Analysis Notes

A place to jot down notes from analysing malware and things that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 10 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that I can skim through them and pick which articles to check. 4n6 itself can be found here.

MALWARE

Amr Ashraf

Malicious OneNote – Sample info: We are given a Sample OneNote file with hash sha256 "a870d31caea7f6925f41b581b98c35b162738034d5d86c0c27c5a8d78404e860" I always like to start my analysis using the two utilities “file & strings” So running fi...

Overview: Imports are a great place to look at when you need to identify ‘quickly’ if the file is suspicious “and that’s one of the indicators that AVs also make decisions by looking at”, So we always notice malware authors try to resolve the needed malicious APIs ...

Any.Run

February 28, 2023 – XLoader/FormBook: Encryption Analysis and Malware Decryption. Today ANY.RUN’s malware analysts are happy to discuss the encryption algorithms of XLoader, also known as FormBook. A...

ASEC

The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from February 12th, 2023 to February 18th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On ...

The ASEC (AhnLab Security response Center) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 20th, 2023 (Monday) to February 26th, 2023 (Sunday). For the main category, backdoor ranked top with 51.0%, followed by downloader with 24.7%, Infostealer with 22.7%, ransomware with 1.4%, and CoinMiner with 0.2%. Top 1 – RedLine RedLine ranked first place with 46.9%. The malware steals various informati...

c3rb3ru5d3d53c

YouTube video

CTF导航

Malware Dev 01 - AV Evasion: PPID Spoofing Explained. Foreword: If you are an information security enthusiast and want to take some certifications to improve your skills, you are welcome to join my Discord channel Northern Bay. The invite link is here: //discord.gg/9XvvuFq9Wb I will provide as much help as I can during exam preparation and share the resources and lessons from my own study and practice, so that we can all make progress together and be awesome together. Background: Putting the AV-evasion topic under Malware Dev is a bit of a stretch, but I really do not want to split things up too finely. I currently have only two directions: Active Directory, and Malware Dev (including shellcode writing, AV evasion, C2, and Windows Kernel/Driver exploitation). I do not know whether I can keep up with both, but I believe some things are connected, and the further you go the smoother the learning curve gets. Heh. Today let's look at the first article on process-level AV-evasion techniques, PPID Spoofing. PPID Spoofing: PPID Spoofing, in full Pare...

Cybereason

Written By Cybereason Team March 3, 2023 | 6 minute read In a recent post, the Cybereason Global SOC team reported an aggressive ransomware campaign attributed to the Black Basta group: In this threat alert, the Cybereason team describes one attack scenario that started from a Qakbot infection, resulting in multiple key machines loading Cobalt Strike, which finally led to the global deployment of Black Basta ransomware. This attack has become the bread and butter of the hacking industry. Just th...

Félix Guyard at ForensicXlab

February 27, 2023 – Malware Analysis • Windows • Procmon • Qbot. Abstract: Malware analysis is very useful when performing a digital investigation. Indeed, identifying how a malware works and determining its behavior is very useful to detect future attacks, other compromised equipment, make critical choices and discover new TTPs. In this blog article, we will dive into the behavioral analysis of the latest QBOT campaign using mali...

James Slaughter at Fortinet

By James Slaughter | March 01, 2023 Art, automobiles, and wine are often associated with things that appreciate in value as they age. Malware isn’t usually thought of this way, as most threat actors strive to keep their tools as current as possible with new lures and exploitation techniques. However, every once in a while, a campaign appears that turns this paradigm on its head. FortiGuard Labs came across one such recent campaign using the MyDoom worm. MyDoom (also known as Novarg and Mimail) w...

Igor Skochinsky at Hex Rays

Marco Ramilli

March 2, 2023 – Attack, Cyber Crime, cybersecurity, malware. During talks and presentations people often ask me how do I remember so many names, different “artifacts” (a.k.a Malware) and groups. I actually ended up with a “hemmm … well… actually I just remember them since I read and write a lot about cyber threats”. So here it comes the Malware Family CheatSheet. This work does not pretend to be original, it’s just my contribution to people who want to remember Malware families and their ...

