Our Top 6 Security Research Stories of 2017

Goodbye, 2017... and hello, 2018! This year was a landmark year for cybersecurity. 2017 brought calamity, including the biggest security breach ever, affecting almost half of all Americans, but it also gave our researchers the inspiration (and time) to publish some amazing work.

From a free DLL hijacking vulnerability scanner to Mac malware analysis to multiple cease and desist letters, we're highlighting our top six research reports of 2017:

  1. OSX.Pirrit Mac Adware Part III: The Davinci Code
  2. Siofra: DLL Hijacking Vulnerability Scanner and PE Infection Tool
  3. ShadowWali: New variant of the xxmm family of backdoors
  4. Proton.B: What this Mac malware actually does
  5. Operation Cobalt Kitty
  6. NotPetya and Bad Rabbit vaccines/solutions

OSX.Pirrit Mac Adware Part III: The Davinci Code

Amit Serper, Principal Security Researcher, discovered that OSX.Pirrit, a nasty piece of adware, is still alive and spreading. He originally published research on OSX.Pirrit back in April 2016, but has since revisited the adware and found that it is still quite active. Unlike older versions of OSX.Pirrit, which used rogue browser plug-ins or installed a proxy server on the victim's machine to hijack the browser, the latest incarnation abuses AppleScript. Amit's research didn't go unnoticed by the creators of OSX.Pirrit: the company tried to prevent him from publishing it by sending a few cease and desist letters. Obviously, that didn't stop him. Read Amit's findings here.

Siofra: DLL Hijacking Vulnerability Scanner and PE Infection Tool

Siofra is a research tool that identifies DLL hijacking vulnerabilities in Windows programs and automates the crafting of DLLs that exploit them. Other scanners have been written to find this type of vulnerability, but the scanner in Siofra is the most current. The tool exposes a huge number of vulnerabilities, including several high-sensitivity, previously unknown ones in Windows Defender, Internet Explorer and WMI. Microsoft usually fixes vulnerabilities of this kind once they are identified, but in this case it has chosen not to, telling us that "loading binaries from the application directory is by design." To help researchers understand the technical details of this project, part of the tool is open source and available on GitHub. Read more about Siofra here.

ShadowWali: New variant of the xxmm family of backdoors

Assaf Dahan, Director of Security Services, Japan, discovered another member of the xxmm family of backdoors: ShadowWali. Like the Wali backdoor, ShadowWali targets Japanese businesses and was built with the xxmm malware toolkit. In fact, both backdoors can be attributed to the same author. ShadowWali is likely an earlier version of Wali, making it Wali's "older brother." In his research, Assaf reviews the xxmm backdoor family and shows the similarities between Wali and ShadowWali. He also provides new insights into the backdoor's post-infection phases.

Proton.B: What this Mac malware actually does

Remember when hackers added a new variant of the Proton remote access tool to the very popular video encoding app HandBrake? Well, Amit Serper, Principal Security Researcher, downloaded a sample of the trojaned HandBrake and detailed his findings. He looks at what the new variant, Proton.B, actually does after it's executed. Amit's words of wisdom: if you think you've been hit by Proton, change all of your passwords and assume that all of your credentials have been compromised.

Operation Cobalt Kitty

Earlier this year, Assaf Dahan, Director of Security Services, Japan, investigated a targeted attack that he named Operation Cobalt Kitty. The threat actor went after the victim company's top-level management, ultimately compromising the computers of VPs, senior directors and other key operations managers. During the attack (before the victim company deployed Cybereason), over 40 PCs and servers were compromised, including the domain controller, file servers, the web application server and the database server. Assaf's report offers a glimpse of what a cyberattack looks like under the hood.

Vaccines for NotPetya and Bad Rabbit

Principal Security Researcher Amit Serper developed two workarounds that stopped the spread of the global NotPetya and Bad Rabbit cyberattacks. These attacks impacted hundreds of organizations around the world and caused damage estimated in the millions of dollars.

Thank you to all our readers and subscribers for an amazingly enlightening year. 

Sarah Maloney

About the Author

Sarah Maloney is a writer for the Cybereason Blog, covering all things cybersecurity.