L0RDIX: Multipurpose Attack Tool

enSilo Breaking Malware

L0rdix, currently available for purchase in underground forums, is aimed at infecting Windows-based machines, combines stealing and cryptocurrency mining methods, can avoid malware analysis tools and is designed to be a universal "go-to" tool for attackers. Indicators suggest the tool is still under development and we expect to encounter more
Read More

Enter The DarkGate: New Cryptocurrency Mining and Ransomware Campaign

enSilo Breaking Malware

An active and stealthy cryptocurrency mining and ransomware campaign infecting targets in Spain and France which leverages multiple bypass techniques to evade detection by traditional AV.

Read More

Melting Down PatchGuard: Leveraging KPTI to Bypass Kernel Patch Protection

cybersecurity, Windows, enSilo Breaking Malware, meltdown, KPTI, PatchGuard

The mitigation for Meltdown created a new part in the kernel which PatchGuard left unprotected, making hooking of system calls and interrupts possible, even with HVCI enabled.

Read More

Turning (Page) Tables: Bypassing Kernel Mitigations to Successfully Escalate Privileges

cybersecurity, enSilo Breaking Malware, enSilo Corporate and Product

On August 8th, at the BSides Conference in Las Vegas, we unveiled a new exploitation technique against the Microsoft Windows operating system. It's a general technique to leverage with kernel vulnerabilities and make privilege escalation easier.

Read More

GlobeImposter Ransomware

enSilo Breaking Malware, enSilo Corporate and Product, Ransomware, GlobeImposter

GlobeImposter Ransomware

Read More

Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 2)

Windows, documentation, enSilo Breaking Malware, enSilo Corporate and Product

TL;DR: Security vendors and kernel developers beware – a programming error in the Windows kernel could prevent you from identifying which modules have been loaded at runtime. And the fix for it isn’t as foolproof as you would’ve hoped. 

Read More

Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 1)

Windows, documentation, enSilo Breaking Malware, enSilo Corporate and Product

TL;DR: Security vendors and kernel developers beware – a programming error in the Windows kernel could prevent you from identifying which modules have been loaded at runtime.

Read More

Command Injection/Elevation – Environment Variables Revisited

Vulnerabilities, Windows, code injection, elevation, command injection, UAC, variables, enSilo Breaking Malware, enSilo Corporate and Product

Windows environment variables can be used to run commands and can also be used to bypass UAC, allowing an attacker with limited privileges to take complete control of the system. This code leverages a rather unusual scenario within Windows OS.

This is a continuation of our research as described in a previous post: Elastic Boundaries – Elevating

Read More

AtomBombing CFG-Protected Processes

Windows, Injection Techniques, code injection, AtomBombing, CFG, Control Flow Guard, enSilo Breaking Malware, enSilo Corporate and Product

TL;DR: We show AtomBombing modifications to enable us to inject code into CFG-protected processes.

Read More

AtomBombing: Brand New Code Injection for Windows

Research, Windows, Injection Techniques, Malware, code injection, AtomBombing, APC, enSilo Breaking Malware, enSilo Corporate and Product

TL;DR Here’s a new code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). Currently, this technique goes undetected by common security solutions that focus on preventing infiltration.

Read More

Tags