Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything I thought might be useful for analysis. This site uses Google Analytics.

4n6 WEEK 50 – 2022 - MALWARE

This entry shows the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics); it was generated and posted automatically so that I can skim through and pick the articles to check. 4n6 itself can be found here. Donations via "Buy me a coffee" are appreciated.

MALWARE

ASEC

In August, the ASEC analysis team made a post on the malware being distributed with filenames that utilize RTLO (Right-To-Left Override). RTLO is a Unicode control character that overrides the text direction from right to left. This type of malware induces users to execute its files by mixing filenames with extensions, and its distribution still continues to this day. RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github: As of November 30th, 2022, when the keywords based on the last blog post are en...

The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The phishing email contains a notice on airline ticket payment, inducing the reader to connect to the disguised phishing page with specific ticket prices and details that imply that the sender has background information on the reader. The subject and the body of the email are shown below. [Figure 1. Subject and body of the email] When the attached HTML file i...

In mid-2022, the ASEC analysis team shared that malware with the XLL file format (file extension: .xll) was being distributed via email. The XLL file has the DLL form of a PE (Portable Executable) file but is executed with Microsoft Excel. Since then, this type of malware had not been distributed actively, but for the first time in a long while, we found that it was being distributed with the filename 'Resume.xll'. Post from May 20th, 2022: XLL Malware Distributed Through Email. Post from Nov 21st...

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 28th, 2022 (Monday) to December 4th, 2022 (Sunday). For the main category, Infostealer ranked top with 34.8%, followed by downloader with 28.2%, backdoor with 21.1%, ransomware with 14.6%, and CoinMiner with 0.3%. Top 1 – SmokeLoader: SmokeLoader is an infostealer/downloader malware that is distributed via exploit kits. This...

The ASEC analysis team has recently detected the distribution of a phishing email impersonating a non-profit quasi-governmental organization. Since the email is using a webpage disguised as a login page of GobizKOREA serviced by Korea SMEs and Startups Agency (KOSME), users who are working in the trading industry should take extra caution. The figure below shows the email’s subject and body. It tells the reader that a new inquiry from a buyer was registered. Since all five hyperlinks in the emai...

ASEC Weekly Phishing Email Threat Trends (November 20th, 2022 – November 26th, 2022). The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 20th, 2022 to November 26th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or imper...

Assume-breach

Welcome back! In this installment of Home Grown Red Team, we’re going to make some malware. Most of the techniques we are going to go over were learned from the Sektor 7 Malware Essentials Course. I can’t recommend that course enough! So, if you have an interest in creating droppers, head over to their site and take their courses. It should be said from the beginning that this is not a FUD malware type of post. There are a lot of those out there, but that’s not the goal of this. This is jus...

CTF导航

Flare-On 9 Challenge 8 "BackDoor" Write-Up (1 week ago, admin). This article is a featured post from the 看雪 forum; 看雪 forum author ID: wmsuper. 1. Overview: This year's Flare-On 9 CTF, hosted by FireEye, has just ended, and next I will present my approach to challenge 8, BackDoor, which left the deepest impression on me. 2. C# deobfuscation. Obfuscation principle: Opening the exe in dnSpy, there is no doubt that this C# program has been obfuscated, but not with any known obfuscator, so it cannot be deobfuscated directly with de4dot. First layer of obfuscation: Let us first briefly analyze how the obfuscation works and then undo it based on that. Analysis shows that most functions invoke the decryption of their method body by triggering an exception, as shown below: the flare_71 method uses DynamicMethod to perform a dynamic call based on the bytecode array passed in. These protected methods also have a very obvious characteristic: they begin with two NOPs and call flare_71. Knowing this, we can write code to undo the first layer of obfuscation. The code below automatically finds the functions matching this pattern, calls the relevant methods inside the target exe and patches the exe: private static void flareon_wrap_decrypt(IList<TypeDef> typeD...

Cybereason

Threat Analysis: MSI - Masquerading as a Software Installer. Written by the Cybereason Global SOC Team, December 5, 2022 | 16 minute read. The Cybereason Global Security Operations Center (GSOC) issues a Purple Team Series of its Threat Analysis reports to provide a technical overview of the technologies and techniques threat actors use to compromise victims’ machines. In this Threat Analysis report, the Cybereason GSOC team analyzes a technique that utilizes Microsoft’s Windows Installation file (.msi...

Simon Kenin at Deep Instinct

Simon Kenin, Threat Intelligence Researcher. The Polonium APT group activity was first detected by Microsoft in June 2022. The group is based in Lebanon and exclusively attacks Israeli companies. The group takes its name from chemical elements in the periodic table: “Polonium is a chalcogen. A rare and highly radioactive metal with no stable isotopes.” At the beginning of October 2022, ESET published comprehensive research about the threat group, which included over a hundred hashes of malicious files....

