Analysis Notes

A place to note down things from trying my hand at malware analysis, and things that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 24 – 2023 - MALWARE

This entry was auto-generated and posted to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Any.Run

June 8, 2023 Malware Analysis News: May 2023 Welcome to the May 2023 edition of our monthly malware analysis news report. We’ve gathered some of the most important cybersecurity events that transpired over the past month. Read on to make sure you’re not ...

ASEC

AhnLab Security Emergency response Center (ASEC) has been uploading a summary of weekly malware statistics every week. //asec.ahnlab.com/en/53647/ This post will cover how EDR is used to detect, track, and respond to AgentTesla, an Infostealer continuously being distributed among the malware mentioned in the post above. AgentTesla is an Infostealer that steals user credentials saved in web browsers, emails, and FTP clients. AhnLab’s EDR products detect certain types of PE files accessing user ac...

AhnLab Security Emergency response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 22nd, 2023 (Monday) to May 28th, 2023 (Sunday). For the main category, Infostealer ranked top with 52.5%, followed by downloader with 38.1%, backdoor with 6.4%, ransomware with 2.5%, and CoinMiner with 0.4%. Top 1 – Amadey This week, Amadey Bot ranked first place with 29.7%. Amadey is a downloader that ...

On June 2nd, the Korean NIS (National Intelligence Service), NPA (National Police Agency), and MOFA (Ministry of Foreign Affairs) released a joint security advisory regarding the spear phishing attacks of North Korea’s Kimsuky group with the US FBI (Federal Bureau of Investigation), DoS (Department of State), and NSA (National Security Agency). The government agencies stated that the act was done to raise awareness of members of global think tanks, academic institutions, and media companies on C...

AhnLab Security Emergency response Center (ASEC) has identified that malware disguised as a job application letter is continuously being distributed. This malware is equipped with a feature that checks for the presence of various antivirus processes including a process with AhnLab’s product name (V3Lite.exe) and is being distributed through malicious URLs designed to resemble a Korean job-seeking website. Below are the discovered download URLs. hxxps://manage.albamon[.]info/download/20230201good...

In this report, we cover nation-led threat groups presumed to conduct cyber intelligence or destructive activities under the support of the governments of certain countries, referred to as “Advanced Persistent Threat (APT) groups” for the sake of convenience. Therefore, this report does not contain information on cyber criminal groups aiming to gain financial profits. We organized analyses related to APT groups disclosed by security companies and institutions during the previous month; however, ...

This trend report on the deep web and dark web of April 2023 is sectioned into Ransomware, Forums & Black Markets, and Threat Actor. We would like to state beforehand that some of the content has yet to be confirmed to be true. Ransomware ALPHV (BlackCat) Akira CipherLocker LockBit Money Message Forum & Black Market Closing of Genesis Market After the Closing of Breached Forums Threat Actor Bassterlord’s Retirement Hacktivist Group’s Activity ATIP_2023_Apr_Deep Web and Dark Web Threat Trend Repo...

This report provides statistics on new ransomware samples, attacked systems, and targeted businesses in April 2023, as well as notable ransomware issues in Korea and overseas. Other major issues and statistics for ransomware that are not mentioned in the report can be found by searching for the following keywords or via the Statistics menu at AhnLab Threat Intelligence Platform (ATIP). Ransomware Statistics by Type The number of ransomware samples and targeted systems are based on the detection ...

Following the recent abuse of vulnerabilities in various malware distributions and attacks, it is becoming more crucial to detect said information early on. Zero-day and other various vulnerabilities are typically spread faster through social networks. AhnLab provides the trend of current vulnerabilities through the ATIP service based on the information collected by the in-house infrastructure. Additionally, ATIP offers information on said vulnerabilities’ characteristics and countermeasures thr...

The Kimsuky group’s activities in April 2023 showed a decline in comparison to their activities in March, falling under half the number of the previous month. Korean domains were used for FlowerPower like before without major changes, and the RandomQuery type also remained the same. Lastly, we confirmed that the domain responsible for distributing AppleSeed has been spreading the Google Chrome Remote Desktop setup script. Also, the dropper file and AppleSeed file used different argument values, ...

