Cryptominers and fileless PowerShell techniques make for a dangerous combo

Along with ransomware, cryptocurrency mining malware is one of the most common threats to enterprise systems. Just like with ransomware, the sophistication of cryptominers has grown over the years, incorporating attack vectors and techniques such as fileless execution, run-time compilation and reflective code injection that were once associated with advanced persistent threats (APTs).

Researchers from security firm Deep Instinct have recently come across a cryptominer infection on the systems of a large Asia-based company in the aviation industry. The attack, which deployed a new Monero cryptocurrency miner, used PowerShell, reflective PE injection, run-time code compilation and Tor for anonymity.

The malware arrived as an encoded PowerShell script that, when executed, set up a scheduled task to run at system startup and launch a second encoded PowerShell command. This secondary payload used a module called Invoke-ReflectivePEInjection from PowerSploit and PowerShell Empire, two PowerShell-based exploitation frameworks, to extract code stored in the registry and inject it into its own running process.

"While run-time compilation is not new, it is becoming more and more prevalent with the rising popularity of file-less attacks, and can bear certain advantages for an attacker such as the avoidance of some of PowerShell's protection mechanisms," the Deep Instinct researchers said in a new report.

In particular, this malware is designed to patch the PowerShell process to disable the Antimalware Scan Interface (AMSI), a Windows 10 feature that blocks known malware from executing inside various components and applications, including inside PowerShell. Storing malicious code inside the registry instead of a file on disk, and then injecting it directly into the memory of legitimate processes is a technique that was first used in APT attacks to evade antivirus detection. Such fileless execution tactics are now common for a variety of malware threats, including ransomware.

In this case, the code stored inside the system registry consisted of two .DLL files -- one for 32-bit systems and one for 64-bit ones -- that implemented a Monero mining program. Once loaded, the cryptominer initiates communications with a series of Tor nodes, which likely serve as anonymizing proxies in order to hide the real location of their mining pools.
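The persistence step described above (a scheduled task that launches PowerShell with an encoded command, which in turn reads a payload back out of the registry and loads it reflectively) leaves a footprint that can be audited from the defender's side. The script below is an added example, not code from the CSO article or from Deep Instinct's report: it enumerates registered scheduled tasks, decodes any `-EncodedCommand` argument it finds, and flags decoded commands that contain the indicators the article names (`Invoke-ReflectivePEInjection`, registry reads) plus a few generic in-memory loading markers. The self-test at the bottom runs the detector against a constructed, inert command line so it can be exercised without a live infection. It assumes a Windows 10 host with PowerShell 5.1 and rights to read every task.

```powershell
# Added example (not from the CSO article or Deep Instinct's report): audit scheduled
# tasks for actions that launch PowerShell with an encoded command, decode the command,
# and flag indicators of registry-staged, reflectively loaded payloads.
# Assumes PowerShell 5.1 on Windows 10; run elevated to see every task.

# Indicators to look for inside a decoded command. The first two are named in the
# article; the rest are generic signs of run-time compilation or in-memory loading.
$Indicators = @(
    'Invoke-ReflectivePEInjection',
    'Get-ItemProperty',            # payload staged in the registry
    'FromBase64String',
    'Add-Type',                    # run-time compilation
    'System.Reflection.Assembly'
)

function Get-EncodedCommandPayload {
    <# Extracts and decodes the -EncodedCommand argument (any abbreviation such as
       -e, -ec, -enc) from a PowerShell command line. Returns $null when absent. #>
    param([Parameter(Mandatory)][string]$CommandLine)

    # "-ExecutionPolicy Bypass" also starts with -e, but "Bypass" is too short to
    # pass the 16-character base64 minimum, so the regex moves on to the real blob.
    $m = [regex]::Match($CommandLine, '(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try {
        # PowerShell encodes -EncodedCommand as UTF-16LE, not UTF-8.
        return [System.Text.Encoding]::Unicode.GetString(
            [Convert]::FromBase64String($m.Groups[1].Value))
    } catch {
        return $null   # not valid base64: treat as "no encoded command"
    }
}

function Test-SuspiciousPowerShellAction {
    <# Inspects one task action. Returns a report object for an encoded PowerShell
       launch, or $null when the action is something else. #>
    param([string]$Execute, [string]$Arguments, [string]$TaskName)

    if ($Execute -notmatch '(powershell|pwsh)(\.exe)?"?$') { return $null }
    $decoded = Get-EncodedCommandPayload -CommandLine $Arguments
    if ($null -eq $decoded) { return $null }

    $hits = @($Indicators | Where-Object { $decoded -match [regex]::Escape($_) })
    [pscustomobject]@{
        TaskName   = $TaskName
        Decoded    = $decoded
        Indicators = $hits
        Suspicious = ($hits.Count -gt 0)
    }
}

function Invoke-ScheduledTaskAudit {
    <# Walks every registered scheduled task and reports encoded PowerShell launches. #>
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $r = Test-SuspiciousPowerShellAction -Execute $action.Execute `
                    -Arguments $action.Arguments -TaskName ($task.TaskPath + $task.TaskName)
            if ($r) { $r }
        }
    }
}

# --- Constructed self-test: an inert command line shaped like the chain the article
# describes (registry read, then reflective injection). Nothing here is executed;
# the string is only encoded, decoded and inspected.
$sampleScript = "`$blob = (Get-ItemProperty 'HKLM:\SOFTWARE\ConstructedSample').Payload; " +
                "Invoke-ReflectivePEInjection -PEBytes `$blob"
$sampleB64    = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($sampleScript))
$sampleArgs   = "-NoP -W Hidden -ExecutionPolicy Bypass -enc $sampleB64"

# Expected: Suspicious = True, Indicators = Invoke-ReflectivePEInjection, Get-ItemProperty
Test-SuspiciousPowerShellAction -Execute 'powershell.exe' -Arguments $sampleArgs `
    -TaskName '\ConstructedSample' | Format-List

# Live audit of the host (uncomment to run):
# Invoke-ScheduledTaskAudit | Where-Object Suspicious | Format-List
```

A task that launches an encoded command is not malicious by itself (installers and management agents do it too), which is why the decoded text is kept in the report: the indicator list only ranks what a human should read first. The same decoding logic applies to the `CommandLine` field of process-creation events (Sysmon Event ID 1 or Security Event ID 4688) if you want to catch the first-stage script before it ever registers a task.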

"During the past two years, cryptomining malware has been on a constant rise, featuring ever increasing levels of sophistication, utilizing advanced fileless techniques to attack targets in enterprise environments," the Deep Instinct researchers said. "While analysis and research of this malware are still ongoing, in light of the above-mentioned findings, we are reasonably convinced that this is a new, sophisticated cryptominer variant, fairly distinguishable from other previously documented malware of this type."

Defending against PowerShell attacks

PowerShell is a powerful and useful system administration tool, but it has become a widely used attack vector in recent years, so it's imperative for enterprises to limit its use on systems where it's not needed or at the very least add logging and detection capabilities to it.

Microsoft recommends using PowerShell version 5, which has the most advanced logging features of all PowerShell versions. Unfortunately, even after installing version 5, PowerShell version 2 will still remain on the system and allow for downgrade attacks, so system administrators should make sure to remove this older version from their systems.

PowerShell can also be configured in what is called Constrained Language mode if the system's users don't need its full power. For administering remote servers, a limited shell mode known as Just Enough Administration (JEA) can be used.

Other effective mitigations involve configuring PowerShell to only allow the execution of digitally signed scripts and the use of Windows 10's AppLocker feature in order to validate scripts before they're allowed to run.

Finally, if PowerShell is not needed on a system, it can be removed entirely. This will offer the best protection but is rarely practical because the tool is often needed to automate system administration tasks.
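The mitigations listed in this section can be checked on a host in one pass. The script below is an added example, not part of the CSO article or Microsoft's own tooling: it is a read-only audit that reports whether the PowerShell 2.0 engine is still installed, whether the version 5 logging features (script block logging, module logging, transcription) are switched on through their standard Group Policy registry keys, which language mode the current session runs in, whether the machine-wide execution policy is AllSigned, and whether an effective AppLocker policy enforces a Script rule collection. The remediation commands sit in comments so nothing changes without intent. It assumes PowerShell 5.1 on Windows 10 or Server with the DISM and AppLocker modules available, and it must run elevated for the feature and policy queries.

```powershell
# Added example (not from the CSO article): read-only audit of a host against the
# PowerShell mitigations discussed above. Assumes PowerShell 5.1 on Windows 10/Server
# with the DISM and AppLocker modules; run in an elevated session.

function Test-RegistryDword {
    # $true when the named DWORD exists under $Path with the expected value.
    param([string]$Path, [string]$Name, [int]$Expected = 1)
    try {
        $v = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return ([int]$v.$Name -eq $Expected)
    } catch { return $false }
}

function Get-PowerShellHardeningReport {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # 1. PowerShell v2 engine: its presence allows downgrade attacks that skip v5 logging.
    #    Fix: Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root `
            -ErrorAction SilentlyContinue
    $v2Removed = ($null -eq $v2) -or ($v2.State -ne 'Enabled')
    $v2State   = if ($v2) { "$($v2.State)" } else { 'not present' }

    # 2. Version 5 logging features, each backed by a Group Policy registry key
    #    (Administrative Templates > Windows Components > Windows PowerShell).
    #    Fix: create the key and set the DWORD to 1, or apply the matching GPO.
    $scriptBlock = Test-RegistryDword "$policyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging'
    $moduleLog   = Test-RegistryDword "$policyRoot\ModuleLogging"      'EnableModuleLogging'
    $transcript  = Test-RegistryDword "$policyRoot\Transcription"      'EnableTranscripting'

    # 3. Language mode of this session. ConstrainedLanguage is the hardened state the
    #    article refers to; FullLanguage means nothing is restricting the caller.
    $langMode = "$($ExecutionContext.SessionState.LanguageMode)"

    # 4. Execution policy: AllSigned means only digitally signed scripts run.
    #    Fix: Set-ExecutionPolicy AllSigned -Scope LocalMachine
    $execPolicy = "$(Get-ExecutionPolicy -Scope LocalMachine)"

    # 5. AppLocker: is a Script rule collection present and enforced?
    $appLocker  = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $scriptColl = if ($appLocker) {
        $appLocker.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Script' }
    } else { $null }
    $appLockerScripts = ($null -ne $scriptColl) -and ($scriptColl.EnforcementMode -eq 'Enabled')

    @(
        [pscustomobject]@{ Check = 'PowerShell v2 engine removed';   Pass = $v2Removed;   Value = $v2State }
        [pscustomobject]@{ Check = 'Script block logging enabled';    Pass = $scriptBlock; Value = $scriptBlock }
        [pscustomobject]@{ Check = 'Module logging enabled';          Pass = $moduleLog;   Value = $moduleLog }
        [pscustomobject]@{ Check = 'Transcription enabled';           Pass = $transcript;  Value = $transcript }
        [pscustomobject]@{ Check = 'Constrained Language mode';       Pass = ($langMode -eq 'ConstrainedLanguage'); Value = $langMode }
        [pscustomobject]@{ Check = 'Only signed scripts (AllSigned)'; Pass = ($execPolicy -eq 'AllSigned');         Value = $execPolicy }
        [pscustomobject]@{ Check = 'AppLocker Script rules enforced'; Pass = $appLockerScripts; Value = $appLockerScripts }
    )
}

Get-PowerShellHardeningReport | Format-Table -AutoSize
```

Two caveats when reading the output: the language-mode row describes only the session the audit runs in, so run it from the same kind of session your users get, not from an administrator's unrestricted console; and the execution policy is a guardrail against accidental execution rather than a security boundary, which is why the article pairs it with AppLocker rather than relying on it alone.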

This story, "Cryptominers and fileless PowerShell techniques make for a dangerous combo" was originally published by CSO.