How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document?
https://www.securitynewspaper.com/2022/06/03/how-to-hide-spoofed-malicious-domain-when-users-hover-above-a-link-in-a-phishing-email-in-microsoft-outlook-word-or-excel-document/
Fri, 03 Jun 2022 20:43:26 +0000

A recent report indicates that Microsoft Office applications could be exposed to homograph attacks based on internationalized domain names (IDNs). In a successful attack, a target user hovering over a link in a phishing email or in a Word or Excel document could be automatically redirected to a malicious domain.

The report, by Bitdefender, mentions: “Users in a position to validate a link in an email client before clicking on it will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”

The term IDN refers to domain names that, in whole or in part, use characters from a non-Latin script or alphabet, encoded under the Unicode standard. So that the Domain Name System (DNS) can handle them, IDNs are stored in the DNS as ASCII strings using the Punycode encoding.

Counterfeit IDN homograph domains can be created by combining letters from different alphabets that look so similar to the user that they cannot be told apart, although Unicode treats them as separate characters. This is not a new concept, but it is still a problem for many users.

Most browsers, for example, show the Punycode form of an internationalized domain name in the address bar (https://xn--n1aag8f.com, for example) instead of its Unicode display form (https://žugec.com) when the name looks suspicious. However, Office applications, including Outlook, display the name differently.

Since domain registration verification greatly limits which counterfeit domains can be registered and most browsers display the real name of the spoofed IDN domain, IDN homograph attacks have ceased to be a constant cybersecurity threat, although threat actors may find ways to deploy these attacks on a large scale.
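As an added illustration (not code from the Bitdefender report or from this article), the following Python check converts the host shown in a link into the Punycode form the DNS sees and flags the two signs an analyst or mail filter looks for: a label that mixes scripts, and a label that renders like an ASCII name. The lookalike table is a constructed assumption standing in for the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters whose glyphs look
# like Latin ones; a real check would load the full Unicode confusables data.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def script_of(ch):
    """Script family of a letter, taken from the first word of its Unicode name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def analyze_domain(display_name):
    """Return the Punycode form of a display host plus the findings an analyst
    would want before trusting the text shown on hover."""
    lowered = display_name.lower()
    ascii_form = lowered.encode("idna").decode("ascii")   # what the DNS sees
    findings = []
    for label in lowered.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        # Replace lookalike letters and see whether a plain ASCII name appears.
        skeleton = "".join(LOOKALIKES.get(c, c) for c in label)
        if skeleton != label and skeleton.isascii():
            findings.append(f"label {label!r} renders like ASCII {skeleton!r}")
    return {"display": display_name, "ascii": ascii_form,
            "is_idn": ascii_form != lowered, "findings": findings}

if __name__ == "__main__":
    # Constructed inputs: a plain name, a Cyrillic-a lookalike, and the article's example.
    for host in ("apple.com", "\u0430pple.com", "\u017eugec.com"):
        print(analyze_domain(host))
```

The Unicode form of an accented Latin name such as žugec.com is legitimately an IDN and produces no finding, which is why the check reports the scripts involved rather than rejecting every IDN.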

Microsoft acknowledged the problem when it received the Bitdefender report, though it is unclear whether the issue will be fixed. Until it is resolved, endpoint security solutions and IP and URL reputation services can help by blocking most suspicious domains.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document? appeared first on Information Security Newspaper | Hacking News.

New tool to find vulnerabilities in the way applications like Microsoft Word and Adobe Acrobat process JavaScript: Cooperative mutation attack
https://www.securitynewspaper.com/2022/05/13/new-tool-to-find-vulnerabilities-in-the-way-applications-like-microsoft-word-and-adobe-acrobat-process-javascript-cooperative-mutation-attack/
Fri, 13 May 2022 16:43:11 +0000

A group of researchers developed a tool capable of detecting errors in the way applications such as Adobe Acrobat or Microsoft Word process JavaScript code. It has allowed them to find a total of 134 security flaws, of which 33 have already received a CVE identifier.

The tool is called “Cooper”, in reference to the technique known as “Cooperative Mutation” that it employs. Xu Peng, a software development specialist and co-author of the tool, explains that applications like the ones mentioned accept input from scripting languages; for example, Acrobat allows JavaScript to manipulate PDF files.

This requires the PDF file to define native PDF objects and the application to parse the JavaScript code. Native objects are processed by Acrobat modules and a built-in JavaScript engine handles the scripts, while a “binding layer” translates between the two.

Xu and his collaborators claim that binding code can be vulnerable to inconsistent semantics and various security gaps, which could lead to severe vulnerabilities. Using Cooper, the researchers were able to identify CVE-2021-21035 and CVE-2021-21028, two severe vulnerabilities in Adobe Acrobat.

Cooper’s developers were able to find these errors because the cooperative mutation technique simultaneously modifies the script code and the related document objects to explore various binding code paths. This is an innovative approach and contrasts with other security techniques based on finding flaws in scripts.

Cooper has three main components:

  • Object clustering: To begin, Cooper analyzes the given sample documents to extract native objects. To reduce the object search space, the tool classifies the objects according to their attributes.
  • Relationship inference: Subsequently, the tool produces a large number of documents by combining different object classes and API groups, recording the execution results of the built-in scripts. Based on the success rate of script execution and the distribution of object classes, Cooper infers the relationships between API groups and object classes.
  • Relationship-guided mutation: Finally, Cooper leverages the inferred relationships to guide object selection, script generation, and object mutation.

Cooper can be described as a fuzzing tool, capable of inferring relationships to guide the process of finding conditions under which scripts and applications engage in unwanted behavior.

The tool is available on the official platforms of the developers.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post New tool to find vulnerabilities in the way applications like Microsoft Word and Adobe Acrobat process JavaScript: Cooperative mutation attack appeared first on Information Security Newspaper | Hacking News.

How to easily check if DOC, RTF, XLS, PPT, PPTX or PDF file has a malware without antivirus like a digital forensics expert
https://www.securitynewspaper.com/2021/02/06/how-to-easily-check-if-doc-rtf-xls-ppt-pptx-or-pdf-file-has-a-malware-without-antivirus-like-a-digital-forensics-expert/
Sat, 06 Feb 2021 19:55:00 +0000

In most cyberattack variants, threat actors use legitimate-looking documents loaded with malware, which is why researchers often say it all starts with a Word file, a PowerPoint presentation, an Excel spreadsheet, or even a book downloaded from a free PDF website.

This time, digital forensics experts from the International Institute of Cyber Security (IICS) will show you a simple method to manually examine a suspicious document and check whether it is loaded with malware.

Broadly speaking, all file analysis techniques include the following elements:

  • Check the document for dangerous tags and scripts
  • Detect embedded code such as shellcode, VBA macros, JavaScript, PowerShell and more
  • Extract the suspicious code or object from the file
  • If possible, delete the extracted code (although, with a very high degree of probability, obfuscated code is harmful)

Tools for analyzing Microsoft Office files

Oletools: This is a powerful Python toolkit for analyzing Microsoft OLE2 files, primarily Microsoft Office documents such as Word or PowerPoint files, and it is widely cited by digital forensics experts.

For installation on Linux, simply run the following command:

sudo -H pip install -U oletools

On the other hand, if you want to install the tool on Windows systems, you must use the following command:

pip install -U oletools

In this package you can find many other tools, including:

pcodedmp: This is a VBA p-code disassembler (p-code is the compiled byte code form of VBA macros). Digital forensics experts mention that this tool requires oletools to function properly.

PDF analysis tools

PDF Stream Dumper: This is a Windows GUI utility for PDF analysis that is very popular in the cybersecurity community.

PDF-parser: This tool allows digital forensics experts to extract individual elements from a PDF file, such as headers, links, and more, for detailed analysis.

PDFID: PDFID lists all objects in the scanned PDF file.

PEEPDF: This is a fairly powerful analysis framework that includes shellcode search, JavaScript analysis and more. PEEPDF is included by default in Kali Linux.

PDFxray: This tool provides most of the necessary utilities as separate Python scripts, but digital forensics experts note that it requires many dependencies.

What should we look for when analyzing a PDF document?

First, digital forensic specialists recommend looking for the following parameters:

  • /OpenAction and /AA, as they can run scripts automatically
  • /JavaScript and /JS, which run JavaScript
  • /GoTo, since this action changes the visible page of the file and can automatically open and redirect to other PDF files
  • /Launch, which is able to start a program or open a document
  • /SubmitForm and /GoToR, which can send data to a URL
  • /RichMedia, which can be used to embed Flash
  • /ObjStm, which can hide objects

It is rare to find clean, unobfuscated code in malicious PDF files. The simplest types of obfuscation are hex encoding of name characters, such as /J#61vaScript instead of /JavaScript, and line breaks:

/Ja\
vascr\
ipt
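As an added example (not a tool from the article or from the oletools/PDFID projects), the following Python scanner does what the checklist above describes: it tokenizes PDF name objects in the raw bytes, undoes the #xx hex escapes so that /J#61vaScript is counted as /JavaScript, tallies the risky names listed above, and pairs automatic triggers with actions to produce a verdict. The sample PDF bytes are constructed for the demonstration.

```python
import re
from collections import Counter

# The names the article lists as worth checking, written as pdfid reports them.
RISKY_NAMES = {"/OpenAction", "/AA", "/JavaScript", "/JS", "/GoTo", "/GoToR",
               "/Launch", "/SubmitForm", "/RichMedia", "/ObjStm"}

# A PDF name token runs from '/' to the next whitespace or delimiter character.
_NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]{}()%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(token):
    """Undo the #xx hex escapes PDF allows inside names: /J#61vaScript -> /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)

def count_risky_names(data):
    """Count the risky names in raw PDF bytes, seeing through hex-escaped spellings."""
    counts = Counter()
    for match in _NAME_TOKEN.finditer(data):
        name = normalize_name(match.group(0)).decode("latin-1")
        if name in RISKY_NAMES:
            counts[name] += 1
    return counts

def triage(counts):
    """Turn the counts into the verdict the checklist implies: an automatic
    trigger (/OpenAction, /AA) paired with an action is the strongest signal."""
    triggers = counts["/OpenAction"] + counts["/AA"]
    actions = sum(counts[n] for n in ("/JavaScript", "/JS", "/Launch",
                                      "/SubmitForm", "/GoToR", "/GoTo"))
    if triggers and actions:
        return "suspicious: an action runs automatically when the file is opened"
    if actions or counts["/ObjStm"] or counts["/RichMedia"]:
        return "review: active content or hidden objects present"
    return "no risky names found"

# Constructed sample, not a real malicious file: a catalog whose OpenAction
# points at a JavaScript action spelled with a hex escape, plus an object stream.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
4 0 obj << /Type /ObjStm /N 2 /First 10 >> endobj
%%EOF"""

if __name__ == "__main__":
    found = count_risky_names(SAMPLE_PDF)
    print(dict(found))
    print(triage(found))
```

Names inside compressed object streams (/ObjStm) are not visible to this raw scan, which is why the article extracts those objects with PDF-parser before judging them.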

Security test

In this step, we will use a document loaded with malware to exploit the flaw tracked as CVE-2017-11882.

Let’s review the VBA scripts:

olevba exploit.doc

olevba immediately prints many lines of VBA script, and at the end it also summarizes what the code does. The next test is to analyze a PDF file using PDFID to view all the objects in the file.

As shown below, the PDF file contains /ObjStm objects. To ensure that they do not negatively impact our systems, we can extract these objects from the file and consider them separately using PDF-parser.

To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Cyber Security Institute (IICS) website.

The post How to easily check if DOC, RTF, XLS, PPT, PPTX or PDF file has a malware without antivirus like a digital forensics expert appeared first on Information Security Newspaper | Hacking News.