AhnLab Security Emergency response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 29th, 2023 (Monday) to June 4th, 2023 (Sunday). For the main category, downloader ranked top with 40.1%, followed by Infostealer with 39.5%, backdoor with 13.6%, CoinMiner with 4.1%, and ransomware with 2.7%. Top 1 – AgentTesla AgentTesla is an Infostealer that ranked first place with 21.4%. It leaks us...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from May 21st, 2023 to May 27th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineer...

Ben Herzog Check Point

CTF导航

CobaltStrike analysis - beacon parsing. This article analyzes in detail the loading process of the CS beacon payload. 1. beacon loader. 1.1 Static analysis. Reversing in IDA, the address of the main function is easy to find at the entry point; before modification it is 403040. Focus on sub_4017F8(). Based on some characteristics, a string buffer is generated from a format string with random elements, and at the same time a new thread is created that executes the function sub_4016E6. Look directly at sub_401630. A named pipe is created using the buffer generated above as its name, followed by a check: if the named pipe was created successfully, the ConnectNamedPipe function waits for a client to connect to the pipe. Once a client has connected, the WriteFile function writes the shellcode data into the connected named pipe. If the write succeeds, the pointer lpBuffer and the remaining number of bytes to write, nNumberOfBytesToWrite, are updated. Here lpBuffer is the pointer to the data to be written, &dword_404020[5]. Return value: what sub_4017F8 returns is a function, sub_4017A6(0i64). A block of memory is allocated, and then it waits for s...

Exposing the GoldenJackal APT group. GoldenJackal is an APT group active since 2019 that usually targets government and diplomatic entities in the Middle East and South Asia. Although they began their activity several years ago, the group does not appear to have been described in detail. Researchers at Kaspersky Lab began monitoring the group in mid-2020 and observed that it is an extremely professional group. The group mainly develops .NET malware and a specific toolset including JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher, whose purposes are: controlling victim computers; spreading across systems that use removable drives; stealing certain files from infected systems; stealing credentials; collecting information about the local system; collecting information about users' network activity; taking screenshots of the desktop. Based on the toolset and the attackers' behavior, the researchers believe the main motive of the GoldenJackal APT group is espionage. Attack vectors: the researchers found the attackers impersonating a Skype installer and using malicious Word documents. Another known attack vector is a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploi...

Red Team Tool Research - SliverC2 Stager Research (Part 1). This article introduces the Sliver Stager, progressing from principles and concepts and an introduction to its use to three ways of writing a custom Stager, plus a demonstration of execution results, an analysis of the communication traffic, and a write-up of two detection-evasion attempts. 1. Background and concepts. Stager here refers to a staged executor; its core role is to download the Sliver shellcode from the C2 server and then check in to Sliver C2. A staged executor has two advantages: first, the uploaded file is small; compared with the native Sliver implant at 10+ MB, a Stager is usually only a few KB; second, the Sliver shellcode delivered through the Stager runs directly in memory, so no file touches disk and static scanning is avoided. Official documentation on the topic - Stage...

Analysis of an APT-C-55 (Kimsuky) campaign distributing Quasar RAT using "birthday greetings" as a lure. APT-C-55 (Kimsuky), also known as Mystery Baby, Baby Coin, Smoke Screen, BabyShark, Cobra Venom and other names, was first disclosed by Kaspersky in 2013. The group has long targeted South Korean think tanks, government and diplomatic bodies, news organizations, and educational and academic institutions; over the past few years it has expanded its targets to countries including the United States, Russia and Europe, mainly to steal sensitive information. The 360 Advanced Threat Research Institute recently observed APT-C-55 carrying out attacks with CHM files carrying "birthday greeting" lure messages, successfully delivering Quasar RAT to obtain users' sensitive information. Quasar RAT is an open-source remote access trojan (RAT) written in .NET that mainly targets Windows. It has powerful remote control capabilities, including remote desktop access, file and system management, keylogging, password recovery and a remote shell. Its high stealth and rich functionality make it a tool commonly used by attackers. Protective measures include keeping...

