Analysis Notes

A place to jot down things I have tried while analyzing malware, and anything I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 7 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that I can skim through and pick the articles to check. This Week in 4n6 itself can be found here.

MALWARE

Tarek Mostafa

2 minute read On this page Challenge-SillyPutty Objective Tools We can see a path, some URLs and I think a PowerShell payload. This one I feel has some keylogger capabilities. Challenge-SillyPutty Hello Analyst, The help desk has received a few calls from different IT admins regarding the attached program. They say that they’ve been using this program with no problems until recently. Now, it’s crashing randomly and popping up blue windows when it’s run. I don’t like the sound of t...

Andrew Brandt at Sophos

A large-scale "QakNote" attack deploys malicious .one files as a novel infection vector Written by Andrew Brandt February 06, 2023 Since the beginning of the year, we’ve been tracking the growth of malware threat actors taking advantage of a (previously) rarely abused Office file format – the .one files used by the OneNote application. So have a few other security companies. Our initial look ...

ASEC

Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team is monitoring attacks against sy...

In order to evade analysis and sandbox detection, DarkSide ransomware only operates when the loader and data file are both present. The loader with the name “msupdate64.exe” reads the “config.ini” data file within the same path that contains the encoded ransomware and runs the ransomware on the memory area of a normal process. The ransomware is structured to only operate when a specific argument matches. It will then register itself to the task scheduler and run itself periodically. Figure 1. Ra...

The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from January 22nd, 2023 to January 28th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering metho...

On the morning of January 28th, the ASEC analysis team discovered the redistribution of Magniber disguised as normal Windows Installers (MSI). The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files. According to AhnLab’s log system as seen in Figure 1, it can be noted that the distribution increased starting from January 27th. MS.Update.Center.Security.KB17347418.msi MS.Update.Center.Security.KB2562020.msi MS.Update.Center.Security.KB44945726.m...

The ASEC analysis team has recently discovered the distribution of Quasar RAT through the private Home Trading System (HTS). No information could be found when looking up the HTS called HPlus that was used in the attack. Furthermore, the company’s name could not be found in even the clause of the installation process, so it is assumed that the victims did not install their HTS from an institutional financial company, but instead, they got HPlus HTS through an unsanctioned source or a di...

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 30th, 2023 (Monday) to February 5th, 2023 (Sunday). For the main category, downloader ranked top with 39.3%, followed by Infostealer with 28.8%, backdoor with 27.0%, ransomware with 2.6%, and CoinMiner with 2.2%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kit...

Jossef Harush at Checkmarx Security

Published in checkmarx-security, Jossef Harush, Feb 10, 4 min read. 400+ Malicious Python Packages Manipulating Victim’s Clipboard to Steal Crypto. Starting Feb 9 2023, an attacker published a total of 444 malicious packages via 22 different PyPi user accounts. The malicious packages infect the victim’s web browser with a hidden extension that manipulates the clipboard and changes the value of a copied crypto wallet address to match the attacker’s crypto wallet address. Attack Technique For those who a...

Cofense

Eliya Stein at Confiant

Over the last few years, as AdTech and browser security have continued to mature, many malvertisers have moved on from forced redirect campaigns that target premium publishers and top-tier advertising platforms. The ones that are left, however, typically have little tricks that they employ in order to try and achieve some sort of positional advantage in order to optimize their impact and reach. Today we are looking at part of a payload from a threat actor that we call D-Shortiez. A group that runs...

CTF导航

GooberBot: Sample Evolution Analysis of a New Member of the Scar Rental Botnet (Reverse Engineering / Virus Analysis) 1. Overview In early January 2023, the QiAnXin Threat Intelligence Center threat monitoring system detected an incident in which malicious samples of an unknown family were spreading by exploiting the CVE-2022-30525 vulnerability. Analysis showed that this family's samples are still at the testing stage and have gone through several update iterations recently. Besides this vulnerability, the family's samples also spread via CVE-2021-22205 and CVE-2021-35394. The family belongs to the Scar rental botnet; Scar rental is cheap, and as little as $15 buys DDoS attack access for up to a month. The initial sample of this new botnet family began spreading in August 2022; based on the landing filename of the initial sample, we named the family discovered here GooberBot. 2. Analysis of the Sample's Key Behaviors This article takes the x86-64 sample as its example. Sample information: file name git.x86_64, file size 18412 bytes, file MD5 FF3DD951F62D20ECC66450F8BB783F0D. 2.1 Run Parameters The sample supports running with arguments: the "Show" argument makes the sample output some debug strings that display its running status while it runs, and the "UpDaTe" argument can...

