Just a second! 🫷 If you are here, it means that you are a software developer.
So, you know that storage, networking, and domain management have a cost .
If you want to support this blog, please ensure that you have disabled the adblocker for this site. I configured Google AdSense to show as few ADS as possible – I don’t want to bother you with lots of ads, but I still need to add some to pay for the resources for my site.
Thank you for your understanding. – Davide
When you need to compose the path to a folder or file location, you can rely on the Path class. It provides several static methods to create, analyze and modify strings that represent a file system.
Path.Join and Path.Combine look similar, yet they have some important differences that you should know to get the result you are expecting.
Path.Combine: take from the last absolute path
Path.Combine concatenates several strings into a single string that represents a file path.
However, there’s a tricky behaviour: if any argument other than the first contains an absolute path, all the previous parts are discarded, and the returned string starts with the last absolute path:
As you can see, the behaviour is slightly different.
Let’s see a table where we call the two methods using the same input strings:
Path.Combine
Path.Join
["singlestring"]
singlestring
singlestring
["foo", "bar", "baz"]
foo\bar\baz
foo\bar\baz
["foo", " bar ", "baz"]
foo\ bar \baz
foo\ bar \baz
["C:", "users", "davide"]
C:\users\davide
C:\users\davide
["foo", " ", "baz"]
foo\ \baz
foo\ \baz
["foo", "C:bar", "baz"]
C:bar\baz
foo\C:bar\baz
["foo", "C:bar", "baz", "D:we", "ranl"]
D:we\ranl
foo\C:bar\baz\D:we\ranl
["C:", "/users", "/davide"]
/davide
C:/users/davide
["C:", "users/", "/davide"]
/davide
C:\users//davide
["C:", "\users", "\davide"]
\davide
C:\users\davide
Have a look at some specific cases:
neither methods handle white and empty spaces: ["foo", " ", "baz"] are transformed to foo\ \baz. Similarly, ["foo", " bar ", "baz"] are combined into foo\ bar \baz, without removing the head and trail whitespaces. So, always remove white spaces and empty values!
Path.Join handles in a not-so-obvious way the case of a path starting with / or \: if a part starts with \, it is included in the final path; if it starts with /, it is escaped as //. This behaviour depends on the path separator used by the OS: in my case, I’m running these methods using Windows 11.
Finally, always remember that the path separator depends on the Operating System that is running the code. Don’t assume that it will always be /: this assumption may be correct for one OS but wrong for another one.
A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming to exfiltrate user credentials and deploy malware. These campaigns predominantly utilize redirection techniques, such as phishing emails, and exploit malicious LNK files to further their objectives.
Each year, cybercriminals exploit the tax season as an opportunity to deploy various social engineering tactics to compromise sensitive personal and financial data. These adversaries craft highly deceptive campaigns designed to trick taxpayers into divulging confidential information, making fraudulent to counterfeit services, or inadvertently installing malicious payloads on their devices, thereby exposing them to identity theft and financial loss.
Infection Chain:
Fig 1: Infection chain
Initial analysis about campaign:
While tax-season phishing, attacks pose a risk to a broad spectrum of individuals, our analysis indicates that certain demographics are disproportionately vulnerable. Specifically, high-risk targets include individuals with limited knowledge of government tax processes, such as green card holders, small business owners, and new taxpayers.
Our findings reveal that threat actors are leveraging a sophisticated phishing technique in which they deliver files via email with deceptive extensions. One such example is a file named “104842599782-4.pdf.lnk,” which utilizes a malicious LNK extension. This tactic exploits user trust by masquerading as a legiti payments mate document, ultimately leading to the execution of malicious payloads upon interaction.
Decoy Document:
Threat actors are disseminating a transcript related to tax sessions, targeting individuals through email by sharing it as a malicious attachment. These cybercriminals are leveraging this document as a vector to deliver harmful payloads, thereby compromising the security of the recipients.
Fig 2: Decoy Document
Technical Analysis:
We have retrieved the LNK file, identified as “04842599782-4.pdf.lnk,” which was utilized in the attack. This LNK file embeds a Base64-encoded payload within its structure.
Fig 3: Inside LNK File
Upon decoding the string, we extracted a PowerShell command line that itself contains another Base64-encoded payload embedded within it.
Fig 4: Encoded PowerShell Command Line
Subsequently, upon decoding the nested Base64 string, we uncovered the final PowerShell command line embedded within the payload.
Fig 5: Decoded Command Line
The extracted PowerShell command line initiated the download of rev_pf2_yas.txt, which itself is a PowerShell script (Payload.ps1) containing yet another Base64-encoded payload embedded within it.
