AtomBombing: Brand New Code Injection for Windows

Research, Windows, Injection Techniques, Malware, code injection, AtomBombing, APC, enSilo Breaking Malware

TL;DR Here’s a new code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). Currently, this technique goes undetected by common security solutions that focus on preventing infiltration.


Elastic Boundaries – Elevating privileges by environment variables expansion

Vulnerabilities, Windows, code injection, bypass UAC, elevation, environment variable, path redirect, UAC, variable expansion, enSilo Breaking Malware

Even though any process is provided with variables from its environment, they are often overlooked by users, developers and sometimes even the OS itself.


Captain Hook: Pirating AVs to Bypass Exploit Mitigations

av, Vulnerabilities, Windows, code injection, vulnerability, Detours, hooking, enSilo Breaking Malware

TL;DR: We found 6(!) different common security issues that stem from incorrect implementation of code hooking and injection techniques. These issues were found in more than 15 different products. The most impactful discovery was that three different hooking engines also suffer from these kinds of problems, including the most popular commercial


Documenting the Undocumented: Adding CFG Exceptions

Windows, documentation, CFG, Control Flow Guard, NtSetInformationVirtualMemory, enSilo Breaking Malware

TL;DR Microsoft’s Control Flow Guard (CFG) is a security feature that prevents the abuse of indirect calls from calling addresses that are not marked as safe. CFG can cause problems for anyone trying to execute malicious memory manipulations on Windows. In such cases, this can be bypassed by adding an exception to the CFG bitmap (a mapping of


Analyzing Furtim: Malware that Avoids Mass-Infection

Windows, Malware, Furtim, enSilo Breaking Malware

Recently we came across a new malware strain, first discovered by @hFireF0X; at the point of discovery, it was not detected by any of the 56 anti-virus programs tested by the VirusTotal service. (We wrote more about Furtim malware here.)


ArdBot: A Malware Under Construction

Windows, Malware, ArdBot, enSilo Breaking Malware

Recently we came across a new sample of the ArdBot malware, appearing on kernelmode, credited to R136a1. We wrote more about ArdBot here.

Research on this sample revealed a malware strain that is not yet ready for production use, and provided an interesting peek inside a malware’s development process.


Sedating the Watchdog: Abusing Security Products to Bypass Mitigations

tools, av, Vulnerabilities, anti-virus, avulnerabilitychecker, Windows, enSilo Breaking Malware

TL;DR: Design issues in various security products, such as anti-virus, make it significantly easier for threat actors to bypass exploit mitigations. As part of our ongoing goal of complete endpoint security, we found a prevalent flaw where anti-virus products allocate memory with RWX permissions at a predictable address.


A Technical Breakdown of ModPOS

Windows XP, Windows, Web Malware, POS malware, Malware, ModPOS, enSilo Breaking Malware

ModPOS is the latest in the string of POS malware that’s making the news. As its family name implies, this malware is intent on one thing: stealing credit card information.


Moker, Part 2: Capabilities

Windows, Web Malware, Malware, APT, Moker, RAT, enSilo Breaking Malware

A few days ago, we published a blog entry on an advanced malware called Moker, and discussed the different challenges Moker presents to detection and dissection, as part of enSilo’s continuing improvement of our endpoint security software.

Now that we have the stripped down malware sample, it’s time to analyze the actual malware.


Moker, Part 1: Dissecting a New APT Under the Microscope

Windows, Web Malware, Malware, APT, Moker, RAT, enSilo Breaking Malware

Recently, we came across Moker, an advanced malware residing in a sensitive network of a customer. Since the malware did not try to access an external server, but rather tampered with the system’s inner workings, we decided to give this malware a second look. (This kind of work is part of developing complete endpoint security software.)
