Security Research

SentinelOne Detects and Blocks New Variant of Powershell CryptoWorm

Introduction: Late last year, Marco Ramilli posted an article on an in-memory Powershell-WMI CryptoWorm. Here at SentinelOne, we found a new active variant of this spreading CryptoWorm. In this post we will review what’s new in this variant and suggest how to remove it from an infected network. What’s new in this version? Communication: This CryptoWorm […]

Deep Hooks: Monitoring native execution in WoW64 applications – Part 3

Introduction: Last time (part 1, part 2) we demonstrated several different methods for injecting 64-bit modules into WoW64 processes. This post will pick up where we left off and describe how the ability to execute 64-bit code in such processes can be leveraged to hook native x64 APIs. To accomplish this task, the injected DLL […]

Deep Hooks: Monitoring native execution in WoW64 applications – Part 2

Where we left off: In the first part of this series we presented several injection methods capable of injecting 64-bit DLLs into WoW64 processes, with the intention of eventually using this DLL to hook 64-bit API functions in the process. We finished the post by presenting injection via APC, and saw that, when tested to […]

Deep Hooks: Monitoring native execution in WoW64 applications – Part 1

Introduction: This blog post is the first in a three-part series describing the challenges one has to overcome when trying to hook the native NTDLL in WoW64 applications (32-bit processes running on top of a 64-bit Windows platform). As documented by numerous other sources, WoW64 processes contain two versions of NTDLL. The first is a […]

What Really Matters with Machine Learning

History will look back on our time as the beginning of the artificial intelligence revolution. In 2017, artificial intelligences are beating us at Go, translating and inventing their own languages, helping us decide what to buy, writing for us, and composing music. Neural networks can even be used for image compression! As you might expect, the endpoint security […]

OSX.CpuMeaner: New Cryptocurrency Mining Trojan Targets macOS

(Image source: Beware of traps, by Carmen) In this post, we analyze a new cryptocurrency mining trojan targeting macOS. The malware hides behind the promise of pirated application downloads and secretly mines the Monero cryptocurrency with the user’s hardware. While the idea is similar to OSX.Pwnet, the means and method of implementation are closer to that […]

New Bad Rabbit Ransomware Attack

It’s been almost exactly four months since the last Petya ransomware outbreak. On October 24th, a new variant of Petya called Bad Rabbit was discovered attacking consumers and organizations, mostly in Russia. Below is a copy of the ransom note, which is similar to Petya’s ransom note: SentinelOne customers are protected from this threat. Below […]

RTF zero day in the wild

FireEye recently published an RTF zero day that has been used in the wild since July. This zero day was used to spread FinSpy/FinFisher malware, a “lawful intercept” product with RAT-like capabilities. The disclosed vulnerability is a logical vulnerability, which means most EMET-style anti-exploitation techniques (ASLR, DEP, CFG) are irrelevant. As are any other pre-execution security mechanisms […]

OSX.Pwnet.A – CS: GO Hack and Sneaky Miner

(Photo source: Pony Strike: Global Offense by FilipinoNinja95) We recently found a hack for Counter-Strike: Global Offensive on macOS that is also a trojan that could mine cryptocurrencies without user consent. According to VirusTotal Retrohunt, the threat has been in the wild since the beginning of July 2017. Warning: At the time of this writing, all […]
