Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 9 – 2023 - MALWARE

This entry was generated and posted automatically to display the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. The 4n6 post itself can be found here.

MALWARE

Alex Petrov at Hex Rays

ASEC

In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea. 1. Overview The RedEyes group is known for targeting specific individuals and not corporations, stealing not only personal PC information but also the mobile phone d...

The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from February 5th, 2023 to February 11th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a...

The AhnLab Security response Center (ASEC) analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 13th, 2023 (Monday) to February 19th, 2023 (Sunday). For the main category, backdoor ranked top with 50.8%, followed by downloader with 41.0%, Infostealer with 7.3%, ransomware with 0.8%, and CoinMiner with 0.2%. Top 1 – RedLine RedLine ranked first place with 49.4%. The malware steals vari...

Since approximately a year ago, the Lazarus group’s malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group’s activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group. Overview Definition of Anti-Forensics Anti-forensic...

Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files. These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games. Some of the filenames used in distribution are as follows...

The ASEC (AhnLab Security Emergency response Center) analysis team has discovered the distribution of malware targeting users with vulnerable versions of Innorix Agent. The collected malware is a backdoor that attempts to connect to a C&C server. Figure 1. Vulnerability security update notice from Korea Internet & Security Agency[1] The exploited Innorix Agent is a file transfer solution client. Details about the vulnerability were posted by the Korea Internet & Security Agency (KISA)[1] where t...

ASEC (AhnLab Security Emergency Response Center) has been constantly monitoring the Magniber ransomware which has been displaying a high number of distribution cases. It has been distributed through the IE (Internet Explorer) vulnerability for the past few years, but stopped exploiting the vulnerability after the support for the browser ended. Recently, the ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers. There have been recent reports of systems ...

Jarosław Jedynak and Michał Praszmo at CERT Polska

A tale of Phobos - how we almost cracked a ransomware using CUDA 23 February 2023 | Jarosław Jedynak, Michał Praszmo | #ransomware, #malware, #analysis Abstract: For the past two years we've been tinkering with a proof-of-concept decryptor for the Phobos family ransomware. It works, but is impractical to use for reasons we'll explain here. Consequently, we've been unable to use it to help a real-world victim so far. We've decided to publish our findings and tools, in hope that someone will fin...

CISA

Last Revised September 28, 2022. Alert Code AR22-272A. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable r...

Last Revised September 27, 2022. Alert Code AR22-270B. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable r...

Last Revised September 27, 2022. Alert Code AR22-270A. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable r...

Last Revised July 28, 2022. Alert Code AR22-203A. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk o...

Last Revised July 18, 2022. Alert Code AR22-197A. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk o...

Last Revised July 18, 2022. Alert Code AR22-174B. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk o...

Last Revised July 28, 2022. Alert Code AR22-174A. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk o...

Last Revised April 28, 2022. Alert Code AR22-115B. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk ...

Last Revised April 28, 2022. Alert Code AR22-115C. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk ...

Last Revised April 28, 2022. Alert Code AR22-115A. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk ...

Cofense

Flashpoint

Flashpoint Team, February 24, 2023. “United States Attorney Roger B. Handberg announced on Wednesday February 23 the arrest and extradition of Dariy Pankov a/k/a “dpxaker.” Pankov is charged with conspiracy, access device fraud, and computer fraud. If convicted on all counts, he faces a maximum penalty of 47 years in federal prison. The indictment also notifies Pankov that the United States intends to forfeit $358,437, which is alleged to be traceable to proceeds of the offenses. Panko...

Igor Skochinsky at Hex Rays

Mellvin S at K7 Labs

Posted by Mellvin S, February 22, 2023 (updated February 23, 2023) | Stealer, Trojan | RedLine Stealer spreading through OneNote. Recently OneNote files are being abused a lot to carry malware and users are being tricked to execute the same. This count has increased in the last couple of weeks. The sample under consideration was a .one file in the wild carrying the RedLine info stealer. Figure 1 – VT detection. The .one file just had a simple dialog box saying ‘Double click to view’. F...

Jérôme Segura at Malwarebytes Labs

Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API Posted: February 21, 2023 by Jérôme Segura Magecart threat actors continue to go after e-commerce sites while also collecting data points from fake customers. One important aspect of data theft in criminal markets revolves around the authenticity of the data that is being resold. There are different services that exist to vet such things as credit card numbers so that buyers can purchase with confidence. Criminals ar...

Marcus Hutchins at MalwareTech

Marcus Hutchins Recently there’s been a lot of bold claims about how ChatGPT is going to revolutionize the cybercrime landscape, but it can be hard to distinguish the facts from the fiction. In this article I’m going to dive into some claims, as well as share some of my thoughts on where things might be heading. AI will allow low skilled hackers to develop advanced malware This is one of the claims that seems to be everywhere. I can’t even scroll down three posts on LinkedIn without someon...