Fig 6: 2nd PowerShell command with Base64 Encoded
We have decoded the above Base64 encoded command line and get below final executable.
Fig 7: Decoded PowerShell Command
According to the PowerShell command line, the script Payload.ps1 (or rev_pf2_yas.txt) initiated the download of an additional file, revolaomt.rar, from the Command and Control (C2) server. This archive contained a malicious executable, named either Setup.exe or revolaomt.exe.
Detail analysis of Setup.exe / revolaomt.exe:
Fig 8: Detect it Easy
Upon detailed examination of the Setup.exe binary, it was identified as a PyInstaller-packaged Python executable. Subsequent extraction and decompilation revealed embedded Python bytecode artifacts, including DCTYKS.pyc and additional Python module components.
Fig 9: PyInstaller-packaged Python executableFig 10: In side DCTYKS.pyc
Upon analysis of the DCTYKS.pyc sample, it was determined that the file contains obfuscated or encrypted payload data, which is programmatically decrypted at runtime and subsequently executed, as illustrated in the figure above.
Fig 11: Encoded DCTYKS.pyc with Base64
Upon successful decryption of the script, it was observed that the sample embeds a Base64-encoded executable payload. The decrypted payload leverages process injection techniques to target mstsc.exe for execution. Further analysis of the second-stage payload revealed it to be a .NET-compiled binary.
Analysis 2nd Payload (Stealerium malware):
Fig 12: .NET Base Malware sample
The second-stage payload is identified as a .NET-based malware sample. Upon inspection of its class structures, methods, and overall functionality, the sample exhibits strong behavioural and structural similarities to the Stealerium malware family, specifically aligning with version 1.0.35.
Stealerium is an open-source information-stealing malware designed to exfiltrate sensitive data from web browsers, cryptocurrency wallets, and popular applications such as Discord, Steam, and Telegram. It performs extensive system reconnaissance by harvesting details including active processes, desktop screenshots, and available Wi-Fi network configurations. Additionally, the malware incorporates sophisticated anti-analysis mechanisms to identify execution within virtualized environments and detect the presence of debugging tools.
This AntiAnalysis class is part of malware designed to detect sandbox, virtual machines, emulators, suspicious processes, services, usernames, and more. It checks system attributes against blacklists fetched from online sources (github). If any suspicious environment is detected, it logs the finding and may trigger self-destruction. This helps the malware avoid analysis in controlled or security research setups.
Mutex Creation
Fig 16: Mutex Creation
This MutexControl class prevents multiple instances of the malware from running at the same time. It tries to create a system-wide mutex using a name from Config.Mutex (QT1bm11ocWPx). If the mutex already exists, it means another instance is running, so it exits the process. If an error occurs during this check, it logs the error and exits too.
Fig 17: Configuration of StringsCrypt.DecryptConfig
It configures necessary values by decrypting them with StringsCrypt.DecryptConfig. It handles the decryption of the server base URL and WebSocket address. If enabled, it also decodes cryptocurrency wallet addresses from Base64 and decrypts them using AES-256 encryption.
“hxxp://91.211.249.142:7816”
Radom Directory Creation
Fig 18: Random Directory Creation
The InitWorkDir() method generates a random subdirectory under %LOCALAPPDATA%, creates it if it doesn’t exist, and hides it for stealth purposes. This is likely used for storing data or maintaining persistence without detection.
\AppData\Local\e9d3e2dd2788c322ffd2c9defddf7728 random directory is created in hidden attribute.
BoT Registration
Fig 19: BOT Registration
The RegisterBot method initiates an HTTP POST request to register a bot instance, utilizing a unique hash identifier and an authorization token for authentication. It serializes the registration payload, appends the necessary HTTP headers, and logs the server response or any encountered exceptions. The method returns a boolean value—true upon successful execution, and false if an exception is raised during the process.
It extracts browser-related data (passwords, cookies, credit cards, history, bookmarks, autofill) from a given user data profile path.
FileZilla Credentials stealer activity
Fig 21: FileZilla Credential Stealer activity
The above code is part of a password-stealing component targeting FileZilla, an FTP client.
Gaming Platform Data Extraction Modules
Fig 22: Gaming platform data extraction
This component under bt.Stub.Target.Gaming is designed to collect data from the following platforms:
BattleNet
Minecraft
Steam
Uplay
Each class likely implements routines to extract user data, game configurations, or sensitive files for exfiltration.
Fig 23: Checks for a Minecraft installation
It checks for a Minecraft installation and creates a save directory to exfiltrate various data like mods, files, versions, logs, and screenshots. It conditionally captures logs and screenshots based on the Config.GrabberModule setting.
