Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 19 – 2023 - MALWARE

This entry was automatically generated and posted to display the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles can be skimmed to pick which ones to check. 4n6 itself can be found here.

MALWARE

ASEC

AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have been happening with a distinct pattern since 2022: they involve the usage of malware developed with Shell Script Compiler (SHC) when installing the XMRig, as well as the creation of a backdoor SSH account. When looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS Bot or CoinMin...

RecordBreaker is a new Infostealer that appeared in 2022 and is known as the new version of Raccoon Stealer. Similar to other Infostealers, such as CryptBot, RedLine, and Vidar, it is a major malware type that usually disguises itself as a software crack or installer. AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of RecordBreaker through a YouTube account that is assumed to have been recently hacked. 1. Previous Distribution Cases Search engines are one of the m...

AhnLab Security Emergency response Center (ASEC) has covered various distribution methods of Qakbot, and the method of distributing through OneNote was covered back in February. The distribution of Qakbot through OneNote has been confirmed again recently, and it was discovered that the Windows Help file (CHM) was used in this recent attack. Qakbot Being Distributed via OneNote Upon executing the OneNote file, it prompts users to click on the Open button along with a Microsoft Azure image, as sho...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from April 16th, 2023 to April 22nd, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engi...

Zeev Hananis at Checkmarx Security

ML Engine Detects PyPi Packages Containing “WhiteSnake” Malware Designed to Steal Your Personal Data. The SCS team has been closely monitoring a threat actor under the label PYTA31, in a recent attack detected by our ML-powered engine. PYTA31 was found distributing the “WhiteSnake” malware. This attack was also reported a few days ago by JFrog’s security researchers. In the past few days, our obfuscation detection engine successfully uncovered several additional packages linked to this threat actor. ...

Cyble

May 3, 2023: The Increasing Menace of Small Ransomware Syndicates. In recent years, ransomware operations have emerged as highly profitable cybercrime schemes. Numerous companies have suffered immense financial, data, and reputation losses due to such attacks. Typically, cybersecurity researchers tend to concentrate on prominent ransomware groups that run extensive Ransomware-as-a-Service (RaaS) operations. These groups usually comprise highly skilled developers and cybercriminals, sometimes even ...

May 3, 2023: Stealer with Clipper Making Rounds in a Mass Campaign. PyPI (Python Package Index) is a widely used repository for software packages for the Python programming language, utilized by developers worldwide for sharing and downloading Python code. Due to the widespread usage of PyPI, it has become a desirable target for Threat Actors (TAs) who aim to attack developers or their projects. Malicious packages are usually uploaded by disguising them as useful software or by imitating well-know...

May 5, 2023: Malware Evades Detection by Lurking in Windows Registry. Phishing attacks pose an ongoing and widespread danger to both individuals and organizations. To trick users into divulging sensitive information like passwords and credit card details, Threat Actors (TAs) employ various tactics, including phishing websites. Attackers often use these fraudulent websites to distribute their malicious software, taking advantage of users’ trust in legitimate-looking sites. Recently, Cyble Research ...

Dr Josh Stroschein

YouTube video

Igor Skochinsky at Hex Rays

Lab52

May 03, 2023: AUKUS (Australia-United Kingdom-United States) is a strategic military alliance between these territories that became a reality in 2021, whose main objective is to build nuclear-powered submarines to counter the threat from China in the Indo-Pacific region. This agreement also includes the sharing of cyber capabilities and other submarine technologies. Some sources point out that this is not a security pact, but is rather intended to “elevate the intelligence and deterrence value of...

Mayank Malik

2 steps ahead like L, fatal like Kira. Mayank Malik, May 4, 2023, 3 min read. 1. Executive Summary. A. Fingerprinting: MD5: 459aad8cc95d9fe2bd1d3199966289f7; SHA256: eb22d542b3b6e69a98801ff7843fa6981b13ca8628a5382cfdc0f713cdb72cba; VirusTotal Report: //www.virustotal.com/gui/file/eb22d542b3b6e69a98801ff7843fa6981b13ca8628a5382cfdc0f713cdb72cba. B. Classification: Infostealer, used to harvest stored credentials and session objects from browsers installed on the machine. C. Behavioral Summary: The malware is...

Yashvi Shah at McAfee Labs

Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution. McAfee Labs, May 05, 2023, 17 min read. Authored by Yashvi Shah. McAfee Labs have identified an increase in Wextract.exe samples that drop a malware payload at multiple stages. Wextract.exe is a Windows executable file that is used to extract files from a cabinet (.cab) file. Cabinet files are compressed archives that are used to package and distribute software, drivers, and other files. It is a legitimate file that is pa...

Michael Maltsev

Microsoft eXtended Flow Guard (XFG) is a control-flow integrity (CFI) technique that extends CFG with function call signatures. It was presented by Microsoft in 2019, and it’s an interesting mitigation, but this blog post isn’t going to discuss its security implications. Instead, I’m going to show how XFG can be used to help with reverse engineering. At first glance, just a nuisance: The idea of XFG is to add a signature before each function that can be invoked indirectly, and to verify that the ...

Moath Maharmeh at C99.sh

Posted in Cryptography, Red Team on May 1, 2023 by Moath Maharmeh. Introduction: This article demonstrates reducing the entropy score with the goal of evading static detection by encoding characters...

Gustavo Palazolo at Netskope

OALABS Research

Taking a look at this loader associated with NullMixer. Apr 30, 2023 • 2 min read. Tags: satacom, legionloader, loader, NullMixer. Overview: This loader is strongly associated with the NullMixer pay-per-install service, which uses SEO poisoning to place its loader in high-ranked Google searches. According to a Kaspersky post about Null...

Mark Lim, Daniel Raygoza and Bob Jung at Palo Alto Networks

9 min. read. By Mark Lim, Daniel Raygoza and Bob Jung, May 3, 2023 at 6:00 AM. Category: Malware. Tags: Advanced WildFire, IcedID, memory detection, WildFire. Executive Summary: Configuration data that changes across each instance of deployed malware can be a gold mine of information about what the bad guys are up to. The problem is that configuration data in malware is usually difficult to parse statically from the file, by design. Malware authors know the intelligence va...

Charles Coggins at Phylum

Lockfiles are great. They can also be hard to review and a source of malicious code injection. The Phylum Research Team has reported on emerging threat campaigns and on novel techniques threat actors are using when writing malware hosted on open source package repositories. No matter how unique these attacks appear, they still only work if they can get a victim to run the code. More often than not, that comes back to simple techniques like typosquatting or dependency confusion. It might even jus...

Dmitry Kalinin at Securelist

Malware descriptions, 04 May 2023. Authors: Dmitry Kalinin. Every once in a while, someone will come across malicious apps on Google Play that seem harmless at first. Some of the trickiest of these are subscription Trojans, which often go unnoticed until the user finds they have been charged for services they never intended to buy. This kind of malware often finds its way into the official marketplace for Android apps. ...

Lee Dale at System Weakness

When analysing a malware sample, an interesting function call to look for is SetWindowsHookEx(). The Microsoft documentation says: “Installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread.” So we can use this function to monitor for certain system events, which sounds pe...

Ted Lee and Hara Hiroaki at Trend Micro

APT & Targeted Attacks. Attack on Security Titans: Earth Longzhi Returns With New Tricks. After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi’s resilience as a noteworthy threat. By: Ted Lee, Hara Hiroaki, May 02, 2023. We discovered a new campaign b...