Analysis Notes

A place for notes on malware I have analyzed and on things that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 12 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that I can skim through and pick the articles to check. 4n6 itself can be found here.

MALWARE

Adepts of 0xCC

Mar 17, 2023 Adepts of 0xCC Dear Fellowlship, today’s homily is about bending the ungodly language of VBA to reduce traces when writing sacrilegious prayers. Please, take a seat and listen to the story. Prayers at the foot of the Altar a.k.a. disclaimer I promise my intention was to stay away fro...

Amr Ashraf

On this page: Mac OS Malware Analysis, Overview, File Structure, Header, Load Commands, Segments, Code Analysis, Args Check, Anti-VM, Enum User Info, Enumerating Privileges, Anti-Debugging, Persistence, Actual Capabilities, C&C, Collecting Host Info, Stealing Files, Encrypting Process, Resources. Mac OS Malware Analysis This won’t be just an analysis of the “EvilQuest” ransomware, I will be explaining in detail some internals and things that are done in different ways between Mac & Windows OS. OverVi...

ASEC

AhnLab Security Emergency response Center (ASEC) has recently discovered a CHM malware which is assumed to have been created by the Kimsuky group. This malware type is the same as the one covered in the following ASEC blog posts and the analysis report on the malware distributed by the Kimsuky group, its goal being the exfiltration of user information. Analysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022 APT Attack Being Distributed as Windows Help File (*.chm) – Mar 17, 20...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from February 26th, 2023 to March 4th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social enginee...

AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the Mallox ransomware during the team’s monitoring. As covered before, Mallox, which targets vulnerable MS-SQL servers, has historically been distributed at a consistently high rate based on AhnLab’s statistics. Figure 1. Ransomware statistics for Q4 2022 The malware disguised as a program related to DirectPlay is a file built in .NET which, as shown in Figure 3, connects to a certain address, downloads ...

In comparison to 2021, 2022 was a year filled with invisible activities, new attack types, Fully Qualified Domain Names (FQDN), and attack preparations. AhnLab identified a significantly higher number of these activities in comparison to 2021. One of these cases involved an incorrect configuration of C2 servers, causing the files within the said servers to be exposed and allowing AhnLab to procure samples, server information files, and variant samples that had never been known externally. The th...

A unique difference with the past cases was discovered during the analysis of the Kimsuky group’s spear phishing URLs. Until now, the group used Fully Qualified Domain Names (FQDN) disguised as famous Korean web portals. An analysis of the URLs collected during the past two months revealed multiple new FQDNs including keywords related to certain Korean banks, instead of the past FQDNs disguised as web portals. Unique characteristics of Kimsuky group’s spear phishing emails Categories: trend Tagge...

Background Currently, ransomware creators include individuals, cyber criminal gangs and state-supported groups. Out of these individuals and groups, cyber criminal gangs are the most proactive in ransomware development, while individuals and state-supported groups are less so. Privately developed ransomware is most often for research purposes with the intention of destroying data. Some state-sponsored threat groups also develop ransomware. The purpose of these cases is not for financial gain eit...

AhnLab Security response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 6th, 2023 (Monday) to March 12th, 2023 (Sunday). For the main category, Infostealer ranked top with 52.6%, followed by backdoor with 27.6%, downloader with 15.7%, ransomware with 3.0%, CoinMiner with 0.7%, and banking malware with 0.4%. Top 1 – AgentTesla AgentTesla is an infostealer that ranked first place wit...

AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems. 1. Attack Campaigns Against Linux SSH Servers Unlike desktop, which is the ma...

AhnLab Security Emergency response Center (ASEC) discovered a malware strain disguised as a password file and being distributed alongside a normal file within a compressed file last month. It is difficult for users to notice that this file is malicious because this type of malware is distributed together with a normal file. The recently discovered malware was in CHM and LNK file formats. In the case of the CHM file, it shares the same type as the malware covered in the below post and is assumed ...

Atomic Matryoshka

In today's blog post I'll be conducting some basic static analysis on Raccoon Stealer. Raccoon Stealer has been around for several years around e-crime forums, and is advertised as a credential stealer targeting Chromium-based browsers. File hash: a07c5c4122a2dff00a982499b7670fb48e63ba7fb70513f558c7190433c3da92 Detect-It-Easy First I ran the sample through Detect It Easy to see if it seemed packed, and the results came back that the specimen was not, making our analysis that much easier: PEview In or...

