trusted applications

Winsage
March 18, 2025
Microsoft's Windows Defender Application Control (WDAC) has become a target for cybersecurity researchers, with bug bounty payouts for successful bypasses. IBM's X-Force team reported various outcomes from WDAC bypass submissions, including successful bypasses that lead to potential bounties, those added to the WDAC recommended block list, and submissions without recognition. Notable contributors like Jimmy Bayne and Casey Smith have made significant discoveries, while the LOLBAS Project has documented additional bypasses, including the Microsoft Teams application. The X-Force team successfully bypassed WDAC during Red Team Operations using techniques such as utilizing known LOLBINs, DLL side-loading, exploiting custom exclusion rules, and identifying new execution chains in trusted applications. Electron applications, which can execute JavaScript and interact with the operating system, present unique vulnerabilities, as demonstrated by a supply-chain attack on the MiMi chat application. In preparation for a Red Team operation, Bobby Cooke's team explored the legacy Microsoft Teams application, discovering vulnerabilities in signed Node modules that allowed them to execute shellcode without triggering WDAC restrictions. They developed a JavaScript-based C2 framework called Loki C2, designed to operate within WDAC policies and facilitate reconnaissance and payload deployment. A demonstration of Loki C2 showcased its ability to bypass strict WDAC policies by modifying resources of the legitimate Teams application, allowing undetected code execution. The ongoing development of techniques and tools by the X-Force team reflects the evolving cybersecurity landscape and the continuous adaptation required to counter emerging threats.
Winsage
December 4, 2024
Microsoft has launched the Windows Resiliency Initiative to enhance the security and reliability of its operating system in response to a significant CrowdStrike outage that affected over 8 million Windows PCs and servers, resulting in losses estimated at .4 billion. The initiative focuses on four key areas: learning from past incidents, reducing administrative privileges, implementing stronger controls for apps and drivers, and improving identity protection. Key components include:
1. Quick Machine Recovery: Allows IT administrators to remotely diagnose and repair devices, reducing downtime.
2. Administrative Protection: Users will operate under standard accounts by default to limit unauthorized access.
3. Smart App Control: Ensures only verified applications can run on Windows PCs.
4. Advanced Identity Protection: Enhancements include stronger password policies and multi-factor authentication.
Additional improvements involve collaboration with security vendors, new encryption features, and transitioning components from C++ to Rust for better code security. The initiative aims to restore user confidence and prevent future cyber threats.
AppWizard
November 27, 2024
Security firm McAfee has identified 15 versions of predatory loan applications, known as 'SpyLoan', infiltrating the Google Play Store since 2020, with over 8 million installations. These apps request extensive permissions to harvest sensitive personal information, which is encrypted and sent to a command-and-control server. They mimic reputable financial services and often prompt users for a one-time password (OTP). Users have reported harassment from recovery agents, including threats and modified images taken from their devices. India is the most affected country, followed by Mexico, the Philippines, and others. Regulatory actions have been taken, but the apps continue to proliferate. Users are advised to check for and uninstall any SpyLoan apps to protect their personal information.
Tech Optimizer
November 23, 2024
XProtect is the native antivirus technology for macOS that operates without additional installations, continuously scanning files and applications for malware. It alerts users upon detecting threats, offering options to quarantine or remove infected files. XProtect integrates with Gatekeeper and System Integrity Protection (SIP) to provide multiple layers of defense. It receives automatic updates from Apple, ensuring protection against evolving threats while maintaining resource efficiency and broad compatibility with modern macOS versions. XProtect's deep integration with macOS allows for seamless operation, although users seeking advanced protections may consider third-party solutions. Users are advised to keep macOS updated, download apps from trusted sources, enable Gatekeeper, and practice caution online. Despite macOS's inherent security, it is still vulnerable to malware, highlighting the need for XProtect. Future versions may incorporate AI-driven features for enhanced detection and cross-device compatibility.
Tech Optimizer
October 26, 2024
Offering antivirus or security suite protection for free can enhance brand awareness and goodwill among consumers, but financial sustainability is at risk without a significant number of users upgrading to paid versions. Avira Internet Security's annual fee for a single installation is .99, with a three-license subscription costing .99, and a five-license option priced at .99, making it the highest rate for an entry-level security suite. The interface of Avira Internet Security is similar to Avira Free Security, and both versions provide basic features, including real-time protection and a file shredder. Avira achieved an aggregate score of 9.7 in antivirus testing but detected 97% of malware samples. Its Browser Safety extension blocked 98% of harmful URLs, while Web protection achieved 97% effectiveness. Avira's ransomware protection likely functions well, but its efficacy could not be definitively proven. The Software Updater Pro feature allows users to manage application updates, but it requires manual intervention. Avira Password Manager offers unlimited password syncing across devices in its free version, while the Pro edition provides a security status report. The simple firewall included in Avira Internet Security offers basic network protection and is easy to configure. Overall, most valuable features are available in the free edition, and Bitdefender Internet Security is recommended as a superior alternative.
Tech Optimizer
October 23, 2024
Cybersecurity experts from Dr.Web have discovered a cyber attack involving Trojan.AutoIt.1443, targeting approximately 28,000 users primarily in Russia and neighboring countries. The malware disguises itself as legitimate applications and is spread through deceptive links on platforms like GitHub and YouTube, leading to password-protected downloads that evade antivirus detection. Key components of the malware include UnRar.exe and scripts named Iun.bat and Uun.bat, which facilitate its installation while erasing traces of activity. The malware scans for debugging tools, establishes network access via Ncat, and manipulates the system registry to maintain persistence. Its operations include cryptomining using SilentCryptoMiner and cryptostealing through a clipper tool that swaps cryptocurrency wallet addresses. The campaign has affected users drawn to pirated software, highlighting the risks of downloading from unverified sources.
AppWizard
October 22, 2024
Android 15 introduces enhanced security for notifications containing two-factor authentication codes by classifying them as "sensitive." Only trusted applications, which must hold the RECEIVE_SENSITIVE_NOTIFICATIONS permission, can access these notifications, preventing untrusted apps from reading them. The Android System Intelligence (ASI) processes notifications and marks those with sensitive content, ensuring untrusted apps receive a notification stating, "sensitive notification content hidden." This change aims to improve security against hacking attempts but may disrupt automation tools that read notifications. Workarounds exist to restore previous functionality, but they pose potential security risks.