Reverse engineering Emotet – Our approach to protect GRNET against the trojan

By | Blog | 15 Comments

Preamble

In October 2020 we observed an outbreak of malicious e-mails reaching GRNET employees’ inboxes. Meanwhile, similar campaigns were also targeting several public and private sector organizations in Greece. After acquiring dozens of such e-mails, we started planning our defensive strategy. To do so, we started analyzing the malware that was attached to the emails and realized that we were dealing with the infamous Emotet trojan. In this document, we describe the steps of our analysis, including the reverse engineering process of the malware executables, how we overcame the binary obfuscation techniques it employed, and how we determined the malware’s internals…


Phishing attacks

By | Terminology and Guidelines | No Comments

Phishing attacks are an example of social engineering, a technique which uses psychological manipulation to lure people into performing unwanted actions or disclosing confidential information. Most of the time, phishing attacks trick users into entering their private information in fake websites that impersonate legitimate ones, copying their look and feel. Usually, such an attack is performed through a link to a phishing website found in a phishing email, that is, an email which tries to lure the potential victim into accessing the phishing website. A link to a phishing website can also be found in the results…


Content Security Policy

By | Terminology and Guidelines | No Comments

Content Security Policy (CSP) is a security layer that all modern browsers support, with minor differences in how it is handled [1]. CSP was designed to mitigate application attacks such as Cross Site Scripting (XSS) [2] and clickjacking. Notably, such attacks have been popular for more than ten years. A developer can employ CSP to restrict (in a whitelist / blacklist manner) the sources from which the application can receive content. Such content involves several elements:

- frame-src: specifies valid sources for nested browsing contexts using elements such as <frame> and <iframe>.
- img-src: valid sources for images and favicons.
- script-src:…


Useful links

By | Terminology and Guidelines | No Comments

- CERTCOOP: http://certcoop.eu/
- OWASP Top 10 Most Critical Web Application Security Risks (2017): OWASP top 10 – 2017
- CWE/SANS TOP 25 Most Dangerous Software Errors: CWE/SANS TOP 25
- Securing PHP web applications: https://php.earth/docs/security/intro
- Network forensics: Infosec – Network forensics, ENISA training for network forensics


Password policies

By | Terminology and Guidelines | No Comments

Responsibilities of systems processing passwords

– Passwords must be prohibited from being displayed when entered.
– Passwords must never be stored in clear, readable format (encryption must always be used).
– Encrypted password hashes must never be accessible to unauthorized individuals.
– Where possible, salted hashes should be used for password encryption.

Password requirements

– At least eight (8) characters, using a combination of at least one character from each of the following four listed character types:
— uppercase letters (A-Z)
— lowercase letters (a-z)
— base 10 digits (0-9)
— non-alphanumeric (such as ` ~ ! @ # $…


HTTP Strict Transport Security (HSTS)

By | Terminology and Guidelines | No Comments

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. Read more: OWASP – HSTS Cheatsheet


Cross-Site Request Forgery (CSRF)

By | Terminology and Guidelines | No Comments

CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim. Read more: OWASP – CSRF, CSRF CWE


Same origin policy

By | Terminology and Guidelines | No Comments

An origin is defined as a combination of URI scheme, host name, and port number. Same Origin Policy prevents a web site’s scripts from accessing and interacting with scripts used on other sites. In other words, this policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page’s Document Object Model.

Cross-Origin Resource Sharing

The second technique for relaxing the same-origin policy is standardized under the name Cross-Origin Resource Sharing. This standard extends HTTP with a new Origin request header and a new Access-Control-Allow-Origin response header. It allows servers to…


Cross-site Scripting (XSS)

By | Terminology and Guidelines | No Comments

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Non-persistent XSS: These are usually the most common types. Typically these are within HTTP query parameters and are used by…
