Analysis Notes

A place for notes on malware I have analyzed and on things that seem useful for analysis. This site uses Google Analytics.

4n6 Week 14 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

0x70RVS

SikoMode. SikoMode is a malware sample from TCM Malware Analysis and Triage Course. I will make a full analysis and also answer the challenge questions. Objective: Perform static and dynamic analysis on this malware sample and extract facts about the malware’s behavior. Use all tools and skills in your arsenal! Be sure to include a limited amount of debugging and deco...

Amr Ashraf

Overview. Here I am looking at NjRAT Malware that is seen quite often these days. I am performing an analysis of the capabilities of the malware and writing our own yara rule for detection and building a static configuration extractor for the malware. Sample: I like always to perform my analysis ...

Overview. In the morning I was surfing Facebook until this ad appeared on my timeline. This will catch the eyes of any security analyst due to the obvious fake domain and the intended wrong spelling of important words and also the general way of writing it, especially this “400 trials” part. So I went into this page and found things that made me more suspicious, her...

Any.Run

LimeRAT Malware Analysis: Extracting the Config. March 28, 2023. In today’s article, we’re going to look under the hood of a modular RAT — LimeRAT. Let’s get right into it! What is LimeRat: LimeRAT is a Remote Access Trojan (RAT) that’s b...

ASEC

AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of Emotet being distributed via OneNote. A spear phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file). Figure 1. Phishing email attached with a malicious OneNote file Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document. This ‘Next’ button is inserted with...

AhnLab Security Emergency response Center (ASEC) has shared an APT attack case that has recently used CHM (Compiled HTML Help File). Malware Distributed Disguised as a Password File. CHM is a Help screen that is in an HTML format. Threat actors are able to input malicious script codes in HTMLs with the inclusion of CHM. The inserted script is executed through hh.exe, which is a default OS application. MITRE ATT&CK refers to this technique where a threat actor uses a signed program or a program inst...

A new Infostealer called “LummaC2” is being distributed disguised as illegal programs such as cracks and keygens. Other malware such as CryptBot, RedLine, Vidar, and RecordBreaker (Raccoon V2) are distributed in a similar manner and have been covered here on ASEC Blog: Modified CryptBot Infostealer Being Distributed; New Info-stealer Disguised as Crack Being Distributed; A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks. It appears that the LummaC2 Stealer has been avail...

Vulnerable Software and Overview MagicLine4NX is a non-ActiveX joint certificate program developed by the Korean company, Dream Security. Users can use MagicLine4NX to perform logins with a joint certificate and digitally sign transactions. This program is registered as a Startup Program and will be relaunched by a certain service (MagicLine4NXServices.exe) even if it is terminated. It remains constantly active as a process once it is installed, so it can be exposed to vulnerability attacks. Thu...

On March 20, Korea’s National Intelligence Service (NIS) and Germany’s Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz, BfV) released a joint security advisory related to the Kimsuky hacker group. According to the joint security advisory, the Kimsuky hacker group exploited the extension feature of Chromium browsers and the app developer support feature for Android in an attack campaign to steal account credentials. Although their primary targets are Korean ...

AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of a malicious Word file disguised as a profile template from emails impersonating a certain professor. ‘[Attachment] Profile Template.doc’ is the filename of the password-protected Word file that was discovered, with the password itself being included in the body of the email. Figure 1. Original email Figure 2. Part of the Word file contents Figure 3. File properties A malicious VBA macro is contained within the Wor...

AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky group is using Alternate Data Stream (ADS) to hide their malware. This malware is an Infostealer that collects data by starting the VBScript included inside an HTML file. It can be characterized by its tendency to add the actual code between numerous dummy codes. Figure 1. Part of the initially executed script The following commands are executed in the terminal to collect and transmit data. hostname systeminfo net u...

AhnLab Security Emergency response Center (ASEC) recently published a notice about a Microsoft Office Outlook vulnerability. Warning for Microsoft Office Outlook Privilege Escalation Vulnerability (CVE-2023-23397) CVE-2023-23397 is a vulnerability that leaks a user’s account credentials upon receiving an email and triggering a notification. The stolen information includes the ‘NTLM’ hash value, which contains the password hashing information for the logged-in account. Threat actors can exploit t...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 12th, 2023 to March 18th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engi...

