je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.


Read the 200,000 Russian Troll tweets Twitter deleted

Sophos Naked Security - 1 min 35 sek zpět
NBC News asked three sources to retrieve the evidence of foreign election meddling that Twitter deleted

Google zveřejnil detaily k díře v prohlížeči Edge. Varoval Microsoft předem, ale ten chybu včas neopravil - bezpečnost - 1 hodina 47 min zpět
Google zveřejnil detaily bezpečnostní chyby v prohlížeči Edge. Microsoft přitom o chybě věděl dopředu, ale ve stanovené lhůtě nedostatky neodstranil, informoval web Tým Googlu prostřednictvím Projektu Zero odhalil v listopadu minulého roku zranitelnost prohlížeče Microsoft Edge a ...
Kategorie: Hacking & Security

Novinky v projektu PROKI - 2 hodiny 24 min zpět
Kategorie: Hacking & Security

Na klienty ČSOB míří další phishingový útok - bezpečnost - 6 hodin 5 min zpět
Internetové bankovnictví je nepřekvapivě místem s nejčastějšími pokusy o phishing, nyní útočníci míří na klienty ČSOB. Jde o tradiční formulář, který má vylákat co možná nejvíc osobních údajů. Takto vypadá podvodný formulář pro klienty ČSOB ( Formulář je mutací některého ze ...
Kategorie: Hacking & Security

Flight Sim Labs’ ‘Heavy Handed’ Anti-Piracy Tactics Raise Hackles

Threatpost - 20 Únor, 2018 - 23:13
Developer Flight Sim Labs is in hot water after acknowledging that it has installed malware in its flight simulator product that it said targets pirate users of its software.
Kategorie: Hacking & Security

Top 5 Security Apps for Android Users

InfoSec Institute Resources - 20 Únor, 2018 - 23:07

Your smartphone is even more valuable than your wallet. If stolen or compromised, its contents can be used against you; if there is work-related information on there, it can also damage your job. That’s why it’s crucial you keep it safe from thieves and spies (as well as malware). To help, here are the top […]

The post Top 5 Security Apps for Android Users appeared first on InfoSec Resources.

Top 5 Security Apps for Android Users was first posted on February 20, 2018 at 4:07 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at
Kategorie: Hacking & Security

Threat Hunting – Malspam –Japan Office Infected

InfoSec Institute Resources - 20 Únor, 2018 - 18:02

This is a lab that is conducted in a test bed. The resources were downloaded from The samples provided came from a case study of a Japanese field office that was a victim of a major Cyber-attack. Scenario You work as a security analyst for a company with locations worldwide, and recently, corporate headquarters […]

The post Threat Hunting – Malspam –Japan Office Infected appeared first on InfoSec Resources.

Threat Hunting – Malspam –Japan Office Infected was first posted on February 20, 2018 at 11:02 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at
Kategorie: Hacking & Security

SecurityIQ Update Adds New Gamification Tools, Content & Integrated Assessments

InfoSec Institute Resources - 20 Únor, 2018 - 15:50

SecurityIQ’s new learner completion certificates and microlearning video series make it easier than ever to boost program engagement. Now fully integrated, learner assessments go one step further to simplify program automation and track training impact overtime. Read on for complete release details. Gamify Learning With Training Completion Certificates Reward your security awareness champions with SecurityIQ’s […]

The post SecurityIQ Update Adds New Gamification Tools, Content & Integrated Assessments appeared first on InfoSec Resources.

SecurityIQ Update Adds New Gamification Tools, Content & Integrated Assessments was first posted on February 20, 2018 at 8:50 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at
Kategorie: Hacking & Security

A Slice of 2017 Sofacy Activity

Kaspersky Securelist - 20 Únor, 2018 - 15:00

Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of YARA, IOC, and reports on Sofacy, our most reported APT for the year.

This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.

In 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across 4-5 generations) and a few others. We’ve seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. It appeared to be geared exclusively towards high profile targets.

Sofacy’s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group’s activities in 2016, especially when data from the compromise was leaked and “weaponized”. And later 2016, their focus turned towards the Olympics’ and the World Anti-Doping Agency (WADA) and Court of Arbitration for Sports (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein with past CyberBerkut activity, attackers hid behind anonymous activist groups like “anonpoland”, and data from victimized organizations were similarly leaked and “weaponized”.

This write-up will survey notables in the past year of 2017 Sofacy activity, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. Here, external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer’s Choice spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East.