An investigation of Sliver C2. Introduction: This article aims to investigate the basic features of Sliver C2 and organize how it differs from other tools such as Metasploit. After introducing the basic features, I will try actually solving a Hack The Box machine with Sliver C2. Overview: Sliver C2 is a C2 framework created by Bishop Fox, a post-exploitation tool that provides functionality similar to Cobalt Strike and Metasploit. The name apparently comes from the Sliver creature type(?) in MTG. Links: Bishop Fox: //bishopfox.com/ SliverC2 GitHub: //github.com/BishopFox/sliver SliverC2 Wiki: //github.com/BishopFox/sliver/wiki/ SliverC2 releases: //github.com/BishopFox/sliver/releases About the environment: Setup...

AgentTesla - Full Loader Analysis - Resolving API Hashes Using Conditional Breakpoints. Summary: This article covers the analysis of a multi-stage AgentTesla loader. The loader utilizes a Nullsoft package to drop an exe-based loader and multiple encrypted files. We'...

APT-C-63 (沙鹰) attack detection tool released. APT-C-63 (沙鹰) is a previously unknown APT group captured by the 360 Advanced Threat Research Institute in 2022 (mentioned in the 2022 annual report); the group has remained under continuous monitoring and analysis, and details have not yet been publicly disclosed. Recently, Kaspersky Lab disclosed an APT campaign named "Triangulation", in which an unknown attacker used Apple zero-day vulnerabilities to carry out a series of sophisticated targeted attacks against a large number of mobile devices, and Kaspersky is seeking more threat intelligence leads worldwide. To promote industry collaboration on threat intelligence and better respond to increasingly complex APT attacks, we are sharing more of the information we hold on this APT campaign: we have noted that the "Triangulation" campaign discovered by Kaspersky Lab is linked to the APT-C-63 (沙鹰) group. The platforms targeted are not limited to Apple iOS; we have captured sophisticated attack behavior on the Windows side. Given the complexity of this APT campaign, we urgently developed and released a detection tool for attacks on Windows endpoints. The tool can help users discover and eliminate potential APT backdoors; users can install and run the self-check tool as their situation requires. Government and enterprise users are recommended, while downloading the detection tool, to also download and use 3...

Debugactiveprocess

[UPDATE] FantasyMW(v2) Android Banking Trojan resurfaces with new targets. By movq %rax,%rax, published in OpenCTI.BR. In a previous post we detailed how FantasyMW works and behaves; recently the threat actor made some changes to how the overlay works and executes. Below we detail the relevant changes and other important functions. One of the main points was the number of targeted banks, which grew substantially, ...

Gi7w0rm

DynamicRAT — A full-fledged Java Rat. Hello everyone, welcome back to one of my sporadical blog posts. Due to some fortunate circumstances, I finally have the honor to name my very first malware family. Here is how it happened: On Tuesday, 06.06.2023, I was notified by one of my infosec colleagues, Fate, about a strange “.jar” file he had found in his network. While execution had been prevented through the AV, the file did stick out, because when look...

Yuma Masubuchi at JPCERT/CC

増渕 維摩(Yuma Masubuchi) June 6, 2023 How to Create F.L.I.R.T Signature Using Yara Rules for Static Analysis of ELF Malware It has been observed that ELF malware removes symbol information during its build. This creates extra work in malware analysis to identify each function name because you do not know them. In addition, in IDA, an analysis tool, existing F.L.I.R.T signatures [1] (hereafter abbreviated as FLIRT signatures in this article) are often not applicable to ELF malware functio...

Łukasz

Dismantling spyware disinformation campaigns: lessons from the chaos. In early 2022, just as the pandemic was beginning to get a bit more manageable and we could all see the light at the end of the tunnel, I spotted a Twitter user sharing misguided information on Pegasus — a mercenary spyware developed by a company called NSO. Since then I found myself in the centre of a disinformation storm, trying to juggle dealing with personal attacks and providing...

