delivr.to
@delivrto.bsky.social
Updates from the https://delivr.to team, including new payloads, features and announcements.
In-the-wild samples are leveraging "foreignObject" elements to embed interactive HTML elements that take user input and exfiltrate it to attacker-controlled servers.

🔍 Detect with our YARA rule: github.com/delivr-to/de...
🛡️ Test weaponised SVG delivery: delivr.to/?search=.svg
December 3, 2024 at 2:14 PM
Viewing a zip concat. sample, we can see the populated zip file header (0x04034b50, blue) and the end of central directory record (EOCD) signature (0x06054b50, red) repeated for each zip.

In our testing, multiple instances of these byte sigs reliably detected this technique.

🧵3/3
November 15, 2024 at 10:03 AM
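An added detection example (not delivr.to's YARA rule or code): a Python scanner that applies the repeated-signature heuristic from the thread, counting local file header and EOCD signatures in a blob and additionally checking that the trailing EOCD's recorded central directory position matches where that EOCD actually sits. The two single-file archives it appends back to back are constructed inline as a test sample.

```python
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"  # 0x04034b50 as little-endian bytes on disk
EOCD_SIGNATURE = b"PK\x05\x06"     # 0x06054b50 as little-endian bytes on disk
EOCD_STRUCT = struct.Struct("<4sHHHHIIH")  # fixed 22-byte EOCD layout


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which `needle` occurs in `data`."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def eocd_is_consistent(data: bytes, off: int) -> bool:
    """True if the EOCD at `off` sits right after the central directory it describes.

    A zip written as one archive has cd_offset + cd_size == EOCD offset. When a
    second archive is appended, its EOCD still carries offsets relative to its
    own start, so the trailing EOCD no longer agrees with its real position.
    """
    if off + EOCD_STRUCT.size > len(data):
        return False
    _, _, _, _, _, cd_size, cd_offset, _ = EOCD_STRUCT.unpack_from(data, off)
    return cd_offset + cd_size == off


def scan_for_zip_concat(data: bytes) -> dict:
    """Flag a blob that carries more than one EOCD record (one per appended zip)."""
    eocd_offsets = find_all(data, EOCD_SIGNATURE)
    lfh_offsets = find_all(data, LOCAL_FILE_HEADER)
    return {
        "eocd_count": len(eocd_offsets),
        "local_header_count": len(lfh_offsets),
        "trailing_eocd_consistent": bool(eocd_offsets)
        and eocd_is_consistent(data, eocd_offsets[-1]),
        "suspected_concatenation": len(eocd_offsets) > 1,
    }


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a minimal single-entry, stored (uncompressed) zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: two independent archives appended back to back.
SINGLE_ZIP = make_zip("first.txt", b"constructed first archive\n")
CONCAT_SAMPLE = SINGLE_ZIP + make_zip("second.txt", b"constructed second archive\n")
```

`scan_for_zip_concat(CONCAT_SAMPLE)` reports two local file headers, two EOCD records and an inconsistent trailing EOCD, while the single archive reports one of each and a consistent EOCD.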
This technique results in different files being displayed to an end user (either from the leading or trailing zip file) depending on the zip client used.

This also has implications for mail filters that ‘open’ the zip to analyse its contents.

🧵2/3
November 15, 2024 at 10:00 AM