Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything that seemed likely to be useful for analysis.

4n6 Week 15 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth reading can be skimmed quickly. 4n6 itself can be found here.

MALWARE

0day in {REA_TEAM}

Posts listed on the site: [QuickNote] Decrypting the C2 configuration of Warzone RAT; [QuickNote] Another nice PlugX sample; [Flare-On7] Chal9-crackinstaller write-up; REVERSING WITH IDA FROM SCRATCH (P2); Tutorial #1: What is Reverse Engineering; REVERSING WITH IDA FROM SCRATCH (P1); REVERSING WITH IDA FROM SCRATCH (P5); Diving into a PlugX sample of Mustang Panda group; REVERSING WITH IDA FROM SCRATCH (P3).

0xToxin Labs

LummaC2 BreakDown. In this blogpost I will go through some of the functionality of the Lumma Stealer. This blog will be a bit different from my usual blogs; it will mainly contain scripts and some research I've spent on finding some of the things you'll read through the blog. I've tried to cover things that weren't covered in previous blogs that can be found on the Lumma Stealer Malpedia entry. The Phish: The phishing email pretends to be from Walmart and targets sellers on the Walmart M...

Ann Fam

(Image: Source: Stealer’s Telegram channel.) The .NET stealer was first advertised on the Russian-speaking forum in March 2023 at a very affordable price: Lifetime access — 38$; 6-month access — 23$; One month access — 10$. Each additional generated build is 3$ more. (Image: PSWSTEALER advertisement.) The encrypted strings are decrypted through six decryption routines, but there are only two decryption algorithms, and the second decryption algorithm is repeated four times but with different hardcoded ‘num’ values; th...

ASEC

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 19th, 2023 to March 25th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising itself as or impersonating an institute, company, or individual through social engi...

Overview: Details about how supply chains were attacked through the 3CX DesktopApp were published. [1] This software provides users with various communication functions, such as voice calls and video conferences, and can be operated on both Windows and MAC operating systems. Currently, the 3CX company is preparing to issue a new certificate, and until then, they are instructing users to use an alternative software. Description: Regarding this, the distributed malware are confirmed to include modul...

Overview: A security update to patch the vulnerability of Initech’s INISAFE CrossWeb EX V3 has been announced. INISAFE CrossWeb EX V3 is a software program used for electronic financial transactions and financial security certification in the public sector. It is used by various companies and individuals for Internet banking, so it is essential for most users to check if the program is installed on their PC and update it to the latest version following the guide below. Description: AhnLab Security...

AhnLab Security Emergency response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 27th, 2023 (Monday) to April 2nd, 2023 (Sunday). For the main category, backdoor ranked top with 54.9%, followed by downloader with 22.9%, Infostealer with 20.6%, ransomware with 1.3%, and CoinMiner with 0.3%. Top 1 – RedLine: RedLine ranked first place with 47.4%. The malware steals various informatio...

Cameron Cartier at Black Hills Information Security

Cameron Cartier // Every Android application has a “manifest.xml” file located in the root directory of the APK. (Remember APKs are just zip files.) The manifest file is like a guide to the application. It describes all of the components of the app, the application permissions, and the required hardware/software features. Developer misconfigurations to this file — for example, marking an activity as exported — can have serious effects on the application’s security. Many static analysis tools (i....

Jiri Vinopal, Dennis Yarizadeh and Gil Gekker at Check Point Research

Edmund Brumaghin at Cisco’s Talos

By Edmund Brumaghin, Tuesday, April 4, 2023 08:04. The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities. Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult. We assess Typhon Reborn 2 will likely appear in future attacks, as we have already observed...

Flashpoint

On the one-year anniversary of Hydra’s seizure, Flashpoint explores how threat actors have adapted to fill the market’s void and fuel their illicit aims—from narcotics transactions to money laundering. Flashpoint Team, April 5, 2023. Contents: Down goes Hydra; Overview; Mixers, exchanges, and new markets; Mega, Blacksprut, Solaris, Kraken and OMG!OMG!; Cyber warfare among darknet markets; Cryptocurrency cash-out services on the new markets; Volume of cash-out services on ot...

The takedown of Genesis Market by the FBI and its partners signals the active targeting of illicit online marketplaces and criminal activities on the dark web by law enforcement. Flashpoint Team, April 5, 2023. Contents: The fall of Genesis; Genesis users seeing double; The future of illicit marketplaces without Genesis; Protect your organization with Flashpoint. The fall of Genesis: On April 4, 2023, the FBI, alongside multiple international partners, reportedly seized...

