解析メモ

マルウェア解析してみたり解析に役に立ちそうと思ったことをメモする場所。このサイトはGoogle Analyticsを利用しています。

4n6 Week 26 – 2023 - MALWARE

本エントリは This Week in 4n6 (FourAndSix=Forensics) で紹介された各記事の冒頭を表示し、チェックする記事をザッピングするために自動生成&投稿したものです。4n6 は こちら からご確認いただけます。

MALWARE

Any.Run

June 22, 2023 Add comment 943 views 15 min read HomeMalware AnalysisGh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery Recent posts Gh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery 943 0 Help Us Find New Malware by Submitting Threats and Samples 690 0 Malware Analysis News: May 2023 1751 0 HomeMalware AnalysisGh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery Electron Leading malware analyst at A...

ASEC

AhnLab, in collaboration with the National Cyber Security Center (NCSC) Joint Analysis and Consultation Council, has recently uncovered the attack of a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software. A brief description of the software is provided below in the table. Figure 1. Installer disguised as Security Upgrade Inno SetupA program developed by JrSoftware that serv...

AhnLab Security Emergency response Center (ASEC) has discovered instances of websites created by a certain Korean website development company being targeted by attacks and being used to distribute malware. This specific website development company has created websites for a wide range of companies including manufacturing, trade, electrical, electronics, education, construction, medical, and travel industries. The breached websites were used to distribute malware, and they were also used to perfo...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from June 4th, 2023 to June 10th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social enginee...

Malware that are being distributed disguised as cracks are evolving. In the past, malware was simply distributed as the executable itself. However, there was a gradual shift towards also including normal files within a compressed file. More recently, there was a sample where a normal installer was downloaded and executed. If the malware is executed in an ordinary user environment, the encrypted malware file is downloaded from the threat actor’s server and executed. The malware in this instance i...

AhnLab Security Emergency response Center (ASEC) has recently discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner. When looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS bots or CoinMiners. DDoS bot has been covered...

  1. Overview RedEyes (also known as APT37, ScarCruft, and Reaper) is a state-sponsored APT group that mainly carries out attacks against individuals such as North Korean defectors, human rights activists, and university professors. Their task is known to be monitoring the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered the RedEyes group distributing and using an Infostealer with wiretapping features that was previously unknown along with a b...

AhnLab Security Emergency response Center (ASEC) has continuously been tracking the Kimsuky group’s APT attacks. This post will cover the details confirmed during the past month of May. While the Kimsuky group often used document files for malware distribution, there have been many recent cases where CHM files were used in distribution. Also, unlike in the past when the document files contained North Korea-related topics, the group is now attempting to attack using a variety of subjects. (1) Cas...

AhnLab Security Emergency response Center (ASEC) has recently discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that has been discovered so far are Remcos RAT and Mallox. The distributions include cases that use PowerShell and sqlps. The sqlps distribution wa...

Avertium

June 21, 2023 Executive Summary Threat actors continually innovate and adapt their tactics to deliver malware through phishing campaigns, often leveraging widely used software. Media coverage has highlighted the increased use of OneNote files as a first stage dropper to infect victim endpoints. Several threat families including IcedID, QakBot, AsyncRat, AgentTesla, have been observed abusing OneNote documents. To address this emerging infection vector, Avertium’s threat hunters have been studyin...

CISA Analysis Reports

MAR-10365227-3.v1 - Impacket 3 Release DateOctober 05, 2022 Alert CodeAR22-277C Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Disclosure is not limited. Sources may use TLP:CLEAR when information carrie...

Release DateJune 15, 2023 Alert CodeAR23-166A Summary Description CISA received three files for analysis. The files included three webshells written in PHP: Hypertext Preprocessor (PHP), Active Server Pages Extended (ASPX), and .NET Dynamic-Link Library (DLL). The sample “sd.php” is highly obfuscated and uses rot13 algorithm, zlib for compression and base64 encoding for obfuscation. The “osker.aspx” webshell code was padded with junk code. The .NET DLL webshell is a .NET compiled version of oske...

MAR-10365227-2.v1 - Impacket 2 Release DateOctober 05, 2022 Alert CodeAR22-277B Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Disclosure is not limited. Sources may use TLP:CLEAR when information carrie...

MAR-10365227-1.v1 - Impacket Release DateOctober 05, 2022 Alert CodeAR22-277A Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Disclosure is not limited. Sources may use TLP:CLEAR when information carries ...

