Analysis Memo

A place for notes on malware I have analysed and on anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 51 – 2022 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that you can skim through them and pick which ones to read. 4n6 itself can be found here. Donations via "Buy me a coffee" are appreciated.

MALWARE

0day in {REA_TEAM}

MustangPanda – Enemy At The Gate; [QuickNote] CobaltStrike SMB Beacon Analysis; A Deep Dive into Zloader – the Silent Night; [QuickNote] Analysis of Pandora ransomware; [QuickNote] Techniques for decrypting BazarLoader strings; [QuickNote] Analysis of malware suspected to be an APT attack targeting Vietnam; [QuickNote] Emotet epoch4 & epoch5 tactics; REVERSING WITH IDA FROM SCRATCH (P37)

Abdallah Elshinbary

6 minute read. In the previous post we talked about writing x64dbg scripts, now let's dive deeper and write our own plugin to do the same job (automatically dumping unpacked PE payloads in memory). x64dbg comes with an integrated plugin SDK for creating plugins using C++. Setup: The easiest way to create a plugin is to use the PluginTemplate to create a new repository for your plugin. Next you can edit c...

5 minute read. x64dbg is an open-source x64/x32 debugger for Windows; it has dozens of features that make the life of reverse engineers and malware analysts easier. One of the coolest features of x64dbg is that it's extendable: it comes with a debuggable scripting language and a software development kit for writing your own plugins. In this post we will talk about x64dbg scripting and in the next one we will talk about plugins. Scripts are just a sequence of commands, you can see all the availabl...

Any.Run

December 13, 2022 · 7 min read. The End of Sodinokibi: the Infamous Ransomware Goes Down. Sodinokibi was, perhaps, the most ill-renowned ransomware. While it was active, it netted crooks hundreds of millions of dol...

ASEC

The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 27th, 2022 to December 3rd, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a...

Many corporations and users both in and outside Korea use Microsoft accounts to use major services offered by Microsoft, including Outlook, Office, OneDrive, and Windows. Users use integrated login to easily access all Microsoft services linked to their account. What does this mean for the threat actor? There is no better target for attacks because there is a large volume of information that can be gained using just one account. Particularly in the case of users that handle sensitive information...

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 5th, 2022 (Monday) to December 11th, 2022 (Sunday). For the main category, downloader ranked top with 44.3%, followed by Infostealer with 28.2%, backdoor with 18.3%, ransomware with 8.5%, and CoinMiner with 0.7%. Top 1 – Amadey This week, Amadey Bot ranked first place with 15.9%. Amadey is a downloader that can receive comm...

On December 9th, 2022, the ASEC analysis team discovered that Magniber Ransomware is being distributed again. During the peak of the COVID-19 outbreak, Magniber was found being distributed with COVID-19 related filenames alongside the previous security update related filenames.
C:\Users\$USERS\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msi
C:\Users\$USERS\Downloads\COVID.Warning.Readme.502ef18830aa097b6dd414d3c3edd5fb.msi
C:\Users\$USERS\Downloads\COVID.Warning.Readme.a179a924...

The ASEC analysis team discovered that the STOP ransomware is being distributed in Korea. This ransomware is being distributed at such a high volume that it ranks among the Top 3 in the ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022). The files currently being distributed are in the MalPe form, just like SmokeLoader and Vidar, and the filenames include a random 4-byte string as shown below. %SystemDrive%\users\[user]\appdata\local\temp\4316.exe %SystemDri...

Assume-breach

As promised during part 1 of this series, we have reached part 2! If you haven't read my first post, you can find it here. In the first part of this series, we wrote some malware, encrypted our payload with AES and XOR encrypted some WinAPI functions to bypass Windows Defender and some other AVs. That was a fun project, but let's take it a step further and create a script that will replicate the process and obfuscate the functions within our malware template so we get a new, unsignatured EXE ever...

Ayedaemon

auditing linux systems with auditd. December 11, 2022 · 12 min · ayedaemon. Audits are critical for system administrators to detect security violations and track security-relevant information on their systems. Anyone concerned about the security, stability, and proper operation of th...

Jiri Vinopal at Check Point Research

CTF导航

IDA Plugin Contest 2022 (reversing / malware analysis). Every year Hex-Rays holds a plugin contest for IDA, and every year it produces plugins of all kinds, from security teams as well as individual security researchers, each developed to solve a particular problem. This year nine plugins were shortlisted. The judges picked the following top three: ttdbg, ida_kcpp, FindFunc. Below is a brief introduction to the nine plugins in this year's contest. Condstanta: this plugin searches for constants used in conditional statements, whether in if or switch-case statements. Condstanta //github.com/Accenture/Condstanta. FindFunc: this plugin finds functions by matching a specific code pattern or byte pattern; it currently targets x86/x64 but also supports other architectures. FindFunc //github.com/FelixBer/FindFunc. FirmLoader: this plugin addresses the shortcomings of the SVD plugin; not only is it better at reading and writing XML, it also makes browsing the manufacturer/device list more convenient, which helps when analysing firmware. FirmLoader //github.com/A...

Cybereason

Written By Cybereason Global SOC & Cybereason Security Research Teams December 14, 2022 | 7 minute read The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ra...

Cyble

December 13, 2022 RAT capable of stealing Credit Card Information A RAT (Remote Access Trojan) is a tool used by Threat Actors (TAs) to gain full access and remote control of a victim’s machine, including mouse and keyboard control, file access, network resources access, etc. Cyble Research and Intelligence Labs (CRIL) has been actively monitoring such RATs and blogging about them as and when they emerge. Recently, CRIL came across a newer version of the popular malicious remote administration s...

December 16, 2022 Malware Modifies User’s .LNK files to Establish persistence During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign where we observed Threat Actors (TAs) dropping DarkTortilla malware. DarkTortilla is a complex .NET-based malware that has been active since 2015. The malware is known to drop multiple stealers and Remote Access Trojans (RATs) such as AgentTesla, AsyncRAT, NanoCore, etc. Recently, security researchers p...
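The Cyble excerpt above says the campaign rewrites a user's existing .LNK files, which is exactly the kind of artifact a triage script should be able to open without a Windows box. The block below is an added example, not code from the Cyble write-up and not a DarkTortilla signature: it parses the public MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the StringData fields) and flags shortcuts whose target or arguments point at an interpreter, ask for a hidden window, or carry an oversized argument string. The two shortcuts it checks are constructed in code (`build_lnk`), and the token list is a heuristic of my own, not something taken from the page.

```python
"""Triage of Windows shortcut (.lnk) files for tampered targets.

Added example, not code from the Cyble write-up. The parser follows the
public MS-SHLLINK layout; the sample shortcuts are constructed below and the
suspicious-token list is an assumption (a heuristic, not a DarkTortilla IOC).
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits from the ShellLinkHeader
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (  # StringData order is fixed by the spec
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised

# Heuristic (assumption): interpreters and flags rarely found in a user's own shortcuts
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32",
                     "regsvr32", "-enc", "hidden", "downloadstring", "iex ", "bypass")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields and ShowCommand of a shell link, or raise ValueError."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) precedes the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def assess_lnk(data: bytes) -> tuple:
    """Parse a shortcut and return (fields, list of reasons it looks tampered)."""
    fields = parse_lnk(data)
    reasons = []
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    for token in SUSPICIOUS_TOKENS:
        if token in target:
            reasons.append(f"token {token!r} in target/arguments")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("target opens minimised (SW_SHOWMINNOACTIVE)")
    if len(fields.get("arguments", "")) > 200:
        reasons.append("unusually long argument string")
    return fields, reasons


def build_lnk(show_command=1, **strings) -> bytes:
    """Construct a minimal Unicode .lnk (test fixture only, not a real-world sample)."""
    flags = IS_UNICODE | HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO
    id_list = struct.pack("<H", 4) + b"\x1f\x00" + struct.pack("<H", 0)  # one 4-byte ItemID + terminator
    body = struct.pack("<H", len(id_list)) + id_list
    body += struct.pack("<7I", 28, 28, 0, 0, 0, 0, 0)  # bare 28-byte LinkInfo header
    for flag, key in STRING_FIELDS:
        value = strings.get(key)
        if value is not None:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


# Constructed fixtures: an untouched shortcut and one rewritten to launch a hidden script
BENIGN_LNK = build_lnk(relative_path=r"..\..\..\Program Files\Notepad++\notepad++.exe")
TAMPERED_LNK = build_lnk(
    show_command=SW_SHOWMINNOACTIVE,
    name="Notepad++",
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=r'-WindowStyle Hidden -NoProfile -Command "& C:\Users\Public\update.bat"',
    icon_location=r"C:\Program Files\Notepad++\notepad++.exe",  # icon kept so the tile looks unchanged
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("tampered", TAMPERED_LNK)):
        fields, reasons = assess_lnk(blob)
        print(label, fields.get("relative_path"), reasons)
```

To run it over a profile, walk the user's Desktop, Start Menu and Quick Launch folders, feed each file's bytes to `assess_lnk`, and keep the icon_location field in the report: a shortcut whose icon still points at the original program while its target points at an interpreter is the pattern worth escalating.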

December 16, 2022 Cyble Research & Intelligence Labs (CRIL) investigated a fraudulent operation carried out by impostors posing as Village Level Entrepreneurs (VLEs) to dupe and scam Indian rural subscribers registering for Customer Service Point (Bank Mitra), an initiative under the Common Services Center (CSC) Scheme of the Ministry of Electronics and Information Technology (MEITY), India. According to official figures, CSC Bank Mitra has established over 8500 Customer Service Points or kiosks...

Jin Lee at Fortinet

By Jin Lee | December 14, 2022. In this second part of our Shaderz zero-day analysis, we look closely at its downloaded executables. Refer to Part One of this blog for more background. To start, we found that this is a multi-stage attack:
1. Stage one – connect to a suspicious URL to download the executable 'stub.exe' using the setup.py found in the package
2. Stage two – 'stub.exe' downloads another executable called 'main.exe'
3. Stage three – execute 'main.exe'
Downloaded stub.exe executable: As ...

Igor Skochinsky at Hex Rays

InfoSec Write-ups

Advent of Cyber 2022 [Day 12] Malware Analysis | Forensic McBlue to the REVscue! | Task 16 Answers Write-up and Walkthrough. By Karthikeyan Nagaraj. Task 16 — Malware Analysis: Forensic McBlue to the REVscue! Start the Machine and get into it. 1. What is the architecture of the malware sample? (32-bit/64-bit) Let's open the file with Detect It Easy. Detect It Easy, abbreviated "DIE", is a program for determining types of files. "DIE" is a cross-platform application; apart from the Windows version there are al...

Forensic McBlue to the REVscue! THM — AoC 2022 day 12. Malware: software created to harm a computer or an entire network. Goals: infiltrating networks, breaching sensitive data, disrupting operational services etc. Check for: network connections (external, and internal lateral movement, which is essentially a technique used to extend access to other hosts or applications), registry key modifications (registry run keys for example), file manipulations. Static and dynamic analysis. Static analysis: witho...

Andrey Polkovnychenko at JFrog

By Andrey Polkovnychenko December 13, 2022 8 min read SHARE: The JFrog Security Research team continuously monitors popular open-source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques. Use o...

John Hammond

YouTube video

Malvuln

YouTube video

YouTube video

OALABS Research

A closer look at this infamous loader. Dec 16, 2022 · 1 min read. Tags: guloader, unicorn, emulation, anti-debug, debugging, config. Sample: 14d52119459ef12be3a2f9a3a6578ee3255580f679b1b54de0990b6ba403b0fe (malshare). References: Defeating Guloader Anti-Analysis Technique; Dissecting the new shellcode-based variant of GuLoader (CloudEyE); Spoofed Saudi Purchase Order Drops GuLoader – Part 2. Analysis, Stage 1: `file_data = open('/tmp/stage1.bin','rb').read()` i...

Phylum

Monitoring the communications of software supply chain malware authors that really don't like Phylum. Published on Dec 13, 2022. Written by Louis Lang, CTO. Category: Research. Overview: Phylum has been busy in 2022, disrupting actors keen on publishing malware into open-source ecosystems, helping to identify and remove malicious software packages, and poking fun at the attackers to their faces. We released our initial findings in November on the W4SP crew, a group of actors responsible for the ...

In case the threat actors haven't figured it out yet, Phylum has a fully automated package monitoring and analysis platform that works quickly and efficiently at scale. We literally get pinged every time you publish your malware. You can keep spinning the hamster wheel, but you won't get very far. Published on Dec 15, 2022. Written by The Phylum Research Team. This one will be short and sweet! Since our last W4SP Stealer update, we've seen at least an additional 47 packages containing W4SP S...

Sonatype

Malware Monthly - November 2022. December 15, 2022. By Sonatype Developer Relations. 12 minute read time. Welcome to the first edition of Malware Monthly, where our teams of security researchers and developer advocates bring you the latest information on malicious and suspicious packages discovered in software registries. As developers, it is important to stay informed about the latest security vulnerabilities and threats in order to keep your build environments protected. This monthly public...

Thomas Roccia

This is a list of various resources to learn more about malware techniques, how to analyse them and how to improve your detection! This thread was originally posted on Twitter and saved here! 🤓 #1: The Unprotect Project. Of course, I couldn't start this thread without talking about this project we started in 2015. Unprotect Project is a database about malware evasion techniques with code snippets and detection rules. 🌐 (unprotect.it) #2: The LolBas project. Living off the land refers to the use of dual...

ThreatFabric

15 December 2022. A varied and wild landscape: The mobile malware landscape of the LATAM region, more specifically Brazil, has recently risen to prominence in the news due to families like Brata and Amextroll, extending their reach all the way to Europe. ThreatFabric has already reported at length about these families. Howeve...

Trend Micro

Cloud | Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT. We intercepted a cryptocurrency mining attack that incorporated an advanced remote access trojan (RAT) named the CHAOS Remote Administrative Tool. By: David Fiser, Alfredo Oliveira. December 12, 2022. We've previously written about cryptojacking scenarios involving Linux machines and specific cloud computing instances being targeted by threat...

Ransomware | Agenda Ransomware Uses Rust to Target More Vital Industries. This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agenda's Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works. By: Nathaniel Morales, Ivan Nicole Chavez, Nathaniel Gregory Ragasa, Don Ovid Ladores, Jeffrey Francis Bonaobra, Monte de Je...

Zhassulan Zhussupov

Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example. 2 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is based on my own research into one of the more interesting malware persistence tricks: via UserInitMprLogonScript value. UserInitMprLogonScript Windows enables the execution of logon scripts whenever a user or group of users logs into a system. Adding a script’s path to the HKCU\Environment\UserInitMprLogonScript Re...
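The post above shows the offensive side: write a script path into HKCU\Environment\UserInitMprLogonScript and Windows runs it at the next logon. The block below is the matching detection, added here as an example and not taken from that post or its C++ code. It reads Sysmon Event ID 13 (RegistryEvent, value set) records in Windows Event XML form and alerts on any SetValue write to that value under a user hive, reporting the SID, the writing process and the script path that will execute. Field names (EventType, UtcTime, ProcessId, Image, TargetObject, Details, User) are Sysmon's own; the three events, the SID, the host name and the paths are constructed for the example.

```python
"""Flag UserInitMprLogonScript persistence in Sysmon registry events.

Added example, not code from the post above. Reads Sysmon Event ID 13 records
(value set) and alerts on writes to Environment\\UserInitMprLogonScript in any
user hive. SAMPLE_EVENTS is constructed: the SID, host, image and paths are made up.
"""
import re
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Sysmon logs the live user hive as HKU\<SID>; an HKCU spelling is accepted as well
LOGON_SCRIPT_RE = re.compile(
    r"^(?:HKU|HKEY_USERS)\\(?P<sid>S-1-5-21-[\d-]+)\\Environment\\UserInitMprLogonScript$"
    r"|^(?:HKCU|HKEY_CURRENT_USER)\\Environment\\UserInitMprLogonScript$",
    re.IGNORECASE,
)

SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2022-12-16 10:21:07.114</Data>
    <Data Name="ProcessId">4128</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\pers.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\UserInitMprLogonScript</Data>
    <Data Name="Details">C:\Users\Public\Libraries\logon.bat</Data>
    <Data Name="User">DESKTOP-A1\alice</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2022-12-16 10:22:40.002</Data>
    <Data Name="ProcessId">912</Data>
    <Data Name="Image">C:\Windows\System32\SystemPropertiesAdvanced.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\Path</Data>
    <Data Name="Details">C:\Tools</Data>
    <Data Name="User">DESKTOP-A1\alice</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>12</EventID></System>
  <EventData>
    <Data Name="EventType">CreateKey</Data>
    <Data Name="UtcTime">2022-12-16 10:23:01.500</Data>
    <Data Name="ProcessId">4128</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\pers.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment</Data>
    <Data Name="User">DESKTOP-A1\alice</Data>
  </EventData>
</Event>
</Events>
"""


def event_data(event) -> dict:
    """Flatten the <Data Name=...> children of <EventData> into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def detect_logon_script_persistence(events_xml: str) -> list:
    """Return one alert per SetValue write to a UserInitMprLogonScript value."""
    alerts = []
    root = ET.fromstring(events_xml)
    for event in root.iter(f"{{{EVT_NS}}}Event"):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "13":
            continue                                  # only value-set events carry Details
        data = event_data(event)
        if data.get("EventType") != "SetValue":
            continue
        match = LOGON_SCRIPT_RE.match(data.get("TargetObject", ""))
        if not match:
            continue                                  # other Environment values (Path, TEMP) are normal
        alerts.append({
            "time": data.get("UtcTime"),
            "user": data.get("User"),
            "hive_sid": match.group("sid"),           # None when the path was logged as HKCU
            "image": data.get("Image"),
            "pid": data.get("ProcessId"),
            "script": data.get("Details"),            # what will run at the user's next logon
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_script_persistence(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['user']} {alert['image']} (pid {alert['pid']}) "
              f"set logon script -> {alert['script']}")
```

Note that the rule keys on the value name, not on the writing process, so a legitimate tool setting the same value also fires; that is intended, because the value is almost never set outside scripted deployments, and the `image` and `script` fields are what the analyst uses to close or escalate the alert. The same logic transfers to Sigma or a SIEM query by filtering EventID 13, EventType SetValue and TargetObject ending in `\Environment\UserInitMprLogonScript`.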

Fernando Ortega at Zimperium