OALABS Research

Tiny loader that seems very familiar – Feb 26, 2023 – pikabot, yara, config, loader. References: PikaBot and the Matanbuchus connection; Tweet from @1ZRR4H. After this was published there was another blog that didn't name the sample on this malware. Beepin’ Out of the Sandbox: Analyzing a New, Extremely ...

Palo Alto Networks

By Rebekah Houser and Daiping Liu, March 2, 2023. Category: Malware. Tags: Cloud-Delivered Security Services, DNS. Executive Summary: Cybercriminals regularly leverage popular dynamic domain name system (DDNS) or web hosting services to store and distribute their content. Threat actors leverage these for command and control (C2), malware distribution and phishing. This abuse has created the need for new...

By Chris Navarrete, Edouard Bochin, Durgesh Sangvikar, Lei Xu and Yu Fu, March 3, 2023. Category: Malware. Tags: Advanced Threat Prevention, Business Email Compromise, Cortex XDR, information stealer, LokiBot, Machine Learning, next-generation firewall, WildFire. Executive Summary: Unit 42 researchers have uncovered a malware distribution campaign that is delivering the LokiBot information stealer via business email compromise (BEC) phishing emails....

Prodaft

February 27, 2023 10:23 RIG EK is a financially-motivated program that has been active since 2014. Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates. This report aims to provide insight into how RIG EK operates, what kinds of malware it distributes, and how the distribution happens. The PTI team has identified and gained ...

Aniruddha Dolas at Quick Heal

By Aniruddha Dolas 27 February 2022 4 min read 0 Comments Summary: While the whole world fights against the COVID-19 pandemic, cybercriminals are busy exploiting the situation and attacking vulnerable users & businesses. In the last few weeks, there has been a rise in coronavirus-themed mail spams, which are being used to deliver a variety of malware. At Quick Heal Security Labs, we have observed Agent Tesla being delivered through such campaigns — the main motive of these campaigns is to steal ...

Pedro Tavares at Segurança Informática

Sekoia

This blogpost is a technical analysis of Stealc infostealer, detailing different characteristics of the malware, including anti analysis, strings de-obfuscation and C2 communication techniques. Threat & Detection Research Team, February 27 2023. Cybercrime, Malware, Reverse, Stealer. Table of contents: Context; Malware analysis; Anti analysis; Main function overview; Defeating string encryption; Dynamic API resolution; Environment detection & checks; Miscellaneous functio...

Phil Stokes at SentinelOne

March 1, 2023 by Phil Stokes. For the first time since November 2022, Apple last week released an update to its internal YARA-based malware file blocking service, XProtect. Version 2166 added several new signatures for a threat it labels “Honkbox”, a cryptominer characterized by its leverage of XMRig and the “Invisible Internet Project” (aka I2P). Apple’s update comes on the back of new research from Jamf, which itself builds on earlier research from other sources. Honkbox is an active threat...

Sonatype


February 27, 2023 By Hernán Ortiz. As a writer at Sonatype, I don’t have to wait too long to get a scoop. Our security researchers are always bringing to our attention the latest malware uploaded to open-source registries so I have more than enough material to work from. The challenge comes when trying to uncover the story that’s hidden inside the vast number of packages our AI system flags and our security researchers confirm as malicious. Lately, our AI has been detect...

Threatray

Author: Carlos Rubio from Threatray Labs Published on: 01.03.2023 Multiple blogs have reported about recent activities and tooling of UAC-0056 (also known as Nodaria, SaintBear, TA471). Malwarebytes (April 22) and Mandiant (July 22) report about the “Elephant toolchain” apparently used by UAC-0056. The toolchain consists of Elephant Stealer (GraphSteel), Elephant Implant (GrimPlant), Elephant Downloader, and Elephant Dropper. A very recent article by Symantec reports about the new “Graphiron” to...

ZScaler