Messenger Data Stealer Modules
Itargets various communication platforms to extract user data or credentials from:
Discord
Element
ICQ
Outlook
Pidgin
Signal
Skype
Telegram
Tox
Below is one example of Outlook Credentials Harvesting
It targets specific registry keys associated with Outlook profiles to extract sensitive information like email addresses, server names, usernames, and passwords. It gathers data for multiple mail clients (SMTP, POP3, IMAP) and writes the collected information to a file (Outlook.txt).
Fig 24: Messenger Data Extraction
Webcam Screenshot Capture
Attempts to take a screenshot using a connected webcam, saving the image as a JPEG file. If only one camera is connected, it triggers a series of messages to capture the webcam image, which is then saved to the specified path (camera.jpg or a timestamped filename). The method is controlled by a configuration setting (Config.WebcamScreenshot).
Fig 25: Webcam Screen shot captures
Wi-Fi Password Retrieval
It retrieves the Wi-Fi password for a given network profile by running the command netsh wlan show profile and extracting the password from the output. The command uses findstr Key to filter the password, which is then split and trimmed to get the value
Fig 26: WI-FI Password Retrieval
VPN Data Extraction
It targets various VPN applications to exfiltrate sensitive information such as login credentials:
NordVpn
OpenVpn
ProtonVpn
For example, it extracts and saves NordVPN credentials from the user.config file found in NordVPN installation directories. It looks for “Username” and “Password” settings, decodes them, and writes them to a file (accounts.txt) in the specified savePath.
Fig 27: VPN Data Extraction
Porn Detection & Screenshot Capture
Fig 28: Porn Detection & Snapshot Captures.
It detects adult content by checking if the active window’s title contains specific keywords related to NSFW content (configured in Config.PornServices). If such content is detected, it triggers a screenshot capture.
Conclusion:
Based on our recent proactive threat analysis, we’ve identified that cybercriminals are actively targeting U.S. citizens around the tax filing period scheduled for April 15. These threat actors are leveraging the occasion to deploy Stealerium malware, using deceptive tactics to trick users.
Stealerium malware is designed to steal Personally Identifiable Information (PII) from infected devices and transmit it to attacker-controlled bots for further exploitation.
To safeguard your data and devices, we strongly recommend using Seqrite Endpoint Security, which provides advanced protection against such evolving threats.
Stay secure. Stay protected with Seqrite.
TTPS
Tactic
Technique ID
Name
Initial Access
T1566.001
Phishing: Spear phishing Attachment
Execution
T1059.001
Command and Scripting Interpreter: PowerShell
Evasion
T1140
Deobfuscate/Decode Files or Information
T1027
Obfuscated Files or Information
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
Credential Access
T1555.003
Credentials from Password Stores: Credentials from Web Browsers
T1539
Steal Web Session Cookie
Discovery
T1217
Browser Information Discovery
T1016
System Network Configuration Discovery: Wi-Fi Discovery
Collection
T1113
Screen Capture
Exfiltration
T1567.004
Exfiltration Over Web Service: Exfiltration Over Webhook
Just a second! 🫷 If you are here, it means that you are a software developer.
So, you know that storage, networking, and domain management have a cost .
If you want to support this blog, please ensure that you have disabled the adblocker for this site. I configured Google AdSense to show as few ADS as possible – I don’t want to bother you with lots of ads, but I still need to add some to pay for the resources for my site.
Thank you for your understanding. – Davide
In C#, attributes are used to describe the meaning of some elements, such as classes, methods, and interfaces.
I’m sure you’ve already used them before. Examples are:
the [Required] attribute when you define the properties of a model to be validated;
the [Test] attribute when creating Unit Tests using NUnit;
the [Get] and the [FromBody] attributes used to define API endpoints.
As you can see, all the attributes do not specify the behaviour, but rather, they express the meaning of a specific element.
In this article, we will learn how to create custom attributes in C# and some possible interesting usages of such custom attributes.
Create a custom attribute by inheriting from System.Attribute
Creating a custom attribute is pretty straightforward: you just need to create a class that inherits from System.Attribute.
Ideally, the class name should end with the suffix -Attribute: in this way, you can use the attribute using the short form [ApplicationModule] rather than using the whole class name, like [ApplicationModuleAttribute]. In fact, C# attributes can be resolved by convention.
Depending on the expected usage, a custom attribute can have one or more constructors and can expose one or more properties. In this example, I created a constructor that accepts an enum.
I can then use this attribute by calling [ApplicationModule(Module.Cart)].
Define where a Custom Attribute can be applied
Have a look at the attribute applied to the class definition:
Have you noticed it? It’s actually a Flagged enum, whose values are powers of 2: this trick allows us to join two or more values using the OR operator.