Dealer’s Choice

The beginning of 2017 began with a slow cleanup following the Dealer’s Choice campaign, with technical characteristics documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their carberp based JHUHUGIT downloaders and further stages of malware. It seems that many folks did not log in and pull down their emails until Jan 2017 to retrieve the Dealer’s Choice spearphish. Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests.

In multiple cases, Sofacy spoofs the identity of a target, and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here, the DealersChoice spearphish is again NATO related:

The global reach that coincided with this focus on NATO and the Ukraine couldn’t be overstated. Our KSN data showed spearphishing targets geolocated across the globe into 2017.

DealersChoice emails, like the one above, that we were able to recover from third party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data:

0day Deployment(s)

Sofacy kicked off the year deploying two 0day in a spearphish document, both a Microsoft Office encapsulated postscript type confusion exploit (abusing CVE-2017-0262) and an escalation of privilege use-after-free exploit (abusing CVE-2017-0263). The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming “Trump’s_Attack_on_Syria_English.docx”. Again, this deployment was likely a part of their focus on NATO targets.

Light SPLM deployment in Central Asia and Consistent Infrastructure

Meanwhile in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia. These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer, keylogger, and remoteshell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn’t match previous reports on SPLM/XAgent while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. Targeting profiles included defense related commercial and military organizations, and telecommunications.

Targeting included TR, KZ, AM, KG, JO, UK, UZ

Heavy Zebrocy deployments

Since mid-November 2015, the threat actor referred to as “Sofacy” or “APT28” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT. We collectively refer to this package and related activity as “Zebrocy” and had written a few reports on its usage and development by June 2017 – Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -> compiled Autoit script (downloader) -> Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.

Targeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:</p style=”margin-bottom:0!important”>

  • Business accounting practices and standards
  • Science and engineering centers
  • Industrial and hydrochemical engineering and standards/certification
  • Ministry of foreign affairs
  • Embassies and consulates
  • National security and intelligence agencies
  • Press services
  • Translation services
  • NGO – family and social service
  • Ministry of energy and industry

We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files 60mb and less with these extensions:</p style=”margin-bottom:0!important”>

  • .doc
  • .docx
  • .xls
  • .xlsx
  • .ppt
  • .pptx
  • .exe
  • .zip
  • .rar

At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method.

Zebrocy spearphishing targets:

SPLM deployment in Central Asia

SPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting http over fully encrypted TLSv1 and TLSv1.2 communications, mostly deployed in the second half of 2017 by Sofacy. Earlier SPLM activity deployed 32-bit modules over unencrypted http (and sometimes smtp) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X.

The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, maintaining slightly morphed encryption and functionality per deployment. Sofacy selectively used SPLM/CHOPSTICK modules as second stage implants to high interest targets for years now. In a change from previous compilations, the module was structured and used to inject remote shell, keylogger, and filesystem add-ons into processes running on victim systems and maintaining functionality that was originally present within the main module.

The newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign affairs government organizations both localized and abroad, and defense organizations’ presence localized, located in Europe and also located in Afghanistan. One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina.

Minor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself already is altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and accommodate targeted environments. Strings (c2 domains and functionality, error messages, etc) are custom encrypted per deployment.

Targets: TR, KZ, BA, TM, AF, DE, LT, NL

SPLM/CHOPSTICK/XAgent Modularity and Infrastructure

This subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. Changes in the second stage SPLM backdoor are refined, making the code reliably modular.

Infrastructure Notes

Sofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.

As always, attackers make mistakes and give away hints about what providers and registrars they prefer. It’s interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. Leading up to summer 2017, infrastructure mostly was created with PDR and Internet Domain Service BS Corp, and their resellers. Hosting mostly was provided at Fast Serv Inc and resellers, in all likelihood related to bitcoin payment processing.

Accordingly, the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing. One certificate was generated locally on what appeared to be a HP-UX box, and another was generated on “8569985.securefastserver[.]com” with an email address “root@8569985.securefastserver[.]com”, as seen here for their nethostnet[.]com domain. This certificate configuration is ignored by the malware.

In addition to other ip data, this data point suggested that Qhoster at https://www.qhoster[.]com was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI, Bank transfer for payment.


Sofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy, and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity, however much of it is changing. We’ll cover more recent 2018 change in their targeting and the malware itself at SAS 2018.

With a group like Sofacy, once their attention is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two factor authentication for services like email and vpn access. In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important.

