Analysis Notes

A place to jot down notes from analyzing malware and anything that seemed likely to help with analysis. This site uses Google Analytics.

4n6 Week 52 – 2022 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed. Week 52 – 2022 can be found here. Donations via "Buy me a coffee" are appreciated.

MALWARE

0day in {REA_TEAM}

  • [Z2A]Bimonthly malware challenge – Emotet (Back From the Dead)


ASEC

The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of installing additional malware. Amadey is being actively distributed again this year, and even until very recently, it has been propagating itself on websites disguised as cracks and keygens for normal software and installing other malware on the...

  • Vidar Stealer Exploiting Various Platforms

Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2. The link below is a post about a case where malicious behaviors were performed using Mastodon. Vidar Exploiting Social Media Platform (Mastodon) Even afterward, Vidar saw continuous version updates while actively being distributed. In the recent samples in circulation, various other pl...

  • Qakbot Being Distributed via Virtual Disk Files (*.vhd)

There’s been a recent increase in the distribution of malware using disk image files. Out of these, the Qakbot malware has been distributed in ISO and IMG file formats, and the ASEC analysis team discovered that it has recently changed its distribution to the use of VHD files. Such use of disk image files (IMG, ISO, VHD) is seen to be Qakbot’s method of bypassing Mark of the Web (MOTW). Disk image files can bypass the MOTW feature because when the files inside them are extracted or mounted, MOTW...

  • ASEC Weekly Phishing Email Threat Trends (December 4th, 2022 – December 10th, 2022)

Contents: Phishing Emails; File Extensions in Phishing Emails; Cases of Distribution; Case: Fake Login Pages (FakePage); Fake Login Page (FakePage) C2 URL; Preventing Phishing Email Attacks. The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from December 4th, 2022 to December 10th, 2022 and provide statistical information on each type. Generally, phishing...

  • Phishing Attacks Impersonating Famous Korean Banking Apps

The ASEC analysis team recently identified that multiple malicious domains targeting normal websites of the financial sector had been created. From early November, we detected multiple distribution cases of phishing emails impersonating Naver Help. Through these, we had been monitoring the malicious URL that was included in these emails. The sender’s username was ‘Naver Center’ and the emails had a variety of topics to deceive users, including notifications for changes to contact details, creati...

Assume-breach

Welcome to part 3 of our series! That last one was crazy long. This one is going to be pretty short because we’re not really going to introduce any new concepts or encryption or fancy stuff like that. This post is going to be all about the dll! A dll is a great way to avoid detection. Many of the code snippets that you’ll find on Github or ExploitDB will be written to compile as executables, but they can easily be converted for use as a dll. Let’s get started. Setting Up Our Script: If you remember fr...

Cluster25

  • An infostealer comes to town: Dissecting a highly evasive malware targeting Italy

By Cluster25 Threat Intel Team December 22, 2022 Cluster25 researchers analyzed several campaigns (also publicly reported by CERT-AGID) that used phishing emails to spread an InfoStealer malware written in .NET through an infection chain that involves Windows Shortcut (LNK) files and Batch Scripts (BAT). Taking into account the used TTPs and extracted evidence, the attacks seem perpetrated by the same adversary (internally named AUI001). Even if the majority of the attacks seem to have impacted ...

Krzysztof Gajewski at CyberDefNerd

  • Python analysis: how to deal with compiled scripts.

Cyble

  • GodFather Malware Returns Targeting Banking Users

December 20, 2022 Android Malware Mimics MYT Müzik App to Target Turkish Users GodFather is a notorious Android banking trojan known for targeting banking users, mostly in European countries. Cyble Research & Intelligence Labs (CRIL) blogged about this GodFather android malware in March 2022 and explained how it targeted android banking users worldwide. Recently, CRIL identified several GodFather Android samples masquerading as MYT application. This application has the name MYT Müzik which is wr...

  • New Ransomware Strains Emerging from Leaked Conti’s Source Code

December 22, 2022 Putin Team Leaks Victim’s Details in Their Telegram Channel Cyble Research and Intelligence Labs (CRIL) have spotted multiple ransomware strains created based on the source of other ransomware families. Recently, CRIL observed new ransomware families, such as Putin Team, ScareCrow, BlueSky Meow, etc., created from the leaked source code of Conti Ransomware. Figure 1 – Emerging Variants ScareCrow Ransomware: ScareCrow is a new ransomware strain that is based on Conti ransomware....

