Multiple Vulnerabilities in EDRs and Anti-Virus Software Exploited To Turn Them into Data Wipers
  • Advisory
  • December 19, 2022

Anti-virus software scans a device, and EDR solutions continuously monitor it, for suspicious or malicious files with the intent of quarantining or deleting them. This exploit abuses that behaviour to deceive the vulnerable solutions into deleting non-malicious files, by redirecting the deletion path through what is known as a junction point.

A junction point is a type of reparse point that contains a link to a directory and serves as an alias for that directory. During the brief window between an EDR or anti-virus product detecting a malicious file and attempting to delete it, the threat actor can use a junction point to redirect the deletion to a path (directory) of their choice.

To wipe a directory completely, the threat actor can use a tool such as the Aikido wiper to trigger a privileged delete: a malicious file is planted in a decoy directory and the permissions needed to delete it are withheld, causing the EDR or anti-virus to postpone deletion until the next restart. The actor then deletes the directory containing the planted file, replaces it with a junction point that targets the directory they wish to wipe, and restarts the system, at which point the deferred deletion wipes the target directory.
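As an added defender-side example (not code from the advisory or from any of the affected products), the following Python shows the check a privileged deleter should make before acting on a path: walk every component looking for a reparse point and confirm the resolved path stays inside the expected root. The sample layout is constructed, uses a symlink as a stand-in for a Windows junction, and all function names are assumptions of this example.

```python
import os
import stat
import tempfile


def is_reparse_point(path):
    """True for a symlink (POSIX) or anything with the Windows reparse-point
    attribute, which is how a junction appears to os.lstat()."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0)
                & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def reparse_components(path):
    """Return every prefix of `path` that is a reparse point, i.e. each place a
    deleter following the path would be silently redirected elsewhere."""
    found, p = [], os.path.normpath(path)
    while True:
        if os.path.lexists(p) and is_reparse_point(p):
            found.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            return found
        p = parent


def is_safe_to_delete(path, expected_root):
    """Refuse to delete through a reparse point or outside `expected_root`."""
    if reparse_components(path):
        return False
    root = os.path.realpath(expected_root)
    return os.path.commonpath([os.path.realpath(path), root]) == root


def build_fixture():
    """Constructed layout (not from the advisory): a quarantine root with one
    ordinary file and a subdirectory that is really a link to an unrelated
    'victim' directory. A symlink stands in for a Windows junction."""
    base = os.path.realpath(tempfile.mkdtemp())
    root, victim = os.path.join(base, "quarantine"), os.path.join(base, "victim")
    os.makedirs(root); os.makedirs(victim)
    benign = os.path.join(root, "sample.bin")
    open(benign, "w").close()
    open(os.path.join(victim, "important.txt"), "w").close()
    link = os.path.join(root, "redirect")
    os.symlink(victim, link, target_is_directory=True)
    return {"root": root, "benign": benign, "link": link,
            "via_link": os.path.join(link, "important.txt")}
```

Creating the symlink in the fixture requires symlink privileges on Windows; on POSIX it runs as an ordinary user.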

The affected solutions are:

  1. Microsoft Defender
  2. Microsoft Defender for Endpoint
  3. SentinelOne EDR
  4. TrendMicro Apex One
  5. Avast Antivirus
  6. AVG Antivirus

Legacy Windows Operating Systems to No Longer Get Support from January 2023
  • Advisory
  • January 9, 2023

Windows 7 was released back in 2009 and reached its end date in January 2015. Its end date was extended to January 2020, and for customers that still needed particular important applications past that date, the Extended Security Update (ESU) programme was introduced, which provides critical security updates for a maximum of three years after the extended end date.

Windows 8.1 was released in November 2013 and reached its end date in January 2018. Its extended end date elapses on January 10, 2023.

Increasing Cases of Wiperware Infection
  • Advisory
  • January 19, 2023

Wiperware is a Trojan similar to ransomware, so its mode of delivery is typically established social engineering or phishing techniques. Once a system is infected, there may even be a ransom note in a README.txt file, the aim being to fool the victim into thinking it is ransomware and paying the ransom. Nevertheless, any file affected by wiperware can never be recovered.

In other instances, the aim is to bring down critical infrastructure, so there is no pretence of being ransomware. Once persistence is achieved, the malware corrupts critical files one by one in order to stop particular infrastructure from functioning as intended.

Phishing Emails with OneNote Attachments Used to Disseminate RATs
  • Advisory
  • January 24, 2023

The RATs are delivered via phishing emails disguised as DHL shipping mails, invoices, ACH remittance forms, and so on. When the intended victim downloads the OneNote attachment, it contains a malicious embedded file inside the "notebook". Threat actors place a "Double Click To View" banner over the notebook so that the victim launches the embedded file. When it is clicked, the system warns about the dangers of opening attachments that could harm the system or its data. Users usually ignore this warning, and if they click 'OK', a RAT is downloaded from a C2 server and installed. The Quasar RAT, AsyncRAT, and XWorm RAT are among the RATs being downloaded.

New Phishing Apps Discovered on Google Play Store
  • Advisory
  • January 30, 2023

While some of the malicious apps have been removed, others are still active on the store. Below are the affected apps:

  1. Golden Hunt
  2. Reflector
  3. Seven Golden Wolf Blackjack
  4. Unlimited Score
  5. Big Decisions
  6. Jewel Sea
  7. Lux Fruits Game
  8. Lucky Clover
  9. King Blitz
  10. Lucky Hammer


After the app is installed and opened, it contacts a remote server, which replies with instructions on what to do. These instructions typically include phishing pages that are displayed to unsuspecting users in an attempt to collect their sensitive information.

Malicious Advertising Campaign Distributing FormBook Info-Stealer Malware
  • Advisory
  • February 13, 2023

Malvertising can appear in any advertisement on any website, including those you visit on a regular basis. Malvertising typically installs a small piece of code that connects your computer to criminal command and control (C&C) servers. The server profiles your computer, determining its location and what software is installed on it, before deciding which malware to send you. In this campaign, malvertising is the most common method of distribution: malicious advertisements are inserted into the results of popular search engines when unsuspecting users conduct searches. Clicking on such a link infects the device with the MalVirt loader, which uses a KoiVM virtualizing protector to avoid detection and analysis by anti-malware software. The loader then installs the FormBook malware and a signed Microsoft Process Explorer driver, allowing it to perform actions with elevated privileges. FormBook can also hide its C2 (command and control) traffic among bogus HTTP requests to various dummy domains.