AhnLab Security Emergency response Center (ASEC) released an analysis report on an Infostealer that is being distributed through YouTube. Infostealer Being Distributed via YouTube As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer infection...

AhnLab Security response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 20th, 2023 (Monday) to March 26th, 2023 (Sunday). For the main category, backdoor ranked top with 41.7%, followed by downloader with 31.9%, Infostealer with 24.7%, ransomware with 1.1%, banking with 0.3%, and CoinMiner with 0.3%. Top 1 – RedLine. RedLine ranked first place with 35.6%. The malware steals various ...

Erik Pistelli at Cerbero

In this post we’re going to analyze a multi-stage PowerShell malware, which gives us an opportunity to use our commercial PowerShell Beautifier package and its capability to replace variables. Sample SHA2-256: 2840D561ED4F949D7D1DADD626E594B9430DEEB399DB5FF53FC0BB1AD30552AA Interestingly, the malicious script is detected by only 6 out of 58 engines on VirusTotal. We open the script in Cerbero Suite, decode its content and set the language to PowerShell. We can observe that the code is obfuscated...

Check Point Research

Dr Josh Stroschein

YouTube video

YouTube video

ExaTrack

Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts. 28.03.2023. We recently discovered a novel undetected implant family targeting Linux servers, which we dubbed Mélofée. We linked with high confidence this malware to Chinese state-sponsored APT groups, in particular the notorious Winnti group. In this blog post we will first analyze the capabi...

Fortinet

By Jin Lee and Ian Liu | March 27, 2023 By monitoring an open-source ecosystem, the FortiGuard Labs team discovered over 60 zero-day attacks embedded in PyPI packages (Python Package Index) between early February and mid-March of 2023. In this blog, we cover all the packages that were found, grouping them into similar attacks or behaviors. 1. The packages in this set were found to be similar: py-hydraurlstudy (version 2.37) tptoolpywgui (version 10.56) libgetrandram (version 7.78) esqultraultrap...

Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities. By Cara Lin | March 29, 2023. Affected platforms: Windows, Linux. Impacted parties: Any organization. Impact: Remote attackers gain control of the vulnerable systems. Severity level: Critical. FortiGuard Labs observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware. (Figure 1 shows trigger counts from our IPS signatures of the CVE-202...

By Shunichi Imano and Geri Revay | March 30, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers the Dark Power and PayME100USD ransomware. Affected platf...

Hasherezade’s 1001 nights

Magniber ransomware analysis: Tiny Tracer in action. Posted on March 30, 2023 by hasherezade. Intro: Magniber is a ransomware that was initially targeting South Korea. My first report on this malware was written for Malwarebytes in 2017 (here). Since then, the ransomware was completely rewritten, and turned into a much more complex beast. The articles showing the timeline of the evolution of Magniber ransomware are available here: Magniber at Malpedia. In this writeup we will have a deep dive in a ...

Igor Skochinsky at Hex Rays

Asher Langton at Juniper Networks

Using ChatGPT to Generate Native Code Malware. March 31, 2023 by Asher Langton. The capabilities of OpenAI’s large language model have astounded, delighted and (at times) horrified those who have tried it. Much ink has been spilled speculating which professions will be replaced by an AI chatbot that can pass standardized tests, generate entire articles and term papers and write sophisticated code in response to natural language...

Lathashree K at K7 Labs

GoatRAT Attacks Automated Payment Systems. By Lathashree K, March 30, 2023. Recently, we came across a detection in our telemetry report named “com.goatmw” which gained our attention. We decided to investigate further and the malware was found to be a banking trojan. GoatRAT banking trojan is an Android Remote Administration Tool to gain access and control targeted devices which carries out fraudulent money...

L M

Executive Summary. Our insights into a recent NullMixer malware operation revealed Italy and France are the favorite European countries from the opportunistic attackers’ perspective. In thirty days, the operation we monitored was capable of establishing initial access to over 8 thousand endpoints and stealing sensitive data that are now reaching the underground black markets. Most of the victims mount Windows 10 Professional and Enterprise operating systems, including several Datacenter versions of Window...

