STUBborn: Activate and call DCOM objects without proxy

In recent years, Local RPC (LRPC) and ALPC have come under scrutiny from Windows internals enthusiasts and vulnerability researchers.

In this article, we will go a step further to explore what can be done about LocalServer DCOM objects, how to instantiate them and directly connect to their interfaces without using the COM proxy clients normally rely on!

This will give us an excuse to explore some COM internals, understand part of the combase DLL and write more fun Python code!


Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts

We recently discovered a novel, undetected implant family targeting Linux servers, which we dubbed Mélofée.

We have linked this malware with high confidence to Chinese state-sponsored APT groups, in particular the notorious Winnti group.

In this blog post we will first analyze the capabilities offered by this malware family, which include a kernel-mode rootkit, and then deep dive into an infrastructure pivot maze to discover related adversary toolsets.


Tricephalic Hellkeeper: a tale of a passive backdoor

We recently found a new passive backdoor targeting Linux and Solaris servers, which can use TCP, UDP or ICMP packets as its triggers.

In this article we will dive into BPF in order to assess its capabilities :D
