Some hunting opportunities for:
https://www.virustotal.com/gui/file/13846a9778f224ae692edddcc90746d0e619f872733c2c880188c36797b2c4e7
@k3dg3 and pointed out by @gossithedog #ZippyReads
PDF LNK file uses cerutil -decode and .hta. fetches .zip file payload and connects to C2.
michaelpagerecruitment-ukoffers(d)com
r3(d)o(d)lencr(d)org
Great #malware sample caught by @k3dg3 #threatintel
Exploits #ZippyReads (read only file for bypass of Mark-of-the-Web) and #DefenderExplode, a large file zero day in Microsoft Defender AV which breaks their telemetry and detection.
Targets Italy. Calls michaelpagerecruitment-ukoffers.]com
https://www.virustotal.com/gui/file/13846a9778f224ae692edddcc90746d0e619f872733c2c880188c36797b2c4e7
Some itw hashes and a Yara rule for #ZippyReads.
I appreciate it may not be perfect, but it helped me find some interesting itw samples!
Thanks also to @gossithedog @wdormann and Florian Roth for testing and feedback, and props to Will for originally finding it.
Hashes #οΈβ£
d599c99968765eddfed0f9c8a3e6d1f4531eb2bbaadfbab6d0cf3bdbad0c8b3c
29facd8248b5e0acd89e6835adb9c239f2d998deb1846a0cf2efc708eff4a535
f9deaed4ae870eb29a5ded42c8175596e5ce0e8b04ef1fc076af9d72d8c47648
Rule β
https://gist.github.com/rxwx/8b512ce1cb71d82415817b5b0b1243e9#file-zip_motw_bypass-yar
Will miss this bug as it was very useful for our Red Team ops π₯²
It's time to reveal the #ZippyReads CVE-2022-41091 3-word description:
read-only files
When you zip a read-only file, Windows will upon extraction:
1) Write file
2) Mark as read-only
3) Attempt to set the MotW on the read-only file (and fail)
That's it. That's the bug.
π¦π: https://twitter.com/wdormann/status/1590044005395357697
βIt's time to reveal the #ZippyReads CVE-2022-41091 3-word description: read-only files When you zip a read-only file, Windows will upon extraction: 1) Write file 2) Mark as read-only 3) Attempt to set the MotW on the read-only file (and fail) That's it. That's the bug.β
Acquiredsec
Kevin Beaumont
Kevin Beaumont
LauriRantasalo
Rich Warren
buherator