CyberMasterV

A technical analysis of the BackMyData ransomware used to attack hospitals in Romania

Summary According to BleepingComputer, a ransomware attack that occurred starting 0n February 11 forced 100 hospitals across Romania to take their systems offline. BackMyData ransomware, which took credit for it, belongs to the Phobos family. The malware embedded an AES key that is used to decrypt its configuration containing whitelisted extensions, files, and directories, a

A technical analysis of the BackMyData ransomware used to attack hospitals in Romania Read More »

Attackers target Romania using AI-generated videos

This blog post is a continuation of a previous one. We’ve recently seen a YouTube ad that presented a “unique” opportunity to invest in stocks. The attackers used a legitimate Podcast that was modified using AI. We believe that the account promoting the unlisted video was compromised https[:]//www.youtube[.]com/watch?v=rFk6gcrUuIE: The targeted users are advised to contact

Attackers target Romania using AI-generated videos Read More »

Attackers impersonate Romanian Gas Companies – OSINT Investigation

In this blog post, we’re going to look at a campaign that reveals recently created domains impersonating known Romanian gas companies. It all started with an ad on YouTube that featured a suspicious domain related to the legitimate RoEnergy Trade Fair. The ad was voiced in Romanian using an automatic translator. The website hosted on

Attackers impersonate Romanian Gas Companies – OSINT Investigation Read More »

A Deep Dive into Brute Ratel C4 payloads – Part 2

Summary Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework. There aren’t a lot of Brute Ratel samples available in

A Deep Dive into Brute Ratel C4 payloads – Part 2 Read More »

A technical analysis of the SALTWATER backdoor used in Barracuda 0-day vulnerability (CVE-2023-2868) exploitation

Summary SALTWATER is a backdoor that has been used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868. It is a module for the Barracuda SMTP daemon called bsmtpd. The malware hooked the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execute arbitrary commands, download and

A technical analysis of the SALTWATER backdoor used in Barracuda 0-day vulnerability (CVE-2023-2868) exploitation Read More »

A step-by-step introduction to the use of ROP gadgets to bypass DEP

Summary DEP (Data Execution Prevention) is a memory protection feature that allows the system to mark memory pages as non-executable. ROP (Return-oriented programming) is an exploit technique that allows an attacker to execute shellcode with protections such as DEP enabled. In this blog post, we will present the reverse engineering process of an application in

A step-by-step introduction to the use of ROP gadgets to bypass DEP Read More »

A technical analysis of Pegasus for Android – Part 3

Summary Pegasus is a spyware developed by the NSO group that was repeatedly analyzed by Amnesty International and CitizenLab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and we recommend reading it along with this post. During our research about Pegasus for Android, we’ve found out that vendors wrongly attributed

A technical analysis of Pegasus for Android – Part 3 Read More »

A technical analysis of Pegasus for Android – Part 2

Summary Pegasus is a spyware developed by the NSO group that was repeatedly analyzed by Amnesty International and CitizenLab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and we recommend reading it along with this post. During our research about Pegasus for Android, we’ve found out

A technical analysis of Pegasus for Android – Part 2 Read More »