Corey Ham at Black Hills Information Security

Corey Ham // Tl;dr Use a password manager instead of browser storage for passwords, credit card numbers, and other autofill items. Personal security: Do not save anything sensitive in your browser, especially credentials. This data will probably be spread further than you realize, and it can be accessed by malware. Consider deleting all credentials and autofills from your browser of choice. Enterprise security: Prevent users from both saving credentials in browser credential stores and consider ...

Check Point Software

G Data Security

03/16/2023 G DATA Blog The clamor and viral use of a very human-sounding, artificial technology chatbot named ChatGPT gave rise to some new and interesting activities in the cybercrime world. To set things straight right off the bat, this article is not generated by any AI nor any natural-language processing system, such as ChatGPT. It is no secret that cyberthreat actors capitalize on prominent social events and the latest technology buzzwords to launch their attacks. And the curtain raiser for 2023 t...

Igor Skochinsky at Hex Rays

Tzlil Amar at Intezer

Written by Tzlil Amar - 13 March 2023 ...

Lab52

March 15, 2023 Last February a Blackberry report alluded to one of APT-C-36 campaigns (Blind Eagle). The APT-C-36 group has many similarities in terms of tactics, techniques and procedures (TTPs) with the group Hagga / Aggah, as we have been able to observe at Lab52. Particularly, this article describes one of the campaigns that has been linked to APT-C-36, where the artefacts used are noticeable Hagga artefacts. This group’s campaigns during the last quarter are summarised in the following imag...

Malwarebytes Labs

Posted: March 16, 2023 by Threat Intelligence Team Emotet finally got the memo and added Microsoft OneNote lures. Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format. Indeed, Microsoft has been rolling out its initiative of auto-blocking macros from d...

Matt Muir at Cado Security

OALABS Research

Lol what is up with these trash .NET stealers Mar 12, 2023 • 3 min read QvoidStealer yara dotnet stealer Overview Samples References Analysis Yara Rules Config Extractor Notes Discord De-Anonymization Telegram De-Anonymization Overview This is an open source stealer (lol) that is being dropped along side Redline. We are going to take a quick look and build some yara rules and maybe a config extractor. Samples ef7bb2464a2b430aa98bd65a1a40b851b57cb909ac0aea3e53729c0ff900fa42 UnpacMe Analysis Refer...

Simple .NET hack tool used to kill AV Mar 15, 2023 • 1 min read healer avkiller dotnet TrustedInstaller Overview Samples Analysis Windows Defender Targets Overview This small .NET hacking tool is often deployed along side Redline Stealer and is used to disable antivirus. Samples 976ba54ff3f8ab4c1d6fe5629460b1fc42106495ddb3151b52951030069b6d47 UnpacMe Analysis 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 UnpacMe Analysis a4f91172441b827b1e0cc6d7fb58d904fb5dd3bca64f08be24c431db...

Another C++ bot Mar 16, 2023 • 6 min read cryptbot botnet yara config Overview Samples References Analysis Yara Rule Config Overview This is another C++ bot! According to Malpedia... A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. Samples Samples available on UnpacMe- Packed 7ccda59528c0151bc9f11b7f25f...

Frank Lee and Scott Roland at Palo Alto Networks

18 min. read By Frank Lee and Scott Roland March 16, 2023 at 6:00 AM Category: Ransomware Tags: ALPHV, BlackCat ransomware, Cortex XDR, CryLock, next-generation firewall, Prisma Cloud, Trigona, WildFire This post is also available in: 日本語 (Japanese) Executive Summary Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well ...

S2W Lab

Author: BLKSMTH | S2W TALON Last Modified: Mar 17, 2023 Executive Summary We have confirmed that the Kimsuky group is distributing malware using a malicious OneNote (.ONE) file, which cybercriminals have widely used. When viewed, the ONE file displays an image of the Institute for Peace and Democracy at Korea University and asks the target to fill out a privacy agreement document in order to pay them for participating in a survey. The HWP file is a simple image, not a re...

Sonatype

March 16, 2023 By Sonatype Developer Relations 13 minute read time Python Package Index (PyPI) is the official repository of Python software packages. It is a widely used third-party resource for Python developers to find and install useful libraries and tools for their projects. However, as with any software repository, including GitHub, npm, and RubyGems, PyPI is not immune to attacks from bad actors. We’ve previously selected the top 8 malicious packages found on the npm registry. In a...

Nicholas Lang at Sysdig

Ian Kenefick at Trend Micro

Malware Emotet Returns, Now Adopts Binary Padding for Evasion Following a three-month hiatus, Emotet spam activities resumed in March 2023, when a botnet known as Epoch 4 began delivering malicious documents embedded in Zip files that were attached to the emails. By: Ian Kenefick March 13, 2023 Overview ...

VMRay