Deobfuscating VBA & PowerShell Scripts of an Emotet Trojan Downloader

We analyzed a recent wave of phishing mails trying to spread the Emotet banking trojan via malicious Word documents. This post provides details of the obfuscation methods used in the VBA macro and the PowerShell script contained within the Word documents.


Practical Tips for OWASP Top 10 2017 #7: Insufficient Attack Protection

The preliminary release of the OWASP Top 10 - 2017 rc1 in April 2017 has stirred up quite a bit of controversy over the inclusion of a new entry titled "A7 - Insufficient Attack Protection". Aside from taxonomical problems (a lack of protection is not a vulnerability in itself), the description for the entry explicitly recommends solutions such as Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) products. The likely result is that many decision makers will take the shortcut of buying a WAF and putting a checkmark next to A7 on the Top 10 list.


How we found a tcpdump vulnerability using cloud fuzzing

Fuzzing is a method for identifying software bugs and vulnerabilities. There is a clear trend toward moving fuzzing into the cloud, since cloud fuzzing offers higher throughput and far more flexibility than classic local fuzzing. In this tutorial, we go through the full process of cloud fuzzing on Amazon's cloud: deployment, fuzzing and retrieving the results using the softScheck Cloud Fuzzing Framework (sCFF). We identify a vulnerability present in tcpdump version 4.9 running on Ubuntu 16.04, analyze the bug and write a patch that closes the vulnerability. Readers can download sCFF and follow the tutorial step by step.


Privacy Analysis of Windows 10 Enterprise at Telemetry Level 0

This research analyzes how much privacy Windows 10 actually provides when the most restrictive privacy settings available are used. Windows 10 has been observed to establish encrypted connections to Microsoft servers without any directly related user interaction. softScheck already identified this traffic in an earlier analysis; the goal now is to examine the communication itself by monitoring the data being sent.


Reverse Engineering the TP-Link HS110

The TP-Link HS110 is a Wi-Fi-enabled, cloud-connected power plug that can be switched on and off remotely via an app and offers energy monitoring and scheduling capabilities. As part of our ongoing research into Internet of Things security, we performed a security analysis by reverse engineering the device firmware and the Android app, sniffing the app-to-device and device-to-app communication, and fuzzing the proprietary protocols in use.


Security Testing Open Source Webinar

Open source, and third-party source code in general, is being used more and more heavily; this maximizes productivity and minimizes development costs. However, the way open source suites and products are used has changed considerably over the last year, driven by the discovery of serious security vulnerabilities and by a heightened sensitivity toward "compliance".
