We already have SentinelOne (http://www.kernelmode.info/forum/viewto ... =16&t=3388), Cymmetria (http://www.kernelmode.info/forum/viewto ... =16&t=4420) and now brand new company again from Israel joins our elite club.
This time it is not relabeling Urasy/Carberp as NationState APT (SentinelOne) and not hyping on copy-paste from blogs as NationState APT (Cymmetria).
This time it is Cybellum (https://cybellum.com/) and their marketing target is CVEs database.
"Microsoft's 'Application Verifier' bug-finder is easily pwnable", https://www.theregister.co.uk/2017/03/2 ... _problems/
and original source hxxps://cybellum.com/doubleagent-taking-full-control-antivirus/ and hxxps://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/
TL;DR Cybellum discovered Application Verifier (http://www.kernelmode.info/forum/viewto ... =15&t=3418) and immediately labeled it as another unfixable Windows hole.
They even created a few CVE entries:
Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
"pwning" above with AppVerif dll.
How does their (https://github.com/Cybellum/DoubleAgent) code work? Aside from an elite buffer overrun in PATH_Combine, it just drops a dll into system32 (their application is running with full administrator rights) and then registers it as an Application Verifier dll by writing to the HKLM IFEO key.
As you can read from their article, they think it is something not known and "undocumented". While this feature is not officially documented, it has been well known since maybe 2004, and even MS blogged details about it (see links above).
This is when one facepalm is not enough.
What is Cybellum?
It is a typical Israeli based fake shit.
hxxps://cybellum.com/about/
Just a copy-paste from site.
"The Cybellum team is comprised of highly-advanced cyber security experts, with experience in the offensive side of the elite technology unit in the intelligence corps of the Israel Defense Forces. Together they set out to solve one of the most problematic issues in Cybersecurity today from the cybercriminals perspective, The Zero-Day problem."
All four common Israeli fake company triggers are in place.
1) Self-proclaimed experts, always unbelievably advanced -> compare to "elite team" from Sentinel (http://www.kernelmode.info/forum/viewto ... =16&t=3388) and "elite unit, veteran" from Cymmetria (http://www.kernelmode.info/forum/viewto ... =16&t=4420)
2) "Elite", all known Israeli fake companies use this word often. Don't know why, must be some sort of inferiority complex. Well you know, elite, 1337, 0days, apt, mom coommmon I want to play in cyber security analyst 10 more minutes.
3) Israel Defense Forces - all three companies especially highlight that they have ex-military staff, as if this made any big deal. Lol and what? Actually this doesn't give you any advantage in anything, only working as PR for the imbeciles who believe you.
4) All three companies offer ultra super-elite-expert prevention/detection product. Trust us, bro, we are elite.
Just a note on future Cybellum discoveries. Windows has plenty of not really widely known features that can be used to inject your code, especially when running as full admin. So I'm enjoying this new pet and awaiting more entertainment from Cybellum.
Ring0 - the source of inspiration
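The persistence mechanism the post describes (a DLL registered under the HKLM IFEO key as an Application Verifier provider) is something an administrator can audit from the other side. The script below is an added example, not part of the original post and not Cybellum's DoubleAgent code; it enumerates IFEO subkeys, reports those with Application Verifier enabled or a VerifierDlls value, and flags provider DLLs outside an assumed known-good list, resolving them in system32 and checking their Authenticode signature. The `$KnownVerifierDlls` list is an assumption for illustration; tune it to your own estate.

```powershell
# Added audit script; not part of the original post or Cybellum's DoubleAgent code.
# Lists IFEO subkeys that enable Application Verifier (GlobalFlag bit 0x100) or carry
# a VerifierDlls value, and flags provider DLLs outside an assumed known-good list.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption for illustration: stock Application Verifier provider DLLs shipped with Windows.
$KnownVerifierDlls = @('vrfcore.dll', 'vfbasics.dll', 'vfcompat.dll', 'vfprint.dll',
                       'vfnet.dll', 'vfluapriv.dll', 'vfntbase.dll')

function Get-IfeoVerifierEntries {
    foreach ($key in Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }

        # GlobalFlag may be REG_DWORD or a hex string; [int] handles both forms.
        $globalFlag = 0
        if ($null -ne $props.GlobalFlag) { $globalFlag = [int]$props.GlobalFlag }
        $verifierOn = ($globalFlag -band 0x100) -ne 0   # FLG_APPLICATION_VERIFIER

        # VerifierDlls is a space-separated list of DLL names loaded into the target image.
        $dlls = @()
        if ($props.VerifierDlls) { $dlls = @($props.VerifierDlls -split '\s+' | Where-Object { $_ }) }

        if (-not $verifierOn -and $dlls.Count -eq 0) { continue }

        if ($dlls.Count -eq 0) {
            [pscustomobject]@{ Image = $key.PSChildName; VerifierOn = $verifierOn; Dll = $null; Known = $false; Signer = $null }
            continue
        }
        foreach ($dll in $dlls) {
            # Provider DLLs are loaded by name; system32 is where the post says the DLL is dropped.
            $path = Join-Path $env:SystemRoot "System32\$dll"
            $signer = 'missing'
            if (Test-Path $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
            }
            [pscustomobject]@{
                Image      = $key.PSChildName
                VerifierOn = $verifierOn
                Dll        = $dll
                Known      = $KnownVerifierDlls -contains $dll.ToLower()
                Signer     = $signer
            }
        }
    }
}

# Full listing first, then the subset worth a closer look: unknown DLLs registered as providers.
$entries = Get-IfeoVerifierEntries
$entries | Format-Table -AutoSize
$entries | Where-Object { $_.Dll -and -not $_.Known } | Format-Table -AutoSize
```

Run it from an elevated prompt so every IFEO subkey is readable; a legitimate Application Verifier session on a developer box will show the stock DLLs, so the interesting rows are the unknown or unsigned ones.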