Analysis Notes

A place to jot down notes from analyzing malware and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 6 – 2023 - MALWARE

This entry was generated and posted automatically to show the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Akshata Rao, Esmid Idrizovic, Sujit Rokka Chhetri, Bob Jung and Mark Lim at Palo Alto Networks

By Akshata Rao, Esmid Idrizovic, Sujit Rokka Chhetri, Bob Jung and Mark Lim, January 31, 2023 at 6:00 AM. Category: Malware. Tags: Advanced WildFire, AI, Evasive Malware, Guloader, Machine Learning, memory detection, Sandbox evasion, WildFire. Executive Summary: Unit 42 researchers discuss a machine learning pipeline we’ve built around memory-based artifacts from our hypervisor-based sandbox, which is part of Adva...

Asaf Eitani and Nitzan Yaakov at Aqua

This blog was co-authored by Nitzan Yaakov. Aqua Nautilus researchers discovered a new elusive and severe threat that has been infiltrating and residing on servers worldwide since early September 2021. Known as HeadCrab, this advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers. The HeadCrab botnet has taken control of at least 1,200 servers. This blog will delve ...

ASEC

This document is an analysis report on malware that is being actively distributed using Microsoft OneNote. The ASEC analysis team identified the rapidly increasing trend of OneNote malware distribution from November 2022 and has classified the malware according to the level of intricacy based on the screen that appears when the file is actually opened. These categories include ‘1) The type where malicious objects are hidden with simple block images’ and ‘2) The more intricately created malicious...

Contents: Top 1 – BeamWinHTTP; Top 2 – AgentTesla; Top 3 – Formbook; Top 4 – SmokeLoader; Top 4 – Pony. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 16th, 2022 (Monday) to January 22nd, 2023 (Sunday). For the main category, Infostealer ranked top with 43.0%, followed by downloader with 30.06%, backdoor with 19.9%, ransomware with 3.8%, CoinMiner with 2.4%, and banking malware with 0.3%...

Contents: Phishing Emails; File Extensions in Phishing Emails; Cases of Distribution; Case: FakePage; Case: Malware (Infostealer, Downloader, etc.); Keywords to Beware of: ‘Remittance Copy’; FakePage C2 URL. The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from January 15th, 2023 to January 21st, 2023 and provide statistical information on each type. Gener...

The ASEC analysis team continuously monitors phishing emails, and we have been detecting multiple phishing emails that are distributed with a changing icon to reflect the mail account service entered by the user. The following is an email distributed on January 16, 2023, warning users that their account will be shut down, prompting them to click the ‘Reactivate Now’ link if they need their account kept active. The linked phishing page steals the user’s email account and password. Figure 1. Distr...

Contents: 0. Overview; 1. Ethereum CoinMiner Attack Cases; 1.1. Distribution Using Discord; 1.2. Attack Abusing dnSpy Tool; 2. Ethereum Classic CoinMiner Attack Cases; 2.1. Change to Ethereum Classic; A. Ethereum Classic CoinMiner; B. CLIPBANKER; C. QUASAR RAT; D. VIDAR INFOSTEALER; 3. Conclusion. The ASEC analysis team is monitoring CoinMiners that are targeting Korean and overseas users. We have covered cases of various types of CoinMiner attacks over multiple blog posts in the past. This post aims to introduce the ...

The ASEC analysis team has recently been monitoring phishing emails with content related to requests for product quotations. These phishing emails are all disguised to seem as if they were sent by a manager with a high position, such as the team leader or department director of production companies or foundries. There were also .html and .htm attachments. This post will cover the two major phishing emails disguised as quotation requests. For convenience, these emails will be referred to as Phish...

Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension. This ransomware is being propagated with the version info marked as “System Boot Info”, disguising itself as a normal program file related to boot information. Figure 1. File version info It was created in a .NET format and includes a loader and the actual ransomware data within it. It ultimately loa...

Contents: Top 1 – BeamWinHTTP; Top 2 – SmokeLoader; Top 3 – Formbook; Top 4 – AgentTesla; Top 5 – SnakeKeylogger. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 23rd, 2023 (Monday) to January 29th, 2023 (Sunday). For the main category, downloader ranked top with 44.2%, followed by Infostealer with 34.3%, backdoor with 18.5%, ransomware with 2.6%, and CoinMiner with 0.4%. Top 1 – Be...