Genesis Market offered access to data stolen from over 1.5M compromised computers worldwide and was a key enabler of ransomware. Flashpoint Team, April 6, 2023. “The Justice Department announced today a coordinated international operation against Genesis Market, a criminal online marketplace that advertised and sold packages of account access credentials – such as usernames and passwords for email, bank accounts, and social media – that had been stolen from malware-infected computers a...

Igor Skochinsky at Hex Rays

Itai Tevet at Intezer

Written by Itai Tevet - 5 April 2023

Faishol Hakim at MII Cyber Security

Malicious Excel files have been a popular vector for delivering malware, phishing, and other types of cyberattacks. Excel files are commonly used for sharing data and macros, which makes them a popular target for cybercriminals. In this article, we will discuss how to investigate a malicious Excel file and identify any potential security threats. In this moment I’m using an MS Excel sample file. Identify: identify the Excel file. The first step in investigating a potentially malicious Excel file is to ...

Suraj Malhotra

OALABS Research

Taking a closer look at this new loader. Apr 2, 2023 • 3 min read. Tags: ares, aresloader, loader. Overview: AresLoader is a new malware downloader that has been advertised on some underground forums. References: New loader on the bloc - AresLoader; Private Malware for Sale: A Closer Look at AresLoader. Samples: 7572b5b6b1f0ea8e857de568898cf97139c4e5237b835c61fea7d91a6f1155fb (UnpacMe). Panels: The following were live panels at the...

Taking a closer look at this ICEDID loader. Apr 6, 2023 • 5 min read. Tags: icedid, bokbot, photoloader, config. Overview: Photoloader is the initial loader stage used to load ICEDID. ICEDID was originally used for banking credential theft, with a later pivot as a reconnaissance tool for pre-ransomware intrusions. The webinjects used for credential theft are still active, though this malware is most often associated with ransomware incidents. According...

Patrick Wardle at Objective-See

Analyzing UpdateAgent, the 2nd-stage macOS payload of the 3CX supply chain attack. By Patrick Wardle / April 1, 2023. Want to play along? As “Sharing is Caring” I’ve uploaded the malicious binary UpdateAgent to our public macOS malware collection. The password is: infect3d ...please though, don't infect yourself! Backgrou...

Akshat Pradhan at Qualys

Georgy Kucherin, Vasily Berdnikov, Vilen Kamalov at Securelist

APT reports, 03 Apr 2023. Authors: Georgy Kucherin, Vasily Berdnikov, Vilen Kamalov. On March 29, Crowdstrike published a report about a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. Since then, the security community has started analyzing the attack and sharing their findings. The following has been discovered so far: The infection is spread via 3CXDesktopApp MSI installers. An installer for macOS has also been trojanized. The malicious installation package cont...

Security Intelligence

The days when email was the main vector for phishing attacks are long gone. Now, phishing attacks occur on SMS, voice, social media and messaging apps. They also hide behind trusted services like Azure and AWS. And with the expansion of cloud computing, even more Software-as-a-Service (SaaS) based phishing schemes are possible. Phishing tactics have evolved faster than ever, and the variety of attacks continues to grow. Security pros need to be aware. SaaS to SaaS Phishing: Instead of building ph...

The hacker group Lapsus$ (sometimes referred to as LAPSUS$ or simply Lapsus) is a relatively new organization in the cyber arena. The group began to garner public attention in December 2021 after some successful attacks on major corporations, where even the Department of Homeland Security felt it necessary to spend more time researching this group through the Cyber Safety Review Board (CSRB). For reference, Lapsus$ is sometimes also referred to as the criminal organization DEV-0537 and appears...

Priyadharshini Balaji at Security Investigation

Posts listed on the site: How to Detect Malware Hijacking Digital signatures; Densityscout – Entropy Analyzer for Threat Hunting and Incident Response; Malicious JQuery & JavaScript – Threat Detection & Incident Response; Free Ransomware Decryption tool - No More Ransom IOC; Phishing Scam Alert: Fraudulent Emails Requesting to Clear Email Storage Space…; Vidar Infostealer Malware Returns with new TTPS – Detection & Response; New WhiskerSpy Backdoor via Watering Hole Attack - Detection & Response; RedLine Stealer returns with New ...

Uptycs

3CX Supply Chain Cyber Attack: An Analysis of Windows and macOS Malicious Libraries. Written by: Uptycs Threat Research. Research by: Tejaswini Sandapolla, Pratik Jeware and Karthickkumar K. Supply chain attacks have increased in recent years. A watershed incident occurred in December 2020 when SolarWinds customers were infiltrated through malicious code snuck into the software. The 3CX desktop apps for Windows and macOS—used for voice and video conferencing—are the targets of a recent similar atta...