DCSO CyTec

ShortAndMalicious — PikaBot and the Matanbuchus connection. Continuing our #ShortAndMalicious series, where we aim to briefly highlight new or otherwise noteworthy malware, a tweet by Unit 42 Intel caught our attention early February 2023: Thank you Unit 42 for sharing! Having covered Matanbuchus before, DCSO CyTec jumped in to investigate this new sample, which quickly turned out to be a new malware family instead. Twitter user Germán Fernández then identified it a...

dr4k0nia

Analysing A Sample Of Arechclient2 Posted Feb 5, 2023 Updated Feb 5, 2023 By dr4k0nia 11 min read. In this post, I will be going over my process of analyzing a sample of ArechClient2. Including initial analysis, deobfuscation and unpacking of the loader. Followed by the analysis of the .NET payload revealing its config and C2 information. It began with this tweet by @Gi7w0rm. They mentioned me and a few others asking for help analyzing this sample. I decided to look into the sample. Afte...

Gameel Ali

12 minute read On this page Summary Technical analysis second stage third stage mutex obfuscation collecting sensitive information Evade Detection Establish a connection implementation of a simple HTTP Encryption data with AES c2 response commands Analysis Infrastructure Classification and attribution TTPs Yara Rule IOCs First stage second stage third stage IP domain ip addresses 199.36.158.100 urls Files Summary This attack chain begins with the victim receiving a malicious RTF file through a phi...

Igor Skochinsky at Hex Rays

Baran S at K7 Labs

Posted by Baran S, February 8, 2023. Android Banking Malware: Play Store App Serves Coper Via GitHub. We at K7 Labs recently came across this twitter post about Coper, a banking Trojan. The main infection vector of Coper was found on the official Google Play Store where it posed as UniFile manager – PDF viewer app with 10,000+ downloads as shown in Figure 1. Figure 1: UniFile manager – PDF viewer from Google Play Store Once launched, this app requests the use...

Kamran Saifullah

Kamran Saifullah, Cyber Security Frog. Published Feb 11, 2023. Recently, I have been taking a closer look into supply chain attacks and how adversaries are pushing malicious packages on PyPi to compromise the users who download and install these packages. It's true that most of the users, especially developers, are using these packages blindly and are not taking a closer look into what they have downloaded and are working with eit...

Lucija Valentić at ReversingLabs

Aabquerys is a malicious npm package discovered typosquatting on a legitimate module that downloads malicious components Blog Author Lucija Valentić, Software Threat Researcher, ReversingLabs. As part of the ReversingLabs research team's ongoing surveillance of open source repositories, we have identified aabquerys, a malicious npm package that downloads second and third stage malware payloads to systems that have downloaded and run the npm package. Since discovering the aabquerys p...

Malware Hell

c3rb3ru5d3d53c included in Docs 2023-02-05 2156 words 11 minutes Contents Introduction, Signature Development, Limitations, Conclusion, References. Introduction Malware tends to obfuscate itself using many different techniques from opaque predicates, garbage code, control flow manipulation with the stack and more. These techniques definitely make analysis more challenging for reverse engineers. However, from a detection and hunting standpoint to find interesting samples to reverse engineer we can leverage o...

Muhammad Hasan Ali at muha2xmad

7 minute read On this page Introduction Anti-emulator Collect victim’s device info USSD Call forwarding Push notifications Smishing Steal SMSs Record the screen VNC Overlay attack Start/Kill the malware Cache cleaner Communications IoCs Yara rule Article quote REF بسم الله الرحمن الرحيم FreePalestine Introduction Godfather is a malware that targets Android devices. It was first discovered in 2020 and is known for its sophisticated and aggressive behavior. The malware is designed to steal sensiti...

