Exploiting Calculator.exe For Hacking
ฝัง
- เผยแพร่เมื่อ 30 ก.ค. 2024
- Try out OctoPart 👉 octopart.com/
Altium 👉 www.altium.com/yt/seytonic
Timestamps:
0:00 Exploiting Calculator.exe To Hack PCs
2:52 Nuclear Sabotage Hackers Arrested
5:46 A New Cyber Crime Business Model
7:46 Octopart
8:23 Outro
Sources:
www.hackread.com/qbot-malware...
www.bleepingcomputer.com/news...
/ 1546607135089430532
blog.cyble.com/2022/07/21/qak...
itm4n.github.io/windows-dll-h...
securityaffairs.co/wordpress/...
www.fortinet.com/blog/threat-...
www.microsoft.com/security/bl...
www.hackread.com/malware-fami...
www.bleepingcomputer.com/news...
www.bleepingcomputer.com/news...
www.policia.es/_es/comunicaci...
securityaffairs.co/wordpress/...
thehackernews.com/2022/07/spa...
www.theregister.com/2022/07/2...
westobserver.com/news/europe/...
www.theregister.com/2022/07/2...
cyberint.com/blog/research/at...
threatpost.com/hackers-cyber-...
===============================================
My Website: www.seytonic.com/
Follow me on TWTR: / seytonic
Follow me on INSTA: / jhonti
=============================================== - บันเทิง
This is why file extensions and hidden files should be visible by default
Hiding them by default is just one of the MANY stupid things Microsoft does.
Microsoft does not show the extension for shortcut files, even if "hide extensions for known file types" is not checked.
@@N1IT3 That's true, too. Only way to know is the tiny shortcut icon, which is easy to miss on small file icons, when you aren't tech-savvy, or when you're in a hurry.
@@FoxBlocksHere you can move a file to startup without admin, you can delete all fonts without admin, you can literally corrupt the system without admin and windows is doing nothing about it.
File extensions should always be visible. However, there’s an argument for hidden files to not be visible by default.
1. How are they “hidden files” if they’re visible by default?
2. The general population would be overwhelmed by seeing more files and/or screw up critical files (ie delete them b/c they don’t know what they are)
3. It’s less aesthetically pleasing to see a ton more files.
I agree that hidden files should have never existed, but we’re committed at this point.
"It all starts with downloading a file sent from an email." Aaah some things never change.
ik
not everyone is pro enough to write an exploit using advanced buffer overflow and attack directly into the device
@@xnxxxnxx5918 well downloading a file from an email deserves to get you hacked
Hiding the file extensions is one of the most stupid default settings Microsoft ever did. Still i see why they do it since the average computer user is stupid and would most likely mess it up when renaming files . Better would be to have a new default setting where extensions are always visible but locked so they cant be changed by mistake. Making them visible by default would salve quite a few attack attempts.
Or you know, actually read the file to determine what software would be best to open it.
@ringman 💯💯💯💯 incase if someone looking for the Reg change to enable this setting in bulk
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced \v HideFileExt \t REG DWORD \d 0 \f
Less is more. I hate the dumbing down of UI/UX to the point you can't readily do what you need to.
You misspelled "the vast majority of"
@@alan5506 im pretty sure linux does this
Man, you really have to go out of your way to get hacked with this one.
You know these methods are still around because people will still fall for it lol
@@TheOneAndOnly_skiF if they do, they kinda deserve it on this one. "Step 1, open sketchy email. Step 2 install sketchy program. Step 3 launch sketchy link step 4 provide all bank info. "
People sometimes move too fast, especially when stressed out and have a lot on their plate. Click click click click... oops now you're fucked
@@holabola9064 It's not really an excuse considering how many steps you have to go through to get hacked plus how poor the actual method is
@@holabola9064 Very true!
Scarier thought about the radiation sensor sabotage story… what if that alert system is the same or similar as another country uses and they were paid by a major threat actor to see if it could be done. Like a test.
Tbh I thought they wanted to force them to update the old system.
I was thinking about the same angle too. Old infrastructure might be similar to other countries or regions.
As much as I like hearing about these flaws and hacks. People must really not be thinking about the bigger picture when they accept jobs like this hack.
But I'm glad some hacker's have a bit of morals. Not many but I know some do
Yep, proof of concept.
