#ITSicherheit #Malware #AMSIBypass #ClickFix #ETWBypass #FilelessMalware #MIMICRAT #PowerShell #ReflectiveLoading #RemoteAccessTrojaner #socialengineering #WindowsMalware https://sc.tarnkappe.info/0dde49
😱 Are you safe? A new malware exploits Windows automation to steal your sensitive data. Update your antivirus and be careful! #CyberSecurity #WindowsMalware
🔗 https://www.tomshw.it/hardware/coyote-primo-malware-che-sfrutta-windows-ui-2025-07-25
Dissecting Windows Malware Series – Beginner To Advanced:
- Part 1: https://8ksec.io/dissecting-windows-malware-series-beginner-to-advanced-part-1/
- Part 2: https://8ksec.io/dissecting-windows-malware-series-process-injections-part-2/
In Part 1 of the Dissecting Windows Malware blog series, we’ll lay down the foundations of analysing and reverse engineering Windows malicious files.
Elastic Security Labs analyzed a Windows dataset of over 100,000 malicious files: https://www.elastic.co/security-labs/unveiling-malware-behavior-trends
This article describes our analysis of the top malware stealer families, unveiling their operation methodologies, recent updates, and configurations. By understanding the modus operandi of each family, we better comprehend the magnitude of their impact and can fortify our defences accordingly.
Interesting #windowsmalware tactic: redirecting malicious* code in from standard input rather than using a file or via args.
This means I cannot (as easily) see what is being executed.
This is not new (I have played around with this tactic in the past, albeit with bash rather than PowerShell). However, I have not seen this used before in the wild.
i.e.
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
* as I cannot see the code, I cannot say for sure what it does or if it is malware
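A defender-side check for the stdin-sourced invocation described in that post, added here as an example and not part of the original post: it scans constructed process-creation records (pid, parent, command line) and flags PowerShell launches whose -Command or -File argument is the bare "-", which is PowerShell's documented way of reading the script text from standard input, including abbreviated parameter names such as -c. The function names and the sample records are mine.

```python
import re

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -"},
    {"pid": 4188, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 4201, "parent": r"C:\Program Files\Installer\setup.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c -'},
    {"pid": 4230, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Parameters whose argument "-" makes PowerShell read the script text from standard input.
STDIN_PARAMS = ("command", "file")


def _tokens(cmdline):
    # Keep double-quoted paths together; everything else splits on whitespace.
    return re.findall(r'"[^"]*"|\S+', cmdline)


def stdin_script_param(cmdline):
    """Return 'command' or 'file' when the script text comes from stdin, else None."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    image = toks[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return None
    for i in range(len(toks) - 1):
        tok = toks[i]
        if tok[:1] not in ("-", "/"):
            continue
        name = tok[1:].lower()
        # PowerShell accepts any unique prefix of a parameter name (-c, -com, -Command).
        for param in STDIN_PARAMS:
            if name and param.startswith(name) and toks[i + 1] == "-":
                return param
    return None


def triage(events):
    """Return, in order, the pids of events whose PowerShell script is piped in via stdin."""
    return [e["pid"] for e in events if stdin_script_param(e["cmdline"]) is not None]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        param = stdin_script_param(e["cmdline"])
        if param:
            print(f"pid {e['pid']} (parent {e['parent']}): script read from stdin via -{param}")
```

Because the script body never touches disk or the command line, the parent process and whatever it writes to the pipe are the only places left to look, so the flagged records are worth correlating with PowerShell script block logging.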
🔍 Technical Analysis: Smoke Loader Malware Leveraging Wi-Fi Access Points for Geolocation
📅 Date: August 28, 2023
🖋️ Author: Eswar
📌 Tags: #Malware #SmokeLoader #Geolocation #Wi-FiScanning #Cybersecurity
🛠️ The Smoke Loader malware, recently discovered, employs a novel technique to locate infected systems through Wi-Fi access points and Google's Geolocation API. This technical analysis sheds light on the key mechanisms used by this malware.
🔗 System Location Identification:
The malware, also known as "Whiffy Recon," utilizes a custom Wi-Fi scanning tool to identify an infected system's precise coordinates using nearby Wi-Fi access points. This is achieved by leveraging the Windows WLANSVC service and Google's Geolocation API.
🔒 Infection Process:
The malware checks the existence of the WLANSVC service, regardless of its operational status. If the service exists, the malware creates a wlan.lnk shortcut in the Startup folder pointing to the malware's original location. On the other hand, if the service is absent, the malware terminates execution.
🔄 Malware Loops:
There are two loops in the malware's execution flow:
📥 Registration and Communication:
Upon successful registration, the server responds with a secret UUID, replacing the initial bot ID for future requests. Both UUIDs are stored in the str-12.bin file. The malware then scans for Wi-Fi access points using the Windows WLAN API, sending results to Google's Geolocation API via HTTPS POST requests.
🌐 Google Geolocation API:
The Geolocation API provides system coordinates based on Wi-Fi access points and mobile network data. The obtained coordinates are integrated into a JSON structure along with encryption methods of access points. This data is sent to the C2 server through HTTP POST requests with Authorization UUID and specific URLs.
🔎 Indicators of Compromise:
Whiffy Recon sample dropped by Smoke Loader
Whiffy Recon C2 server
Whiffy Recon payload URL
🛡️ Recommendations:
Cybersecurity professionals are advised to be vigilant against Smoke Loader malware and Whiffy Recon malware. Monitoring for these indicators of compromise can aid in identifying and mitigating potential threats.
Source: https://cybersecuritynews.com/smoke-loader-malware-locates-using-wi-fi/
#Cybersecurity #ThreatAnalysis #MalwareDetection #GeolocationTracking #WindowsMalware