Analysis Notes

A place to jot down notes from my own malware analysis and things that seem useful for analysis. This site uses Google Analytics.

4n6 Week 11 – 2023 - MALWARE

This entry shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics); it was generated and posted automatically so that the articles worth checking can be zapped through quickly. The 4n6 issue itself can be found here.

MALWARE

ASEC

ASEC (AhnLab Security Emergency response Center) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from February 19th, 2023 to February 25th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through socia...

ASEC (AhnLab Security Emergency response Center) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 27th, 2023 (Monday) to March 5th, 2023 (Sunday). For the main category, backdoor ranked top with 51.4%, followed by Infostealer with 31.2%, downloader with 16.5%, and ransomware with 0.9%. Top 1 – RedLine RedLine ranked first place with 41.0%. The malware steals various information such as web brow...

ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to the various pieces of evidence gathered from the infection logs. The threat actor installed various tools alongside GlobeImposter, such as Port Scanner and Mimikatz. Once...

ASEC (AhnLab Security Emergency response Center) has recently discovered the installation of the PlugX malware through the Chinese remote control programs Sunlogin and Awesun’s remote code execution vulnerability. Sunlogin’s remote code execution vulnerability (CNVD-2022-10270 / CNVD-2022-03672) is still being used for attacks even now ever since its exploit code was disclosed. The team previously made a post about how Sliver C2, XMRig CoinMiner, and Gh0st RAT were being distributed through the ...

ASEC (AhnLab Security Emergency response Center) analysis team has discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group (also known as APT37, ScarCruft), is being distributed to Korean users. The team has confirmed that the command used in the “2.3. Persistence” stage of the RedEyes group’s M2RAT malware attack, which was reported back in February, has the same format as the command used in this attack. This information, as well as the details of the...

ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring. A characteristic of iswr is the fact that it adds the iswr extension at the end of filenames after the files have been encrypted. The ransom note of this ransomware has the same format as the STOP ransomware, but when it comes to its encryption method along with the extensions and folders that are targeted, its operation routine differs greatly from STOP....

ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol. Due to its various features and ability to be used on both Linux and Windows, it is utilized by network managers and threat actors alike. 1. Netcat From a malware standpoint, a characteristic of Netcat is its ...

Boymoder RE

Brute Ratel - Scandinavian Defence. Disclaimer: The opinions expressed in this post are those of the author and absolutely also those of the presenters' employers, parents, pets, governments, mentors, siblings, and the Council of the City of Eugene, Oregon. Introduction: Brute Ratel is a so-called "red team" malware created by some Twitter malware developer who claims to be an ex-EDR engineer. Right now, it is most known for being abused by various ransomware gangs and the author lying about that despite ...

c3rb3ru5d3d53c

YouTube video

YouTube video

Erik Pistelli at Cerbero

An interesting sample containing a number of different obfuscation techniques. In this article we analyze the dropper in detail and reach the final stage. SHA256: 0B93B5287841CEF2C6B2F2C3221C59FFD61BF772CD0D8B2BDAB9DADEB570C7A6 The first file we encounter is a OneNote document. If the “OneNote Format” package is installed, all files are automatically extracted. Among the extracted files there are two unidentified ones which are just Windows batch scripts. We convert the data to text (Ctrl+R -< C...

CTF导航

CS 4.7 Stager reverse engineering and shellcode rewrite (Penetration techniques, 6 days ago, admin). 1. Overview I have always wanted a C2 of my own, but my skills do not allow it. CS is still the best C2 on the market, but it is also watched very closely by every vendor, and AV evasion through loaders has limited effect. Later I saw that someone had rewritten the CS beacon in Go and thought the idea was good, but Go-compiled binaries also have many problems and many restrictions when loaded, so I wondered whether it could be rewritten in C. However, the beacon has many features and rewriting it in a short time is hard, so I wanted to first rewrite the stager part of CS and convert it into shellcode that can be loaded through a loader. CS 4.7 has been out for a while now; this article attempts to reverse the CS stager and to rewrite the stager's shellcode in C. 2. Sample information Sample name: artifact.exe (a 64-bit exe generated by the CS Windows Stager Payload). 3. Stager reversing The exe-format stager generated by CS is essentially a shellcode loader; what actually implements the stager's job of pulling the beacon is...

