Discover and read the best of Twitter Threads about #Magniber

#Qakbot once again had some surprises for us this week. See below for a brief overview of what we found. 🧵 1/6
First and foremost, #Qakbot seems to have departed from their usual use of LNK files to trigger execution. Instead they now present .vbs or .js files at the root folder of the disk image 💿. 🧵 2/6
This alone would not be significant, since we have observed .js and .vbs files in Qakbot's infection chain before. Now however these files also contain a signature that apparently bypasses Windows MotW / SmartScreen warnings. 🧵 3/6
#MagnitudeEK is now stepping up its game by using CVE-2021-21224 and CVE-2021-31956 to exploit Chromium-based browsers. This is an interesting development since most exploit kits are currently targeting exclusively Internet Explorer, with Chromium staying out of their reach.
CVE-2021-21224, a type confusion in V8, is used to compromise a renderer process. CVE-2021-31956, a Windows EoP, is used to escape the Chromium sandbox. This is the same combination of vulnerabilities that was suspected to be chained in the #PuzzleMaker attack.
The attacks we have seen so far are targeting only Windows builds 18362, 18363, 19041, and 19042 (19H1–20H2). Build 19043 (21H1) is not targeted. The exploit for CVE-2021-31956 contains hardcoded syscall numbers relevant just for these builds.