DLLs

Winsage
May 7, 2025
The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, which has a CVSS score of 7.8 and is categorized as a "Use after free" vulnerability. This flaw allows an authorized attacker to elevate privileges locally and has been confirmed to be exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft addressed this vulnerability during its April Patch Tuesday security updates, acknowledging its exploitation in limited attacks targeting various sectors in the U.S. and Saudi Arabia. Researchers from Symantec reported that the Play ransomware gang used the CVE-2025-29824 exploit in an attack against a U.S. organization before the public disclosure and patching of the vulnerability. The attackers utilized the Grixba infostealer tool and initially exploited a public-facing Cisco ASA firewall to gain entry. They deployed tools to gather information, escalated privileges using the CVE-2025-29824 exploit, and executed malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, allowing kernel access and manipulation of files. Before the patch was released, the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.
Winsage
April 30, 2025
Windows Task Manager has been enhanced in Windows 11, featuring a streamlined interface and improved functionality. Alternatives to Task Manager include:
- System Informer: A free, open-source tool that monitors system resources with real-time performance graphs and detailed process information. It displays CPU, memory, and disk usage, tracks file access, and offers advanced features like call stack traces.
- System Explorer: Integrates system monitoring with security features, providing a clean interface for exploring processes, modules, and network connections. It includes a built-in file database and VirusTotal integration for security assessments.
- Process Lasso: Extends Task Manager capabilities by allowing users to adjust CPU priority and core affinities. Features include ProBalance for automatic CPU adjustments, performance mode for optimizing CPU usage, IdleSaver for power management, and SmartTrim for memory optimization.
- Process Explorer: A Sysinternals tool that offers a detailed view of running processes in a hierarchical tree format, showing user, PID, and resource usage. It includes a search capability for identifying resource usage and integrates with VirusTotal for security checks.
- Task Manager DeLuxe (TMX): A portable task management tool that consolidates system stats across multiple tabs, providing quick access to CPU and memory usage, along with graphical representations of network and disk activity. It allows filtering and searching for processes and can be run from a USB drive.
Tech Optimizer
April 16, 2025
Windows Defender Application Control (WDAC) is a built-in security feature on Windows PCs that restricts the execution of unauthorized software by allowing only trusted applications. However, hackers have discovered multiple methods to bypass WDAC, exposing systems to malware and cyber threats. Techniques for bypassing WDAC include using Living-off-the-Land Binaries (LOLBins), DLL sideloading, and exploiting misconfigurations in WDAC policies. Attackers can execute unauthorized code without triggering alerts from traditional security solutions, enabling them to install ransomware or create backdoors. Microsoft operates a bug bounty program to address vulnerabilities in WDAC, but some bypass techniques remain unpatched for long periods. Users can mitigate risks by keeping Windows updated, being cautious with software downloads, and using strong antivirus software.
Winsage
February 17, 2025
Microsoft has discontinued support for Windows 7, ending security updates and features, with the Extended Security Updates (ESU) program concluding in 2023. VxKex NEXT is an application that enables users to run Windows 8 and Windows 10 applications on Windows 7 by redirecting application calls to its own dynamically linked libraries (DLLs). The application is available for download on GitHub and does not alter system files, ensuring system stability. It can be uninstalled easily if users choose to upgrade to a newer version of Windows in the future.
Winsage
February 5, 2025
A critical zero-day vulnerability has been identified in Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute harmful code. This vulnerability has been verified and remains unresolved despite being disclosed to Microsoft over 90 days ago. The Sysinternals tools, including Process Explorer, Autoruns, and Bginfo, are widely used for system analysis and troubleshooting but lack integration with the Windows Update system, requiring manual management of security patches. The vulnerability stems from how Sysinternals tools load DLL files: untrusted locations such as the executable's own directory are searched before the secure system directories. Attackers can place a malicious DLL in the same directory as a legitimate Sysinternals executable, leading to the execution of arbitrary code under the user's privileges. A real-world example demonstrated that an attacker could deploy a Trojan via the Bginfo tool by loading a malicious DLL from a network directory. The vulnerability affects multiple Sysinternals applications, and a comprehensive list is available from the researcher. Microsoft has classified the issue as a "defense-in-depth" enhancement rather than a critical vulnerability, focusing on local execution rather than the risks associated with network paths. As of December 2024, the vulnerability remains unpatched, prompting users to take precautionary steps such as avoiding running the tools from network locations and verifying DLL integrity.