There’s another property to notice: AllowMultiple. When set to true, this property tells us that it’s possible to use apply more than one attribute of the same type to the same element, like this:
Notice that I also explicitly enriched the two inner methods with the related attribute – even if it’s not necessary.
Further readings
As you noticed, the AttributeTargets is a Flagged Enum. Don’t you know what they are and how to define them? I’ve got you covered! I wrote two articles about Enums, and you can find info about Flagged Enums in both articles:
IntenalsVisibleTo can be used to give access to internal classes to external projects:;for example, you can use that attribute when writing unit tests.
In this article, I showed you how to create custom attributes in C# to specify which modules a class or a method belongs to. This trick can be useful if you want to speed up the analysis of your repository: if you need to retrieve all the classes that are used for the Cart module (for example, because you want to move them to an external library), you can just search for Module.Cart across the repository and have a full list of elements.
In particular, this approach can be useful for the exposed components, such as API controllers. Knowing that two or more modules use the same Controller can help you understand if a change in the API structure is necessary.
Another good usage of this attribute is automatic documentation: you could create a tool that automatically enlists all the interfaces, API endpoints, and classes grouped by the belonging module. The possibilities are infinite!
I hope you enjoyed this article! Let’s keep in touch on LinkedIn, Twitter or BlueSky! 🤜🤛
In today’s world of technology, the importance of digital spaces is continuing to rise. With advancements in technology and the widespread use of the internet, various aspects of our lives have transformed within the digital realm. This shift in the way we think has led to the realization that digital spaces hold a ton of value.
What Exactly is Digital Transformation?
The acceptable definition of digital transformation is the use of new, fast, and frequently changing digital technology to be able to solve problems. It involves the application of the latest technology but companies also have to adopt other new technologies to be able to fully reap the benefits of digital transformation while keeping in line with their actual company or organization.
Digital transformation is more about the changing practices of a company or organization and its culture over time due to the changing world of technology. Digital transformation will be different for every company and organization, depending on the way they do things and what their needs are.
What are Digital Platforms?
There are many different types of digital platforms. When it comes to social media platforms, there are several to choose from, including Facebook, Instagram, TikTok, Twitter, Pinterest, LinkedIn, and many more. When it comes to platforms that provide users with knowledge about different topics, there are also several to choose from, such as Yahoo! Answers and Quora.
There are also media-sharing platforms that people use often, which include Spotify, Vimeo, and YouTube. Service-oriented platforms include sites like Airbnb and Grubhub.
3 Facts Proving That Digital Spaces Are Increasingly More Valuable
1. Environmental Impact is Less
According to The World Counts, almost 50% of paper used in the workplace ends up in the trash. This staggering statistic demonstrates the enormous toll that can happen to the environment due to the excessive use of paper. Digital platforms offer new space for individuals and companies to store their access information without having to use actual paper.
This also allows users to easily share it with other users or to store it for long periods. Also, more companies are allowing workers to work remotely, which means there are fewer cars on the road, which helps decrease carbon emissions. This happens due to virtual meetings being the latest craze so that, once again, people do not drive as much.
2. Professional Networking and Connectivity is Increasing
Professional networking and connecting with others has never been easier, thanks to the digital age. For example, LinkedIn is considered to be the world’s largest professional networking platform. It has over 500 million members around the world and serves as a vital hub for business and career professionals. The platform allows individuals to connect, collaborate, and explore opportunities on a scale that was unimaginable in the pre-digital era.
By utilizing LinkedIn’s features such as profile building, job searching, and content sharing, professionals can expand their networks, showcase their expertise, and establish their personal brand. The ability to connect with like-minded individuals and industry leaders worldwide enhances career prospects, facilitates knowledge sharing, and fosters professional growth. As digital spaces like LinkedIn continue to evolve, their value in promoting professional networking and connectivity only becomes more apparent.
3. Web Design and First Impressions Matter
In today’s digital landscape, the importance of a visually appealing and user-friendly website cannot be overstated. Research suggests 94% of first impressions are related to a site’s web design. A well-designed website instills confidence, credibility, and trust in visitors, positively influencing their perception of a brand or organization.
Digital spaces allow businesses and individuals to create an impactful online presence through aesthetically pleasing designs, intuitive navigation, and engaging content. A thoughtfully crafted website enhances the user experience, increases conversion rates, and drives customer engagement. As more interactions and transactions occur in digital spaces, the significance of effective web design in leaving a positive impression becomes increasingly evident. The digital age is here to stay and is proving to be more valuable than ever for organizations and companies throughout the world.
