Analysis Notes

A place to note things I tried while analyzing malware and things I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 4 – 2023 - MALWARE

This entry was automatically generated and posted to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that articles to check can be skimmed quickly. 4n6 itself can be viewed here.

MALWARE

Alexander Adamov at ‘Malware Research Academy’

YouTube video

Any.Run

January 17, 2023 | 7 min read | WannaCry: The Most Preventable Ransomware is Still at Large. The WannaCry attack of 2017 is the perfect example of why you should always install security updates as soon as they’re released. Thi...

ASEC

Contents: Phishing Emails; File Extensions in Phishing Emails; Cases of Distribution; Case: FakePage; Case: Malware (Infostealer, Downloader, etc.); Keywords to Beware of: ‘RAR’; FakePage C2 URL; Preventing Phishing Email Attacks. The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from January 1st, 2023 to January 7th, 2022 and provide statistical information...

On January 8th, the ASEC analysis team identified the distribution of a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro. Such a technique is called the template injection method, and a similar attack case was covered in a previous blog post: Malicious Word Documents with External Link of North Korea Related Materials. When the Word document is opened, it downloads and execut...

The ASEC analysis team recently discovered that a phishing email impersonating the National Tax Service was being distributed. This phishing email emphasizes the urgency of the company email password expiring on the same day, and it is being sent with a message urging recipients to extend their password duration before the account is locked. [Figure 1. Original email] [Figure 2. Phishing site for entering account information] [Figure 3. Source code of the login page] Clicking the hyperlink inserted to...

Contents: Top 1 – SmokeLoader; Top 2 – BeamWinHTTP; Top 3 – Formbook; Top 4 – AgentTesla; Top 5 – Lokibot. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 9th, 2023 (Monday) to January 15th, 2023 (Sunday). For the main category, downloader ranked top with 38.4%, followed by Infostealer with 37.0%, backdoor with 18.2%, ransomware with 4.0%, and CoinMiner with 1.5%. Top 1 – SmokeLoader Sm...

Avast Threat Labs

CTF导航

The Raccoon Family Makes a Comeback. Reverse Engineering / Virus Analysis. Posted 1 week ago by admin. This article is an outstanding article from the Kanxue forum. Kanxue forum author ID: JinMu. 1. Introduction. Raccoon is a malware family that has been sold on underground forums as malware-as-a-service since early 2019. In early July 2022, a new variant of the malware was released. The Raccoon trojan collects important data from the target system and sends the collected data back to the attacker's server, causing serious consequences for users such as privacy leaks and financial losses. 2. Detailed Analysis. MD5: 4ceae09ac95a169bf12d7c4f1048006c SHA1: 3b6858ad62a80ecc157733111f556b92d3cfb7b0 FILE TYPE: exe (x86) Compile time: Initial dynamic loading of the required DLLs. The names of the DLLs and WinAPI functions are stored in plaintext in the binary. It still uses the common loading-function approach, LoadLibrary and GetProcAddress. DLL: kernel32.dll Shlwapi.dll Ole32.dll WinInet.dll Advapi32.dll User32.dll Crypt32.dll ...

Bar Block at Deep Instinct

Bar Block, Threat Intelligence Researcher, Deep Instinct Threat Lab. Since its release in November 2022, ChatGPT has been gaining popularity, being asked everything from how to explain quantum computing to writing a birthday poem. The big question on everyone’s mind in the cybersecurity industry: Will ChatGPT become a tool for attackers to create and accelerate more sophisticated attacks? Our research below demonstrates how dangerous ChatGPT can be in the wrong hands. There is also the potential for r...

Eli Salem

Threat Background: Rhadamanthys is a newly emerged information stealer written in C++. According to multiple reports [1], the malware has been active since late 2022. In addition, the malware appears to masquerade as legitimate software such as AnyDesk installers [2] and Google Ads [3][13] to get the initial foothold. As for usage, on the dark web the malware authors offer various deals for using the malware, such as monthly or even lifetime payments. Rhadamanthys. Also, the authors emphasi...

Jacob Pimental at GoggleHeadedHacker

18 January 2023 By Jacob Pimental. The majority of my earlier posts focus on reversing binaries using Radare2/Rizin from the command line. While this is a great option, I have recently switched to using the GUI alternative: Cutter. This post will be an introduction to the tool and how to use it. Contents: What is Cutter; Cutter UI; Adding New Tabs; Disassembly View; Graph View; Functions; Decompiler; Hexdump; Search Functionality; Console; Conclusion. What is Cutter: Cutter is a GUI interface for the Rizin disassemble...

Hex Rays

Natalie Zargarov at Minerva Labs

Natalie Zargarov | 19.01.23 | 5 Minutes Read Remcos is a legitimate commercial Remote Access Tool (RAT) created by the security company Breaking Security. It was first released in 2016 but started being used for malicious purposes during 2017. This is a powerful tool that grants the capability of comprehensive remote surveillance including keylogging, activating cameras, taking screenshots, capturing audio, and monitoring clipboard activity. It allows threat actors to quietly transfer files to a...

