SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store

Authors: Alberto Segura, Malware analystRolf Govers, Malware analyst & Forensic IT Expert NCC Group, as well as many other researchers noticed a rise in Android malware last year, especillay Android banking malware. Within the Treat Intelligence team of NCC Group we’re looking closely to several of these malware families to provide valuable information to our … Continue reading SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store

log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228

tl;dr Run our new tool by adding -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability and gaining remote code execution on your systems. In this post, we first offer some context on the vulnerability, the released fixes (and their shortcomings), and … Continue reading log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228

Log4Shell: Reconnaissance and post exploitation network detection

Note: This blogpost will be live-updated with new information. NCC Group’s RIFT is intending to publish PCAPs of different exploitation methods in the near future – last updated December 14th at 13:00 UTC About the Research and Intelligence Fusion Team (RIFT): RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat … Continue reading Log4Shell: Reconnaissance and post exploitation network detection

Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm

Author: Margit Hazenbroek tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. This model utilizes the Half-Space-Trees algorithm and provides our security operations teams (SOC) with the opportunity to detect suspicious behavior, in real-time, even when network traffic is encrypted.  The prevalence of encrypted traffic As a company that … Continue reading Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm

Machine learning from idea to reality: a PowerShell case study

Detecting both ‘offensive’ and obfuscated PowerShell scripts in Splunk using Windows Event Log 4104 Author: Joost Jansen This blog provides a ‘look behind the scenes’ at the RIFT Data Science team and describes the process of moving from the need or an idea for research towards models that can be used in practice. More specifically, … Continue reading Machine learning from idea to reality: a PowerShell case study