Michael Koczwara

Static/Dynamic Analysis and Reversing. I will be back soon. Intro: Right so again I will keep this intro very short. I have scanned (again) malicious infrastructure (maybe Threat Actors, maybe Red Teams, or maybe …)

Quick Heal

By Anjali Raut, 21 February 2023, 6 min read. Microsoft Office documents are used worldwide by both corporates and home-users alike. Its different office versions, whether licensed or unlicensed, offer users an easy way to create and modify files. However, this software is also susceptible to cyberattacks. Cybercriminals often take advantage of its vulnerability and use VBA (Visual Basic Application) macros as entry points to gain access to targeted systems and devices. Over the years, ...

By Quick Heal Security Labs, 24 February 2023, 6 min read. A recent virus infection faced by some users was swiftly detected as being caused by Expiro. We have conducted an in-depth investigation and analysis on the intricacies of Expiro and what makes it such a potent threat. This article lays out our analysis and understanding of the matter from our Security Research Lab and offers a detailed explanation on the necessary steps forward for those impacted. Let’s begin. About Expiro Expir...

ReversingLabs

Lesson from Core-JS: Beware hidden dependencies from indebted Russian developers. This is not a drill: Denis Pushkarev has big debts — and his code is EVERYWHERE. Blog Author: Richi Jennings, Independent industry analyst, editor, and content strategist. The Core-JS project is absolutely huge. Perhaps your project has a dependency on it? The likelihood is you’d never know. But its sole developer is in trouble. Brilliant Russian coder Denis Pushkarev desperately needs money — he’s vulner...

ReversingLabs researchers discovered dozens of malicious packages on Python Package Index that mimic popular libraries. Blog Author: Lucija Valentić, Software Threat Researcher, ReversingLabs. While monitoring different malicious packages found in public software repositories, ReversingLabs researchers have noticed an increase of malicious HTTP libraries on the Python Package Index (PyPI) repository. Actually, we should air-quote “HTTP libraries.” In reality, most of these are simple,...

Pedro Tavares at Segurança Informática

Sekoia

This blogpost aims at presenting the activities of the Stealc’s alleged developer, a technical analysis of the malware and its C2 communications, and how to track it. CTI, Cybercrime, Malware, Stealer | Threat & Detection Research Team, February 20, 2023 | 23 minutes reading. Table of contents: A successful entry into the cybercrime market; First Stealc advertisement; Plymouth’s activity carried out in a professional manner; Technical analysis; Malware sample association; Technical overview...

Tony Lambert

NetSupport Manager RAT from a Malicious Installer. Posted Feb 25, 2023 by Tony Lambert, 6 min read. Adversaries love to use pre-made tools for remote access and one perennial favorite is the legitimate NetSupport Manager. This post is a short and sweet look at a malicious installer that distributes NetSupport Manager to unwitting victims, allowing remote control to adversaries. If you want to follow along at home, I’m working with this file from MalwareBazaar: //bazaar.abuse.ch/sample/8cc...

Jason Hill at Varonis

Jason Hill | 8 min read | Last updated February 20, 2023 Contents Introduction First observed in October 2022, HardBit is a ransomware threat that targets organizations to extort cryptocurrency payments for the decryption of their data. Seemingly improving upon their initial release, HardBit version 2.0 was introduced toward the end of November 2022, with samples seen throughout the end of 2022 and into 2023. Like most modern ransomware threats, HardBit claims to steal sensitive data from their ...

WeLiveSecurity

The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group. Vladislav Hrčka, 23 Feb 2023 - 11:30AM. ESET researchers have discovered one of the payloads of the Wslink downloader that we uncovered back in 2021. We named this payload WinorDLL64 based on its filename WinorDLL64.dll. Wslink, which had the f...

ESET Research has compiled a timeline of cyberattacks that used wiper malware and have occurred since Russia’s invasion of Ukraine in 2022. ESET Research, 24 Feb 2023 - 11:30AM. This blogpost presents a compiled overview of the disruptive wiper attacks that we have observed in Ukraine since the beginning of 2022, shortly before the Russian military invasio...

Zhassulan Zhussupov

Malware AV/VM evasion - part 12: encrypt/decrypt payload via TEA. Simple C++ example. 10 minute read. ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research on trying to evade AV engines by encrypting the payload with another encryption algorithm: TEA. TEA (Tiny Encryption Algorithm) is a symmetric-key block cipher algorithm that operates on 64-bit blocks and uses a 128-bit key. The basic flow of the TEA encryption algorithm can be outlined as follows: Ke...

Nikolaos Pantazopoulos and Sarthak Misraa at ZScaler