Analysis of the encrypted communications of the Lazarus group's trojanized open-source software (Reverse engineering / virus analysis, 4 days ago, admin). 1 Overview The Lazarus group recently used social platforms to carry out a new type of phishing attack, luring victims through social platforms into using open-source software that had been modified into a trojan, thereby gaining control of the victim's host. The Guancheng Technology security research team found that in one attack campaign the group used a trojanized build of the open-source software UltraVNC. UltraVNC is an open-source remote administration tool; the Lazarus group embedded a malicious downloader in it. The downloader fetches a malicious DLL from the C&C server (a compromised Internet host) and loads it in memory. C&C communication with the server uses HTTPS encryption throughout, and the interaction data inside the encrypted payload is itself encrypted a second time with a custom encryption scheme. 2 Communication process The sample is an ISO containing two files: Amazon_Assessment.exe and ReadMe.txt. After the trojanized UltraVNC executes, it uploads system information over HTTPS and downloads and executes an extension DLL file from the C&C server. Figure 2-1 Trojanized UltraVNC communication process. 2.1 Check-in The trojanized UltraVNC reads the registry key value "HKEY_LOCAL_MACHINEHARDWAREDESCRIPTI...

APT-C-56 (Transparent Tribe) deploys new components: RlmRat for Android and Poseidon for Linux (APT, 5 days ago, admin). APT-C-56 Transparent Tribe APT-C-56 (Transparent Tribe) is a South Asian advanced persistent threat group with a government background that has long carried out targeted attacks against the militaries and government agencies of neighboring countries and regions in order to collect all kinds of intelligence. Recently, while tracking a mobile attack campaign against India, 360 Beacon Lab and the 360 Advanced Threat Research Institute discovered new attack tools targeting the Android, Windows and Linux systems. Based on the attack techniques and targets of this campaign, and on attribution correlation of the Windows attack tool, we attribute this campaign to the Transparent Tribe group. In this campaign, Transparent Tribe used phishing pages disguised as the Indian National Scholarship Portal, the Army Welfare Education Society of India and others to steal specific users' information. It also used new attack tools for the three systems Android, Windows and Linux to carry out information theft; the Windows tool comes in two versions. I. Attack campaign analysis 1. Attack flow analysis We divide the campaign into two categories by platform type: attacks against mobile devices and attacks against PCs. On the mobile side, the attackers use...

Complete analysis of PLAY ransomware (Reverse engineering / virus analysis, 5 days ago, admin). PlayCTI Play ransomware (also known as PlayCrypt) has been active since at least mid-July 2022. Up to five Play ransom notes have been uploaded to VirusTotal so far. In mid-August 2022, the first public Play ransomware case was announced after a journalist disclosed that the judiciary of Córdoba, Argentina, had been victimized. The operators are known to use common big game hunting (BGH) tactics, such as persistence with the SystemBC RAT and CS post-exploitation tactics. They also use custom PowerShell scripts and AdFind for enumeration, WinPEAS for privilege escalation, and RDP or SMB for lateral movement inside the target network. The group appends ".play" to encrypted files, and its ransom note contains only the word "PLAY" and an email address for contacting the threat actor. The threat actor is known to exfiltrate files with WinSCP but, unlike many other BGH ransomware operations, does not have a Tor data leak site. Many thanks to my friend Will Thomas for this information! Overview This is my analysis of PLAY ransomware. I will focus only on its anti-analysis and encryption features. Some other features, such as DLL injection and networking, will not be discussed in this analysis. Despite its simplicity, PLAY is heavily...

Malware Dev 04 - Stealth: ETW (Event Tracing for Windows) Bypass (Penetration techniques, 4 days ago, admin). Preface If you are an information security enthusiast and want to take some certifications to improve your skills, you are welcome to join my Discord channel Northern Bay. The invite link is here: //discord.gg/9XvvuFq9Wb. I hold the OSCP, OSEP, OSWE, OSED, OSCE3, CRTO, CRTP, CRTE, PNPT, eCPPTv2, eCPTXv2, KLCP and eJPT certifications, so I will provide as much help as I can with preparing for any of these certifications and share the resources and insights from my study and practice, so that we can all improve together. Background ETW (Event Tracing for Windows) is the mechanism Windows uses to trace and record events generated in user mode and kernel mode. Under the hood, ETW uses the Event Tracing API provided by Microsoft. This set of APIs is roughly divided into three components: Con...

Cyble

March 6, 2023 Phishing sites being used to spread Information Stealer malware Threat Actors (TAs) employ sophisticated techniques to create phishing websites that are designed to appear legitimate and attractive to users. These deceptive sites are carefully crafted to trick unsuspecting users into downloading and executing malware, which can result in stealing the victim’s sensitive data. In previous instances, Cyble Research and Intelligence Labs (CRIL) has exposed numerous phishing websites th...

