Analysis Notes

A place to jot down notes from trying out malware analysis and things I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 3 – 2023 - MALWARE

This entry was automatically generated and posted to show the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that I can zap through and pick the articles to check. 4n6 itself can be found here.

MALWARE

0day in {REA_TEAM}


Alex Turing and Hui Wang at 360 Netlab

Botnet. Warning: a modified version of the CIA attack suite Hive has entered the cybercrime (black/grey market) arena. Alex.Turing, Hui Wang, Jan 9, 2023. Overview: On October 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file, ee07a74d12c0bb3594965b51d0e45b6f, spreading through an F5 vulnerability with 0 detections on VT. Our traffic monitoring system flagged that it generated SSL traffic with the IP 45.9.150.144, and that both sides used forged Kaspersky certificates, which caught our attention. After analysis, we confirmed that it was adapted from the leaked server source code of the CIA's Hive project. This is the first time we have captured a variant of the CIA HIVE attack suite in the wild; based on the CN=xdr33 in its embedded Bot-side certificate, we named it xdr33 internally. There are many source-code analyses of the CIA's Hive project on the Internet that readers can consult on their own, so we will not go into it here. In summary, xdr33 is a backdoor trojan derived from the CIA Hive project whose main purpose is to collect sensitive information and provide a foothold for subsequent intrusions. In terms of network communication, xdr33 uses the XTEA or AES algorithm to encrypt the raw traffic, and it enables Client-Ce...

Adam at Hexacorn

January 13, 2023 in elf, linux, shc In its recent blog post AhnLab described a campaign that relies on SHell Compiled (SHC) ELF files. I wanted to see if I can replicate their reverse engineering work and decrypt actual shell commands they had shared in their post. This turned out to be a bit more complicated than I thought, hence this post aiming at making it a bit easier for you. Before I go into nitty-gritty details – when I try to crack new stuff I usually look for an existing body of work f...

ASEC

Contents: Phishing Emails; File Extensions in Phishing Emails; Cases of Distribution; Case: FakePage; Case: Malware (Infostealer, Downloader, etc.); Keywords to Beware of: ‘IMG, ISO’; FakePage C2 URL; Preventing Phishing Email Attacks. The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 25th, 2022 to December 31st, 2022 and provide statistical in...

The ASEC analysis team recently identified a fake Kakao login page attempting to gain access to the account credentials of specific individuals. The specific route through which users first arrive on these pages is unknown, but it is assumed that users were led to log in via web on a page whose link is provided in phishing emails. When the user arrives on the web page, the ID of the Kakao account is autocompleted, as shown in Figure 1 below. It is created identically to the original format of th...

Contents: Top 1 – BeamWinHTTP; Top 2 – SmokeLoader; Top 3 – AgentTesla; Top 4 – Formbook; Top 4 – Mallox. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 2nd, 2023 (Monday) to January 8th, 2023 (Sunday). For the main category, downloader ranked top with 55.9%, followed by Infostealer with 21.3%, backdoor with 14.2%, ransomware with 7.9%, and CoinMiner with 0.8%. Top 1 – BeamWinHTTP ...

Contents: 1. Distribution Method; 2. Installer; 3. Downloader; 4. XMRig CoinMiner; 5. Orcus RAT; Conclusion. The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by the threat actor has a similar form as tho...

Atomic Matryoshka

In this blog post, we'll be doing some basic analysis of a Metamorfo MSI package. According to MITRE, Metamorfo is a Latin American banking trojan primarily targeting Brazil and Mexico. The first thing I did was grab the MSI package and see what tables it contained. I then dumped the tables to be better able to interact with them and view their contents. I took a look in the CustomAction table, and that's where I found some obfuscated VB code. Normally in this instance, I copy the code over to Visua...

Avast Threat Labs

Simon Kenin at Deep Instinct

Simon Kenin, Threat Intelligence Researcher, Deep Instinct Threat Lab. Throughout 2022, Deep Instinct observed various combinations of polyglot files with malicious JARs. The initial technique dates to around 2018 when it used signed MSI files to bypass Microsoft code signing verification. A year later, in 2019, Virus Total wrote about the MSI+JAR polyglot technique. Microsoft decided not to fix the issue at that time. Then in 2020, this technique was again abused in malicious campaigns and Microsoft a...

Fortinet

By Jin Lee | January 14, 2023. The FortiGuard Labs team has discovered a new 0-day attack embedded in three PyPI packages (Python Package Index) called ‘colorslib’, ‘ib’, and ‘lib’. They were found on January 10, 2023, by monitoring an open-source ecosystem. The Python packages ‘colorslib’ and ‘ib’ were published on January 7, 2023, and ‘lib’ was published on January 12, 2023. All three were published by the same author, ‘Lolip0p’, as shown in the official PyPI repository. ‘Lolip0p’ joined the repo...