December 23, 2022 Uncovering the C&C Communication Capabilities of Malicious YouTube Bot YouTube is one of the great platforms for many content creators. It also has a high potential for making good revenue. However, YouTube content creators need help to gain a maximum number of views, likes, comments, and subscribers for their videos and channels. As a result, some may turn to using YouTube bots to artificially boost their rankings on the YouTube platform, which can help them reach a wider audi...

Flashpoint

  • “RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”

RisePro’s presence on Russian Market, and the appearance of the stealer as a payload for a pay-per-install service, may indicate its growing popularity—and viability—within the threat actor community. Flashpoint Team December 19, 2022 Table of Contents: Key Takeaways; RisePro logs on Russian Market; Vidar and RisePro stealers; Indicators of compromise (IOCs). Key takeaways: “RisePro” is a stealer malware that began appearing as a stealer source for log credentials on the illic...

Fortinet

  • The Taxman Never Sleeps

By James Slaughter | December 21, 2022 For most people, taxes are a certainty. In the United States and Canada, tax forms are usually submitted by individuals and businesses in the spring (although, due to COVID, extensions were granted for anyone that asked for them). So, our interest was piqued when we came across an e-mail that included a tax form seemingly from the United States Internal Revenue Service (IRS) in early November. Affected Platforms: Windows Impacted Users: Windows users Impact...

By Shunichi Imano and James Slaughter | December 22, 2022 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers the Play ransomware. Affected platforms: Microsof...

  • Trying to Steal Christmas (Again!)

By Shunichi Imano, Fred Gutierrez and James Slaughter | December 22, 2022 Much of the world’s population observes and celebrates Christmas every December to connect with friends and family and reflect on the year. Malware operators also observe the holiday, perennially attempting to compromise the systems of users who have let their guard down during the festivities. Affected Platforms: Windows Impacted Users: Windows users Impact: Malware opens a backdoor and exfiltrates information from compro...

Hex Rays

  • The Hex-Rays plugin repository

  • Plugin focus: IPyIDA

  • Igor’s Tip of the Week #120: Set call type

John Hammond

  • Filter Evasion in a REVERSE SHELL (no spaces!!)

YouTube video

K7 Labs

  • Python crawling on your keys

  • Lazarus APT’s Operation Interception Uses Signed Binary

Keysight

Lordx64

  • L’art de l’évasion: How Shlayer hides its configuration inside Apple proprietary DMG files

Image generated using OpenAI DALL·E models. Intro: While conducting routine threat hunting for macOS malware on Ad networks, I stumbled upon an unusual Shlayer sample. Upon further analysis, it became clear that this variant was different from the known Shlayer variants such as OSX/Shlayer.D, OSX/Shlayer.E, or ZShlayer. We have dubbed it OSX/Shlayer.F. I then started tracking this OSX/Shlayer.F variant and checked to see if other vendors had encountered or written about it. It turns out that this var...

Rob Bone at Nettitude Labs

  • Avoiding Detection with Shellcode Mutator

By Rob Bone | December 21, 2022 | Today we are releasing a new tool to help red teamers avoid detection. Shellcode is a small piece of code that is typically used as the payload in an exploit, and can often be detected by its “signature”, or unique pattern. Shellcode Mutator mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious. Download Shellcode Mutator GitHub: //github.com/nettitude/Sh...

NTT Security Japan

Yasuyuki Tanaka December 20, 2022 Introduction: This is Tanaka from NTT-CERT, Social Informatics Laboratories. In 2019/03 the NSA released its reverse engineering tool Ghidra as open source. A decompiler became usable free of charge for many architectures, which lowered the barrier to analysis. In practice, however, many analysts use familiar paid tools such as IDA Pro, and Ghidra does not seem to have spread that far. The reasons likely include shortcomings in usability and reliability compared with paid tools and in the pace of feature additions, but among them the slow progress on Python 3 support is also probably a factor. Against this background, Mandiant’s analysis team released Ghidrathon, which makes Ghidra work with Python 3, as version 1 in 2022/08. In this blog, Ghidra+Pyt...

