Analysis Notes

A place to jot down notes from malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 18 – 2023 - MALWARE

This entry was automatically generated and posted to show the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed. 4n6 can be found here.

MALWARE

0x70RVS

$tealer: a sample from cyberdefenders.org. Link: //cyberdefenders.org/blueteam-ctf-challenges/85#nav-overview. Scenario: Your enterprise network is experiencing a malware infection, and your SOC L1 colleague escalated the case for you to investigate. As an experienced L2/L3 SOC analyst, analyze the malware sample, figure out what it does and extract C2 server and other important IOCs. I will try to perform a fu...

ASEC

AhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files. RokRAT is malware that is capable of collecting user credentials and downloading additional malware. The malware was once distributed through HWP and Word files. The LNK files that were discovered this time ...

The Tonto Team is a threat group that targets mainly Asian countries, and has been distributing Bisonal malware. AhnLab Security Emergency response Center (ASEC) has been tracking the Tonto Team’s attacks on Korean education, construction, diplomatic, and political institutions. Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks. Figure 1. Overall operation process The Tonto Team’s involvement in the distributi...

AhnLab Security Emergency response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from April 17th, 2023 (Monday) to April 23rd, 2023 (Sunday). For the main category, downloader ranked top with 61.2%, followed by Infostealer with 30.8%, backdoor with 7.1%, and ransomware with 1.0%. Top 1 – Amadey This week, Amadey Bot ranked first place with 57.7%. Amadey is a downloader that can receive comma...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engin...

Bernardo.Quintero at VirusTotal

At the RSA Conference 2023 today, we are excited to unveil VirusTotal Code Insight, a cutting-edge feature that leverages artificial intelli... Deception at a scale: Continuing our initiative of sharing VirusTotal’s visibility to help researchers, security practitioners and the general public better under...

Dr Josh Stroschein

YouTube video

Eclypsium

Erik Hjelmvik at Netresec

I analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today. This stealer collects credentials and files of interest from the victim’s computer and exfiltrates them to an FTP server. It is designed to autonomously collect and exfiltrate data rather than receiving commands from an operator through a command-and-control channel. The EvilExtractor creators market this feature as a “golden bullet”. Real hackers don’t use reverse shells right? If you have only ...

Hex Rays

Hussein Adel

OOP in C#. What is ‘OOP’? OOP stands for Object-Oriented Programming. It’s an approach that is followed to organize the design and code by packaging together data states and functionality. It’s a technique (approach, methodology, or way) but not technology. What is ‘class’? It’s a structure or a template that d...

Andrey Polkovnychenko and Malware Research at JFrog

By Andrey Polkovnychenko, Security Researcher, and Brian Moussalli, Malware Research Team Lead. April 24, 2023. The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware at...

Mellvin S at K7 Labs

Posted by Mellvin S, April 24, 2023. Advanced Persistent Threats. Mustang Panda – PE Injection through Opera Mail. We came across a tweet where Mustang Panda APT abuses an Opera Mail binary to sideload a malicious DLL and then inject malicious code into an mshta.exe process. The initial vector for this infection chain is a .rar file named lydwcb.rar1, which contains a crafted LNK file named “2023 03 26 Vonulásos gyűlés – Körjegyzék”, which translates to ...

Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, and Justin Albrecht at Lookout


Malwarebytes Labs

Posted: April 24, 2023 by Pieter Arntz Malwarebytes' researchers have discovered a malvertising scheme that uses adult lures for clickjacking purposes. Malwarebytes’ researchers have found a malvertising scheme that leads to clickjacking. Clickjacking is a form of ad fraud which is also referred to as click fraud or click spam. It is a practice performed by certain dubious advertising networks, where they sometimes use automated programs—from simple to sophisticated bots and botnets—to interact ...

Posted: April 25, 2023 by Christopher Boyd We take a look at a GuLoader campaign which comes bundled with an Italian language fake shipment email. GuLoader, a perennial favourite of email-based malware campaigns since 2019, has been seen in the wild once again. GuLoader is a downloader with a chequered history, dating back to somewhere around 2011 in various forms. Two years ago it was one of our most seen malspam attachments. Most popular attachments by tags in Malwarebytes email telemetry We a...