Igor Skochinsky at Hex Rays

Jouni Mikkola at “Threat hunting with hints of incident response”

January 8, 2023, JouniMi. I haven’t observed any interesting new techniques recently, which is why I decided to analyze something that has been around for some time now. I’ve been interested in AsyncRAT for a while and decided to analyze it closer with threat hunting in mind. AsyncRAT is a Remote Access Tool which, according to the Github page, has been designed to remotely monitor and control other computers through a secure encrypted connection. It is quite often used...

Shusei Tomonaga at JPCERT/CC

朝長 秀誠 (Shusei Tomonaga), January 10, 2023. Automating Malware Analysis Operations (MAOps). I believe that automating analysis is a challenge that all malware analysts are working on for more efficient daily incident investigations. Cloud-based technologies (CI/CD, serverless, IaC, etc.) are great solutions that can automate MAOps efficiently. In this article, I introduce how JPCERT/CC automates malware analysis on the cloud, based on the following case studies. Malware C2 Monitoring Malware H...

Jérôme Segura at Malwarebytes Labs

Posted: January 9, 2023 by Threat Intelligence Team One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services. This blog post was authored by Jérôme Segura Online criminals rarely reinvent the wheel, especially when they don't have to. From ransomware to password stealers, there are a number of toolkits available for purchase on various underground markets that allow just about anyone to get a jumpstart. During one of our cra...

Michael Koczwara

Sliver C2 Implant Analysis. Intro: In this short blog, I will analyze a Sliver sample that I was able to identify during my adversaries' infrastructure scans. I will start with Static Analysis with PEStudio, Dynamic Analysis with ProcMon, and Wireshark. I will perform some basic Reversing with IDA and finally, I will analyze the Threat Actor infrastructure.

Pete Cowman at Hatching

Blog. 2023-01-12, triage. Written by Pete Cowman. Welcome to the first Triage Thursday blogpost of the year! We hope you’ve all had a great Christmas and New Year if you observe those holidays, and are re-energised and looking forward to 2023. We missed a few blogposts over the holiday period so this week is more of a short patch notes format to quickly round up all changes since early December. We won’t be going in depth with each family, but wherever available we have linked to previo...

petikvx

YouTube video

Ismail Tasdelen at System Weakness

In this article, I will be talking about what malware analysis is and how it is done. Malware analysis is the process of identifying, understanding, and mitigating the potential harm from malware. This typically involves reversing the malware to understand its function and behavior, and determining its intended target and impact. There are several approaches to malware analysis, including: Static analysis: This involves analyzing the code of the malware without execut...

Tony Lambert

.NET Downloader Leading to OriginLogger. By Tony Lambert, posted 2023-01-07. Earlier in January, Unit42 and Brad (@malware_traffic) posted tweets with some details on an instance of OriginLogger floating around in the wild. "#pcap of the infection traffic, sanitized copy of the email, and with the associated malware are available at: //t.co/B1wo9XjSQV pic.twitter.com/KoxMLd8K0e" — Brad (@malware_traffic), January 6, 2023. In this post I want to take a look at the first stage of the ma...

Rene Holt at WeLiveSecurity

ESET Research announces IPyIDA 2.0, a Python plugin integrating IPython and Jupyter Notebook into IDA. Rene Holt, 12 Jan 2023 - 11:30AM. IDA Pro from Hex-Rays is probably the most popular tool today for reverse-engineering software. For ESET researchers, this tool is a favorite disassembler and has inspired the development of the IPyIDA plugin that embeds an IPython kernel into IDA Pro. Under...

Xorhex

Notes on using Z3 Solver to simplify string deobfuscation. January 8, 2023, xorhex. Executive Summary: Z3 Solver aids in simplifying deobfuscation techniques. This post covers 2 example use cases where a convoluted string decryption routine is broken down and simplified into a single XOR operation. Z3 is used to prove that the extra parts of the decryption routine cancel each other out. Case Study: During the course of reverse engineering a binary, I ran across some string decryption routines ...

Padvish Malware Threat Database

Trojan.Android.SmsSpy.Irpardakht 2023-01-04. General description. Type: Trojan. Damage level: medium. Prevalence: medium. What is a Trojan? Trojans are a kind of malware that present themselves as clean, legitimate software and behave very much like useful, practical applications. But once they run, they cause extensive damage to the system. Among the ways trojans get onto a system: software downloaded from the Internet, embedding in HTML text, attachment to an email, and ... Troj...

Trojan.VBS.Neoreklami 2023-01-01. General description. Type: Trojan. Damage level: medium. Prevalence: high. What is a Trojan? Trojans are a kind of malware that come in the guise of clean, legitimate software and behave very much like useful, practical applications. But once they run, they cause extensive damage to the system. Among the ways trojans get onto a system, one can mention software downloaded from the Internet, embedding in HTML text, attachment to an email, and ... It is worth noting that trojans...