Jan Kopriva Diaries

Back to Handlers

• Self-contained HTML phishing attachment using Telegram to exfiltrate stolen credentials
• Phishing links with @ sign and the need for effective security awareness building
• Script obfuscation using multiple instances of the same function
• "Reply-chain phishing" with a twist
• Support of SSL 2.0 on web servers in 2024
• Files with TXZ extension used as malspam attachments
• It appears that the number of industrial devices accessible from the internet has risen by 30 thousand over the past three years
• The xz-utils backdoor in security advisories by national CSIRTs
• Increase in the number of phishing messages pointing to IPFS and to R2 buckets
• Phishing pages hosted on archive.org
• Computer viruses are celebrating their 40th birthday (well, 54th, really)
• Interesting large and small malspam attachments from 2023
• Whose packet is it anyway: a new RFC for attribution of internet probes
• Phishing page with trivial anti-analysis features
• Are typos still relevant as an indicator of phishing?
• A new spin on the ZeroFont phishing technique
• The low, low cost of (committing) cybercrime
• From small LNK to large malicious BAT file with zero VT score
• Kazakhstan - the world's last SSLv2 superpower... and a country with potentially vulnerable last-mile internet infrastructure
• After 28 years, SSLv2 is still not gone from the internet... but we're getting there
• Ongoing Facebook phishing campaign without a sender and (almost) without links
• "Passive" analysis of a phishing attachment
• The strange case of Great honeypot of China
• Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains
• IPFS phishing and the need for correctly set HTTP security headers
• HTML phishing attachment with browser-in-the-browser technique
• SPF and DMARC use on 100k most popular domains
• Passive detection of internet-connected systems affected by vulnerabilities from the CISA KEV catalog
• SPF and DMARC use on GOV domains in different ccTLDs
• TLP 2.0 is here
• EternalBlue 5 years after WannaCry and NotPetya
• HTML phishing attachments - now with anti-analysis features
• Do you want 30 BTC? Nothing is easier (or cheaper) in this phishing campaign...
• What is the simplest malware in the world?
• MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering
• How is Ukrainian internet holding up during the Russian invasion?
• Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW
• Phishing e-mail with...an advertisement?
• Do you want your Agent Tesla in the 300 MB or 8 kB package?
• PowerPoint attachments, Agent Tesla and code reuse in malware
• Phishing page hiding itself using dynamically adjusted IP-based allow list
• TLS 1.3 and SSL - the current state of affairs
• Phishing 101: why depend on one suspicious message subject when you can use many?
• There may be (many) more SPF records than we might expect
• ProxyShell - how many Exchange servers are affected and where are they?
• A sextortion e-mail from...IT support?!
• One way to fail at malspam - give recipients the wrong password for an encrypted attachment
• Phishing asking recipients not to report abuse
• Architecture, compilers and black magic, or "what else affects the ability of AVs to detect malicious files"
• All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not
• Number of industrial control systems on the internet is lower then in 2020...but still far from zero
• Hunting phishing websites with favicon hashes
• Malspam with Lokibot vs. Outlook and RFCs
• Old TLS versions - gone, but not forgotten... well, not really "gone" either
• 50 years of malware? Not really. 50 years of computer worms? That's a different story...
• Qakbot in a response to Full Disclosure post
• Agent Tesla hidden in a historical anti-malware tool
• TriOp - tool for gathering (not just) security-related data from Shodan.io (tool drop)
• From a small BAT file to Mass Logger infostealer
• TLS 1.3 is now supported by about 1 in every 5 HTTPS servers
• Want to know what's in a folder you don't have a permission to access? Try asking your AV solution...
• A slightly optimistic tale of how patching went for CVE-2019-19781
• Heartbleed, BlueKeep and other vulnerabilities that didn't disappear just because we don't talk about them anymore
• SMBGhost - the critical vulnerability many seem to have forgotten to patch
• BazarLoader phishing lures: plan a Halloween party, get a bonus and be fired in the same afternoon
• Phishing kits as far as the eye can see
• Slightly broken overlay phishing
• A blast from the past - XXEncoded VB6.0 Trojan
• Security.txt - one small file for an admin, one giant help to a security researcher
• Definition of 'overkill' - using 130 MB executable to hide 24 kB malware
• What pages do bad bots look for?
• Couple of interesting Covid-19 related stats
• Using Shell Links as zero-touch downloaders and to initiate network connections
• VMware security advisory VMSA-2020-0015
• Broken phishing accidentally exploiting Outlook zero-day
• Frankenstein's phishing using Google Cloud Storage
• Agent Tesla delivered by the same phishing campaign for over a year
• Look at the same phishing campaign 3 months apart
• Crashing explorer.exe with(out) a click
• Desktop.ini as a post-exploitation tool
• Secure vs. cleartext protocols - couple of interesting stats
• Quick look at a couple of current online scam campaigns
• Discovering contents of folders in Windows without permissions
• Current PayPal phishing campaign or "give me all your personal information"
• Analysis of a triple-encrypted AZORult downloader
• Picks of 2019 malware - the large, the small and the one full of null bytes
• Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!
• Phishing with a self-contained credentials-stealing webpage
• E-mail from Agent Tesla
• Analysis of a strangely poetic malware
• Lessons learned from playing a willing phish
• Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching?
• EML attachments in O365 - a recipe for phishing
• Phishing e-mail spoofing SPF-enabled domain