Mohamed Adel

Mohamed Adel, included in Malware Analysis, 2023-01-16, 762 words, 4 minutes. Contents: Conclusion; Infection through Email; Loader Analysis; Downloading the second stage; Second stage Analysis; Network capture analysis; References; File hashes. Conclusion: Origin Logger is a variant of Agent Tesla; it is built on top of it and uses all of its capabilities. The malware spreads using spam emails with malicious attachments. The malware exfiltrates user accounts and passwords and other information fro...

OALABS Research

A deeper look at the Dumpulator advanced emulation capabilities. Jan 15, 2023 • 257 min read. Tags: guloader, emulation, dumpulator, veh, exceptions. Contents: Overview; Guloader VEH; Obfuscated Strings; Dumpulator String Decryption; IDA Label Trace. Overview: We are going to take a closer look at how to emulate exceptions with Dumpulator using a recent Guloader sample as an example. Guloader SHA256 = E3A8356689B97653261EA6B75CA911BC65F523025F15649E87B1AEF0071AE107 (malshare). Guloader VEH: The sample we are analyzing uses a VE...

What is this thing, are we just looking at a downloader? Jan 19, 2023 • 3 min read. Tags: rhadamanthys, config, IDA, shifted pointers, PEB, LIST_ENTRY, LDR_DATA_TABLE_ENTRY. Contents: Overview; Sample; References; Stage 1; Stage 2; PEB Walk; _LDR_DATA_TABLE_ENTRY and Shifted Pointers in IDA; IDA Shifted Pointers; References; Thanks. Overview. Sample: dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5 (Malware Bazaar). References: Triage Run; Dancing With Shellcodes: Analyzing Rhadamanthys Stealer; Downloader af04ee03d69a79...

petikvx

YouTube video

Securelist

APT reports, 19 Jan 2023. Table of Contents: DNS changer via malicious mobile app; Investigation of landing page statistics; Geography based on KSN; Conclusions; IoCs. Authors: GReAT. Roaming Mantis (a.k.a. Shaoye) is well-known as a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation. Kaspersky has been investigating ...

Sonatype

Malware Monthly - December 2022. January 17, 2023 By Sonatype Developer Relations, 10 minute read time. Welcome to the latest edition of Malware Monthly, where our teams of security researchers and developer advocates bring you the latest discoveries of malicious packages in software registries. Thankfully the 2022 holiday season did not deliver the level of disruption seen in last year’s Log4Shell zero-day vulnerability. But some developers and security professionals did receive an unwelcom...

January 19, 2023 By Juan Aguirre, 11 minute read time. Sonatype’s next-generation AI behavioral analysis systems are constantly on the search for malicious packages published to open source repositories. Once a package is flagged by these systems, it is passed on to our Security Research team, where we verify what is truly malicious. In this article, we are going to dive into the waters of malware analysis, starting with some basics and slowly going into the deep end as we see fit along th...

Melusi shoko at System Weakness

Source: SecurityIntelligence.com. I’m back again this year with a new concept for a project that you can use in your organisation as a tabletop exercise. This helps cyber security specialists, employees and students to learn how ransomware can infect a computer. We are going to simulate a generic ransomware infection using just PowerShell thanks to a simple tool called PSRansom; this tool has been created and designed from scratch by Joel Gámez Molina. We will also be able to use both the Windows and Linu...

ThreatFabric

19 January 2023. Contents: Introduction; A malware created “from scratch”; Capabilities; Targets; Conclusions; Fraud Risk Suite; Appendix. Introduction: The joint police operation that brought down the Cabassous network infrastructure in May 2022, together with the slow but steady disappearance of Anatsa from the threat landscape, left an open space in the Android banking malware market. This space was filled initially by Hydra, and in minor part by the latest variants of ExobotCompact (also known as Octo)...

Zhassulan Zhussupov

Malware development: persistence - part 21. Recycle Bin, My Documents COM extension handler. Simple C++ example. 3 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is based on my own research into one of the more interesting malware persistence tricks: via modifying Recycle Bin COM extension handling. CLSID list Certain special folders within the operating system are identified by unique strings: {20d04fe0-3aea-1069-a2d8-08002b30309d} - My Computer {450d8fba-ad25-11d0-...

Padvish Malware Threat Database

Spy.Win32.SecondEye 2023-01-18. General description. Type: Spyware. Damage level: Medium. Prevalence: Medium. Malware names: Spy.Win32.SecondEye (Padvish), Win32/Spy.SecondEye.A. What is spyware? This type of malware is used to steal personal and organizational information and for espionage purposes. Once spyware is installed on a system, the user's information is under constant security threat, and at any moment there is the possibility of data theft and unauthorized access to it. Spyware usually ...