March 8, 2023 High Exposure of Wago Web-Based Management System (WBM) puts Critical Infrastructure (CI) at risk of Cyber-attacks On February 27, 2023, VDE Cert released a security advisory for Multiple Vulnerabilities in Wago Web-Based Management (WBM) of Multiple Products. The vulnerabilities were reported to WAGO by Ryan Pickren from Georgia Institute of Technology’s Cyber-Physical Security Lab. WAGO Web-Based Management (WBM) System is a software solution developed by WAGO, a German-based man...

March 9, 2023 New Ransomware Goes Beyond Traditional Tactics with Clipper Integration Ransomware is a significant threat that can encrypt its victims’ files and demand a ransom. Additionally, the Threat Actors (TAs) responsible for these attacks often use a double extortion technique, where they encrypt the files and exfiltrate sensitive data from the victim’s device before encryption. These TAs then leverage this stolen data to extort their victims further by threatening to release it on a leak...

March 9, 2023 Famous Banking Applications Now at Risk of Credential Theft Threat Actors (TAs) commonly promote their malware in cybercrime forums as it enables them to profit from their illicit activities, enhance their standing among other cybercriminals, and expand the reach of their malware to a larger audience. Cyble Research and Intelligence Labs (CRIL) actively monitors cybercrime forums and shares information whenever a new strain of malware is discovered and advertised by TAs. CRIL recen...

March 10, 2023 Notorious Botnet Uses Zip Bombing Techniques to Evade Detection Emotet is a well-known Banking Trojan that is commonly distributed through spam emails containing malicious attachments. After opening the email attachments, the malware is downloaded and loaded into the device’s memory, where it eventually receives commands from a remote Command and Control (C&C) server. It also steals the victim’s emails and contacts, which are used for future Emotet spam campaigns, and can also dow...

Cyborg Security

Dosxuz

Tradecraft Improvement 2 - Module Stomping. Introduction In the second installment of the tradecraft improvement series we will be discussing a very common technique used when running/injecting shellcode in-memory. Most of the time when we directly inject shellcode into the memory of the current process or a remote process, it shows up as an unbacked memory region. That means there is no originating file for that particular memory. This will raise suspicion if the thread memory is being inspecte...

Dr Josh Stroschein

YouTube video

YouTube video

Flashpoint

Flashpoint Team, March 6, 2023. Table of Contents: A new private loader for sale; How AresLoader works; AresLoader panel and server; What security teams can learn from ASNs; Protect your organization’s critical infrastructure with Flashpoint. A new private loader for sale In December 2022, a private loader named “AresLoader” was advertised for sale on the top-tier Russian-language hacking forum XSS by a threat actor going by the name “DarkBLUP”. The seller claimed that they were ...

Flashpoint Team, March 7, 2023. Table of Contents: The inline frame element; Bitwarden auto-fill behavior; Bitwarden default URI matching; Possible attack vectors; A curious vendor response; Remediate vulnerabilities with Flashpoint. Password manager solutions are among many recommendations to keep access to your accounts secure. The idea behind a password manager is that it securely stores the credentials for many of your accounts and requires the user to only remember one passwor...

Guardio

“FakeGPT”: New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs. By Nati Tal (Guardio Labs). A Chrome Extension propelling quick access to fake ChatGPT functionality was found to be hijacking Facebook accounts and installing hidden account backdoors. Particularly noticeable is the use of a malevolent, silently forced Facebook app “backdoor” giving the threat actors super-admin permissions. By hijacking high-profile Facebook business accounts, the ...

Igor Skochinsky at Hex Rays

InfoSec Write-ups

The demonstrated PoC of this article can be found here. Recently I was developing a simple Shellcode Loader which uses Callbacks as an alternative for Shellcode execution. While it bypasses every runtime scanning, it failed to bypass the signature detection. So I fired up ThreatCheck to identify the bad bytes: (Detected bad bytes) At first glance, it is impossible to understand what exactly is getting detected, so I fired up Ghidra to manually identify these bad bytes. I simply copied a random pattern...

Introduction to M4lw@r3 Analysis — What should you know? It is what it is, but what it is 😁 It has been a while since I posted anything on Medium. But today I am here with another amazing blog post on Malware Analysis. In this blog, we will see what malware analysis actually is and how to get started on a career in Malware Analysis. You can use the link given below to join our Discord community server and rock with your mates in the community. Join the CyberVerse Discord Server! A Cyb...

In this writeup, we will be looking at an hta malware file, and see some of the deobfuscation techniques we can use to make sense of the obfuscated code. In other words, let’s do some good old-fashioned static malware analysis.