You can probably find the answer to this on wikipedia and I'd bet the answer is no. Nuclear powerplants aren't great targets in the first place because of the layers upon layers of security and failsafes. Gen III+ plants are more or less failureproof and their security isn't down to any digital technology that can be hacked but the mechanical design of the reactor itself. If you wanted to cause massive damage power grids would be a better target since they have more points of vulnerability.
first time in 15 years of being a youtube consumer actually finding a sponsored product that's actually useful :'D only because i work in a telecom T&M equipment resales company..lol
Even in the 90s, the controls network for the powerplant I worked for was a completely isolated from the outside world. Physical access to the network was required to access any control code and field devices/programmable logic controllers. Coming in though dial up networking would have made life easier, but unfortunately, easier for us is also easier for them.
We got one such mail in the company a few weeks ago and I was so confused at first why they did it this way, until it dawned on my what they're actually exploiting here...
Clever indeed.
you are everywhere
and on gbatemp i guess
@@Porygonal64 hi 👀
Now we cant even trust the calculator app :D
You can trust the calculator just fine, but don't make the mistake to trust windows.
@@Dario-sp5ll I don’t trust Windows. It’s why I trust only myself when I use it.
U have to trust the notes app it survives the strongest viruses bruh
Just dont't use the windows 7 version lol
gigs are great until you start wanting health insurance and workers comp from your cyber crime company
This is actually really cool! This is the type of thing you can mess around with yourself as long as you have knowledge of programming and compiling to .dll files. I might have to see what you can do with this.
The calc "hack" looks like made by a child. While it exploits the hidden extension, it actually exploit far more severe Windows security issue, that is older than me: executable/library search look into the current directory first. If you ever need an argument while you should linux, not windows for your daily driver - this is it (although linux is not perfect, see CDPATH). The problem is in Windows, this setting is by design, used by majority of software and thus cannot be mitigated, making it extremely easy to hack someone's computer if you have offline access to it (or online access to the filesystem).
This so called "windows security issue" is clearly older than you because you sound like a typical 13 year old tech enthusiast who thinks ricing his linux desktop makes him a computer wizard. If you are able to plant a dll in the application directory, then duh, obviously you can modify its content. The moment you gained write access to the application directory, you own it, dll injection at this point is redundant because it has already been compromised. This is why calculator is in system32 which requires admin access. And let's not forget calculator runs without privilege so the injected code runs unelevated. This "hack" prays on a user's carelessness, it is not a security vulnerability in the os. And by the way nt has a MUCH more solid and well designed security model than your favorite "everything is a file" toy os, your delusional fantasy is childishly laughable
I use macOS as my daily driver. Windows never works and is a security nightmare, and Linux also never works and is too complicated, especially for most people.
@@nulcow Windows and MacOS never work, Linux always does exactly what I tell it to do, *interesting*.
@@peacefulexistence_ MacOS does work. I use it.
@@blocksource4192 I have used it extensively in the past and couldn't stand it, my Mac is running Linux now.
TH-cam threw this video on my recommendations, and I must say I am thankful it did. Great content, subbed
What a remarkably succinct and approachable explanation of the exploit, even for a relative layman!
😲 so many layers to this! Amazing job with the breakdown
interesting trick with the embedded file that gets "downloaded" didn't know that was a thing. Guessing the real nasty is whatever is in that dll with the numbers that the other DLL registers into the system. Octopart sounds like a good resource, cheers for that tip!
Your videos are motivating me to start learnig cyber security and malwares as a whole.
man thank you so much for accepting this *part*icular sponsor :) will really help with projecta
Great work 🥳🥳🥳 Thank you 💜💜💜
The octopart ad is making be rethink sponsorblock, legitimately useful service I would have missed had it not been for the comments
Bro is hearted by seytonic after talking bad about the sponsor
read again lol
Aaaaa al fin encuentro alguna información sobre el malware en archivos .lnk y gracias por el contenido que subes bro
Apparently, Valencia is NOT inside the Valencian Community but is replacing the whole thing. Poor people of Castellón and Alicante (me)
CASTELLANO:
Al parecer, Valencia ha conquistado toda la Comunidad Valenciana. Pobres castellonenses y alicantinos (yo)
very informative. New Subscriber!
I still can't get past the British H.
"The (Haych)TML file"
how are you meant to say it
Ech t m l
@@railwaymedialondon ay-ch. You don't actually pronounce the "h" sound when saying the letter "H"
@@wrathofainz but there’s a H there, so H T M L
Houtoumoulou
3:20 they misspelled "materials" on the sign 😭
i noticed that straight away
Damn Atlas makes a lot of sense. Pioneering cyber crime ig lol.
to pull this off it's pretty unlikely. a random html in an e-mail suspecius enough. but after it downloads something if were to careless enough to open it is quite a redflag.BUT even after this why would i unpack it and open another file??
I guess some folks are just curious. At the end of the day these things rely on numbers. For every n 1000 recipients probably some are not informed and very curious.
