URL: https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html
Cyber Threats
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike


Gootkit has been known to use fileless techniques to drop Cobalt Strike and
other malicious payloads. Insights from a recent attack reveal updates in its
tactics.

By: Buddy Tancio, Jed Valderama July 27, 2022 Read time: 7 min (1891 words)


Our in-depth analysis of what began as an unusual PowerShell script revealed
intrusion sets associated with the Gootkit loader. In the past, Gootkit used
freeware installers to mask malicious files; now it uses legal document
templates to trick users into downloading them. We uncovered this tactic through
managed extended detection and response (MxDR): investigating an alert on a
PowerShell script allowed us to stop the loader before it caused any damage or
dropped its payload.


Gootkit has been known to use fileless techniques to deliver noteworthy threats
such as the SunCrypt and REvil (Sodinokibi) ransomware families, the Kronos
trojan, and Cobalt Strike. In 2020, we reported on Gootkit's capabilities. While
its behavior remains largely the same as in that report, the updates described
here show that it is still active and under development nearly two years later.

Attack overview

Because Gootkit has been associated with a variety of payloads, we can assume
that it runs on an access-as-a-service model: different groups can use it to
conduct their own attacks, which makes it worth monitoring as an early stage of
larger threats entering a system.

Figure 1 illustrates its infection routine. It begins with a user searching for
specific information in a search engine. In this case, the user had searched for
the keywords “disclosure agreement real estate transaction”. A website
compromised by Gootkit operators was among the results, meaning that the user
did not open this compromised website by chance. Indeed, the operators had
tweaked the odds in their favor by using Search Engine Optimization (SEO)
poisoning to make this website rank high in the search results, leading the user
to visit the compromised website. This also means that the website’s URL will
not be available for long and that a full analysis would be difficult to conduct
if not done immediately.

Figure 1. The infection chain of Gootkit Loader as seen by MxDR

Upon opening the website, we found that it presented itself as an online forum
directly answering the victim's query. This forum hosted a ZIP archive
containing the malicious .js file. When the user downloaded and opened this file,
it spawned an obfuscated script which, through registry stuffing, wrote
encrypted code into the registry and added scheduled tasks for persistence. The
encrypted code in the registry was then reflectively loaded through PowerShell
to reconstruct a Cobalt Strike binary that runs directly in memory, without
being written to disk.

Much of what we have just described is still in line with the behavior we
reported in 2020, but with a few minor updates. This indicates that Gootkit
Loader is still actively being developed and has proved successful in
compromising unsuspecting victims.

Two noticeable changes stand out:

 * The lure now uses search terms for legal document templates instead of
   freeware installers.
 * The encrypted registry payload now uses a custom text-replacement algorithm
   instead of Base64 encoding.

The compromised website

Having traced the user's actions, we can now look at the website visited in the
attack. Threat actors often compromise a vulnerable or misconfigured website to
plant their malware or tools rather than create or register a new one for their
operation. Because Gootkit compromised a legitimate domain, the website was
likely to pass reputation services, and to an unsuspecting user it looked like a
harmless website for a singing and voice coach.

Figure 2. Homepage of the legitimate compromised website

A Google search for the downloaded file's name (“disclosure agreement real
estate transaction”) returns pages on this site whose content is unrelated to
the site's owner and purpose. None of these search results can be reached by
navigating from the site's homepage. This is evidence that the website was
compromised and that adversaries were able to inject or create new, unrelated
web content. Querying Shodan for the IP address hosting the website surfaced
further evidence of vulnerabilities.

Figure 3. Google searches reveal unwanted contents in the website

This tactic is nothing new for Gootkit. Coupled with SEO poisoning, Gootkit
operators can herd victims into a compromised website and bait them into
downloading a file they are looking for. For this incident, we were able to stop
Gootkit loader in its tracks before it dropped its payload. However, the user
had already visited the website, downloaded the malicious ZIP file, and opened
it. The unusual PowerShell script that resulted from these actions alerted us to
possible malicious activity. In this investigation, we try to piece together
what would have happened if the PowerShell script had not been flagged and had
been allowed to run. 

Investigation and analysis

As mentioned, the user visited the compromised website and downloaded the ZIP
archive using Google Chrome. As logged by Trend Micro Vision One™, the exact URL
they visited is as follows:

> hxxps://www[.]{domain
> name}[.]co[.]uk/forum[.]php?uktoz=znbrmkp&iepdpjkwxusknzkq=3147417f829ff54ffe9acd67bbf216c217b16d47ac6a2e02c1b42f603121c9ad4b18757818e0bbdd5bab3aa154e5794b

As of writing, this URL is no longer accessible. However, we were able to
analyze the ZIP archive downloaded by the user, named disclosure agreement real
estate transaction(8321).zip. In another instance, the archive was named tenancy
agreement between family members template(98539).zip. Both file names strongly
suggest that Gootkit now uses keywords referring to legal document templates to
lure users into downloading files; this choice of search term and topic is one
of the notable changes from past campaigns.

Figure 4. Vision One interface showing evidence of the user visiting the
compromised website and downloading the ZIP archive

The ZIP archive was successfully saved in the Downloads folder
C:\Users\{username}\Downloads\disclosure agreement real estate transaction
(8321).zip. 

Figure 5. The ZIP archive successfully saved in the user’s Downloads folder

The user then opened the .js file inside the ZIP archive, which spawned an
obfuscated PowerShell script. The detected command line ran wscript.exe, the
default script interpreter on Windows, against the malicious JavaScript file.
The path shows that the user opened the file from inside the archive, so Windows
extracted it into a Temp1_ folder under the user's temporary directory:

> C:\Windows\System32\WScript.exe

> C:\Users\{username}\AppData\Local\Temp\Temp1_disclosure agreement real estate
> transaction(8321).zip\disclosure_agreement_real_estate_transaction 3994.js

Figure 6. Obfuscated PowerShell Script spawned through the .js file

Using Vision One's AMSI telemetry, the team was able to view the decoded script
at runtime and reconstruct the order of events it generated. The decoded script
lists three potentially compromised domains, all of them legitimate websites.
Gootkit selects only one of them and constructs the full URL from which it
fetches the next stage. The three domains are:

 * learn[.]openschool.ua – Education
 * lakeside-fishandchips[.]com – Restaurants and food
 * kristinee[.]com  – Personal sites

Figure 7. Decoded script logged by Vision One’s AMSI telemetry

Decoding the script also showed that two stages of script are used to complete
the operation. The first stage script does the following:

 * It checks for the registry key HKCU\PJZTLE and creates it if not found. This
   serves as an infection marker, as discussed in our previous blog.
 * It then checks whether the current user is logged in to a domain, a check
   likely intended to evade sandbox tools.
 * Next, it connects to the constructed URL to fetch the next script to be
   executed. In this case, it retrieved the second stage script from
   hxxps://learn[.]openschool[.]ua/test.php?mthqpllauigylit=738078785565141.
 * It then sleeps for 10 seconds before running the fetched code.

Figure 8. First stage script execution flow as logged by Vision One’s AMSI
telemetry

The second stage script, retrieved from the compromised website above, does the
following:

 * It gets the current username from the environment.
 * It checks for the target registry key and creates it if it does not exist.
   It then performs registry stuffing for persistence: two sets of registry
   values are created, each containing an encrypted binary to be decoded and
   executed later:
    * HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\{loggedOnUser}\{consecutive
      numbers}, which holds the binary payload encrypted with the custom
      text-replacement scheme
    * HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\{loggedOnUser}0\{consecutive
      numbers}, which holds the hex-encoded binary used to decode and execute
      the first
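Registry stuffing is easiest to understand by reconstructing it. The Python below is an added example, not Trend Micro's code or the Gootkit script: it builds a constructed snapshot of the two keys described above, reassembles the consecutively numbered values in numeric order, and decodes each with the scheme the article attributes to it (hex for {loggedOnUser}0, text replacement for {loggedOnUser}). The replacement table and both blobs are stand-ins, since the loader's real table is not given in the article. It also shows why value names must be sorted numerically rather than as strings when carving such a payload out of a registry export.

```python
import hashlib

# Constructed stand-in for the loader's custom text-replacement scheme: every
# hex digit of the payload is swapped for a letter. The real table used by
# Gootkit is not given in the article; this one is an assumption for the demo.
HEX_TO_TEXT = dict(zip("0123456789abcdef", "qwertyuiopasdfgh"))
TEXT_TO_HEX = {t: h for h, t in HEX_TO_TEXT.items()}


def encode_replacement(data: bytes) -> str:
    return "".join(HEX_TO_TEXT[c] for c in data.hex())


def decode_replacement(text: str) -> bytes:
    return bytes.fromhex("".join(TEXT_TO_HEX[c] for c in text))


def decode_hex(text: str) -> bytes:
    return bytes.fromhex(text)


def stuff(encoded: str, chunk: int) -> dict:
    """Split an encoded blob into consecutively numbered registry values."""
    return {str(i): encoded[j:j + chunk]
            for i, j in enumerate(range(0, len(encoded), chunk))}


# Constructed payloads standing in for the two blobs the second stage writes.
PAYLOAD = b"MZ\x90\x00" + bytes(range(256))          # the "final payload"
STAGE = b"<reflective loader stub, constructed>"       # the hex-encoded decoder

# Constructed snapshot of the two stuffed keys (key names per the article,
# username assumed). 520 hex chars in 50-char chunks gives values "0".."10".
REG_SNAPSHOT = {
    r"HKCU\SOFTWARE\Microsoft\Phone\jdoe": stuff(encode_replacement(PAYLOAD), 50),
    r"HKCU\SOFTWARE\Microsoft\Phone\jdoe0": stuff(STAGE.hex(), 16),
}


def reassemble(values: dict, decode) -> bytes:
    """Join numbered values in numeric order and decode them.

    Numeric ordering matters: a lexical sort puts "10" before "2" and would
    silently corrupt the blob. Missing chunks are reported, not skipped.
    """
    names = sorted(int(k) for k in values)
    if names != list(range(len(names))):
        raise ValueError(f"non-consecutive value names: {names}")
    return decode("".join(values[str(i)] for i in names))


def reassemble_lexical(values: dict, decode) -> bytes:
    """The wrong way: what a naive string sort of value names produces."""
    return decode("".join(values[k] for k in sorted(values)))


def carve(snapshot: dict) -> dict:
    """Reassemble both keys and hash the results for IOC matching.

    Per the article, the key suffixed with 0 holds the hex-encoded decoder and
    the unsuffixed key holds the text-replaced payload.
    """
    out = {}
    for key, values in snapshot.items():
        decode = decode_hex if key.endswith("0") else decode_replacement
        blob = reassemble(values, decode)
        out[key] = (blob, hashlib.sha256(blob).hexdigest())
    return out


if __name__ == "__main__":
    for key, (blob, digest) in carve(REG_SNAPSHOT).items():
        print(f"{key}: {len(blob)} bytes, sha256={digest}, magic={blob[:2]!r}")
```

On a live export, feed `carve()` the values read from the two keys (for example from `reg export` or a forensic hive parser) and compare the resulting SHA-256 against the IOC list below.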

Figure 9. Registry stuffing on \Phone\{loggedOnUser}\ as logged by Vision One's
AMSI telemetry
Figure 10. Registry stuffing on \Phone\{loggedOnUser}0\ as logged by Vision
One's AMSI telemetry

After these two stages, the loader executes two further encrypted PowerShell
scripts, also logged by AMSI telemetry. The first decrypts the binary stored
under \Phone\{loggedOnUser}0\, reflectively loads it, and calls a function named
“Test”.

Figure 11. Decoded first PowerShell script as logged by Vision One’s AMSI
telemetry

The second PowerShell script installs a persistence mechanism via a scheduled
task, using the username as the task name.

Figure 12. Decoded second PowerShell script as logged by Vision One’s AMSI
telemetry

The scheduled task loads the binary from the \Phone\{loggedOnUser}0 registry
key, which in turn decrypts and executes the final payload stored under
\Phone\{loggedOnUser} using the same reflective code loading technique.

The final payload in this instance was a Cobalt Strike binary, which was also
observed connecting to a Cobalt Strike command-and-control (C&C) server.
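Taken together, the chain above gives an endpoint analyst several cheap detections: a .js opened from inside a ZIP (the Temp1_ extraction folder in the wscript.exe command line), a script host spawning PowerShell, the HKCU\PJZTLE marker key, dozens of consecutively numbered values written under HKCU\SOFTWARE\Microsoft\Phone\{user}, and a scheduled task named after the logged-on user. The Python below is an added example, not Trend Micro's or Vision One's code; it runs those checks over a constructed batch of Sysmon-like events. The event field names, the 10-value threshold for registry stuffing and the sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-like telemetry modelled on the chain in the article:
# explorer hands the .js to WScript.exe, which spawns PowerShell; PowerShell
# then writes the marker key, stuffs the registry and creates a scheduled
# task named after the user. Field names and the username are assumptions.
EVENTS = [
    {"type": "process", "pid": 4321, "ppid": 2200,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": (r'"C:\Windows\System32\WScript.exe" '
                 r'"C:\Users\jdoe\AppData\Local\Temp\Temp1_disclosure agreement '
                 r'real estate transaction(8321).zip\disclosure_agreement_real_estate_transaction 3994.js"'),
     "user": r"CORP\jdoe"},
    {"type": "process", "pid": 4400, "ppid": 4321,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <omitted>", "user": r"CORP\jdoe"},
    {"type": "registry", "pid": 4400, "op": "CreateKey", "key": r"HKCU\PJZTLE"},
    {"type": "schtask", "pid": 4400, "name": "jdoe", "user": r"CORP\jdoe"},
]
# Registry stuffing: 40 numbered values under \Phone\jdoe, 5 under \Phone\jdoe0.
EVENTS += [{"type": "registry", "pid": 4400, "op": "SetValue",
            "key": r"HKCU\SOFTWARE\Microsoft\Phone\jdoe\%d" % i} for i in range(40)]
EVENTS += [{"type": "registry", "pid": 4400, "op": "SetValue",
            "key": r"HKCU\SOFTWARE\Microsoft\Phone\jdoe0\%d" % i} for i in range(5)]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Windows extracts a file opened from inside a ZIP to %TEMP%\Temp1_<zip name>\.
JS_FROM_ZIP = re.compile(r"\\Temp1_[^\\]+\.zip\\[^\\]+\.js\b", re.I)
MARKER_KEY = r"hkcu\pjztle"
PHONE_KEY = re.compile(r"^HKCU\\SOFTWARE\\Microsoft\\Phone\\([^\\]+)\\\d+$", re.I)
MIN_STUFFED_VALUES = 10  # assumed threshold; tune to your environment


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) findings for a batch of events."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    stuffed = defaultdict(int)  # (pid, subkey) -> numbered values written

    for e in events:
        if e["type"] == "process":
            name = image_name(e["image"])
            if name in SCRIPT_HOSTS and JS_FROM_ZIP.search(e["cmdline"]):
                findings.append(("js_opened_from_zip", e["pid"], e["cmdline"]))
            parent = procs.get(e["ppid"])
            if (name == "powershell.exe" and parent
                    and image_name(parent["image"]) in SCRIPT_HOSTS):
                findings.append(("script_host_spawned_powershell", e["pid"],
                                 parent["image"]))
        elif e["type"] == "registry":
            if e["key"].lower() == MARKER_KEY:
                findings.append(("gootkit_infection_marker", e["pid"], e["key"]))
            m = PHONE_KEY.match(e["key"])
            if m:
                stuffed[(e["pid"], m.group(1))] += 1
        elif e["type"] == "schtask":
            account = e["user"].rsplit("\\", 1)[-1].lower()
            if e["name"].lower() == account:
                findings.append(("task_named_after_user", e["pid"], e["name"]))

    for (pid, subkey), n in stuffed.items():
        if n >= MIN_STUFFED_VALUES:
            detail = r"HKCU\SOFTWARE\Microsoft\Phone" + "\\%s (%d values)" % (subkey, n)
            findings.append(("registry_stuffing", pid, detail))
    return findings


def rule_names(findings):
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Any one of these rules fires on benign activity now and then (a user double-clicking a .js from an archive, for example), so the value is in correlating them on the same host and process tree within a short window, as the MxDR team did here with the PowerShell alert.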

The Cobalt Strike payload

The Cobalt Strike binary, reflectively loaded directly into memory, was seen
connecting to the IP address 89[.]238[.]185[.]13. Using internal and external
threat intelligence, the team validated that this IP address is a Cobalt Strike
C&C server. Cobalt Strike is a post-exploitation tool whose main payload, the
Beacon component, allows the execution of PowerShell scripts, keystroke logging,
screenshots, file downloads, and the spawning of other payloads.

Figure 13. Cobalt Strike C&C based on the graph from VirusTotal

Security recommendations

One key takeaway from this case is that Gootkit is still active and improving
its techniques, which implies that the operation remains effective and that
other threat actors continue to use it. Users are likely to encounter Gootkit
in future campaigns, probably with new ways of trapping victims.

This threat also shows that SEO poisoning remains an effective tactic for luring
unsuspecting users. The combination of SEO poisoning and compromised legitimate
websites masks the indicators of malicious activity that would usually keep
users on their guard. Such tactics highlight the importance of user awareness
and the responsibility of website owners to keep their sites secure.

Organizations can help by conducting security awareness training that empowers
employees to recognize and protect themselves against the latest threats. In
this instance, for example, the threat could have been avoided earlier if the
user had been more wary of downloading and opening JavaScript files. Website
owners, for their part, should choose web hosting providers that emphasize
security on their own servers.

This case highlights the importance of 24/7 monitoring. Notably, cross-platform
XDR prevented this attack from escalating, since we were able to isolate the
affected machine quickly, stopping the threat from inflicting further damage on
the network. A Cobalt Strike payload can otherwise lead to worse problems, such
as ransomware deployment, credential dumping for lateral movement, and data
exfiltration. The managed XDR service prevented all of this from being realized.

Organizations can consider Trend Micro Vision One, which offers the ability to
detect and respond to threats across multiple security layers. It can isolate
endpoints, which are often the source of infection, until they are fully cleaned
or the investigation is done.

Indicators of compromise (IOCs)

Trojan.BAT.POWLOAD.TIAOELD

 * cbc8733b9079a2efc3ca1813e302b1999e2050951e53f22bc2142a330188f6d4
 * f1ece614473c7ccb663fc7133654e8b41751d4209df1a22a94f4640caff2406d

Trojan.PS1.SHELLOAD.BC

 * 8536bb3cc96e1188385a0e230cb43d7bdc4f7fe76f87536eda6f58f4c99fe96b

URLs

 * hxxps://www[.]{domain
   name}[.]co[.]uk/forum[.]php?uktoz=znbrmkp&iepdpjkwxusknzkq=3147417f829ff54ffe9acd67bbf216c217b16d47ac6a2e02c1b42f603121c9ad4b18757818e0bbdd5bab3aa154e5794b&pohokt=ifgde
   = Disease vector
 * hxxps://learn[.]openschool.ua/test[.]php?mthqpllauigylit=738078785565141 =
   Disease vector
 * 89[.]238[.]185[.]13 = C&C server (Cobalt Strike IP address)

Tags
Articles, News, Reports | Research | Cyber Threats


AUTHORS

 * Buddy Tancio
   
   Threats Analyst

 * Jed Valderama
   
   Threats Analyst

 * ADHD Friendly Profile: this profile significantly reduces distractions and
   noise to help people with ADHD, and Neurodevelopmental disorders browse,
   read, and focus on the essential elements more easily.
 * Blind Users Profile (Screen-readers): this profile adjusts the website to be
   compatible with screen-readers such as JAWS, NVDA, VoiceOver, and TalkBack. A
   screen-reader is installed on the blind user’s computer, and this site is
   compatible with it.
 * Keyboard Navigation Profile (Motor-Impaired): this profile enables
   motor-impaired persons to operate the website using the keyboard Tab,
   Shift+Tab, and the Enter keys. Users can also use shortcuts such as “M”
   (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics) to
   jump to specific elements.

Additional UI, design, and readability adjustments
 1. Font adjustments – users can increase and decrease its size, change its
    family (type), adjust the spacing, alignment, line height, and more.
 2. Color adjustments – users can select various color contrast profiles such as
    light, dark, inverted, and monochrome. Additionally, users can swap color
    schemes of titles, texts, and backgrounds with over seven different coloring
    options.
 3. Animations – epileptic users can stop all running animations with the click
    of a button. Animations controlled by the interface include videos, GIFs,
    and CSS flashing transitions.
 4. Content highlighting – users can choose to emphasize essential elements such
    as links and titles. They can also choose to highlight focused or hovered
    elements only.
 5. Audio muting – users with hearing devices may experience headaches or other
    issues due to automatic audio playing. This option lets users mute the
    entire website instantly.
 6. Cognitive disorders – we utilize a search engine linked to Wikipedia and
    Wiktionary, allowing people with cognitive disorders to decipher meanings of
    phrases, initials, slang, and others.
 7. Additional functions – we allow users to change cursor color and size, use a
    printing mode, enable a virtual keyboard, and many other functions.

Assistive technology and browser compatibility

We aim to support as many browsers and assistive technologies as possible, so
our users can choose the best fitting tools for them, with as few limitations as
possible. Therefore, we have worked very hard to be able to support all major
systems that comprise over 95% of the user market share, including Google
Chrome, Mozilla Firefox, Apple Safari, Opera and Microsoft Edge, JAWS, and NVDA
(screen readers), both for Windows and MAC users.

Notes, comments, and feedback

Despite our very best efforts to allow anybody to adjust the website to their
needs, there may still be pages or sections that are not fully accessible, are
in the process of becoming accessible, or are lacking an adequate technological
solution to make them accessible. Still, we are continually improving our
accessibility, adding, updating, improving its options and features, and
developing and adopting new technologies. All this is meant to reach the optimal
level of accessibility following technological advancements. If you wish to
contact the website’s owner, please use the website's form
