heuser, RSA Advanced Cyber Defense Services Advisory Practice Consultant In part 1 of this blog, “Beyond the Zero Day” we focused on detecting malicious JVM [Java Virtual Machine] activity and identifying the ‘blob’ that was downloaded.  No subsequent network activity was detected after the download, but that doesn’t discount successful malware delivery and…

Beyond the Zero Day: Detecting JVM Drive-bys – Part 1 of 3

By Erik Heuser, RSA Advanced Cyber Defense Services Advisory Practice Consultant With all the recent Java Virtual Machine (JVM) exploits, a lot of attention is being focused on figuring out how best to mitigate the vulnerability. Detection has been limited to signature-based attempts, mostly firing on class names or well-known strings within the JAR/Class. While this…