All news with #defense evasion tag

⚠️ A newly discovered campaign attributed to the Silver Fox APT abuses trusted Microsoft-signed drivers to bypass security protections and install a remote access tool. Check Point Research found attackers used the WatchDog driver (amsdk.sys) and an older Zemana-based driver to terminate antivirus and EDR processes, enabling deployment of ValleyRAT. Researchers observed loaders with anti-analysis, persistence, embedded drivers and hardcoded lists of security processes, and warn that timestamp edits can preserve valid signatures while evading hash-based detection.

🔍 In a recent Sophos report, unknown actors abused the open-source forensic tool Velociraptor to download and execute Visual Studio Code, enabling an encrypted tunnel to an attacker-controlled command-and-control server. The intruders used the Windows msiexec utility to fetch MSI installers hosted on Cloudflare Workers, staged additional tooling including a tunneling proxy and Radmin, and invoked an encoded PowerShell command to enable VS Code's tunnel option. Sophos warns that misuse of incident response tools can precede ransomware and recommends deploying EDR, monitoring for unauthorized Velociraptor activity, and hardening backup and monitoring processes.

🔒 Researchers demonstrated BadCam, a BadUSB-style attack presented at BlackHat that reflashes a webcam's firmware so a standard camera can act as a programmable HID device. The proof-of-concept targeted Lenovo 510 FHD and Lenovo Performance FHD models using a SigmaStar SoC, exploiting lack of cryptographic firmware verification and Linux USB Gadget support to present keyboard/network interfaces. Standard scans and OS reinstalls won't remove such implants, so organizations should apply firmware patches, USB control policies, and HID monitoring to mitigate the risk.

🔒 FortiGuard Labs has detailed a global phishing campaign that uses personalized HTML attachments and spoofed websites to deliver a custom loader, UpCrypter, which installs multiple remote access tools. The operation uses tailored lures—voicemail notices and purchase orders—embedding recipient emails and company logos to appear legitimate. The delivered ZIPs contain obfuscated JavaScript that runs PowerShell, fetches further payloads (sometimes hidden via steganography) and ultimately loads RATs such as PureHVNC, DCRat and Babylon, while UpCrypter checks for sandboxes, enforces persistence and can force reboots to hinder analysis.