News outlets recently reported that a threat actor was spreading an infostealer through free 3D model files for the Blender software. This is troubling enough on its own, but it highlights an even more serious problem: the business threat posed by free open source programs, uncontrolled by corporate infosec teams. And the danger comes not from vulnerabilities in the software, but from its very own standard features.
Why Blender and 3D model marketplaces pose a risk
Blender is a 3D graphics and animation suite used by visualization professionals across various industries. The software is free and open-source, and offers extensive functionality. Among Blender's capabilities is support for executing Python scripts, which are used to automate tasks and add new features.
The package allows users to import external files from specialized marketplaces like CGTrader or Sketchfab. These platforms host both paid and free 3D models by artists and studios. Any of these model files can potentially contain Python scripts.
This creates a concerning scenario: marketplaces where files can be uploaded by any user and may not be scanned for malicious content, combined with software that has an Auto Run Python Scripts feature. That feature lets a file execute its embedded Python scripts automatically the moment it is opened, which amounts to running arbitrary code on the user's computer in unattended mode.
How the StealC V2 infostealer spread via Blender files
The attackers posted free 3D models with the .blend file name extension on the popular CGTrader platform. These files contained a malicious Python script. If the user had the Auto Run Python Scripts feature enabled, downloading and opening the file in Blender triggered the script. It then established a connection to a remote server and downloaded a malware loader from the Cloudflare Workers domain.
The loader executed a PowerShell script, which in turn downloaded additional malicious payloads from the attackers' servers. Ultimately, the victim's computer was infected with the StealC infostealer, enabling the attackers to:
Extract data from over 23 browsers.
Harvest information from more than 100 browser extensions and 15 crypto wallet applications.
Steal data from Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and email clients like Thunderbird.
Use a User Account Control (UAC) bypass.
The danger of unmonitored work tools
The problem isn't Blender itself: threat actors will inevitably try to exploit automation features in any popular software. Most end-users don't consider the risks of enabling common automation features, nor do they typically dive deep into how these features work or how they could be exploited.
The core issue is that security teams aren't always familiar with the capabilities of specialized tools used by various departments. They simply don't account for this vector in their threat models.
How to avoid becoming a victim
If your company uses Blender, the first step is to disable the automatic execution of Python scripts (Auto Run Python Scripts feature). Here's how to do it according to official documentation.
[Figure: How to disable the automatic execution of Python scripts in Blender. Source: official Blender documentation.]
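Disabling Auto Run addresses the execution side; a security team may also want to triage downloaded models before they reach a workstation. The following Python script is an added example (not from the original article, and not Blender's own code) that walks the datablock headers of a .blend file and reports whether it carries embedded Text datablocks, which is where a script that Auto Run would execute is stored. It assumes the documented .blend layout (12-byte file header, then blocks of code, size, old address, SDNA index, count) and runs against constructed sample files rather than a real model.

```python
import gzip
import struct
from typing import List, Tuple


def _unwrap(data: bytes) -> bytes:
    """Older Blender versions gzip-compress .blend files; unwrap transparently."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    if data[:7] != b"BLENDER":
        raise ValueError("not a .blend file (bad magic)")
    return data


def list_blocks(data: bytes) -> List[Tuple[str, int]]:
    """Walk the file-block headers and return (code, payload size) up to ENDB."""
    data = _unwrap(data)
    ptr_size = 8 if data[7:8] == b"-" else 4      # '-' = 64-bit pointers, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"    # 'v' = little-endian, 'V' = big-endian
    off, blocks = 12, []                          # 12-byte header: BLENDER + ptr + endian + version
    while off + 16 + ptr_size <= len(data):
        code = data[off:off + 4]
        size, = struct.unpack(endian + "i", data[off + 4:off + 8])
        off += 16 + ptr_size   # code(4) + size(4) + old address(ptr) + SDNA index(4) + count(4)
        blocks.append((code.rstrip(b"\0").decode("ascii", "replace"), size))
        if code == b"ENDB":
            break
        off += size
    return blocks


def embedded_text_blocks(data: bytes) -> int:
    """Count Text datablocks (code "TX"); scripts that Auto Run would execute live there."""
    return sum(1 for code, _ in list_blocks(data) if code == "TX")


# Constructed samples (not real model files): 64-bit little-endian header plus a few blocks.
def _block(code: bytes, payload: bytes, ptr_size: int = 8) -> bytes:
    header = code.ljust(4, b"\0") + struct.pack("<i", len(payload))
    header += b"\0" * ptr_size + struct.pack("<ii", 0, 1)   # old address, SDNA index, count
    return header + payload

SAMPLE_CLEAN = b"BLENDER-v300" + _block(b"ME", b"\0" * 16) + _block(b"ENDB", b"")
SAMPLE_WITH_SCRIPT = (b"BLENDER-v300" + _block(b"ME", b"\0" * 16) + _block(b"TX", b"\0" * 8)
                      + _block(b"DATA", b"import os\n") + _block(b"ENDB", b""))
SAMPLE_GZIPPED = gzip.compress(SAMPLE_WITH_SCRIPT)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("scripted", SAMPLE_WITH_SCRIPT), ("gzipped", SAMPLE_GZIPPED)):
        print(f"{name}: {embedded_text_blocks(blob)} embedded text block(s)")
```

A file with Text datablocks is not necessarily malicious (legitimate rigs ship scripts too), so treat a non-zero count as a reason to open the file with Auto Run off and inspect the text blocks first. Inside Blender the same preference is exposed as bpy.context.preferences.filepaths.use_scripts_auto_execute, and launching Blender with --disable-autoexec forces it off for that session.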
Furthermore, to prevent the sudden spread of threats via work tools, we recommend that corporate security teams:
Prohibit the use of tools and extensions that haven't been approved by the security team.
Thoroughly vet permitted software, and assess risks before implementing any new services or platforms.
Regularly train employees to recognize the risks associated with installing unknown software and using dangerous features. You can automate security awareness training with the Kaspersky Automated Security Awareness Platform.
Enforce the use of secure configurations for all work tools.