解析メモ

A place to note things I tried while analyzing malware and things I thought would be useful for analysis. This site uses Google Analytics.

4n6 Week 21 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

0x70RVS

Challenge Link: //cyberdefenders.org/blueteam-ctf-challenges/85#nav-questions Scenario: Your enterprise network is experiencing a malware infection, and your SOC L1 colleague escalated the case for you to investigate. As an experienced L2/L3 SOC analyst, analyze the malware sample, figure out what it does, and extract the C2 server and other important IOCs. I will try to make a full analysis first and then answer the ...

Chapter 18 challenges the walkthrough. This chapter discussed packing and unpacking techniques. Lab16-1.exe Packing identification: With tools like Detect It Easy we can see that the entropy of this file is very high (7.50329), and DIE identifies the packer as UPX. Also, with PEview we can see that in .text the virtual size and the size of raw data are very different. This sample also has a UPX section, and this is an indicato...

Any.Run

Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting. May 17, 2023. In this article by ANY.RUN analysts, we'll discuss the...

ASEC

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from April 30th, 2023 to May 6th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social enginee...

AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of the LokiLocker ransomware in Korea. This ransomware is almost identical to the BlackBit ransomware and their common traits have been mentioned before in a previous blog post. A summary of these similarities is as follows. Similarities between LokiLocker and BlackBit: disguised as svchost.exe; same obfuscation tool used (.NET Reactor); registered to the task scheduler and registry (persistence of malware); ransom note a...

Recently, there have been frequent cases of attacks targeting vulnerable servers that are accessible externally, such as SQL servers or IIS web servers. The team has confirmed two affected companies in this case. One being a company for semiconductors, and the other being a smart manufacturing company which utilizes artificial intelligence. It is assumed that the threat group that carried out the hacking attack is a Chinese hacker group like Xiaoqiying and Dalbit, as a Chinese text file containi...

The RecordBreaker Stealer is one of the main malware distributed disguised as the download of illegal programs such as cracks and keygens. It first appeared last year and has since been actively distributed to normal users. It is also referred to as Raccoon Stealer V2 and is being distributed through various channels, including websites and YouTube. CryptBot, which had been actively distributed in the same manner, had completely disappeared since February of this year, and the Vidar malware some...

AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed in Go. When installed on a user's system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system, for example by taking screenshots. 1. Case of Distr...

AhnLab Security Emergency response Center (ASEC) has recently discovered Infostealers disguised as an adult game being distributed to Japanese users. Although the distribution route has not been confirmed as of yet, it can be assumed that the Infostealers are being distributed via torrent or illegal file-sharing websites since it is being disguised as an adult game. The method of distributing malware by disguising it as an adult game is often employed here in Korea as well. Instead of using know...

AhnLab Security Emergency response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 8th, 2023 (Monday) to May 14th, 2023 (Sunday). For the main category, Infostealer ranked top with 49.8%, followed by downloader with 37.3%, backdoor with 11.0%, ransomware with 1.4%, and CoinMiner with 0.5%. Top 1 – Amadey This week, Amadey Bot ranked first place with 25.8%. Amadey is a downloader that ...

Erik Pistelli at Cerbero

We recently stumbled upon an old article by Daisuke Mutaguchi explaining an extreme technique for PowerShell obfuscation. The article is in Japanese, so you may have to use Google Translate. Here's the final example provided by the author of the article:

${;}=+$();${=}=${;};${+}=++${;};${@}=++${;};${.}=++${;};${[}=++${;}; ${]}=++${;};${(}=++${;};${)}=++${;};${&}=++${;};${|}=++${;}; ${"}="["+"$(@{})"[${)}]+"$(@{})"["${+}${|}"]+"$(@{})"["${@}${=}"]+"$?"[${+}]+"]"; ${;}="".("$(@{})"["${+}${[}"]+"$(...

CTF导航

Analysis of Cobalt Strike's DLL Stager. Penetration techniques, 2 days ago, admin. Analysis process: generate a staged x64 DLL with CS and load it into IDA to analyze the DllMain function. DllMain: CreateThread starts a thread that calls sub_6BAC16B0, which calls sub_6BAC15B2. sub_6BAC16B0: passes the DLL handle from WinMain into sub_6BAC1605 and executes it. sub_6BAC1605: multiplies the number of milliseconds elapsed since system boot by 0x26AA and concatenates it to obtain the pipe name -> \\.\pipe\MSSE-%d-server (for example \\.\pipe\MSSE-1234-server). This pipe naming format is a well-documented Cobalt Strike indicator of compromise. 3. CreateThread starts a thread that calls the StartAddress function. StartAddress: calls sub_6BAC1440, passing in a pointer and the nNumberOfBytesToRead variable. sub_6BAC1440: CreateNamedPipeA creates the pipe, ConnectNamedPipe connects to the pipe, and once the connection succeeds WriteFile writes the shellcode into the pipe and CloseHandle closes the handle (once the she...

Embee Research

Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys. Extraction of Quasar C2 configuration via dnSpy, and using this information to pivot to additional servers utilising Shodan and Censys. Matthew, May 15, 2023. This analysis will cover the extraction of Quasar configuration via dnSpy. We'll then use this information to pivot to additional servers utilising Shodan and Censys. In total, 64 additional servers will be identified. A full list of the 64 Quasar ...

Identifying Amadey Bot Servers Using Shodan. Matthew, May 19, 2023. Analysing a suspicious IP address found in my previous post on Amadey Bot malware. Utilising Shodan and Censys to pivot to additional Amadey infrastructure. Here you'll see how to use a known C2 to craft additional queries based on HTML content and certificate information. In total, 12 unique servers will be identified. Original sample can be found here and original post here. (If you're just here for the ...