A new MuddyWater threat campaign was discovered by Deep Instinct. We analyze this threat below. Simon Kenin, Threat Intelligence Researcher, Deep Instinct Threat Lab. MuddyWater, also known as Static Kitten and Mercury, is a cyber espionage group that’s most likely a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017 MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, def...

Didier Stevens


Esentire


Fatih Yilmaz

05 Dec 2022 What is PE? PE (Portable Executable) files are files that can be moved and run between Windows systems without compatibility problems. To be portable, a common language/architecture must be defined for all devices: data that means “A” on one device must mean “A” on another device. Here, too, an architecture emerges. For example, it is known by all devices that the ImageBase data is represented at address 0x24 of a portable file, and the file is interpreted and executed accordingly. I...

05 Dec 2022 What is PE? PE (Portable Executable), that is, portable executable files, are files that can be moved and run between Windows systems without compatibility problems. To be portable, a common language/architecture must be defined for all devices: data that means “A” on one device must also mean “A” on another device. Here, too, an architecture emerges. For example, it is known by all devices that the ImageBase data is carried at address 0x24 of a portable file...

08 Dec 2022 What is Assembly? In the first years of computers, different processor architectures began to be produced. These architectures are the rules that determine the code that can be run on them and the results of the code that is run. I don't want to dive too deeply into the history (I don't know that much :) ); the Assembly language that has survived to the present day and that will be discussed in this blog post is the x86 Assembly language created for the Intel 8086 architecture. Assembly is one of the low-level languages. From machine code...

09 Dec 2022 What is Assembly? In the first years of computers, different processor architectures began to be produced. These architectures are the rules that determine the code that can be run on them and the results of the code that is run. I don’t want to dive too far into its history (I don’t know too much :)); the Assembly language that has survived to the present day and will be discussed in this blog post is the x86 Assembly language created for the Intel 8086 architecture. Assembly is one of t...

Fortinet

By Gergely Revay | December 05, 2022 In the last issue of our Ransomware Roundup series, we discussed a publicly available open-source ransomware toolkit called Cryptonite. As part of that investigation, we also discovered a Cryptonite sample in the wild that never offers the decryption window, instead acting as a wiper. We recently saw an increase in ransomware intentionally turned into wiper malware, primarily as part of a political campaign. So in this post, we take a closer look at the Crypt...

By Cara Lin | December 06, 2022 In November, FortiGuard Labs observed a unique botnet written in the Go language being distributed through IoT vulnerabilities. This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol. Based on the trigger counts of some IPS signatures (shown in Figure 1), this campaign started its distribution of the cur...

By Jin Lee | December 08, 2022 Our Fortinet Advanced Research Team recently discovered a 0-day attack in a PyPI package (Python Package Index) called “shaderz”. It was discovered on December 6, 2022, through a system we use to monitor open-source ecosystems. This Python package was published on December 2, 2022, as shown in its official PyPI repository. Our suspicions were initially raised because it only has one published version, 0.0.1, and does not include a clear description of the package, ...

By Shunichi Imano and Fred Gutierrez | December 08, 2022 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers Vohuk, ScareCrow, and AERST ransomware. Affected p...

Igor Skochinsky at Hex Rays

InfoSec Write-ups

In the first part we discussed some common techniques used by malware authors to protect their applications from reverse engineering. In this second part, we will take a look at more methods and techniques used to detect and prevent reverse engineering. Debugger Detecting: Code Execution Timing technique: When using a debugger to analyze an executable, sometimes we use single-step execution to go through some assembly instructions; the time of execution will be much longer than normal execution, l...

Lacework

Lacework Labs December 6, 2022 Hackers may hijack AWS infrastructure for a number of reasons. However, the most common motives are to facilitate illicit cryptomining or spamming. While cryptomining is more profitable on infrastructure owned by somebody else, the same can also be said for SMTP abuse and spam. Over the past year, nearly a third of compromised key incidents observed by Lacework are believed to be for the purposes of spamming or malicious email campaigns. And the majority of this ac...

Théo Letailleur at Synacktiv

PrideLocker - a new fork of Babuk ESX encryptor. Written by Théo Letailleur - 05/12/2022 - in CSIRT. A few months after the leak of Babuk source code in September 2021, new ransomware families with very similar capabilities already seem to emerge. During an incident resp...

Ana Maria Martinez Gomez, Blaine Stancill, and Moritz Raabe at Mandiant

FLARE VM: A FLAREytale Open to the Public. Ana Maria Martinez Gomez, Blaine Stancill, Moritz Raabe. Dec 05, 2022, 6 min read | Last updated: Dec 08, 2022. FLARE, Reverse Engineering. FLARE VM is a collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a virtual machine (VM). Thousands of reverse engineers, malware analysts, and security researchers rely on FLARE VM to configure Windows and to install an expert ...