Pham Duy Phuc and Max Kersten at Trellix

By Pham Duy Phuc and Max Kersten · February 08, 2023 Threat actors often rely on the same techniques until their hand is forced, usually due to defensive changes or chance-based opportunities, to leverage a new technique. Malicious macros in Microsoft Office have long been the “industry standard” to initially compromise devices. As such, Microsoft’s default blocking of internet-originating macros caused threat actors to find new methods to infect victims, leading to the rise of search engine opt...

Phylum

Phylum discovers over 451 unique malicious packages targeting popular PyPI packages like Selenium. Published on Feb 10, 2023 Written by The Phylum Research Team Category: Malware. UPDATE: This campaign is still unfolding. Currently, the actor appears to have typosquatted several major packages in PyPI. We will continue to update this blog post as new details emerge. In November of 2022, Phylum discovered and published an article about an attack on PyPI in which threat actors attempted to rep...

Axel F at Proofpoint

Screentime: Sometimes It Feels Like Somebody's Watching Me February 08, 2023 Axel F Key Findings Proofpoint began tracking a new threat actor, TA866. Proofpoint researchers first observed campaigns in October 2022 and activity has continued into 2023. The activity appears to be financially motivated, largely targeting organizations in the United States and Germany. With its custom toolset including WasabiSeed and...

Jennifer Gregory at Security Intelligence

You’re likely familiar with the names of common malware strains such as MOUSEISLAND, Agent Tesla and TrickBot. But do you know how new malware threats get their names? As a cybersecurity writer, I quickly add new strains to my vocabulary. But I never knew how they came to have those names in the first place. After writing numerous articles on malware, I decided to dig deep into the naming conventions to shed some light on that question. As it turns out, a name can tell you a lot about the malwar...

Antonis Terefos at SentinelLabs

Antonis Terefos / February 7, 2023 Executive Summary SentinelLabs has observed the first Linux variant of Cl0p ransomware. The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom. SentinelLabs has published a free decryptor for this variant here. Background SentinelLabs observed the first ELF variant of Cl0p (also known as Clop) ransomware targeting Linux systems on the 26th of December 2022. The new variant is simila...

Sonatype

February 08, 2023 By Ax Sharma 4 minute read time This week we have identified malicious Python packages on the PyPI software registry that carry out a bunch of nefarious activities including: dropping malware, deleting the “netstat” utility, tampering with the SSH “authorized_keys” file on your system. Tracked under sonatype-2023-0810 in our data, these malicious PyPI packages are listed below: aptx - 237 downloads, bingchilling2 - 70 downloads, httops - 39 downloads*, tkint3rs - 105 downlo...

Malware Monthly - January 2023 February 10, 2023 By Sonatype Developer Relations 11 minute read time In this edition of Malware Monthly, we take you on a journey through malware that rejects virtual machines, Linux crypto miners, evasive variants of RAT mutants, and a ubiquitous package that’s dependent on the entire publicly-available npm ecosystem—all targeted at modern software supply chains. Follow us as we continue uncovering suspicious activities in open source registries. In terms ...

Aliakbar Zahravi and Peter Girnus at Trend Micro

Malware Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs We discovered an active campaign targeting Eastern Europeans in the cryptocurrency industry using fake job lures. By: Aliakbar Zahravi, Peter Girnus February 09, 2023 We recently found an active campaign that uses a fake employment pretext targeting Eastern Europeans in the cryptocurrency industry to install an information stealer. In ...

Uriel Kosayev

Jason Reaves at Walmart

By: Jason Reaves. Recently, SentinelOne released a report on a loader they named MalVirt[1] which was also previously called KoiVM[2]. In both these reports, the loader was alluded to being a dropper and having encoded payloads on board. I was researching an interesting .NET loader which was being misclassified as the various things it was delivering. Even the Emerging Threats suricata rule created for it was named based on a delivery. Some communities mention it as being ATLoader, LuminosityLink,...

Zhassulan Zhussupov

5 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research on a Yara rule for Murmurhash2 hashing, and how to use it for malware analysis in practice. MurmurHash MurmurHash2A is a non-cryptographic hash function optimized for performance and speed. It divides the input data into 4-byte blocks, applies bitwise operations and XORs to each block, and then uses a finalizer to produce the final hash result. Here’s a high-level overview of the algorithm: d...