The ASEC analysis team discovered the distribution of a malicious LNK file disguised as a normal HWP document, along with a text file impersonating the National Tax Service. A normal HWP document with related contents is opened simultaneously, making it difficult for users to realize the file is rogue. The malicious script file executed in the end is the same type as the script covered in ‘Malicious Word Files Disguised as Product Introduction’ and is deemed to have been created by the same threat acto...

Erik Pistelli at Cerbero

Microsoft OneNote is rising in popularity as a vector for malware. Therefore, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store, which parses the OneNote format and extracts embedded files. Installing the package from Cerbero Store takes only a few mouse clicks. Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite, and all embedded files are automatically extracted and ready to be inspected. In this image ...

Cleafy

Published: 3/2/23. Key points: Between the end of 2022 and the beginning of 2023, a new Android banking trojan was discovered by the Cleafy TIR team. Given the lack of information and the absence of a proper nomenclature for this malware family, we decided to dub it PixPirate, to better track this family inside our internal Threat Intelligence taxonomy. PixPirate belongs to the newest ge...

CTF导航

APT 摩诃草 sample analysis (APT category, posted 3 days ago by admin). This is a featured article from the Kanxue forum; forum author ID: 戴夫的小推车. 1. APT overview: 摩诃草, also known as Hangover, Patchwork, White Elephant and other names, is an APT group with a South Asian background. The group mainly attacks Windows systems, but also targets Android and Mac OS. Its targets include China, Pakistan, Israel and other countries. It relies mainly on spear-phishing, supplemented by a small number of watering-hole attacks, and conducts cyber espionage against the government, military, power, industrial, diplomatic and economic sectors of the targeted countries to steal sensitive information. 2. Overview: The first-stage sample is an RTF file; when run it exploits CVE-2017-11882 to execute shellcode, which drops the second-stage samples ("McVsoCfg.dll", "mcods.exe") and registers them in the startup items. When the second-stage sample runs, it first checks the time zone of the compromised host and terminates if it is not the Pakistan time zone. It then collects the host's installed software, process information, network adapter information, DNS configuration, deployed services and detailed system information and writes them to the file "RTYgjfdg.sys" in the TEMP directory. After obtaining the host UUID, it sends the collected host information together to the C2 at 51.89.251.8, and then...

Fortinet

By Xiaopeng Zhang | January 31, 2023. FortiGuard Labs recently captured Excel documents in the Microsoft OLE Compound File format that contain malicious VBA Macros. Their file names are Pago_detalles.xls, makbuzu.xls, and Pago.xls. I then conducted deep research on them and found that they all belong to the same malicious campaign that cryptojacks systems to mine for Monero (XMR) cryptocurrency. Affected platforms: Microsoft Windows. Impacted parties: Windows Users. Impact: Cryptojack Victim’s Devi...

By Shunichi Imano | February 02, 2023. On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers the Trigona ransomware. Affected platforms: Microsoft Windows. Impacte...

Hardik Manocha at FourCore

Written by Hardik Manocha. Hackers are using Microsoft OneNote attachments in phishing emails to spread malware and password stealers. Phishing campaigns are one of the most typical ways hackers obtain private or sensitive information. Phishing involves sending fraudulent emails that appear to come from a trusted source. Its purpose is to trick recipients into clicking on a malicious link or downloading a malicious file, usually to steal money or personal information. According to...

Igor Skochinsky at Hex Rays

Jonathan Sar Shalom at JFrog

K7 Labs

Posted by Rahul R, February 1, 2023 (updated February 1, 2023). Categories: Malicious DLLs, Ransomware. Phobos Ransomware found to be using DLL Side Loading. In one of our recent IR cases, we found Phobos ransomware being executed using the DLL sideloading technique. The threat actors (TA) used a legitimate signed binary WiseTurbo.exe from Lespeed Technology Co., Ltd to perform sideloading of NlogExt.dll. WiseTurbo.exe imports sqlite3.dll; the TA modified the sqlite3.dll’s import table to include an ent...

Posted by Vigneshwaran P, February 2, 2023 (updated February 3, 2023). Category: Ransomware. Ransomed by Warlock Dark Army “OFFICIALS”. Recently we came across a tweet shared by petikvx. The tweet was on a ransomware family that had a group name similar to the WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group’s name. Upon analyzing the ransomware from the tweet we suspect both to be very different groups just based on their malware’s attribut...