Identifying Laplas Infrastructure Using Shodan and Censys. Quick identification of Laplas infrastructure by utilising Shodan and Censys. Matthew, May 18, 2023. Various queries for locating potential Laplas infrastructure. Based on an IP found in a Laplas sample from Malware Bazaar. The full list can be found at the end of the post. Link to Sample. SHA256: 825b0080782dee075f8aac11c3a682f86c5d3aa5462bd16be0ed511a181d...

Fortinet

By Jin Lee | May 15, 2023 The FortiGuard Labs team discovered over 30 new zero-day attacks in PyPI packages (Python Package Index). These were found between late March and late April by monitoring an open-source ecosystem. In this blog, we will cover all the packages that were found, grouping them into similar attacks or behavior. Some of these sets may have been shown in a previous blog. 1. The packages in the following set were found to be similar: tls-bypass (version 1.0) zproxy (version 1.0)...

Igor Skochinsky at Hex Rays

Igal Lytzki at Toxin Labs

Kraken - The Deep Sea Lurker Part 1. Part 1 of analyzing the KrakenKeylogger malware. 5 minute read. Contents: Intro, The Phish, LNK Analysis, LECmd Tool, PowerShell Script, se1.hta, .NET Loader, Stage 1, Stage 2, Kraken Payload, K...

John Hammond

YouTube video

Mellvin S at K7 Labs

AMOS (MacOS Stealer). By Mellvin S, May 15, 2023. Categories: mac malware, Stealer, Trojan. In the last week of April 2023, it was reported on Twitter that a new malware was being offered through a Telegram channel as "Atomic MacOS Stealer". Many samples of this malware were found on the internet. Figure 1 – Atomic MacOS Stealer. Most of these samples were masquerading as installers of various applications like Tor Browser, Photoshop CC, Notion, and FL Studio. Figure 2 – Am...

Karlo Licudine at AccidentalRebel

May 20, 2023, in packers, malware, machine_learning, ml, update, vgl4nt. TLDR: The packed-malware machine learning classifier could previously identify only 10 packers. The solution was a customized version of model ensembling, which is to train multiple models and resolve their results. It works with the slight caveat of more extended training and processing, which I could happily live with. I recently presented VGL4NT, my tool that uses machine learning to classify packed malware, at Black Hat Middle East and Af...

Kyle Cucci at SecurityLiterate

Lucija Valentić at ReversingLabs

ReversingLabs researchers discovered two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected. Blog author: Lucija Valentić, Software Threat Researcher, ReversingLabs. While regularly combing through packages available on public repositories such as npm and PyPI, ReversingLabs researchers encounter packages with different combinations of behaviors and characteristics. These behaviors and characteristics might n...

S2W Lab

Detailed Analysis of AlphaSeed, a new version of Kimsuky's AppleSeed written in Golang. Published in S2W BLOG, 19 min read. Author: BLKSMTH | S2W TALON. Last Modified: May 17, 2023. Executive Summary: Around May 2023, S2W's threat research and intelligence center Talon hunted on VirusTotal a sample presumed to be new malware from the Kimsuky group and analyzed it. The hunted malware has the cookie values required for Naver login embedded in it, and performs the login with ChromeDP, a client program that supports using the Chrome DevTools protocol. S2W Talon, inside the malware, the string "E:/Go_Project/src/alpha...

Leonid Bezvershenko, Georgy Kucherin, and Igor Kuznetsov at Securelist

APT reports, 19 May 2023. Contents: Initial findings; Digging into the orchestrator; Encryption and communication; Module arsenal; Back to 2017; Attribution magic; So what?; Indicators of compromise. In March 2023, we uncovered a previously unknown APT campaign in the region of the Russo-Ukrainian conflict that involved the use of PowerMagic and CommonMagic implants. However, at the time it was not clear which threat actor was behind ...

Trend Micro

Water Orthrus’s interests, from personal information to cryptocurrency, and now targeting credit card information. A proactive approach on security can help organizations protect their devices against these types of threats. Trend Micro Apex One™ employs a variety of threat detection capabilities, notably behavioral analysis that protects against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless threats. Additionally, the Apex One Endpoint Sensor provid...

We observed the threat actor group known as "8220 Gang" employing new strategies for their respective campaigns, including exploits for the Linux utility "lwp-download" and CVE-2017-3506, an Oracle WebLogic vulnerability. By: Sunil Bharti, May 16, 2023. 8220 Gang (also known as "8220 Mining Group," derived from their use of port 8220 for command and control or C&C communications exchange) has been active since 2017 and continues to scan for vulnerable ap...

An overview of the Lemon Group's use of preinfected mobile devices, and how this scheme is potentially being developed and expanded to other internet of things (IoT) devices. This research was presented in full at the Black Hat Asia 2023 Conference in Singapore in May 2023. By: Fyodor Yarochkin, Zhengyu Dong, Paul Pajares, May 17, 2023. Following a report of mobile devices being used for a fraud campaign, we analyzed one of the devices preloaded with two...

This is the first part of our security analysis of an information stealer targeting GitHub Codespaces (CS) that discusses how attackers can abuse these cloud services for a variety of malicious activities. By: Nitesh Surana, Jaromir Horejsi, May 19, 2023. Cloud-based developer environments allow developers to virtually code from anywhere and start right from their smartphones, tablets, or any device with a browser and an internet connection. GitHub Codes...