BLOG

 

Encrypted exploit delivery - #IRONSQUIRREL

This research deals with the delivery of encrypted browser exploits to a victim’s browser. It is a follow-up post to some research I did 2 years ago. Even if you are already familiar with the content of that research, you may still find valuable information in this post.

Introduction

In this blog I will propose that attackers who legitimately need to launch encrypted attacks (such as law enforcement agencies tracking suspect activity online) can reduce the threat of their attacks being nullified via reverse engineering. They can do this by using both encrypted and one-time URLs to deliver the exploit …

read more
 

A Note on the War of Android AVs and Advanced Malware

Recently, we performed an in-depth analysis of multiple Android AV engines. We checked how they perform in scenarios where the user’s device has not yet been infected. As an afterthought, we also performed testing in scenarios where the handheld has already been infected with a piece of malware – a rather realistic scenario, assuming that a user realizes that there is something nasty going on and decides to install a free AV to sort things out. For testing, we installed a fresh sample of Trojan-Banker.AndroidOS.Svpeng.ae on several versions of Android (5.1.1 and 7.1.1). This piece of malware has been thoroughly analysed …

read more
 

Coordinated Disclosure of Vulnerabilities in McAfee Security Android 4.8.0.370

Researchers of MRG Effitas have tested McAfee’s popular Android AV application and found issues which might undermine the vendor’s effort to improve the security posture of the user’s device. Details can be found in the following document: https://www.mrg-effitas.com/wp-content/uploads/2017/08/McAfee_v102.pdf

read more
 

Coordinated Disclosure of Vulnerabilities in AVG Antivirus Free Android AV

Researchers of MRG Effitas performed a security assessment of the AVG Antivirus Free Android AV software. We found issues which might affect the overall security posture of the AV software and the device itself. Details can be found in our report: https://www.mrg-effitas.com/wp-content/uploads/2017/08/AVG_v103.pdf

read more
 

Coordinated Disclosure of Vulnerabilities in KASPERSKY INTERNET SECURITY Android Antivirus

Researchers of MRG Effitas performed an assessment of the security posture of the Kaspersky Internet Security Android antivirus software. We found implementation details which might undermine the vendor’s efforts to improve the overall security level of an Android device. Details can be found in the following document: https://www.mrg-effitas.com/wp-content/uploads/2017/08/Kaspersky_v102.pdf

read more
 

Current state of malicious Powershell script blocking

tl;dr: The current state of malicious PowerShell script blocking is bad, very bad. There is room for improvement … Only two products (among the tested ones) can protect against an obfuscated malicious PowerShell script stealing the passwords and hashes from memory: AVG/Avast Antivirus and HitmanPro.Alert Beta/Sophos Intercept X. Update 2017-08-10: the latest KIS2017 blocks the attacks as well.

Introduction

When I watched this great presentation from Will Schroeder (@harmj0y), it got me thinking: how about doing a quick and dirty PowerShell test? For this exercise, I chose Invoke-Mimikatz. Mimikatz (Benjamin Delpy – @gentilkiwi) is the gold standard when it comes to lateral …

read more
 

Webroot SecureAnywhere Android AV coordinated disclosure

Researchers of MRG Effitas tested the Webroot SecureAnywhere Android application. During use, we came across implementation details which might undermine the vendor’s efforts to provide a comprehensive mobile security solution with the potential to aid users in case of encounters with malware.

Testing covered the following application version.

Application name: Webroot SecureAnywhere
Store URL: https://play.google.com/store/apps/details?id=com.webroot.security
Version: 4.1.0.8032

We considered the situation and opted for a coordinated disclosure approach to aid the vendor in their efforts. In accordance with industry standards, we disclose the issues based on Google’s 90-day policy. As a result, after a 90-day plus a …

read more
 

Limitations of Android AntiVirus Scanners

Recently, MRG Effitas has been involved in a test of Android-based AV products. Having completed the test process, we realised that the general approach to malware on Windows cannot be applied to mobile-based samples, as the general considerations fundamentally differ. Furthermore, most Android-based AV vendors started their work offering desktop AV solutions to customers, and many times the same approach is applied in both fields – which, as we’ll see, often leads to controversial consequences.

AV is “just another app”

Most of the issues we found fundamentally originate from the fact that the AV is usually just another …

read more
 

EternalRomance vs Internet Security Suites and nextgen protections

This blog post is an auxiliary post to our EternalBlue test. If you have not read that, please read it first and come back when you are done. So here we are again, with #NotPetya. According to Microsoft, #NotPetya spreads in 4 ways:

- MeDoc auto update (initial infection)
- EternalBlue exploit
- EternalRomance exploit
- Credential stealing (multiple methods)

This post will only focus on EternalRomance. For the EternalBlue infection vector, check our previous post. To protect against credential stealing, you should either use the latest Windows, where lsass runs as a protected process, or use different local admin passwords on different machines. …

read more
 