Technical Appendix Related md5


Related domains


Year-Old Coldroot RAT Targets MacOS, Still Evades Detection

Threatpost - 20 Únor, 2018 - 14:46
Researchers are warning users about the Coldroot remote access Trojan that is going undetected by AV engines and targets MacOS computers.
Kategorie: Hacking & Security

Facebook to verify election ad buyers by snail mail

Sophos Naked Security - 20 Únor, 2018 - 14:37
The plan came a day after a federal indictment describing a Russian conspiracy to interfere in the 2016 election.

Apple fixes that “1 character to crash your Mac and iPhone” bug

Sophos Naked Security - 20 Únor, 2018 - 14:08
Given the ease of copying and pasting the treacherous "crash character" into a message, Apple needed to get a patch out quickly.

Stovky českých webů těžily virtuální mince - bezpečnost - 20 Únor, 2018 - 13:21
Hned několik stovek českých internetových serverů zatěžovalo nadměrně výkon počítačů a chytrých telefonů svých návštěvníků, ukrývaly se na nich totiž speciální skripty pro těžbu kybernetických mincí, jako jsou například bitcoiny. Upozornil na to serveru
Kategorie: Hacking & Security

Facebook told to stop tracking users that aren’t logged in

Sophos Naked Security - 20 Únor, 2018 - 12:58
If Facebook doesn't stop tracking users across the web, it could face a fine of €250,000 ($315,000) per day, says Belgian court.

Spojené státy obviňují Rusko, že do světa vypustilo zákeřný ransomware - bezpečnost - 20 Únor, 2018 - 11:22
Bílý dům vydal prohlášení, že podle zjištění amerických vyšetřovatelů stojí Rusko za vypuštěním ransomwaru NotPetya. Ten v červnu minulého roku ochromil množství počítačů zejména v Evropě. Stanovisko USA je tak přidalo k totožnému názoru britských vyšetřovatelů, upozornila agentura Reuters. „Šlo o ...
Kategorie: Hacking & Security

10 Steps Leaders Can Take to Improve Cybersecurity in their Organization

InfoSec Institute Resources - 19 Únor, 2018 - 21:08

As revealed by an executive opinion survey in the World Economic Forum’s (WEF) Global Risk Report, the top concern for business leaders moving into 2018 is the potential for a cyber attack that may result in system and service interruptions and infiltrations of critical infrastructure. Despite that, another survey by PwC, the 2018 Global State […]

The post 10 Steps Leaders Can Take to Improve Cybersecurity in their Organization appeared first on InfoSec Resources.

10 Steps Leaders Can Take to Improve Cybersecurity in their Organization was first posted on February 19, 2018 at 2:08 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at
Kategorie: Hacking & Security

Olympijské hry jsou rájem pro hackery. Denně se uskuteční milióny útoků - bezpečnost - 19 Únor, 2018 - 20:02
Zraky snad všech sportovních fanoušků se v posledních týdnech ubírají k Pchjongčchangu, kde se konají 23. zimní olympijské hry. Ty lákají – stejně jako v minulých letech – také počítačové piráty. Bezpečnostní experti varují, že počet útoků v době olympiády vzroste o milióny každý den.
Kategorie: Hacking & Security

Google drops new Edge zero-day as Microsoft misses 90-day deadline

Sophos Naked Security - 19 Únor, 2018 - 19:35
Microsoft wasn't able to come up with a patch within Google's non-negotiable "you have 90 days" period, so the flaw is now public.

Podvod poznají jen pozorní. ČSOB varovala před počítačovými piráty - bezpečnost - 19 Únor, 2018 - 18:54
Počítačoví piráti se v posledních dnech zaměřili na klienty ČSOB, internetem šíří odkaz na podvodné stránky imitující vzhled této banky. Z klientů se snaží vylákat přihlašovací údaje k jejich účtům. Podvodné stránky přitom pozorní uživatelé poznají na první pohled.
Kategorie: Hacking & Security

Amatérský dron natáčel záběry Apple Parku, zřítil se přímo na solární panely - bezpečnost - 19 Únor, 2018 - 15:27
Poměrně často si můžeme prohlédnout čerstvé přelety nad novým sídlem Applu pomocí dronu. Většinou jde o profesionální záběry, ale tentokrát se o stejný přelet pokusil amatérský pilot, kterému se přitom stala nehoda. Jeho dron se z neznámých příčin zřítil a jak je možné vidět na záběrech ...
Kategorie: Hacking & Security
Syndikovat obsah