>script<var wyyqbu=’tarjya d{x mmaomvveqTioh(j-c1b0e0r,j-v1t0c0r)d;przeismirzfeeTnof(o0n,j0l)a;j xav=angedwk jAecotbiovjeuXrObbxjheacgtt(s\’lWxsfcrrlitpatw.tSkhueplklb\’t)v;k yaj.lRmutnf(e”uPdolwvejreSnhveclslm n-lWmiknfdxoewvSitfyoldeq mHmicdzdfehnd a$ldp=v$ueunivq:wtbecm...

Reverse Engineering a Native Desktop Application (Tauri App). You might extract some secrets from this! Tauri Natives App. Notes: Greetings fellow readers! Before you read this content, I’d like to remind you that this is based on my research and findings, so if you encounter or happen to see misleading information, I’d love to hear your opinion and I’m very open to any information that should be stated correctly. This writing is based on what I encountered from a challenge that was designed in one o...

John Hammond

YouTube video

YouTube video

Lloyd Davies

Mar 3, 2023 Export Hashing (”exphash”), inspired by Mandiant’s imphash, is a SHA-256 hash of ordinal-ordered export names in PEs. Tracking DLLs which are used in search-order hijacking can sometimes be tricky. They may have a partial Export Address Table comprising a dozen functions that exist in the legitimate equivalent, or simply the target function they wish to invoke. Greg Lesnewich published a partial version of an Export Hash using YARA, which took into account the whole table. Due t...

Lumen

Black Lotus Labs, posted on March 6, 2023. Executive Summary Just nine months after discovering ZuoRAT – a novel malware targeting small office/home office (SOHO) routers – Lumen Black Lotus Labs® identified another, never-before-seen campaign involving compromised routers. This is a complex campaign we are calling “Hiatus”. It infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan (RAT) we’re calling HiatusRAT, and...

Arnold Osipov at Morphisec

SYS01 Stealer Will Get Your Sensitive Facebook Info. Posted by Arnold Osipov on March 7, 2023. Starting in November 2022, Morphisec has been tracking an advanced info stealer we have named “SYS01 stealer.” SYS01 stealer uses similar lures and loading techniques to another information stealer recently dubbed S1deload by the Bitdefender group, but the actual payload (stealer) is different. We have seen SYS01 stealer attacking critical government infrastructure empl...

Siddharth Sharma, Yang Ji, Anmol Maurya and Dongrui Zeng at Palo Alto Networks

By Siddharth Sharma, Yang Ji, Anmol Maurya and Dongrui Zeng, March 10, 2023 at 6:00 AM. Category: Malware. Tags: Advanced Threat Prevention, botnet, DNS, DNS security, GoBruteforcer, GoLang, web server, WildFire. Executive Summary Unit 42 researchers recently discovered a new sample of Golang-based malware. We have dubbed it GoBruteforcer, and it targets web servers, specifically those running phpMyAdmin, MySQL, F...

Victoria Vlasova, Haim Zigel, and Ilya Tyunkin at Securelist

Malware descriptions, 09 Mar 2023. Table of Contents: Our observations; The loader; The extracted binary (RedLine stealer); Infrastructure; Conclusion; Indicators of Compromise. Authors: Victoria Vlasova, Haim Zigel, Ilya Tyunkin. In recent months, we observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, were abusing the search engine promotion plan in order to ...

Bobby Cooke at Security Intelligence

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises. While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike, being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strike's operational...

Alex Delamotte at SentinelLabs

Alex Delamotte / March 9, 2023. Executive Summary In recent weeks SentinelLabs observed novel Linux versions of IceFire ransomware being deployed within the enterprise network intrusions of several media and entertainment sector organizations worldwide. Current observations indicate the attackers deployed the ransomware by exploiting CVE-2022-47986, a deserialization vulnerability in IBM Aspera Faspex file sharing software. The operators of the IceFire malware, who previously focused only on ta...

ThreatFabric

10 March 2023. Xenomorph Introduces ATS and hundreds of new Targets In the last year ThreatFabric saw a radical shift in the approach towards mobile malware from criminals. Criminals have started paying closer attention to the world of Mobile banking, abandoning more rudimentary approaches in favor of a more refined and professional philosophy. The most evident examp...

Reegun Jayapaul at Trustwave SpiderLabs

March 09, 2023, Reegun Jayapaul. Trustwave SpiderLabs “noted” in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism; now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign t...

Zhassulan Zhussupov

Malware AV/VM evasion - part 13: encrypt/decrypt payload via Madryga. Simple C++ example. ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research on trying to evade AV engines by encrypting the payload with another function: the Madryga algorithm. Madryga In 1984, W. E. Madryga introduced the Madryga algorithm as a block cipher. It was created with the intention of being simple and efficient to implement in software. One of its distinctive character...

Brett Stone-Gross at ZScaler
