解析メモ (Analysis Notes)

A place to note things learned from trying out malware analysis and anything that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 16 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that I can zap through them and pick the articles to check. 4n6 itself can be viewed here.

MALWARE

0x70RVS

3 minute read PuTTY.exe Scenario: Hello Analyst, The help desk has received a few calls from different IT admins regarding the attached program. They say that they’ve been using this program with no problems until recently. Now, it’s crashing randomly and popping up blue windows when it’s run. I don’t like the sound of that. Do your thing! IR Team Overview: PuTTY is an SSH and telnet client, developed originally for the Windows platform. PuTTY is ...

Alexandre Borges at ‘Exploit Reversing’

Exploiting Reversing (ER) series: article 01 Alexandre Borges #malwareanalysis, #windows, #reverseengineering April 11, 2023 1 Minute The first article (109 pages) in the Exploiting Reversing (ER) series is available for reading on: (PDF): //exploitreversing.files.wordpress.com/2023/04/exploit_reversing_01-1.pdf I hope readers like it. Have an excellent day and keep reversing! Alexandre Borges ...

Apophis

Hello cybermen, I’m about to present a repo about the MedusaLocker. MedusaLocker ransomware has been active since September 2019. MedusaLocker actors typically access victims’ networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP). Once Threat Actors (TAs) access the network, they encrypt the victim’s data and leave a ransom note with instructions on how victims can communicate with the TAs in every folder while encrypting files. The ransom note tells victims to make a ransom paym...

ASEC

On March 29, 2023, CrowdStrike announced that a threat group based in North Korea launched a supply chain attack through 3CX DesktopApp. [1] With this app, the threat actor installed an Infostealer in the target system. AhnLab Security Emergency response Center (ASEC) previously announced a 3CX DesktopApp supply chain attack in the following blog post alongside mitigation measures. [2] This post will provide an analysis of the malware used in the attacks and logs of their infection in Korea coll...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 26th, 2023 to April 1st, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engin...

AhnLab Security Emergency response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from April 3rd, 2023 (Monday) to April 9th, 2023 (Sunday). For the main category, backdoor ranked top with 61.1%, followed by Infostealer with 20.8%, downloader with 16.9%, and ransomware with 1.1%. Top 1 – RedLine RedLine ranked first place with 52.2%. The malware steals various information such as web browsers...

AhnLab Security Emergency response Center (ASEC) has identified circumstances of Qakbot being distributed via malicious PDF files attached to forwarded emails or replies to existing emails. Qakbot banking malware is one of those that are continuously being distributed through various media. ASEC has covered the distribution trends of Qakbot over the years. As shown below, the distributed email has the form of a hijacked normal email where a reply is sent to the target user with a malicious file attache...

The Bitter (T-APT-17) group is a threat group that usually targets South Asian government organizations, using Microsoft Office programs to distribute malware such as Word or Excel. AhnLab Security Emergency response Center (ASEC) has identified multiple circumstances of the group distributing CHM malware to certain Chinese organizations. CHM files have been used by various threat groups in APT attacks since earlier this year and covered multiple times in ASEC blog posts. The files used in the r...

Axelarator

2023-04-11 Discovered in 2019, Mozi is a P2P botnet using the DHT protocol that spreads via Telnet with weak passwords and known exploits. Evolved from the source code of several known malware families; Gafgyt, Mirai and IoT Reaper, Mozi is capable of DDoS attacks, data exfiltration and command or payload execution. The malware targets IoT devices, predominantly routers and DVRs that are either unpatched or have weak telnet passwords. In a report from IBM, Mozi accounted for 90% of IoT network t...

Matt Muir at Cado Security

CQURE Academy

Cyble

April 13, 2023 Banking Trojan targeting mobile users in Australia and Poland Cyble Research & Intelligence Labs (CRIL) has identified a novel Android Banking Trojan, which we are referring to as “Chameleon,” based on the commands used by the malware primarily due to the fact that the malware appears to be a new strain and seems unrelated to any known Trojan families. The Trojan has been active since January 2023 and is specifically observed targeting users in Australia and Poland. The Chameleon ...

Matthew at Embee Research

Dcrat Deobfuscation - How to Manually Decode a 3-Stage .NET Malware. Manual analysis and deobfuscation of a .NET based Dcrat. Touching on Custom Python Scripts, Cyberchef and .NET analysis with Dnspy. Matthew Apr 8, 2023 • 12 min read Analysis of a 3-stage malware sample resulting in a dcrat infection. The initial sample contains 2 payloads which are hidden by obfuscation. This analysis will demonstrate methods for manually uncovering bot...

Redline Stealer - Static Analysis and C2 Extraction Deep dive analysis of a redline stealer sample. I will use manual analysis to extract C2 information using a combination of Ghidra and x32dbg Matthew Apr 10, 2023 • 22 min read Deep-dive analysis of a packed Redline Stealer sample. Utilising manual analysis and semi-automated string decryption to extract C2 information and ultimately identify the malware. In this write-up, I intentionally try to touch on as many concepts as possible in order to...

Fortinet

Malware Disguised as Document from Ukraine's Energoatom Delivers Havoc Demon Backdoor By FortiGuard Labs | April 11, 2023 Affected platforms: Microsoft Windows Impacted parties: Targeted Windows users Impact: Compromised machines are under the control of the threat actor Severity level: Medium As part of our ongoing research on malware being used in the Russian-Ukrainian conflict, FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company, Energoatom...

By Hossein Jazi | April 12, 2023 Affected platforms: Windows Impacted parties: Windows Users Impact: Potential to deploy additional malware for additional purposes Severity level: Medium In early February of 2022, Microsoft announced that Internet Macros would be blocked by default to improve the security of Microsoft Office. According to their blog published in late Feb 2023, this change began rolling out in some update channels in April 2022. Other channels followed in July and October 2022, w...