Posted: April 27, 2023 by Jérôme Segura It's hard to put individuals at fault when the malicious copy is better than the original. This credit card skimmer was built to fool just about anyone. To ensnare new victims, criminals will often devise schemes that attempt to look as realistic as possible. Having said that, it is not every day that we see the fraudulent copy exceed the original piece. While following up on an ongoing Magecart credit card skimmer campaign, we were almost fooled by a paym...

Posted: April 27, 2023 by Bill Cozens Find threats camouflaging themselves in RAM. When you hear about malware, there’s a good chance you think of sketchy executables or files with extensions like .DOCX or .PDF that, once opened, execute malicious code. These are examples of file-based attacks—and while they can be bad, they’re nothing compared to their fileless cousins. As the name suggests, fileless attacks don’t rely on traditional executable files to get the job done but rather in-memory exe...

Muhammad Umair at Mandiant

Magniber Ransomware Wants to Infect Only the Right People. Muhammad Umair, Oct 19, 2017 | Last updated: Apr 28, 2023. Ransomware, Threat Research. Exploit kit (EK) use has been on the decline since late 2016; however, certain activity remains consistent. The Magnitude Exploit Kit is one such example that continues to affect users, particularly in the APAC region. In Figure 1, which is based on data gathered in March 2017, we can see the regions affected by Magnitude EK activity during the l...

Dexter Shin at McAfee Labs

HiddenAds Spread via Android Gaming Apps on Google Play. McAfee Labs, Apr 26, 2023. Authored by Dexter Shin. Minecraft is a popular video game that can be played on a desktop or mobile. This is a sandbox game developed by Mojang Studios. Players create and break apart various kinds of blocks in 3-dimensional worlds and they can select to enjoy Survivor Mode to survive in the wild or Creative Mode to focus on being creative. Minecraft’s popularity has led to many attempts to recreate simil...

Mohamed Adel

Mohamed Adel, included in Malware Analysis, 2023-04-23, 4904 words. Contents: Introduction; Startup info; Authentication method; Server Authentication check; Dynamic Key calculation; Server Response Info; Network emulation; Anti-Debugging check; License info and IP used; Why network emulation doesn’t work well; Main Functionality; IP Geolocation database; Bot state; Clear old screenshots; Command Receiver; Main server functionality; server start!; TCP listener; Main Client; Handling incoming data; Updat...

Gustavo Palazolo at Netskope

OALABS Research

Invalid Printer using CreateDXGIFactory graphics card g-checking sandboxes. Apr 23, 2023. Tags: in2al5dp3in4er, loader, analysis, sandbox, invalid printer. Overview: This new(?) loader was exposed by Morphisec. According to the post, the loader is compiled with Embarcadero RAD Studio and employs a graphics card check to ensure it is not running in a sandbox b...

Palo Alto Networks

By Unit 42, April 26, 2023 at 3:00 AM. Category: Malware. Tags: Advanced URL Filtering, Alloy Taurus, APT, China Chopper, Cortex XDR, Cortex XSIAM, Cortex XSOAR, DNS security, GALLIUM, next-generation firewall, PingPull, WildFire. This post is also available in: 日本語 (Japanese). Executive Summary: Unit 42 researchers recently identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastruct...

Lucija Valentić at ReversingLabs

What’s in a name? Here's how bad actors are pushing malware on the Python Package Index under the guise of legitimate yet abandoned open source modules. By Lucija Valentić, Software Threat Researcher, ReversingLabs. In the beginning of March, ReversingLabs researchers encountered a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions. Finding this malicious payload wasn’t difficult, but what piqued ou...

Uptycs

RTM Locker Ransomware as a Service (RaaS) Now Suits Up for Linux Architecture. Tags: Threat Intelligence, Endpoint Security, Threat Research, Cybersecurity. Uptycs Threat Research, April 26, 2023. The Uptycs threat research team has discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created a Linux binary. Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Ba...

Zhassulan Zhussupov

Malware development trick - part 27: WinAPI LoadLibrary implementation. Simple C++ example. ﷽ Hello, cybersecurity enthusiasts and white hackers! Today, I just want to focus my research on another malware development trick: it’s also helpful to AV evasion in some cases and scenarios. Like previous posts with GetModuleHandle and GetProcAddress implementations, what about my own LoadLibrary implementation? Let’s try to do it. LoadLibrary: LoadLibrary is a Windows API function that all...