Haim Zigel and Oleg Kupreev at Securelist

Malware descriptions, 05 Jun 2023. Authors: Haim Zigel, Oleg Kupreev. Contents: Satacom technical analysis; The payload: malicious browser extension; Malicious extension analysis; Victims; Conclusions; Appendix I – Indicators of Compromise; Appendix II – MITRE ATT&CK Mapping. Satacom downloader, also known as LegionLoader, is a renowned malware family that emerged in 2019. It is known to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the next sta...

Priyadharshini Balaji at Security Investigation

Wireshark Filters for Security Analyst | How to Perform Static Code Analysis on Packed Malware? | How to Detect Malware Hijacking Digital Signatures | Densityscout – Entropy Analyzer for Threat Hunting and Incident Response | IOC Phishing Scam Alert: Fraudulent Emails Requesting to Clear Email Storage Space… | Vidar Infostealer Malware Returns with new TTPS – Detection & Response | New WhiskerSpy Backdoor via Watering Hole Attack - Detection & Response | RedLine Stealer returns with New TTPS – Detection & Res...

Squiblydoo

Understanding PE Bloat with Malcat. Posted by squiblydoo, June 5, 2023. Tags: analysis, malware, VM, PowerShell, Solarmarker, deepdive, registry, backdoor, infostealer, Polazert, malcat. I recently released a tool called Debloat. The purpose of Debloat is to remove junk bytes from bloated executables. … If you are unfamiliar: there is a trend where many threat actors add 100 – 900 MB (or even up to 3 GB) of junk bytes to their malware to prevent analysis. This junk, or bloat as I c...

Peter Girnus and Aliakbar Zahravi at Trend Micro

We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities. By: Peter Girnus, Aliakbar Zahravi June 09, 2023 In our recent investigation, we discovered the use of heavily obfuscated batch files utilizing the advanced BatCloak engine to deploy various malware families at different instances. Running ...

Wladimir Palant at ‘Almost Secure’

2023-06-05 security/privacy/add-ons/google It isn’t news that the overwhelming majority of ad blockers in Chrome Web Store is either outright malicious or waiting to accumulate users before turning malicious. So it wasn’t a surprise that the very first ad blocker I chose semi-randomly (Adblock Web with 700,000 users) turned out malicious. Starting from it, I found another malicious extension (Ad-Blocker, 700,000 users) and two more that have been removed from Chrome Web St...

2023-06-08 security/privacy/add-ons/google We’ve already seen Chrome extensions containing obfuscated malicious code. We’ve also seen PCVARK’s malicious ad blockers. When looking for more PCVARK extensions, I stumbled upon an inconspicuous extension called “Translator - Select to Translate.” The only unusual thing about it were its reviews, lots of raving positive reviews mixed with usability complaints. That, and the permissions: why does a translator extension need ...

Zhassulan Zhussupov

Malware development trick - part 31: Run shellcode via SetTimer. Simple C++ example. ﷽ Hello, cybersecurity enthusiasts and white hackers! This article is the result of my own research into the next interesting trick: run shellcode via SetTimer function. SetTimer The SetTimer function is a part of the Windows API. It is used to create a timer with a specified time-out value. Here is its basic syntax: UINT_PTR SetTimer( HWND hWnd, UINT_PTR nIDEvent, UINT uElapse, TIMERPROC lpTimerFu...

Malware development trick - part 32. Syscalls - part 1. Simple C++ example. ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research and the start of a series of articles about one of the most interesting tricks: Windows system calls. syscalls Windows system calls or syscalls provide an interface for programs to interact with the operating system, allowing them to request specific services such as reading or writing to a file, creating a new ...

Malware development trick - part 33. Syscalls - part 2. Simple C++ example. ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research and the second post in a series of articles about Windows system calls. userland hooking Security software often implements a technique known as API hooking on system calls, which allows these tools to inspect and monitor the behavior of applications while they are running. This capability can provide vital insi...