Karlo Zanki at ReversingLabs

  • SentinelSneak: Malicious PyPI module poses as security software development kit

Blog Author Karlo Zanki, Reverse Engineer at ReversingLabs. A malicious Python file found on the PyPI repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne. A malicious Python package is posing as a software development kit (SDK) for the security firm SentinelOne, researchers at ReversingLabs discovered. The package, SentinelOne, has no connection to the noted threat detection firm of the same name and was first uploade...

Sekoia

  • New RisePro Stealer distributed by the prominent PrivateLoader

Threat & Detection Research Team December 22 2022. Table of contents: Context; Quick infection review; Malware analysis; Dynamic lookup of APIs via GetProcAddress; Embedded DLLs; Host fingerprinting; Stolen Information; Command and Control communication; Loader capability; Similarities; Code & functionalities; Infrastructure; Accesses & Support – Contacts; Conclusion; IoCs & Technical Details; IoCs; RisePro C2; Shared domains based on NS; Domains sharing...

Antonio Cocomazzi at SentinelLabs

  • Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development

Antonio Cocomazzi / December 22, 2022 Executive Summary: The Vice Society group has adopted a new custom-branded ransomware payload in recent intrusions. This ransomware variant, dubbed “PolyVice”, implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms. We assess it is likely that the group behind the custom-branded ransomware for Vice Society is also selling similar payloads to other groups. Background: First identified in June 2021, Vice Society is a well-resource...

Team Cymru

  • Inside the IcedID BackConnect Protocol

Deriving Threat Actor TTPs from Management Infrastructure Tracking You can find our previous work on Stage 1 and Stage 2 of IcedID’s initial infection chain in our Dragons News Blog. Data on Stage 1 C2 infrastructure is now also shared as part of our Botnet Analysis and Reporting Service (BARS). As part of our ongoing tracking of IcedID / BokBot, we wanted to share some insights derived from infrastructure associated with IcedID’s BackConnect (BC) protocol. When deployed post “initial” compromis...

Trend Micro

  • Raspberry Robin Malware Targets Telecom, Governments

We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools. By: Christopher So December 20, 2022 We...

  • A Closer Look at Windows Kernel Threats

In this blog entry, we discuss the reasons why malicious actors choose to and opt not to pursue kernel-level access in their attacks. It also provides an overview of kernel-level threats that have been publicly reported from April 2015 to October 2022. By: Sherif Magdy, Mahmoud Zohdy December 19, 2022 Windows kernel threats have long been favored by m...

  • A Technical Analysis of CVE-2022-22583 and CVE-2022-32800

This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report. By: Mickey Jin December 21, 2022 On Jan. 26, 2022, Apple patched a System Integrity Prot...

  • Detecting Windows AMSI Bypass Techniques

We look into some of the implementations that cybercriminals use to bypass the Windows Antimalware Scan Interface (AMSI) and how security teams can detect threats attempting to abuse it for compromise with Trend Micro Vision One™. By: Jiri Sykora December 21, 2022 Windows Antimalware Scan Interface (AMSI) is an agnostic security feature in the Window...

  • Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks

From September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks. By: Ivan Nicole Chavez, Byron Gelera, Monte de Jesus, Don Ovid Ladores, Khristian Joseph Morales Dec...

  • IcedID Botnet Distributors Abuse Google PPC to Distribute Malware

We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks. By: Ian Kenefick December 23, 2022 After closely tracking the activities of the IcedID botnet, we have discovered some significant changes in its distribution methods. Since Decemb...

Wojciech Cieslak at Trustwave SpiderLabs

  • Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT

December 21, 2022 Wojciech Cieslak After Microsoft announced this year that macros from the Internet will be blocked by default in Office, many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware. Nevertheless, Office documents are still actively leveraged in many campaigns and pose a large risk to organizations, especially with threat actors continuously finding new ways to avoid detecti...

Zhassulan Zhussupov

  • Malware development tricks: part 25. EnumerateLoadedModules. C++ example.

﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research into the malware dev trick: shellcode running via EnumerateLoadedModules. Listing the loaded modules: the EnumerateLoadedModules API can be used to retrieve an application’s loaded modules. Using this API, the list of loaded modules can be dumped for debugging purposes during the development of error handler frameworks, crash dumps, etc: BOOL IMAGEAPI EnumerateLoadedModules( [in] HANDLE hPro...