Props from Portugal !
3:22 lol _"Materrials."_
Now I’m worried if I get an error on my calculator I must be infected.
don't use windows
Use SpeedCrunch instead 😉😎
@@serecano104 Use open BSD!
@@marshalllee2837 use temple OS!
@@serecano104 that's really useful in corporate environments with 10k's of hosts 🙄
Its more likely they wanted the system upgraded but the employer was fine with the current system, so they hacked it and removed the system themselves. imagine a foreign nation attacks and they would do the same thing and easily gain access.
Windows 8.x shared the same calculator app with Windows 7 but in Windows 8.1 Microsoft introduced a metro version for the calculator along side with the the Win32 version with the Win32 version was removed from Windows 10 with the metro/uwp version sticking around in modern versions of Windows but you can still use the old calculator by extracting the executable file Windows 7/8/8.1 and then run as the necessary dlls are still in Windows for compatibility with some older application
This exposes multiple flaws in antivirus software
1. Why would you trust a common app. Its not malicious, but it still can be exploited
2. Base64 is such a painfully obvious encoding and they dont check for that?
im learning lots of ways to exploit school desktops from these videos
Reminds me of when I downloaded Wayne's World to watch with my roommates... turns out it was "wanesworld.exe", my roommate was eager to watch it, so took the liberty of double clicking it. I laughed, told him it was an exe, his eyes grew wide, and then I let him know it's fine I use Linux. Then wine opened... and my eyes grew wide.
Great Man !
Background sound please
How do u connect ur contentinterface to soft soft so u can record?
Microsoft POV:
Microsoft didn't need to repair that bug, since when get hacked, just blame the hacker and Microsoft are free to go
This was very useful information and I loved how that "calc.exe" attack seemed to use "RUSSIAN DOLL" nested techniques to gain access.
The simplest way that attack can be avoided is by NOT OPENING EMAILS FROM UNKNOWN SENDERS AND CLICKING LINKS!.
Thanks again Seytonic. Also I wonder if there has ever been attacks directed towards SOLAR WEATHER data collection servers and the similar space agencies. (I'm sure that had to be some)
> The simplest way that attack can be avoided is by NOT OPENING EMAILS FROM UNKNOWN SENDERS AND CLICKING LINKS!.
Or like, not being dumb, but ok. Tho I guess that's too much to expect.
Red flags:
- Sending an HTML file which fails to open and displays ads
- Who tf automatically lets a file download, normal browsers just ask
- Who tf uses ISOs as archives
- Imagine having anything but dotfiles hidden and hiding extensions
- And ofc this attack would not work at all on non-dumb OSes.
And they haven't fixed the ddl sidloading bug?!
They have, the malware comes with an old version however.
@@mrbanana6464
Ah right, true.
It’s not fixed. They will never fix it. I sideloaded a popular and common application that my company and other businesses use a few weeks ago lol
Nice video!
Even the fricking calculator. Lol
Gives new meaning to popping the calculator!!
I don’t get a bit of it, but I know it’s serious stuff
Computers are related but it’s hard for some to know how that is. It is a sensible idea that the two states are interconnected.
In general sabotage or any kind of attack against nuclear power plants is extremely unlikely considering the enormous consideration given towards safety in their design. Gen III+ power plants are safe against anything other than a missile strike and Gen IV plants will have reinforced concrete domes capable of withstanding most attacks. Luckily most plants older than Gen III have been shut down so in general nuclear power plants are probably the safest parts of any grid, I guess apart from solar and wind which are physically incapable of causing harm. I say all of this as someone who is actually fairly critical of nuclear power and generally oppose it, I just know enough physics to understand the safety mechanisms at play.
If someone wanted to cause significant damage they'd be better off attacking the grid itself since it has many somewhat vulnerable parts that were more or less built on the assumption of peace. Of course carrying out such an attack successfully would require extensive coordination and you have to be physically present so that makes it a lot easier for law enforcement to spot you, which is probably why it has never happened. Hacking would be of limited use probably, it could perhaps let you temporarily shut down parts of the grid and it is a bit of a hassle to restore grid functionality but you couldn't do actual damage as all of the safety is physically built into the infrastructure. And grid operators are just pretty smart people in general.
Really you're best off targeting oil pipelines or tankers. The environmental damage a spill can do is immense and pipelines are relatively unguarded.
How is your opsec so bad that you actually access a compromised system via a public network.
Nice among us joke as two imposters vented!
cybercrime mercenaries, that's a new one
Note: If you're still using win7. It's not more dangerous for those systems.
thank you LOL!
U know he is a programmer when he started with hello world !