Winsage
December 16, 2024
Running Windows applications on Linux can be done using tools like Wine, which is a compatibility layer allowing Windows programs to run without a full Windows installation. Users can utilize Wine through command-line or GUI wrappers such as PlayOnLinux, Bottles, Heroic Launcher, and Lutris. To install Windows applications like Notepad++ using Bottles, users can install Bottles via Flatpak, create a new bottle for the application, and run the installer from within Bottles. For more control, users can install Wine via the command line and execute Windows executables directly. The winecfg command allows users to adjust settings, and Winetricks can be used to install necessary components for certain applications. Virtualization software, such as VirtualBox and VMware Player, can be used to create a virtual Windows environment on Linux, which is beneficial for resource-intensive applications. For gaming, tools like Proton and Lutris can facilitate running Windows games on Linux, with Proton being optimized for Steam. Users can also run a Windows virtual machine for gaming, though it may require more resources. Checking for native Linux versions of games is recommended before using compatibility layers or virtualization.
Tech Optimizer
December 14, 2024
HeartCrypt is a packer-as-a-service (PaaS) developed in July 2023 and launched in February 2024, designed to help malware operators evade antivirus detection. It has facilitated the packing of over 2,000 malicious payloads across 45 malware families. HeartCrypt injects harmful code into legitimate executable files, complicating detection by antivirus software. It is promoted on underground forums and Telegram channels, charging a fee per file for packing Windows x86 and .NET payloads. Its clients include operators of malware families like LummaStealer, Remcos, and Rhadamanthys. The packing process involves several techniques:
- Payload Execution: The payload is encrypted with a single-byte XOR operation and executed through process hollowing or .NET framework capabilities.
- Stub Creation: Position-independent code (PIC) is integrated into the binary's .text section.
- Control Flow Hijacking: The entry point of the original binary is altered to redirect execution to the malicious PIC.
- Resource Addition: Resources disguised as BMP files contain encoded malicious code.
- Obfuscation Techniques: Multiple layers of encoding are used, including stack strings and dynamic API resolution.
HeartCrypt employs anti-analysis techniques such as loading non-existent DLLs to detect sandbox environments and using virtual DLLs to evade Windows Defender's emulator. The service lowers entry barriers for malware operators, potentially increasing malware infections. Security researchers have analyzed HeartCrypt payloads, revealing insights into its operations and associated malware campaigns.
Winsage
October 28, 2024
Recent findings have identified a vulnerability in fully patched Windows 11 systems that allows attackers to install custom rootkits, which can bypass endpoint security and maintain persistence on compromised systems. This vulnerability is linked to a downgrade attack technique demonstrated by SafeBreach researcher Alon Leviev at Black Hat USA 2024, using an exploit tool called Windows Downdate. This tool enables an attacker with administrative access to manipulate the Windows Update process, reverting patched components to vulnerable states. Leviev's demonstration showed that even systems using virtualization-based security (VBS) are at risk, as he could downgrade VBS features and expose previously fixed privilege escalation vulnerabilities. Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the core issue of the downgrade capability. Microsoft maintains that the ability for an admin-level user to gain kernel code execution does not cross a security boundary. Leviev released details of a new downgrade attack on October 26, using the Windows Downdate tool to revive a driver signature enforcement bypass attack. He categorized this flaw as False File Immutability (FFI), exploiting incorrect assumptions about file immutability. He noted that downgrading specific OS modules, like CI.dll, allows exploitation even with VBS enabled. Tim Peck from Securonix highlighted that the attacks exploit Windows' failure to validate DLL version numbers properly, enabling the use of outdated, vulnerable files. Microsoft is actively developing mitigations against these risks, including a security update to revoke outdated VBS system files, although specific measures and timelines are not yet disclosed.