Analysis Notes

A place for notes on trying malware analysis and on anything that looked useful for analysis.

4n6 Week 20 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. The 4n6 post itself can be found here.

MALWARE

0x70RVS

Hello, here are my study notes on the packing topic; I hope someone finds them useful. I'll put all the resources I took information from in the references section, so you can take a look at them as well. Why do we care about packing? Today, most malware is packed, and it's a good skill for a malware analyst to recognize whether a PE file is pac...
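The notes above list the usual indicators of a packed PE (high section entropy, a section with no raw data but a large virtual size, unusual section names). The script below is an added example, not code from the 0x70RVS post: it parses the PE section table directly from the COFF layout (no pefile dependency) and applies those three checks. The PE it scans is constructed in memory for the demonstration; the 7.0 entropy threshold and the set of "standard" section names are assumptions to tune against your own corpus.

```python
"""Packing heuristics over a PE section table, pure Python.

Added example. Layout follows PE/COFF: e_lfanew at 0x3C, "PE\0\0", a 20-byte
COFF header (NumberOfSections at +2, SizeOfOptionalHeader at +16), the
optional header, then 40-byte section headers. The sample image built by
build_sample_pe() is constructed for the test and is not a real binary.
"""
import math
import random
import struct

# Section names a common compiler/linker emits (assumption; extend as needed).
STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".rsrc", b".reloc",
                     b".pdata", b".idata", b".edata", b".bss", b".tls"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; compressed or encrypted data sits near 8

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes):
    """Return (name, VirtualSize, SizeOfRawData, PointerToRawData, raw bytes) per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _va, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        out.append((name, vsize, rsize, rptr, pe[rptr:rptr + rsize]))
    return out

def packing_indicators(pe: bytes):
    """Human-readable indicators; an empty list means nothing looked packed."""
    hits = []
    for name, vsize, rsize, _ptr, raw in parse_sections(pe):
        label = name.decode(errors="replace")
        ent = shannon_entropy(raw)
        if rsize and ent > ENTROPY_THRESHOLD:
            hits.append(f"{label}: entropy {ent:.2f}")
        if rsize == 0 and vsize > 0x1000:
            # Typical of UPX-style packers: the stub decompresses into this space at run time.
            hits.append(f"{label}: raw size 0, virtual size {vsize:#x}")
        if name not in STANDARD_SECTIONS:
            hits.append(f"{label}: non-standard section name")
    return hits

def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE32+ image from (name, VirtualSize, raw bytes) tuples. Test input only."""
    e_lfanew, opt_size = 0x40, 0xF0
    table = e_lfanew + 4 + 20 + opt_size
    ptr = table + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    hdrs, blobs = b"", b""
    for name, vsize, raw in sections:
        hdrs += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + hdrs + blobs

# Constructed sample: a low-entropy .text plus a UPX-like pair of sections.
_rng = random.Random(1337)
PLAIN = bytes(range(32, 127)) * 40                          # printable text, ~6.6 bits/byte
PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))    # deterministic "compressed" blob
SAMPLE_PE = build_sample_pe([
    (b".text", len(PLAIN), PLAIN),
    (b"UPX0", 0x20000, b""),
    (b"UPX1", len(PACKED), PACKED),
])

if __name__ == "__main__":
    for hit in packing_indicators(SAMPLE_PE):
        print(hit)
```

Entropy alone is a weak signal (a large .rsrc holding compressed images scores high too), so the function reports every indicator and leaves the verdict to the analyst.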

Adam at Hexacorn

May 11, 2023 in Reversing, Windows 11. In my previous posts I have listed many PE sections present in different types of binaries. Today I am looking at Windows 11 PE sections and am happy to report that the world of PE sections has expanded a bit, again; here are some stats (occurrence count, section name):
3176 .rsrc
3109 .text
3109 .reloc
3108 .data
3102 .pdata
2983 .rdata
2007 .a64xrm (CHPEV2 section)
1958 .hexpthk (possibly stands for Hybrid Executable Push Thunk)
1705 .didat
241 .00cfg
50 .orpc
39 ?g_E...

May 11, 2023 in Windows 11. Windows 11's advapi32.dll includes interesting exported functions: ElfBackupEventLogFileA, ElfBackupEventLogFileW, ElfChangeNotify, ElfClearEventLogFileA, ElfClearEventLogFileW, ElfCloseEventLog, ElfDeregisterEventSource, ElfFlushEventLog, ElfNumberOfRecords, ElfOldestRecord, ElfOpenBackupEventLogA, ElfOpenBackupEventLogW, ElfOpenEventLogA, ElfOpenEventLogW, ElfReadEventLogA, ElfReadEventLogW, ElfRegisterEventSourceA, ElfRegisterEventSourceW, ElfReportEventA, ElfReportEventAndSourceW, ElfReportEventW. And I kno...

May 12, 2023 in Archaeology, DLL Analysis. I love looking at clusters of files, because it's the easiest way to find patterns. In the last part of this series I focused on Nullsoft installers (DLLs!) only, and today I will use the very same idea to describe clusters of DLL families I have generated from a very large corpus of clean samples (collected over the last decade or so). What makes a summary like this interesting? Some malware families like to 'emulate' real software. They imitate clean .e...

ASEC

AhnLab Security Emergency response Center (ASEC) has shared information regarding the RedEyes threat group (also known as APT37, ScarCruft), who distributed CHM malware disguised as a security email from a Korean financial company last month. RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft). The LNK file contains a PowerShell command and performs malicious behavior without the knowledge of the user who opens the decoy PDF file, by creating and executing script files al...

Last March, the 3CX supply chain breach was a global issue. AhnLab Security Emergency response Center (ASEC) has confirmed through the AhnLab Smart Defense (ASD) infrastructure that malware related to the 3CX supply chain was installed in Korea on March 9th and March 15th. Figure 1. ASD infrastructure log related to the 3CX supply chain breach case. The 3CX supply chain malware confirmed in this instance loaded malicious DLLs disguised with the names of legitimate DLLs, ffmpeg.dll and d3dcompile...

AhnLab Security Emergency response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from April 24th, 2023 (Monday) to April 30th, 2023 (Sunday). For the main category, Infostealer ranked top with 54.9%, followed by downloader with 33.3%, backdoor with 10.5%, and ransomware and banking malware with 0.6% each. Top 1 – AgentTesla AgentTesla is an infostealer that ranked first place with 35.2%. It ...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from April 23rd, 2023 to April 29th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engi...

Erik Pistelli at Cerbero

We recently stumbled upon this tweet by @Cryptolaemus1 about a malicious OneNote document with an embedded ISO file. Because of our recently released ISO Format package, we thought it would be interesting to analyze this malware sample with Cerbero Suite. SHA256: 2B0B2A15F00C6EED533C70E89001248A0F2BA6FAE5102E1443D7451A59023516 The unidentified embedded object in the OneNote document is an ISO file. We load it as an embedded object and specify the ISO format (Ctrl+E). The ISO file contains only a...

This malware gives us a chance to see the recently introduced Silicon Shellcode Emulator in action. SHA256: 8CF1E49C74FB05DE954A6B70281F47E3CBD021108B0EE11F4A59667FF28BFEE9 The PowerShell code is not obfuscated: it decodes a base64 encoded string, decrypts the result with a xor operation, allocates memory with VirtualAlloc, copies the shellcode to the allocated memory and then executes it. If ([IntPtr]::size -eq 8) { [Byte[]]$var_code = [System.Convert]::FromBase64String('32ugx9PL6yMjI2JyYnNxcnV...
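The loader pattern described above (base64 decode, single-byte XOR, VirtualAlloc, copy, execute) can be undone statically without executing anything. The script below is an added example, not code from the Cerbero post: it pulls the base64 blob and the XOR key out of the PowerShell text with regular expressions and reproduces the decode. SAMPLE_SCRIPT is constructed: the base64 prefix is the one visible on the page, padded to a valid length, and the `-bxor 35` loop is the common msfvenom/Cobalt Strike PowerShell template, assumed here; under that key the visible prefix decodes to the standard x64 stager prologue (cld; and rsp,-16; call), which the check at the end looks for.

```python
"""Static decode of a base64 + XOR PowerShell shellcode loader.

Added example. Extracts the FromBase64String() argument and the -bxor key
from the script text and returns the decoded shellcode bytes. The sample
script is constructed from the loader template the post describes; only the
first 17 bytes of the payload are the ones visible on the page.
"""
import base64
import re

SAMPLE_SCRIPT = r"""
If ([IntPtr]::size -eq 8) {
  [Byte[]]$var_code = [System.Convert]::FromBase64String('32ugx9PL6yMjI2JyYnNxcnV=')
  for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
  }
  $buf = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
  [System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $buf, $var_code.length)
}
"""

B64_RE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
XOR_RE = re.compile(r"-bxor\s+(0x[0-9A-Fa-f]+|\d+)")

# Prologue emitted by msfvenom / Cobalt Strike x64 stagers:
#   fc        cld
#   48 83 e4 f0  and rsp, 0xfffffffffffffff0
#   e8        call <next block>
X64_STAGER_PROLOGUE = bytes.fromhex("fc4883e4f0e8")

def extract_shellcode(script: str) -> bytes:
    """Return the XOR-decoded shellcode; raise if the loader pattern is absent."""
    blob = B64_RE.search(script)
    if not blob:
        raise ValueError("no FromBase64String() blob found")
    key_match = XOR_RE.search(script)
    if not key_match:
        raise ValueError("no -bxor key found")
    key = int(key_match.group(1), 0)        # accepts decimal or 0x-prefixed hex
    raw = base64.b64decode(blob.group(1))
    return bytes(b ^ key for b in raw)

def looks_like_x64_stager(shellcode: bytes) -> bool:
    """True when the decoded bytes start with the msfvenom/CS x64 prologue."""
    return shellcode.startswith(X64_STAGER_PROLOGUE)

if __name__ == "__main__":
    sc = extract_shellcode(SAMPLE_SCRIPT)
    print(sc.hex(), "x64 stager prologue:", looks_like_x64_stager(sc))
```

The decoded bytes can then be handed to a shellcode emulator (the post uses Cerbero's Silicon Shellcode Emulator) or dropped into a disassembler; a positive prologue match is a quick triage signal but not proof of family.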

Michał Praszmo at CERT Polska

Malspam campaign delivering PowerDash, a tiny PowerShell backdoor. 09 May 2023 | Michał Praszmo | #malware, #powershell, #analysis. In late April we observed a malspam campaign delivering a previously unseen PowerShell malware. We decided to provide an overview of the campaign and some of the malware's capabilities. We're also dubbing this malware family "PowerDash" because of the "/dash" path on the C2 server, used as a gateway for bots. Execution graph...

CISA

Last Revised: May 09, 2023. Alert Code: AA23-129A. Summary: The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to...

Cofense

Cyble

May 10, 2023 Emerging Ransomware Strain Quickly Expanding its List of Victims Ransomware is a grave cybersecurity threat and is currently one of the most effective cybercrimes causing organizational problems. It has proven to be highly profitable for cybercriminals, resulting in severe consequences such as financial loss, data loss, and damage to the reputation of the targeted entities. Over time, Cyble Research and Intelligence Labs (CRIL) has continuously examined and shared information regard...

May 11, 2023 Threat Actor Leveraging Vice Society’s Codebase for Greater Impact Custom-branded ransomware has recently seen a surge in development. We have observed Threat Actors (TAs) utilizing leaked source codes of a particular ransomware family to create new variants by modifying the existing code. This approach allows for the creation of ransomware that can be tailored to target specific industries, organizations, or geographic regions, increasing the effectiveness of ransomware variants wh...

May 12, 2023 New Ransomware Targets VMware ESXi servers Cyble Research and Intelligence Labs (CRIL) observed an increase in the number of ransomware groups launching Linux variants, such as Cylance and Royal ransomware. This can be attributed to the fact that Linux is extensively utilized as an operating system across various sectors, including enterprise environments and cloud computing platforms. The widespread use of Linux makes it an appealing target for ransomware groups, as a single attack...

Matthew at Embee Research

AgentTesla - Full Loader Analysis - Resolving API Hashes Using Conditional Breakpoints. Analysis of a multi-stage loader for AgentTesla, covering Ghidra, dnSpy, x32dbg, API hashing and more. Matthew, May 7, 2023, 29 min read. Summary: This article covers the analysis of a multi-stage AgentTesla loader. The loader utilizes a Nullsoft package to drop an exe-based loader and multiple encrypted files. We'll follow the loader as it ...

A curated list of the best malware blogs and resources that I have found over the years. Matthew, May 10, 2023, 2 min read. A curated list of high-quality technical blogs and resources for learning malware analysis. Even if not immediately understandable (some are very advanced), each post provides a list of topics and keywords that can be used for further research and learning. This list will be updated over time as I find and remember new stuff :)

Fatih Yilmaz

08 May 2023 (Turkish-language version of the post below) What is Patching (Yamalama)? It is a concept familiar to everyone who used a computer in the 2000s and at some point wondered, "How could I use this paid software for free?": patching. Back then there were cracker guys and girls who seemed cool to us; since we generally had no idea what was going on inside the box, their doings seemed extremely mysterious. This article will not answer the question "How do we crack a piece of software?", because that topic now requires much more in-depth analysis...

08 May 2023 What is Patching? It is a concept familiar to everyone who used a computer in the 2000s and at some point wondered, "How can I use this software for free?": patching. There were cracker brothers and sisters who seemed cool to us back then; since we generally didn't know what was going on inside the machine, their behavior seemed extremely mysterious. This article will not answer the question "How do we crack a piece of software?" because it now requires much more in-depth analysis. The more...

Fortinet

By Cara Lin | May 08, 2023 Affected platforms: Linux Impacted parties: Any organization Impact: Remote attackers gain control of vulnerable systems Severity level: Critical In April, FortiGuard Labs observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). This botnet, known as AndoryuBot, first appeared in February 2023. It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOC...

By Joie Salvio and Roy Tay | May 09, 2023 Affected Platforms: Linux Impacted Users: Any organization Impact: Remote attackers gain control of the vulnerable systems Severity Level: Critical FortiGuard Labs has encountered new samples of the RapperBot campaign active since January 2023. RapperBot is a malware family primarily targeting IoT devices. It has been observed in the wild since June 2022. FortiGuard Labs reported on its previous campaigns in August 2022 and December 2022. Those campaigns...

Jacob Pimental at GoggleHeadedHacker

11 May 2023 By Jacob Pimental. OneNote documents are the latest trend for malware delivery because they do not require macros to run the malware, and very few tools can accurately parse the file format. This trend has been seen in the distribution of Qakbot and Redline Stealer. While malware-laced OneNote files may seem to benefit only criminals, the unique file format has a few benefits from a forensics perspective as well. This article will walk through analyzing basic OneNote malware using the pyOn...
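Both the Cerbero post above (a OneNote document with an embedded ISO) and this one rely on pulling the embedded object out of the .one file. The script below is an added example, not code from either post and not pyOneNote: it carves embedded files using only the FileDataStoreObject layout from MS-ONESTORE (header GUID, 8-byte length, 4 unused bytes, 8 reserved bytes, the file data, footer GUID), which is how most OneNote carving tools work. SAMPLE_ONE is a constructed blob with a fake ISO image and a fake PE inside it; the magic-byte sniffer is a small assumption-free helper for labelling what came out.

```python
"""Carve embedded files out of a OneNote (.one) section file.

Added example. FileDataStoreObject (MS-ONESTORE):
  guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}   16 bytes, little-endian
  cbLength   uint64, length of FileData
  unused     4 bytes
  reserved   8 bytes
  FileData   cbLength bytes
  guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}   16 bytes
Scanning for the header GUID is enough to recover attachments (ISO, PE,
script) without parsing the rest of the file. SAMPLE_ONE is constructed.
"""
import struct
import uuid

HDR_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FTR_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
ONE_FILE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # guidFileType of a .one file

MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip/ooxml"}

def sniff(data: bytes) -> str:
    """Label a carved payload by leading magic; ISO 9660 keeps 'CD001' at 0x8001."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    return "unknown"

def carve_file_data_store_objects(blob: bytes):
    """Yield (offset, payload, footer_ok) for every FileDataStoreObject in blob."""
    pos = 0
    while True:
        pos = blob.find(HDR_GUID, pos)
        if pos < 0:
            return
        hdr_end = pos + 16
        if hdr_end + 20 > len(blob):          # cbLength + unused + reserved must fit
            return
        (cb_length,) = struct.unpack_from("<Q", blob, hdr_end)
        data_start = hdr_end + 8 + 4 + 8
        data_end = data_start + cb_length
        if data_end > len(blob):               # bogus length: skip this header and keep scanning
            pos = hdr_end
            continue
        payload = blob[data_start:data_end]
        footer_ok = blob[data_end:data_end + 16] == FTR_GUID
        yield pos, payload, footer_ok
        pos = data_end

def build_object(payload: bytes) -> bytes:
    """Wrap payload in a FileDataStoreObject (used only to construct the sample)."""
    return HDR_GUID + struct.pack("<Q", len(payload)) + b"\0" * 4 + b"\0" * 8 + payload + FTR_GUID

# Constructed sample: file-type GUID, filler, a fake ISO image, filler, a fake PE.
FAKE_ISO = bytes(0x8000) + b"\x01CD001\x01" + bytes(64)
FAKE_PE = b"MZ" + bytes(62) + b"PE\0\0" + bytes(30)
SAMPLE_ONE = ONE_FILE_GUID + bytes(200) + build_object(FAKE_ISO) + bytes(77) + build_object(FAKE_PE)

def carve_report(blob: bytes):
    """(offset, size, sniffed type, footer intact) for each embedded object."""
    return [(off, len(p), sniff(p), ok) for off, p, ok in carve_file_data_store_objects(blob)]

if __name__ == "__main__":
    for off, size, kind, ok in carve_report(SAMPLE_ONE):
        print(f"object at {off:#x}: {size} bytes, {kind}, footer {'ok' if ok else 'MISSING'}")
```

A missing footer usually means the length field was tampered with or the file is truncated; the carver still returns the bytes so they can be examined, and a payload labelled iso9660 is the case where the next step is mounting or parsing the ISO to get at the LNK or script inside.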

Hex Rays

Matthew Brennan at Huntress

The Huntress ThreatOps team encountered and investigated an infection involving a malicious malware loader on a Huntress-protected host. This investigation was initiated via persistence monitoring, which triggered on a suspicious Visual Basic (.vbs) script persisting via a scheduled task. The script was highly obfuscated and required manual analysis and decoding to investigate. Today we'll demonstrate ou...

Sarang S at InfoSec Write-ups

Using Python for Malware Analysis — A Beginner's Guide. Sarang S, published in InfoSec Write-ups, 7 min read, May 7. Overview: Malware refers to malicious software which is intended to harm computer systems and networks by stealing or misusing confidential information without authorization, or by saturating network bandwidth. The danger of malware has been constantly increasing and can have an impact at the individual level as well as the organizational level. To prevent such software ...

Jai Minton

Remcos RAT - Malware Analysis Lab (Jai Minton, CyberRaiju)

Baran S at K7 Labs

SpyNote targets IRCTC users. By Baran S, May 10, 2023. Tags: Android, Deceptive Apps, Remote Access Trojan, WhatsApp. We at K7 Labs recently came across an email message, shown in Figure 1, from the Indian Railway Catering and Tourism Corporation (IRCTC) about SpyNote, an Android RAT targeting IRCTC users. This spyware is not only used to steal users' sensitive information but can also spy on a user's location or remotely control the victim's device. Figure 1: Email Notif...

Lab52

May 05, 2023 In the last post, Lab52 covered Mustang Panda's new campaign against Australia. Now it is time to talk about the malware used by the APT group Mustang Panda in said campaign. Indeed, the malware used to commit the attack is not entirely new; there are previous reports from TrendMicro and Talos where similar tactics and procedures are detailed. However, some parts highlighted below differ and should be known in order to prepare our detection systems. Summarizing, this post covers th...

Mandiant

IRONGATE ICS Malware: Nothing to See Here... Masking Malicious Activity on SCADA Systems. Mandiant Intelligence, Jun 02, 2016, 8 min read. Last updated: May 09, 2023. Tags: Threat Research, Threat Intelligence, ICS, Malware. In the latter half of 2015, the FLARE team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system envi...

Max Kersten at Trellix

By Max Kersten · May 11, 2023 On the 11th of August 2022, the initial public version of DotDumper was released. A brief refresher: DotDumper is an open-source automatic unpacker for files targeting the .NET Framework. This blog marks a public update which adds unmanaged hooks to successfully log process injection, a GUI-based log viewer, as well as improved command-line argument handling. These updates upgrade DotDumper's capabilities to hook (and thus log) more data, along with more c...

McAfee Labs

New Wave of SHTML Phishing Attacks McAfee Labs May 08, 2023 5 MIN READ Authored By Anuradha McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or display phishing forms locally within the browser to harvest user-sensitive information. SHTML Campaign in the field: Figure 1. shows the geolo...

GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader McAfee Labs May 09, 2023 22 MIN READ Authored by: Anandeshwar Unnikrishnan Stage 1: GULoader Shellcode Deployment In recent GULoader campaigns, we are seeing a rise in NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system. The NSIS scriptable installer is a highly efficient software packaging utility. The installer behavior is dictated by ...

OALABS Research

Under the radar email credential stealer in development. May 7, 2023, 3 min read. Tags: strelastealer, stealer. Overview: This is an email stealer that has been in operation since at least November 2022. The stealer is simple: it collects emails from the target and uploads them to a hard-coded C2. Recent version...

DGAs and obfuscation as malware goes meta. May 11, 2023, 2 min read. Tags: metastealer, stealer, DGA, obfuscation. Overview: This is a stealer that has been in operation since at least May 2022. Recent versions have added a DGA! References: MetaStealer: String Decryption and DGA overview; Metastealer – filling the Racoon void; IOCs from Unit42. Sample: 6cf8bfba1b221effcb1eccec0c91fb0906d0b8996932167f654680cb3ac53aac (UnpacMe). Analysis: This sample has...

Sansec

9th May 2023, Web Skimming / Sansec Threat Research. What is Magecart? Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who is behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time? About Magecart: The domain gtag-analytics.com has recently emerged as a threat, empl...

Alex Delamotte at SentinelOne

Alex Delamotte / May 11, 2023 Executive Summary SentinelLabs identified 10 ransomware families using VMware ESXi lockers based on the 2021 Babuk source code leaks. These variants emerged through H2 2022 and H1 2023, which shows an increasing trend of Babuk source code adoption. Leaked source code enables actors to target Linux systems when they may otherwise lack expertise to build a working program. Source code leaks further complicate attribution, as more actors will adopt the tools. Backgroun...

Stairwell

Denis Sinegubko at Sucuri

Zhassulan Zhussupov

Malware development trick - part 28: Dump lsass.exe. Simple C++ example. ﷽ Hello, cybersecurity enthusiasts and white hackers! Today I want to show how to dump lsass without Mimikatz: via the MiniDumpWriteDump API. Since Mimikatz is a very famous tool and easy to detect, attackers find new tricks to reimplement some features of its logic. Practical example: So, how can we write a simple lsass.exe process dumper? We use MiniDumpWriteDump: BOOL MiniDumpWriteDump( [in] HANDLE hPro...
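The flip side of the dumper above is what it leaves in telemetry: MiniDumpWriteDump needs a handle to lsass opened with at least PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010), and the call stack passes through dbghelp.dll or dbgcore.dll. Sysmon Event ID 10 (ProcessAccess) records SourceImage, TargetImage, GrantedAccess and CallTrace, which is enough to score each access. The script below is an added example, not code from the post: it runs that logic over a handful of constructed events (not real telemetry). The allowlist of benign source images and the scoring weights are assumptions to tune per estate.

```python
"""Score Sysmon Event ID 10 (ProcessAccess) records for lsass dumping.

Added example. Flags handles to lsass.exe whose GrantedAccess covers the
MiniDumpWriteDump minimum (query + VM read) or is PROCESS_ALL_ACCESS, and
raises the score when dbghelp.dll/dbgcore.dll appear in the call trace.
EVENTS are constructed for the demonstration.
"""
import re

PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
MINIDUMP_MASK = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ     # 0x0410
PROCESS_ALL_ACCESS = 0x1FFFFF

# Images that routinely open lsass on a typical host (assumption; tune locally).
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
DUMP_LIBS = re.compile(r"\\(dbghelp|dbgcore)\.dll", re.IGNORECASE)

# (EventID, SourceImage, TargetImage, GrantedAccess, CallTrace) -- constructed.
EVENTS = [
    (10, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe", 0x1000,
     r"C:\Windows\SYSTEM32\ntdll.dll+9d5d4|C:\Windows\System32\KERNELBASE.dll+2c4a5"),
    (10, r"C:\Users\alice\Downloads\hack.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF,
     r"C:\Windows\SYSTEM32\ntdll.dll+9d5d4|C:\Windows\System32\dbgcore.dll+1e17|C:\Users\alice\Downloads\hack.exe+1234"),
    (10, r"C:\Users\alice\Downloads\hack.exe", r"C:\Windows\System32\lsass.exe", 0x0410,
     r"C:\Windows\SYSTEM32\ntdll.dll+9d5d4|C:\Windows\System32\KERNELBASE.dll+2c4a5|C:\Users\alice\Downloads\hack.exe+1234"),
    (10, r"C:\Users\alice\Downloads\hack.exe", r"C:\Windows\System32\notepad.exe", 0x1FFFFF,
     r"C:\Windows\SYSTEM32\ntdll.dll+9d5d4|C:\Windows\System32\dbgcore.dll+1e17"),
    (10, r"C:\Program Files\Windows Defender\MsMpEng.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF,
     r"C:\Windows\SYSTEM32\ntdll.dll+9d5d4"),
]

def score_event(event_id, source, target, granted, calltrace):
    """Return (score, reasons); 0 means the record is not interesting."""
    if event_id != 10 or not target.lower().endswith(r"\lsass.exe"):
        return 0, []
    if source.lower() in BENIGN_SOURCES:
        return 0, ["source on allowlist"]
    score, reasons = 0, []
    if (granted & MINIDUMP_MASK) == MINIDUMP_MASK or granted == PROCESS_ALL_ACCESS:
        score += 2
        reasons.append(f"GrantedAccess {granted:#x} covers query+read (MiniDumpWriteDump minimum)")
    if DUMP_LIBS.search(calltrace):
        score += 3
        reasons.append("dbghelp/dbgcore in CallTrace")
    return score, reasons

def hunt(events, threshold=2):
    """Return (source, score, reasons) for every event at or above threshold."""
    findings = []
    for eid, src, tgt, acc, trace in events:
        score, reasons = score_event(eid, src, tgt, acc, trace)
        if score >= threshold:
            findings.append((src, score, reasons))
    return findings

if __name__ == "__main__":
    for src, score, reasons in hunt(EVENTS):
        print(f"{score} {src}: {'; '.join(reasons)}")
```

The third event is the one a naive "dbghelp in CallTrace" rule misses: a dumper that reimplements the minidump writer or reads lsass memory directly still needs the 0x0410 access mask, so the access-mask check carries weight on its own, and the allowlist is what keeps Defender and the service host from drowning the signal.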