Morphisec

Babuk Ransomware Found in Major Attack. Posted by Morphisec Labs on December 7, 2022. During November, Morphisec identified a brand-new variant of Babuk ransomware while investigating a customer's prevention event. Babuk was first discovered at the beginning of 2021, when it began targeting businesses to steal and encrypt data in double-extortion attacks. Later in the year, a threat actor leaked the complete source code for Babuk on a Russian-speaking hacking forum. Now threat actors have co...

Louis Lang at Phylum

Phylum Detects Ongoing Typosquat/Ransomware Campaign in PyPI and NPM. Malicious packages that download ransomware binaries written in Golang published today, with more expected in the coming hours. Published on Dec 09, 2022. Written by Louis Lang, CTO. An Ongoing Attack Against Python and Javascript Developers. Update Dec 13: Malware author continues to publish packages to PyPI. We identified these packages within 20m of publication and got them removed. Update Dec 09: This actor is now active...

Poncho

05 Dec, 2022 Blurb With the beta release of the Huntress macOS agent, I wanted to share some of the Apple-y stuff we’ve been up to behind the scenes. In this article, we’ll put our red team hats on and look at a macOS ransomware script and discuss how I improved its offensive efficiency. "Macs don't get malware, stupid." An interesting urban myth of information security is that Apple products don’t get malware. Now, whilst this is nonsense, of course it’s important that we briefly look at what i...

Securelist

If one sheep leaps over the ditch, the rest will follow. This is an old saying, found in various languages, and it can be applied to ransomware developers. In previous blog posts, we highlighted an increase in the popularity of platform-independent languages and ESXi support, and recently, we wrote about ransomware borrowing these propagation methods. Last month, we wrote in our crimeware reporting service about further ransomware variants that now had their own methods for copying and executing...

Publications, 06 Dec 2022. Author: Olga Svistunova. There are two main types of online fraud aimed at stealing user data and money: phishing and scams. Phishers primarily seek to extract confidential...

APT reports, 08 Dec 2022. Authors: GReAT. “Dosen't matter how long you wait for the bus on a rainy day, X seconds was enough to get wet?” Just to clarify, the above subheading isn’t a normal quote, but a message that Janicab malware at...

Software, 09 Dec 2022. Author: Igor Kuznetsov. Getting started with Ghidra. For about two decades, being a reverse engineer meant that you had to master the ultimate disassembly tool, IDA Pro. Over the years, many other tools were created to complement or directly replace it, but only ...

Secureworks

Research & Intelligence. Drokbk Malware Uses GitHub as Dead Drop Resolver: A subgroup of the Iranian COBALT MIRAGE threat group leverages Drokbk for persistence. Friday, December 9, 2022. By: Counter Threat Unit Research Team. Secureworks® Counter Threat Unit™ (CTU) researchers are investigating the Drokbk malware, which is operated by a subgroup of the Iranian government-sponsored COBALT MIRAGE threat group. This subgroup is known as Cluster B. Drokbk is written in .NET and is made up of a dropper ...

Phil Stokes at SentinelOne

December 7, 2022 by Phil Stokes. 2022 saw a number of significant malware campaigns targeting the macOS platform and the emergence of ten new malware strains or campaigns targeting Apple Mac users. In this post, we review the essential behavior of each threat, offer primary IOCs for defenders, and provide links to further insights and analyses on each malware discovery. Summary of Key Trends Emerging During 2022: Mac malware across 2022 has shown some interesting consistencies in approach from...

ThreatFabric

08 December 2022. Targeting different platforms and introducing Zombinder: The history of the threat landscape has seen several cases of threat actors using Trojans targeting different platforms and systems. This time, while analyzing the activity of the Android banking Trojan Ermac, ThreatFabric’s analysts discovered a campaign employing several Trojans...

Oleg Boyarchuk and Stefano Ortolani at VMware Security

WeLiveSecurity

ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper, with victims including the diamond industry. Adam Burgher, 7 Dec 2022 - 11:30AM. ESET researchers discovered a new wiper and its execution tool, both attributed to the Agrius APT group, while analyzing a...

9 Dec 2022 - 12:15PM. Xenomorph pilfers victims’ login credentials for banking, payment, social media, cryptocurrency and other apps with valuable data. More than 50,000 Android devices were compromised with an Android banking trojan called Xenomorph earlier this year. First reported by ThreatFabric, Xenomorph posed as a system-optimizing app called “Fast Cleaner”. Disguising malicious software as device optimizers, battery- or performance-enhancing and other utility tools is a rather common...

Nipun Gupta at Zimperium