By Shunichi Imano | April 14, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers the Kadavro Vector ransomware. Affected platforms: Microsoft Windows Imp...

Igor Skochinsky at Hex Rays

SaiKrishna K at InfoSec Write-ups

WannaCry is self-propagating malware which is classified as crypto-ransomware, affecting more than 200K computers in 2017. Crypto ransomware is a harmful computer program that encrypts a user’s files for money extortion purposes (ransom). This malware has worm capability which can propagate to other computers through computer networks. WannaCry: WannaCry malware exploits the vulnerability that is in the Server Message Block (SMB) protocol of the Windows implementation. SMB is a transport protocol use...

Ori Hollander at JFrog

Part two of series "First NuGet malicious packages campaign" By Ori Hollander, JFrog Security Research April 10, 2023 9 min read Analyzing Impala Stealer – Payload of the first NuGet attack campaign In this blog post, we’ll provide a detailed analysis of a malicious payload we’ve dubbed “Impala Stealer”, a custom crypto stealer which was used as the payload for the NuGet malicious packages campaign we’ve exposed in our previous post. The sophisticated campaign targeted .NET developers via...

John Hammond

YouTube video

YouTube video

SangRyol Ryu at McAfee Labs

Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps in South Korea McAfee Labs Apr 12, 2023 8 MIN READ Authored by SangRyol Ryu McAfee’s Mobile Research Team discovered a software library we’ve named Goldoson, which collects lists of applications installed, and a history of Wi-Fi and Bluetooth devices information, including nearby GPS locations. Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without t...

Mohamed Adel

Mohamed Adel included in Malware Analysis 2023-04-12 2414 words 12 minutes Introduction: Aurora Stealer is an information stealer written in GO. It is a commercial stealer that costs arou...

Rintaro Koike at NTT Security Japan

Ryu Hiyoshi April 14, 2023 This article is the English version of “改ざんされたWebサイトからGoogle Chromeの偽エラー画面を使ってマルウェアを配布する攻撃キャンペーンについて” (On an attack campaign distributing malware from compromised websites using fake Google Chrome error screens), translated by Hisayo Enomoto, NTTSH SOC analyst. --- This article is authored by our SOC analyst, Rintaro Koike. Introduction: Our SOC has observed an attack campaign distributing malware from a web page disguised as a Google Chrome error message since around November 2022. It has become activ...

OALABS Research

Open Source Ransomware Meets Open Source RAT Apr 13, 2023 • 1 min read Overview: This sample appears to be a Chaos Ransomware builder but it is actually bound with Quasar RAT!! Binder: Celesty Binder. PDB path: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb Chaos Ransomware (malpedia). Samples: 141056b82cd0a20495822cd2bcd5fae5c989c6d24dac5a5e3c3916f1b406bdb9 (UnpacMe). Chaos Builder: Chaos Ransomware builder i...

Matthew Green at Rapid7

Apr 14, 2023 6 min read Matthew Green Last updated at Tue, 18 Apr 2023 07:06:24 GMT This is a technical post covering practical methodology to extract configuration data from recent Qakbot samples. In this blog, I will provide some background on Qakbot, then walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale. Qak! Qakbot, or QBot, is a modular malware first observed in 2007 that has been historicall...

Sonatype

Malware Monthly - March 2023 April 11, 2023 By Sonatype Developer Relations 12 minute read time Welcome to a new issue of Malware Monthly, where we collaborate with our team of security researchers to provide an in-depth look at the different types of malware we’ve detected and how they can impact your system. This month, we'll dive deep into a series of malicious packages uploaded to the PyPI registry identified as information stealers, some of them copies of the popular W4SP stealer we’...

Bill Marczak, John Scott-Railton, Astrid Perry, Noura Al-Jizawi, Siena Anstis, Zoe Panday, Emma Lyon, Bahr Abdul Razzak, and Ron Deibert at The Citizen Lab

Key Findings Based on an analysis of samples shared with us by Microsoft Threat Intelligence, we developed indicators that enabled us to identify at least five civil society victims of QuaDream’s spyware and exploits in North America, Central Asia, Southeast Asia, Europe, and the Middle East. Victims include journalists, political opposition figures, and an NGO worker. We are not naming the victims at this time. We also identify traces of a suspected iOS 14 zero-click exploit used to deploy QuaD...

Uptycs

Zaraza Bot Credential Stealer Targets Browser Passwords Written by: Uptycs Threat Research The Uptycs threat research team has identified a new variant of credential stealing malware, dubbed Zaraza bot, that uses telegram as its command and control. Zaraza is the Russian word for infection. Zaraza bot targets a large number of web browsers and is being actively distributed on a Russian Telegram hacker channel popular with threat actors. Once the malware infects a victim's computer, it retrieves ...

Yoroi

04/13/2023 Introduction Ransomware attacks have emerged as a predominant menace in recent years, with the strategies employed by malicious actors constantly evolving. Among the most effective and worrisome tactics is the "double extortion" model, which has rapidly gained popularity as a preferred business model for threat actors. Financially motivated perpetrators particularly favor the double extortion model, as it enables them to optimize their profits and bolster the likelihood of victims acq...

Zhassulan Zhussupov

Malware AV/VM evasion - part 15: WinAPI GetModuleHandle implementation. Simple C++ example. 5 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research on trying to evade AV engines via another popular trick: a WinAPI GetModuleHandle implementation. GetModuleHandle: GetModuleHandle is a Windows API (also known as WinAPI) function that retrieves a handle to a loaded module in the address space of the calling process. It can be used to obtain identifi...

Brett Stone-Gross at ZScaler