Malware Hell

c3rb3ru5d3d53c, in Docs, 2023-02-04, 176 words, one minute read. Contents: Get Python Bytes from Address; Get Section Bytes (Program Tree); Get Executable Path; Get Program Start Address; Get Program End Address; Comments; Bookmarks; Functions; Addresses; Labels; Listing. This is a cheatsheet I use for Ghidra scripting. NOTE: Some of these functions use each other 😄

Get Python Bytes from Address:

    # Ghidra's getBytes() returns signed Java bytes; mask each to 0..255
    def get_bytes(address, size):
        return bytes(map(lambda b: b & 0xff, getBytes(address, size)))

Get Section Bytes (Program Tree...

Marco Ramilli

Cyber Crime, cybersecurity, malware, Security. February 4, 2023. During the past 4 months the Microsoft OneNote file format has been (ab)used as a malware carrier by different criminal groups. While the main infection vector is still on the email side – so nothing really relevant to write on – the techniques used, the templates and the code implemented to inoculate malware changed a lot. So it would be interesting to study this new phenomenon for further attribution and for quick identifications...

Michael Haag

A Google Sheets document (browser-support banner and menu residue removed) listing remote access tools, with columns Name, Site, Source, Active, Paid/Free, ITW, Windows, Linux, MacOS. The first rows: Venom (GitHub, github.com/r00t-3xp10it/venom); Khepri (GitHub, github.com/geemion/Khepri); AsyncRAT (GitHub, github.com/NYAN-x-CAT/AsyncRAT-C-Sharp); PowerShellRAT (GitHub, github.com/Viralmaniar/Powershell-RAT); ToRAT (GitHub, github.com/lu4p/ToRat); DCRAT (GitHub, github.com/qwqdanchun/DcRat)...

Quadrant

January 25, 2023. Introduction: Quadrant was recently able to aid a client during an organization-wide compromise by the Black Basta ransomware group. This group is a “Ransomware as a Service” (RaaS) organization known to target medium and large companies. The following contains an overview of the compromise as it progressed, as well as a technical analysis of the malware and techniques observed, ranging from a successful phishing campaign to the attempted ...

Securelist

Malware descriptions, 31 Jan 2023. Table of Contents: Tap-to-pay; The pandemic gave a boost to NFC payments; Insert-to-get-robbed; Malware adapting to the latest trends. Authors: GReAT. Prilex is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware—actually, the most advanced PoS threat we have seen so far, as described in a previous article. Forget about those old memory scrapers seen in PoS attacks. Prilex goes beyond these, and it has evolved very ...

Aleksandar Milenkoski and Tom Hegel at SentinelLabs

Crimeware. MalVirt | .NET Virtualization Thrives in Malvertising Attacks. Aleksandar Milenkoski, February 2, 2023. By Aleksandar Milenkoski and Tom Hegel. Executive Summary: SentinelLabs observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks. The loaders, dubbed MalVirt, use obfuscated virtualization for an...

Squiblydoo

Squiblydoo/debloat: A GUI tool for removing bloat from executables (90 stars, 4 forks).

Ben Martin at Sucuri

TrustedSec

New Attacks, Old Tricks: How OneNote Malware is Evolving. January 31, 2023. By Scott Nusbaum in Incident Response, Incident Response & Forensics, Malware Analysis, Office 365 Security Assessment, Purple Team Adversarial Detection & Countermeasures, Threat Hunting. 1. Analysis of OneNote Malware: A lot of information has been circulating regarding the distribution of malware through OneNote, so I thought it would be fun to look at a sample. It turns out there are a lot of similarities between embeddin...

How Threat Actors Use OneNote to Deploy ASyncRAT. February 1, 2023. By Carlos Perez in Incident Response, Incident Response & Forensics, Malware Analysis, Office 365 Security Assessment, Threat Hunting. See how Research Team Lead Carlos Perez dissects a sample of a OneNote document that was used to deploy ASyncRAT, an open-source remote admin tool, to enable phishing attacks. You’ll find out how these OneNote files are now being used by threat actors and where to find the location that ASyncRAT is ...

Zhassulan Zhussupov

6 minute read. ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research on a Yara rule for CRC32 hashing and how to use it for malware analysis in practice. At first I wanted to focus on the WinAPI hashing method using CRC32 in malware development. But then this article would differ from that one only in the hashing algorithm. So I decided to see how to create a Yara rule which indicates the use of this algorithm in malware samples. I also consider the implementation o...