Analysis Notes

A place to jot down notes from trying malware analysis and things that looked useful for analysis.

4n6 Week 2 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Abdul Samad at System Weakness

What is Steganography Malware? Steganography is the practice of concealing a file, message, image, or video within another file, message, image, video or network traffic. This type of malware operates by building a steganographic system to hide malicious data within its resources and then extracts and executes them dynamically. Requirements: Kali Linux, AutoIt software. Let's Start Making Malware/Payload: 1. Install Git: sudo apt-get -y install git 2. Clone the Repository: git clone //github.com/Veil-Framew...
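The post above goes on to build a payload with the Veil framework, which is not reproduced here. The following is an added example, not code from that post, showing the mechanism it describes: a payload parked in the least-significant bits of an image's pixel bytes, extracted again at run time, plus a crude heuristic an analyst can use to spot sequential LSB embedding. The cover "image" and the payload are constructed in the script; a real loader would read them from a resource or a downloaded picture.

```python
"""LSB steganography: embed, extract, and a crude detector (added example)."""
import struct


def _to_bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _from_bits(bits) -> bytes:
    """Pack an iterable of bits (MSB first) back into bytes."""
    out, acc, n = bytearray(), 0, 0
    for bit in bits:
        acc, n = (acc << 1) | bit, n + 1
        if n == 8:
            out.append(acc)
            acc, n = 0, 0
    return bytes(out)


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide a length-prefixed payload in the least significant bit of each cover byte.

    Each cover byte changes by at most 1, which is invisible in an 8-bit image
    channel; this is how a stego-loader parks a second stage inside an image.
    """
    framed = struct.pack(">I", len(payload)) + payload
    bits = list(_to_bits(framed))
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} bytes, have {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the 4-byte length prefix from the LSB plane, then that many payload bytes."""
    lsb = [b & 1 for b in stego]
    (length,) = struct.unpack(">I", _from_bits(lsb[:32]))
    if 32 + 8 * length > len(lsb):
        raise ValueError("length prefix exceeds available LSB capacity")
    return _from_bits(lsb[32:32 + 8 * length])


def lsb_transition_rate(data: bytes, window: int) -> float:
    """Fraction of adjacent LSB pairs that differ within the first `window` bytes.

    Crude detector: in a smooth cover the LSB plane changes slowly, while
    sequential embedding of text, compressed or encrypted data pushes the rate
    toward 0.5. It is a heuristic, not proof; compare against a known-clean cover.
    """
    lsb = [b & 1 for b in data[:window]]
    changes = sum(1 for a, b in zip(lsb, lsb[1:]) if a != b)
    return changes / max(1, len(lsb) - 1)


# Constructed cover: an 8-bit gradient (each value repeated four times),
# standing in for a real bitmap's pixel bytes.
COVER = bytes((i // 4) & 0xFF for i in range(4096))
# Constructed payload; in a real loader this would be a script or shellcode.
PAYLOAD = b"print('second stage would run here')"

if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    print(extract(stego))
    print(lsb_transition_rate(COVER, 320), lsb_transition_rate(stego, 320))
```

The window of 320 bytes in the usage call equals the number of bits written (32 length bits plus 36 payload bytes), so the comparison covers exactly the region an embedding would touch; on a real file you would slide the window and look for where the rate drops back to the cover's baseline, which also tells you how large the hidden blob is.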

Adam at Hexacorn

January 3, 2023 in Malware Analysis. In my last post I referred to something that I call “putting elf on the shelf”. The idea is simple: Windows is a very rich environment when it comes to reversing and it provides us with many good quality tools that help us with code analysis, both static and dynamic, while other platforms (f.ex. Linux) are not providing so much in this space (I dare to say ‘yet’, but also: ‘I may simply not know what is available and am choosing the worst possible path, ple...

Alexandre Borges at ‘Exploit Reversing’

Malware Analysis Series (MAS) – Article 7. Alexandre Borges, January 5, 2023. The seventh article in the Malware Analysis Series (MAS) is available for reading on (PDF): //exploitreversing.files.wordpress.com/2023/01/mas_7.pdf I hope readers like it. Have an excellent day and keep reversing! Alexandre Borges

Andrea Fortuna

Jan 6, 2023 These days I am finishing the first draft of a new book of the “Little Handbooks” series, dedicated to Malware Analysis. One of the first chapters is a brief history of computer viruses. Comments and feedback are welcome! Malware is a term used to describe malicious software that is designed to harm or exploit computer systems. It can take various forms, such as viruses, worms, trojans, rootkits, ransomware, and adware, and can be used for various purposes, such as stealing data, dis...

Ofek Itach and Assaf Morag at Aqua

Recently, a dependency of the widely used PyTorch-nightly Python package was targeted in a dependency confusion attack, resulting in thousands of individuals downloading a malicious binary that exfiltrated data through DNS. The individual responsible for this attack claimed to be a security researcher whose research had gone awry. In this blog, we will provide an explanation of this attack and how to safeguard against similar supply chain attacks. What is PyTorch and Torchtriton? PyTorch is an o...

Ilay Goldman at Aqua

Aqua Nautilus researchers have recently discovered that attackers can easily impersonate popular Visual Studio Code extensions and trick unknowing developers into downloading them. In original vulnerability research, we’ve uncovered a new attack method which could act as an entry point for an attack on many organizations. We’ve also discovered that some extensions may have already been taking advantage to exploit this attack vector. In this blog, we will further explore our findings, including a...

Arch Cloud Labs

Know Your Tools, and Fear No Bug. One of my favorite series of blog posts of all time is “Unix as an IDE”. These blog posts walk you through how your Unix/Linux environment is your IDE. This philosophy challenges using a dedicated IDE for development, as all the tools you need are already on your Operating System. Debugger integration? Why not just use gdb rather than the wrapper your IDE provides? Remote file editing? How about wrapping a call to scp/rsync within vim/emacs? Auto-comp...

ASEC

Contents: Top 1 – BeamWinHTTP; Top 2 – AgentTesla; Top 3 – Tofsee; Top 4 – Formbook; Top 5 – SnakeKeylogger. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 19th, 2022 (Monday) to December 25th, 2022 (Sunday). For the main category, Infostealer ranked top with 37.3%, followed by downloader with 35.7%, backdoor with 23.9%, and ransomware with 3.1%. Top 1 – BeamWinHTTP BeamWinHTTP is...

Contents: Phishing Emails; File Extensions in Phishing Emails; Cases of Distribution; Case: FakePage; Case: Malware (Infostealer, Downloader, etc.); Keywords to Beware of: ‘RAR Compressed File’; FakePage C2 URL; Preventing Phishing Email Attacks. The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 18th, 2022 to December 24th, 2022 and provide stat...

Infostealer is a type of information-stealing malware with the goal of stealing user credentials such as the user account information, cryptocurrency wallet address, and files that are saved in programs such as web browsers and email clients. According to the ASEC report for Q3 2022, Infostealers make up more than half of malware types with executable formats reported by client companies or collected by AhnLab. As the downloader types also actually install Infostealers or backdoor-type malware, ...

Contents: 1. Shc (Shell Script Compiler); 2. Shc Downloader; 3. XMRig CoinMiner; 4. DDoS IRC Bot; Conclusion. The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot...
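The initial access ASEC describes, a dictionary attack against SSH that eventually succeeds, leaves a recognisable shape in sshd's log: a burst of "Failed password" lines from one address followed by an "Accepted password" from the same address. The following added example (not from the ASEC post) parses constructed syslog-style sshd lines and flags exactly that sequence. The hostnames, addresses and the assumed log year are all made up for the example; real logs need the year taken from the file's context.

```python
"""Flag SSH logins that follow a burst of failed password attempts (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format; addresses are documentation ranges.
AUTH_LOG = """\
Jan  3 02:11:07 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  3 02:11:09 web01 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan  3 02:11:12 web01 sshd[1207]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan  3 02:11:15 web01 sshd[1209]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Jan  3 02:11:18 web01 sshd[1211]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan  3 02:11:40 web01 sshd[1299]: Accepted password for root from 203.0.113.7 port 51100 ssh2
Jan  3 02:15:00 web01 sshd[1300]: Accepted publickey for deploy from 198.51.100.5 port 40011 ssh2
Jan  3 02:16:21 web01 sshd[1311]: Failed password for deploy from 198.51.100.5 port 40012 ssh2
Jan  3 02:16:30 web01 sshd[1312]: Accepted password for deploy from 198.51.100.5 port 40013 ssh2
"""

# OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line: str, year: int = 2023):
    """Return (timestamp, result, method, user, ip) or None for non-auth lines.

    Syslog timestamps carry no year; 2023 is assumed for the constructed data.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def find_bruteforce_logins(log_text: str, min_failures: int = 5,
                           window: timedelta = timedelta(minutes=10)):
    """Report password logins preceded by >= min_failures failures from the same IP.

    Key-based logins are ignored: a dictionary attack only ever succeeds with a
    password, and a stray typo before a key login is normal operator behaviour.
    """
    failures = defaultdict(list)  # source ip -> timestamps of failed attempts
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, method, user, ip = rec
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - window <= t <= ts]
        if method == "password" and len(recent) >= min_failures:
            hits.append({"ip": ip, "user": user, "time": ts.isoformat(),
                         "failures_before_success": len(recent)})
    return hits


if __name__ == "__main__":
    for hit in find_bruteforce_logins(AUTH_LOG):
        print(hit)
```

Tune `min_failures` and `window` to the environment; five failures in ten minutes is deliberately low so that slow, distributed guessing still registers. A hit is the point at which to pivot to what the session did next: in the ASEC case that would be the Shc downloader, the miner and the IRC bot landing on disk shortly after the accepted login.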

NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems. Unlike backdoors and RATs (Remote Access Trojans), which are mostly based on command lines, remote control tools (Remote Administration Tools) place emphasis on user-friendliness, so they offer remote desktops, also known as GUI environm...

Contents: Top 1 – SmokeLoader; Top 2 – Redline; Top 3 – BeamWinHTTP; Top 4 – Vidar; Top 5 – Tofsee. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 26th, 2022 (Monday) to January 1st, 2023 (Sunday). For the main category, downloader ranked top with 48.8%, followed by backdoor with 24.2%, Infostealer with 18.4%, CoinMiner with 4.8%, ransomware with 3.4%, and lastly banking malware w...

David Zimmer at Avast Threat Labs

CTF导航

GandCrab V2.0 Ransomware Analysis (reverse malware analysis). This is a featured article from the Kanxue forum; Kanxue forum author ID: Sin hx. 1. Original sample analysis. First, the original sample hmieuy.exe was checked for a packer; none was found. The original sample was then examined with a PE tool: functions such as EnumResourceNamesA, FindFirstFileA, MoveFileW and GetProcAddress were found, and the original resource section also contains data; the initial guess is that the sample searches the resource section for data and does something with it. 1.1 Code analysis. Opening the original sample hmieuy.exe in IDA, code obfuscation is found at the wWinMain entry: Looking for key points, a call to the heap allocation function GlobalAlloc is found, and the allocated start address is StarAddress: Further down, the sample uses EnumResourceNamesA to enumerate the resources in hmieuy.exe and copies the content of the resource section, i.e. the shellcode, into the heap space just allocated: Continuing, after the shellcode has been copied, the sample uses VirtualProtect to make the allocated heap space executable; and before calling the shellcode (Sta...

Dr4k0nia

Unpacking RedLine Stealer. Posted Jan 4, 2023 by dr4k0nia, 7 min read. In this post, we are going to take a look at Redline Stealer, a well-known .NET based credential stealer. I will focus on unpacking the managed payload and extracting its config; for a more detailed analysis of the payload you can check out this post by c3rb3ru5d3d53c. Dealing with the native dropper: Many of the in-the-wild samples of Redline are plain .NET applications with pretty basic custom obfuscation. Considering ...

Hex Rays

Hussein Adel

1 minute read. On this page: DES Cipher Using Python; What is the DES Cipher?; How it works?; What do you find in this script?; Python Code; Screenshots From Run; How to run this script?; Whole Code On GitHub. DES Cipher Using Python. What is the DES Cipher? It is one of the encryption techniques. DES stands for Data Encryption Standard. There are certain machines that can be used to crack the DES algorithm. The DES algorithm uses a key of 56-bit size. Using this key, the DES takes a block of 64-bit plain ...

1 minute read. On this page: Playfair Cipher Using Python; What is the Playfair Cipher?; How it works?; What do you find in this script?; Python Code; Encryption; Decryption; Screenshots From Run; How to run this script?; Whole Code On GitHub. Playfair Cipher Using Python. What is the Playfair Cipher? It is one of the encryption techniques. Playfair cipher is the first and best-known digraph substitution cipher, which uses the technique of symmetric encryption. How it works? For example, the key is alphabet( ...

1 minute read. On this page: Autokey Cipher Using Python; What is the Autokey Cipher?; How it works?; What do you find in this script?; Python Code; Encryption; Decryption; Screenshots From Run; How to run this script?; Whole Code On GitHub. Autokey Cipher Using Python. What is the Autokey Cipher? It is one of the encryption techniques. It is a type of polyalphabetic substitution cipher where each character in the plain text is replaced by another character based on the key entered. How it works? For example...

1 minute read. On this page: Vigener Cipher Using Python; What is the Vigener Cipher?; How it works?; What do you find in this script?; Python Code; Encryption; Decryption; Screenshots From Run; How to run this script?; Whole Code On GitHub. Vigener Cipher Using Python. What is the Vigener Cipher? It is one of the encryption techniques. It is a type of polyalphabetic substitution cipher where each character in the plain text is replaced by another character based on the key entered. How it works? For example...
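The Autokey and Vigenère posts above both describe polyalphabetic substitution, and the difference between them is only where the key stream comes from: Vigenère repeats the key, Autokey appends the plaintext itself to the key. The following added example (my own code, not the scripts from those posts) implements both with encryption and decryption over A to Z, and is checked against the textbook vectors ATTACKATDAWN/LEMON and ATTACKATDAWN/QUEENLY. Note that the Autokey decryptor must recover the plaintext one letter at a time, because each recovered letter becomes part of the key for the letters that follow.

```python
"""Vigenere and Autokey ciphers over A-Z (added example, not the posts' scripts)."""
import string

ALPHABET = string.ascii_uppercase


def _clean(text: str) -> str:
    """Upper-case and drop anything outside A-Z (classical ciphers ignore spacing)."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def _shift(c: str, k: str, decrypt: bool = False) -> str:
    """Tabula recta lookup: add (or subtract) the key letter's index modulo 26."""
    delta = ALPHABET.index(k)
    if decrypt:
        delta = -delta
    return ALPHABET[(ALPHABET.index(c) + delta) % 26]


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenere: the key stream is the key repeated for the length of the text.

    That periodicity is the weakness Kasiski/Friedman analysis exploits: repeated
    plaintext at a distance that is a multiple of len(key) repeats in ciphertext.
    """
    text, key = _clean(text), _clean(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    return "".join(_shift(c, key[i % len(key)], decrypt) for i, c in enumerate(text))


def autokey_encrypt(text: str, key: str) -> str:
    """Autokey: the key stream is the key followed by the plaintext itself."""
    text = _clean(text)
    stream = _clean(key) + text
    return "".join(_shift(c, k) for c, k in zip(text, stream))


def autokey_decrypt(cipher: str, key: str) -> str:
    """Undo autokey: each recovered plaintext letter extends the key stream."""
    cipher = _clean(cipher)
    stream = list(_clean(key))
    if not stream:
        raise ValueError("key must contain at least one letter")
    plain = []
    for i, c in enumerate(cipher):
        p = _shift(c, stream[i], decrypt=True)
        plain.append(p)
        stream.append(p)  # the plaintext letter becomes key material for later positions
    return "".join(plain)


if __name__ == "__main__":
    print(vigenere("ATTACK AT DAWN", "LEMON"))          # LXFOPVEFRNHR
    print(vigenere("LXFOPVEFRNHR", "LEMON", decrypt=True))
    print(autokey_encrypt("ATTACK AT DAWN", "QUEENLY"))  # QNXEPVYTWTWP
    print(autokey_decrypt("QNXEPVYTWTWP", "QUEENLY"))
```

Neither cipher has any place in a real protocol; the reason an analyst still writes them is that malware authors keep using exactly this kind of "key added modulo something" scheme to obscure strings and configs, and recognising the pattern in disassembly is quicker when you have implemented it once yourself.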

John Hammond

YouTube video

Microsoft Security

Microsoft Security Threat Intelligence. Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets. This is evident in the range of industries, systems, and platforms affected by ransomware attacks. Understanding how ransomware works across these systems and platforms is critical in protecti...

Natalie Zargarov at Minerva Labs

Natalie Zargarov | 29.12.22 | 4 Minutes Read We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses. The sample was first uploaded to VT on November 23, 2022 and tagged by the VT community as a possible variant of the Pandora Ransomware. The assumed connection to the Pandora Ransomware was due to some similarities between the CatB and Pandora ranso...

Phylum

Phylum uncovers new PyPI malware distributing remote access tools. Published on Jan 05, 2023 Written by The Phylum Research Team Category Research Share Phylum has uncovered yet another malware campaign waged against PyPI users. And once again, the attack chain is complicated and obfuscated, but it’s also quite novel and further proof that supply chain attackers aren’t going to be giving up any time soon. Background On the morning of December 22, 2022 Phylum’s automated risk detection platform f...

Akshat Pradhan at Qualys

Splunk

By Splunk Threat Research Team, January 05, 2023. This blog summarizes the Splunk Threat Research Team’s (STRT) recent review of the CISA Top 10 Malware strains for the year 2021 report. While many of these payloads have been covered in our past and present research (available at research.splunk.com), these malware families are still active in the wild. Notably, five malware families we analyzed in this article can still be seen in the ANY.RUN Malware Trends Tracker. Malware, viewed through...

ThreatFabric

05 January 2023. Contents: Uncovering the Latest Developments in SpyNote; SpyNote Alias CypherRat; Outstanding Capabilities means Exceptional Abilities; Other common Capabilities; Conclusion; Appendix. Uncovering the Latest Developments in SpyNote. Android Spyware is one of the most common kinds of malware used by attackers to gain access to personal data and carry out fraud operations. Due to its capability to track a user’s location, examine web browsing behavioral patterns, and even steal sensitive inf...

Armando Nathaniel Pedragoza at Trend Micro

Vishal Thakur

Next edition of this course will be taught at DEF CON, Bellevue, WA (USA), 13–14 April 2023. This 90% practical, lab-based, 2-day course covers the three phases of Modern Malware Analysis: Attack phase: learn what goes into creating malware, author malicious code and build (code) techniques that real-world malware developers use to evade detection. Automate phase: learn how to automate parts of the analysis process for speed and scaling. Analysis phase: finally, learn how to analyse malware using all t...

Zack Zorn at Checkmarx Security

Tzachi (Zack) Zorn, Jan 1, 6 min read. PyTorch, a Leading ML Framework, Was Poisoned with Malicious Dependency. For a period of five days, the nightly version of PyTorch, a popular machine-learning framework, was compromised by a supply chain attack. The infected version contained a malicious dependency that used the “dependency confusion” technique to target PyTorch Linux users with a C++ malware specifically designed for Linux systems. This malware collected system ...
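Both the Aqua write-up and this Checkmarx one cover the same incident: a name that existed only on PyTorch's nightly index was registered on the public index, and the public copy won, after which the payload pushed data out through DNS. The added example below (my own code, not from either post) does two things on constructed data. First, it mimics the installer behaviour that makes dependency confusion work: with a private index added as an extra index, every index is a peer and the highest version wins regardless of origin; a `resolve_pinned` routine shows the mitigation of routing internal names to one index only. Second, it triages a constructed resolver log for the shape of DNS exfiltration, many distinct long subdomains aimed at one domain. The package names, versions, domain and client addresses are all made up; the version parser handles plain dotted numbers only and is not a PEP 440 implementation.

```python
"""Dependency-confusion resolution and DNS-exfiltration triage (added example)."""
from collections import defaultdict

# Constructed indexes: what a private feed and the public index each claim to serve.
PRIVATE = {"acme-auth-lib": ["1.4.0", "1.4.1"]}
PUBLIC = {"acme-auth-lib": ["99.0.0"], "requests": ["2.28.1"]}
REQUIREMENTS = ["acme-auth-lib", "requests"]
INTERNAL_NAMES = {"acme-auth-lib"}  # names that must never be fetched publicly


def parse_version(v: str):
    """Simplified: dotted integers only (assumption; real resolvers use PEP 440)."""
    return tuple(int(p) for p in v.split("."))


def resolve(name, private_index, public_index):
    """Mimic an installer with an extra index: all indexes are peers, highest version wins."""
    candidates = []
    for source, index in (("private", private_index), ("public", public_index)):
        for v in index.get(name, []):
            candidates.append((parse_version(v), source, v))
    if not candidates:
        return None
    _, source, version = max(candidates)
    # "confused": an internal name was satisfied from the public index.
    return {"name": name, "version": version, "source": source,
            "confused": source == "public" and name in private_index}


def audit(requirements, private_index, public_index):
    """List every requirement that an extra-index setup would pull from the wrong place."""
    results = (resolve(n, private_index, public_index) for n in requirements)
    return [r for r in results if r and r["confused"]]


def resolve_pinned(name, private_index, public_index, internal_names):
    """Mitigation: internal names are answered only by the private index, so a
    public upload of the same name can never outrank them."""
    if name in internal_names:
        versions = private_index.get(name, [])
        if not versions:
            return None
        best = max(versions, key=parse_version)
        return {"name": name, "version": best, "source": "private", "confused": False}
    return resolve(name, private_index, public_index)


# Constructed resolver log: (client, queried name). The long labels are hex-encoded
# file contents, the encoding style a DNS exfiltrator would use.
DNS_LOG = [
    ("10.0.0.12", "www.example.com"),
    ("10.0.0.12", "pypi.org"),
    ("10.0.0.12", "726f6f743a783a303a303a.726f6f743a2f726f6f743a.exfil-example.test"),
    ("10.0.0.12", "2f62696e2f626173680a62.696e3a783a313a313a6269.exfil-example.test"),
    ("10.0.0.12", "6e3a2f62696e3a2f757372.2f7362696e2f6e6f6c6f67.exfil-example.test"),
    ("10.0.0.12", "696e0a6461656d6f6e3a78.3a323a323a6461656d6f6e.exfil-example.test"),
    ("10.0.0.13", "cdn.example.net"),
]


def dns_exfil_candidates(log, min_label_chars=30, min_unique=3):
    """Flag (client, domain) pairs that send many distinct, long subdomain queries.

    The registrable domain is approximated as the last two labels (assumption;
    wrong for suffixes such as co.uk, where a public-suffix list is needed).
    """
    seen = defaultdict(set)
    label_chars = defaultdict(int)
    for client, qname in log:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        sub, base = ".".join(labels[:-2]), ".".join(labels[-2:])
        payload = sub.replace(".", "")
        if len(payload) >= min_label_chars:
            seen[(client, base)].add(sub)
            label_chars[(client, base)] += len(payload)
    return [{"client": c, "domain": d, "queries": len(subs),
             "label_chars": label_chars[(c, d)]}
            for (c, d), subs in seen.items() if len(subs) >= min_unique]


if __name__ == "__main__":
    print(audit(REQUIREMENTS, PRIVATE, PUBLIC))
    print(resolve_pinned("acme-auth-lib", PRIVATE, PUBLIC, INTERNAL_NAMES))
    print(dns_exfil_candidates(DNS_LOG))
```

The `label_chars` figure is a rough upper bound on how much left the host via that domain (halve it if the labels are hex); it is the number to hand to whoever has to decide whether the event is a data breach.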

Zhassulan Zhussupov

3 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research into the malware dev trick: prevent self-execution via mutexes. Sometimes, when developing malware, for maximum stealth, it is necessary that the program be launched only once. To do this, according to the MSDN documentation, we can use mutexes. mutex For simplicity, we can use CreateMutexA function from Windows API: HANDLE CreateMutexA( LPSECURITY_ATTRIBUTES lpMutexAttributes, BOOL bIn...
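The post above uses CreateMutexA from C. The added example below is my own Python rendering of the same single-instance guard, not the author's code: on Windows it calls CreateMutexW through ctypes and treats ERROR_ALREADY_EXISTS (183) as "another copy is running", and on other platforms it stands in an advisory `flock` on a per-name file so the control flow can be exercised anywhere. The mutex name is made up. The defensive point worth remembering is that a hard-coded mutex name is both an indicator (search memory and handle tables for it) and a lever: whoever creates the object first wins, so a defender who pre-creates a known malware mutex makes that sample believe it is already running and exit.

```python
"""Single-instance guard: named mutex on Windows, flock stand-in elsewhere (added example)."""
import os
import sys
import tempfile

ERROR_ALREADY_EXISTS = 183  # winerror.h
_HELD = []  # keep handles/descriptors alive; releasing them frees the slot


def already_running(name: str) -> bool:
    """Return True if an instance holding `name` already exists; otherwise claim it.

    Windows: CreateMutexW succeeds either way, and GetLastError tells you whether
    the object pre-existed. POSIX: a non-blocking exclusive flock on a lock file
    plays the same role (assumption: the temp directory supports flock).
    """
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.CreateMutexW.restype = ctypes.c_void_p
        k32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]
        handle = k32.CreateMutexW(None, False, name)
        err = ctypes.get_last_error()
        if not handle:
            raise OSError(err, "CreateMutexW failed")
        _HELD.append(handle)  # never CloseHandle while this instance lives
        return err == ERROR_ALREADY_EXISTS
    import fcntl
    path = os.path.join(tempfile.gettempdir(), f"instance-{name}.lock")
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return True
    _HELD.append(fd)
    return False


def guard_or_exit(name: str) -> bool:
    """What a malware sample does at startup: bail out silently if a twin exists.

    Returns False instead of calling sys.exit so the behaviour can be tested.
    """
    if already_running(name):
        return False
    return True


if __name__ == "__main__":
    MUTEX_NAME = "Global\\example-single-instance-demo"  # made-up name
    print("first copy continues:", guard_or_exit(MUTEX_NAME))
    print("second copy continues:", guard_or_exit(MUTEX_NAME))  # False: twin detected
```

Two caveats when reading real samples: a `Global\` prefix makes the mutex visible across sessions (an analyst running the sample in a different session still collides with it), and a sample that closes the handle right after creating it has no guard at all, which is a common sign the check was copied without being understood.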