Facebook or "malware delivery as a service" for cybercriminals.
Recently, Abderraouf Dandani and I investigated a suspicious ad on Facebook: it contained a link to download a .rar file from Google Drive, plus the password for the archive.
The advertised post originated from "Gemini[dot]AI" (www.facebook[dot]com/AI.ultra[dot]new). Please report this page.
Our analysis revealed the following:
- The compressed .rar file contained a .msi file named "Google AI Gemini Ultra For PC V1.0.1.msi," purportedly for installing "Gemini."
- The installer also contained other files related to a malicious browser extension and some DLLs.
- A PowerShell script was also present, designed to terminate the Chromium-based browsers Chrome, Edge, and Brave, relaunch them with the malicious extension loaded in developer mode, and finally redirect the user to bing[dot]com/images/create (Microsoft Copilot).
- After deobfuscating the JS code of the extension, we discovered that it steals the victim's Facebook cookies, access_token, and other Facebook account information, as well as the victim's IP address and location. This malware targets specific users, particularly those with prominent Facebook pages, advertisement accounts, and business accounts.
- All stolen data is sent to the attacker's server at https://managedkv[dot]com
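The relaunch step above is what a defender can hunt for on the endpoint: a Chromium browser started with an unpacked extension on its command line, with a script host as its parent. The following is an added example, not code from the original post or from the analysed sample; it assumes the relaunch uses Chromium's --load-extension flag (the documented way to sideload an unpacked extension without the Web Store), and the process-creation records it scans are constructed here in a Sysmon Event ID 1 like shape, not taken from the real infection.

```python
"""Hunt for Chromium browsers relaunched with a sideloaded unpacked extension.

Added example: flags chrome/msedge/brave launches whose command line carries
--load-extension, raising severity when the parent is a script host such as
powershell.exe. The sample records below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# --load-extension=path, --load-extension="path with spaces", or --load-extension path
LOAD_EXT_RE = re.compile(r'--load-extension[=\s]+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)
# Paths a dropper would typically write to (user-writable locations).
USER_WRITABLE_RE = re.compile(r"\\(temp|appdata|downloads)\\", re.IGNORECASE)

# Constructed records (assumption: Sysmon EventID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--load-extension="C:\Users\victim\AppData\Local\Temp\ext" '
                    r"https://www.bing.com/images/create"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r"--load-extension=D:\dev\myext --disable-extensions-except=D:\dev\myext"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe"},
]


@dataclass
class Finding:
    image: str
    parent: str
    extension_paths: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    severity: str = "medium"


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict):
    """Return a Finding for a browser launch that sideloads an extension, else None."""
    image = basename(event["Image"])
    if image not in CHROMIUM_BROWSERS:
        return None
    cmd = event["CommandLine"]
    paths = [quoted or bare for quoted, bare in LOAD_EXT_RE.findall(cmd)]
    if not paths:
        return None
    parent = basename(event["ParentImage"])
    # Script-host parent or a dropper-style extension location => high.
    dropper_like = any(USER_WRITABLE_RE.search(p) for p in paths)
    severity = "high" if parent in SCRIPT_HOSTS or dropper_like else "medium"
    return Finding(image=image, parent=parent, extension_paths=paths,
                   urls=URL_RE.findall(cmd), severity=severity)


def hunt(events: list) -> list:
    """Scan a batch of process-creation records and keep only the findings."""
    return [f for f in map(analyze_event, events) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.parent} -> {f.image} loads {f.extension_paths} opens {f.urls}")
```

On a live Windows host the same check is a one-liner in PowerShell: `Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -match '--load-extension' }`, and the parent process ID it returns tells you whether a script host spawned the browser. A developer loading an unpacked extension by hand will occasionally trip the medium rule, which is why the parent and the extension path are part of the scoring rather than the flag alone.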
The ad is being shared by compromised accounts and pages to spread the malware further.
Please report the Facebook page and the domain used by the attacker.
We hope that social media companies make an effort to stop malware and scams from spreading through their ads.
Stay safe.
Some links:
- Someone made a nice video on the static analysis of the malware; check it out for more technical details: https://lnkd.in/enNu3ScQ
- Our ANY.RUN - Interactive Malware Analysis Service task: https://lnkd.in/egvd-YGy
- VirusTotal: https://lnkd.in/eEc-KfiK
#facebook #facebookads #google #gemini #cyberawareness #cybersecurity #malware #malwareanalysis #reverseengineering #threathunting #anyrun