Anandeshwar Unnikrishnan,Sakshi Jaiswal, and Anuradha M at McAfee Labs

The Rising Trend of OneNote Documents for Malware delivery. McAfee Labs, Mar 30, 2023. Authored by Anandeshwar Unnikrishnan, Sakshi Jaiswal, Anuradha M. McAfee Labs has recently observed a new Malware campaign which used malicious OneNote documents to entice users to click on an embedded file to download and execute the Qakbot trojan. OneNote is a Microsoft digital notebook application that can be downloaded for free. It is a note-taking app that allows collaboration across organizations w...

Alvin Gitonga at Moran Cybersecurity Group

BlackHats -- Let's build a Ransomware. alvin gitonga, 5 days ago, 3 min read. CyberMorans, today you will taste the dark side. The Colonial Pipeline in the US was shut down for nearly a week before paying a $5 million ransom demon...

Nicholas Dhaeyer at NVISO Labs

March 27, 2023. This entry is part 2 in the series OneNote as a Malware delivery platform. In my previous blog post I described how OneNote is being abused in order to deliver a malicious URL. In response to this attack, helpnetsecurity recently reported that Microsoft is planning to release a fix for the issue in April this year. Currently, it’s still unknown what this f...

Phylum

Phylum identifies software supply chain attackers subtly modifying a fork of a popular Javascript package and distributing it as a minified version on NPM. Published on Mar 29, 2023. Written by The Phylum Research Team. Phylum has recently discovered that a package called mathjs-min, which was uploaded to NPM by user rizzman on March 26, contains a Discord token grabber. This package is actually a modified version ...

Vaibhav Billade at Quick Heal

By Vaibhav Billade, 29 March 2023. The rise of ransomware and malware variants has been a growing concern for individuals and organizations alike. With new strains of malicious software emerging every day, the threat landscape has become increasingly complex and dangerous. Let’s delve into the world of ransomware and explore how we can protect ourselves against this ever-evolving threat. Introduction: The Royal Ransomware was first observed in mid-2022. It is a type of ransomw...

Robert Giczewski

TrueBot Analysis Part III - Capabilities. 31 Mar 2023. After we have dealt with TrueBot’s packer in Part I and Part II, we can now finally analyze its core and see if we find something useful to extract in the next part. Every unpacked sample I’ve seen so far looks pretty much identical. In this case, we’ll analyze c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c. At the beginning there is a lot of stuff going on that I haven’t analyzed ...

Pedro Tavares at Segurança Informática

Alex Delamotte at SentinelLabs

Alex Delamotte / March 30, 2023 Executive Summary SentinelLabs analyzed several iterations of “AlienFox,” a comprehensive toolset for harvesting credentials for multiple cloud service providers. Attackers use AlienFox to harvest API keys & secrets from popular services including AWS SES & Microsoft Office 365. AlienFox is a modular toolset primarily distributed on Telegram in the form of source code archives. Some modules are available on GitHub for any would-be attacker to adopt. The spread of ...

Splunk

By Splunk Threat Research Team, March 27, 2023. In January 2019 AsyncRAT was released as an open source remote administration tool project on GitHub. AsyncRAT is a popular malware commodity and tools used by attackers and APT groups. Threat actors and adversaries used several interesting script loaders and spear phishing attachments to deliver AsyncRAT to targeted hosts or networks in different campaigns. One prevalent campaign in the wild with this remote access trojan is the use of a Micr...

Threatmon

Trend Micro

New OpcJacker Malware Distributed via Fake VPN Malvertising. We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022. By: Jaromir Horejsi, Joseph C Chen. March 29, 2023.

Mac Malware MacStealer Spreads as Fake P2E Apps. We detected Mac malware MacStealer spreading via websites, social media, and messaging platforms Twitter, Discord, and Telegram. Cybercriminals lure victims to download it by plagiarizing legitimate play-to-earn (P2E) apps’ images and offering jobs as beta testers. By: Qi Sun, Luis Magisa. March 30, 2023. We analyzed a Mac malware called MacStealer (d...

Joshua St. Hilaire at Vectra AI

By Joshua St. Hilaire | April 26, 2021. This is the second installment in our command and control (C2) Evasion Technique series, where I talk about malleable C2 profiles. Check out my first blog where I examine a method known as JA3 signature randomization. Part 2: Malleable C2 Profiles. Malleable C2 profiles have been widely adopted and used by Cobalt Strike, a popular framework used by pen-testers and Advanced Persistent Threat (APT) groups. It is worth noting that wh...

ZScaler
