Recently, FortiGuard Labs found a phishing campaign targeting French nationals. In this campaign, a PDF file with embedded JavaScript is used to download the payload from a Google Drive shared link. As it turns out, the downloaded file is an HTA (HTML Application) file, a format that is becoming more and more common as a malware launch point. It is usually used as a downloader for the actual binary payload. However, in this campaign,...
by Joie Salvio and Rommel Joven  |  Oct 12, 2017  |  Filed in: Security Research
Fortinet researchers recently discovered two critical zero-day vulnerabilities in Adobe Acrobat and Reader. They are identified as CVE-2016-6939 and CVE-2016-6948. Adobe released a patch to fix these vulnerabilities on October 6, 2016. CVE-2016-6939: This vulnerability was discovered by Kai Lu. CVE-2016-6939 is a heap overflow vulnerability. It is triggered by a crafted PDF file that causes an out-of-bounds memory access due to an improper bounds check when manipulating an array pointer. The specific vulnerability exists...
by Kai Lu and Kushal Shah  |  Oct 21, 2016  |  Filed in: Security Research
Recently, we found a simple malicious downloader that downloads a fake PDF file. Unlike a normal malicious loader that integrates the PE loader code into its binary, this loader has stripped out that part and instead fetches it online. Our FortiGuard Labs Threat Intelligence system can detect the traffic of this downloader, which we detect as W32/Upatre.FT!tr, efficiently aiding in the analysis of this malware. Registering Online: Once executed, the loader grabs the local victim's system information, generates them...
by He Xu  |  Feb 23, 2015  |  Filed in: Security Research
A few days ago, I was happy to go to Insomni'Hack. I presented some updates on how to detect hidden methods in Dalvik Executable files. But it's not my talk I want to discuss in this post, but Ange Albertini's "Angecryption". With Angecryption, you can basically encrypt anything into whatever you want (there are a few restrictions on input and output formats, but it's the general idea). Basically, Ange Albertini wrote a (Python) script to which you provide the input you wish, the output you wish and the key you wish. The script manipulates the...
by Axelle Apvrille  |  Mar 31, 2014  |  Filed in: Security Research
Cybercrime was thwarted a bit during the last full week of May, with arrests that ranged from an alleged high profile cybercriminal to a small time hacker. And researchers possibly found a way to combat a major SSL spoof that plagued several CAs last year. Here's a look at May 21-25 in security. Facebook Malware On The Loose: Perhaps not surprising in light of the social networking giant's recent IPO, malware is circulating on Facebook, reeling in victims by asking them innocuously if they want to terminate their accounts. As typical of phishing...
by Stefanie Hoffman  |  May 29, 2012  |  Filed in: Industry Trends
Unless you're on a trek in the Himalayas, by now you've probably heard one way or another that the infamous "Jailbreakme" website is back to free iPhones (including iPhone 4 running iOS 4.0.1) and iPads: it's just everywhere on the web, even with videos and tutorials. However, fewer resources address the technical aspect of jailbreaking. You might have found out that the online jailbreaking tool is resorting to a drive-by script exploiting a 0-day vulnerability. We'll try and provide a few other technical findings below. First, let's connect...
by Axelle Apvrille  |  Aug 05, 2010  |  Filed in: Security Research
Although it is not a new idea to run an executable from within a PDF, the researcher Didier Stevens presented a trick technique to make it more practical "in the real world". In this post I will dissect a PDF document using this trick (MD5: 1dcd4a3f5d05433fcebf88d9138a1966), indeed found in the wild. As one of the vendors affected, Adobe was investigating this issue and gave a temporary solution. But no patch is available yet. In fact there may be no patch at all... and although CVE number CVE-2010-1240 is assigned for this issue, some people think it...
by Bin Liu  |  May 04, 2010  |  Filed in: Security Research
With February's Threat Landscape Report out, it's time to highlight some of the most interesting movement happening from late January 2009 to now: New vulnerabilities (NVC) were up nearly threefold, with 117 posted in comparison to 43 from January's edition; 25.6% of these new vulnerabilities were detected to be actively exploited. Two new high-profile zero-day exploits (CVE-2009-0238 and CVE-2009-0658) affecting MS Excel (XLS) and Adobe Reader (PDF) have since been disclosed. Given these facts, and Conficker's success, there is no better time...
by Derek Manky  |  Feb 27, 2009  |  Filed in: Security Research