Why tf does the attack require dll injection if the user already opens an allegedly unknown exe file.
Also almost every software that uses dynamic linked libraries suffers this problems, so this is nothing special.
As stated in the video, Windows calculator is identified as safe by antivirus and therefore you have less chance for it to be blocked than a regular unsigned exe file
@@florenthugouvieux5138 Yeh but this kind of attack is so common and trivial i doubt antivirus software wouldn't notice anything wrong
@@simoc.1225 The .dll masks it essentially as if they just gave a calc.exe file that was modified the signature of the file would be flagged pretty quick against the database of malware.
Nowadays i think most antiviruses will be suspicious from the dll itself since its has an injection routine..
To evade anti-malware.
And that's why you display the file extensions
I bet someone is going to make a hacker-mercenary for hire. It will be called Oceans 1337.
I didnt know you could store other files using html, might use it to hide my stuff from my friends
lol it's pron isn't it.
what music is playing in the background
3:24 "Radioactive materrials" 🤔 Hmm...
Dll side loading has existed since stuxnet. What a shame that Microsoft still hasn’t fixed this. Good for us red teamers but not so good for threat actors smh
the LG smart fridge will get weaponized after this istg
So happy I never check my email lol
Recheck your map on 3:14; in Spain we only have 7 active reactors; two on extremadura (that are fine but they're part of the same power station named Almaraz), two on Tarragona, Catalonya (they're also fine but again are same Power Station named Ascó), not so far from Ascó there is Vandellos (that was ok), Cofrentes in Valencia (spot is 150km away) and the last one in Guadalajara, Andalucia, named as Trillo. Of course thats actually, your map must have at least 10 years because on 2012 Castille and León Nuclear Power Station (St Mary from Garoña roughly translated) was close permanently. Like from Spain!
Is was probably to f**k goverment politics in Spain has a tendency to do policy by hard way, if you know what it means. There's A LOT of corruption here
Would it be possible to email you a question?
Me saw this video pop up on my youtube , quickly delete calculator from windows !
this is why windows should warn you about shortcut files
It's not Calculator.exe, it's actually calc.exe. I clicked this video after reading the title and having immersive pain not writing this comment. 😅
So, I will not get hacked if I use the calculator app on my Windows machine, right? I guess the hackers need to work harder and infect all calculator apps in all Windows machines which will automatically get anyone using the calculator app to be hacked.
Chernobyl needed RBMK type of reactor to able disaster to happen, and only 8 of those left (all in Russia), retrofitted with security features. Facepalm every time someone talks about "next Chernobyl"..
Ngl the dll hijacking thingy is nothing new at all. I've seen CoinLoader samples doing the same thing for quite a while. Literally nothing new to see there.
No real reason to have a system dll in the applications folder hence the name system dll. Too many apps ship with dll's they should be leaving up to the system to provide. One of the many M$ things I despise. At one time you could even make a registry entry to load a specified dll into every process when it started.
Why would a calculator app need something to do with codecs to begin with?
I'll keep saying it until people pay attention and catch on: cyberpunk is Now.
Uhh that says qakbot (cackbot) not qUack ya duck
3:25 Typo??
Ugh.. windows is so braindead. Who codes an OS that randomly runs code from anywhere, rather than a strictly defined set?
Oh yeah, FortiMail.... warn that end user!
yes!
isn't it calc.exe? and not Calculator.exe
* deletes calculator *
hahaha yes that's totally logical
Easiest thing to do is block all inbound htm and html attachments…
where ?
@@densidste9137 Think he means from email. You could see from the s.shot it was something Fortimail picked up as sus.
Most email filtering services offer the ability to strip email attachments sometimes at a cost. Using something like a virtual machine could be one way of preventing malicious attachments infecting your main machine, or an old laptop not connected to your main network such as a tethered connection.
@@computerspek VMs aren't 100% safe though. Some malware is able to escape them.
@@renakunisaki very true!
change the shortcuts
Oh no…
Good among us joke
I got hacked on BO2 through calc
Why are Nicholas Cage and the Rock trying to hack my computer?
ok
version, standard is more than sufficient
Sha-nayble 💀💀💀
Simply Delete the Calculator
Wait.
i just have saw the thumbnail
what the fuck
it's calc.exe not Calculator.exe
I was a victim of this but tronscript saved me
it's calc.exe
Oath
okay, this is interesting 🤔
LOLBAS
hi
7:20 screw isn'treal, bring pack Palestine
why
👆❤️🏴☠️
have you ever heard of linux debian based operating systems? or not? Becuase my 70 yo granpa can identify that thats a scam
#UseLinux
Edited