ITSEC Newsletter 2024-12-05

Author

Henrik Falk
December 05, 2024

Gaming Engines: An Undetected Playground for Malware Loaders

Since at least June 29, 2024, cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware. This technique has remained undetected by most Antivirus tools on VirusTotal, possibly infecting more than 17,000 machines in just a few months. The loader using this novel technique, GodLoader, has been distributed throughout September and October via the Stargazers Ghost Network. This network operates as a Distribution as a Service (DaaS), enabling the “legitimate” distribution of malware through GitHub repositories.

research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders

Bypassing WAFs with the phantom $Version cookie

HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known features of modern cookie parsers and show how they can be abused to bypass web application firewalls. This is the first part of a series of blog posts on cookie parsing.

portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie

(QR) Coding My Way Out of Here: C2 in Browser Isolation Environments

Mandiant’s Red Team developed a novel solution to this problem. Instead of returning the C2 data in the HTTP request headers or body, the C2 server returns a valid web page that visually shows a QR code. The implant then uses a local headless browser (e.g., using Selenium) to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data. By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the web page is rendered in a remote browser.

cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolation-environments