Release DateMarch 15, 2023 Alert CodeAR23-074A Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk ...

Release DateApril 20, 2023 Alert CodeAR23-110A Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk ...

Cryptax

Inside KangaPack: the Kangaroo packer with native decryption@cryptax·Follow6 min read·2 days ago--ListenShareIn this blog post, we unpack a malicious sample sha256: 2c05efa757744cb01346fe6b39e9ef8ea2582d27481a441eb885c5c4dcd2b65b . The core decryption of the payload is implemented at native level. I named the packer KangaPack (you’ll understand why when reading this article), it also goes under the name Packed.57103, I am unaware of any other name.Teaser: from decompiled code, we’ll see exactly ...

Shaul Vilkomir-Preisman and Mark Vaitzman at Deep Instinct

Shaul Vilkomir-PreismanThreat Intelligence ResearcherMark VaitzmanThreat Lab Team LeaderDeep Instinct Threat LabDeep Instinct’s Threat Research Lab recently noticed a new strain of a JavaScript-based dropper that is delivering Bumblebee and IcedID. The dropper contains comments in Russian and employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia.Bumblebee is a malware loader first discovered in March 2022. It was associate...

Matthew at Embee Research

Embee Research Home Reversing Threat Intel Index About Sign in Subscribe Analysis SmokeLoader - Malware Analysis and Decoding With Procmon Decoding malware loaders using Procmon and Cyberchef. Utilising Powershell to retrieve additional payloads and free online tooling to identify the malware family. Matthew Jun 24, 2023 • 8 min read This post will show you how to manually decode a SmokeLoader visual basic (.vbs) script using Procmon. From here you will see how to retrieve additional stages usin...

Fortinet

By Axelle Apvrille | June 21, 2023 Android/Fluhorse is a recently discovered malware family that emerged in May 2023. What sets this malware apart is its utilization of Flutter, an open-source SDK (software development kit) renowned among developers for its ability to build applications compatible with Android, iOS, Linux, and Windows platforms using a single codebase. While previous instances of threat actors using Flutter for malware exist, such as MoneyMonger, they actually used Flutter for i...

Ransomware Roundup - Black Basta By James Slaughter and Shunichi Imano | June 22, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers the Black Basta rans...

Igor Skochinsky at Hex Rays

Aaron Hoffmann at ReversingLabs

Blog Author Aaron Hoffmann, SOAR Architect at ReversingLabs. Read More... Integrating threat intelligence into a security operations center (SOC) investigation process can be challenging. Teams unfamiliar with incorporating threat intelligence into their systems often employ indicators of compromise as mere checklists. While this is acceptable, a wealth of additional context could prove valuable during the investigation process. Teams utilizing Microsoft Sentinel as their Security Information an...

Securelist

Malware descriptions 21 Jun 2023 minute read Table of Contents Meet TriangleDBC2 communicationsTriangleDB commandsOdd findingsTo be continuedTriangleDB indicators of compromise Authors Georgy Kucherin Leonid Bezvershenko Igor Kuznetsov Over the years, there have been multiple cases when iOS devices were infected with targeted spyware such as Pegasus, Predator, Reign and others. Often, the process of infecting a device involves launching a chain of different exploits, e.g. for escaping the iMessa...

Malware reports 22 Jun 2023 minute read Table of Contents IntroductionPhishing and a kitLockBit GreenMulti-platform LockBitConclusion Authors GReAT Introduction In recent months, we published private reports on a broad range of subjects. We wrote about malware targeting Brazil, about CEO fraud attempts, Andariel, LockBit and others. For this post, we selected three private reports, namely those related to LockBit and phishing campaigns targeting businesses, and prepared excerpts from these. If y...

SentinelOne

Phil Stokes / June 21, 2023 In the previous post in this series, we looked at powering up radare2 with aliases and macros to make our work more productive, but sometimes we need the ability to automate more complex tasks, extend our analyses by bringing in other tools, or process files in batches. Most reverse engineering platforms have some kind of scripting engine to help achieve this kind of heavy lifting and radare2 does, too. In this post, we’ll learn how to drive radare2 with r2pipe and ta...

Ax Sharma at Sonatype

June 22, 2023 By Ax Sharma 3 minute read time SHARE: This month, Sonatype’s automated malicious open source and malware detection systems flagged hundreds of malicious packages, 10 of which we have analyzed in this blog post. From packages employing obfuscation seen before, to those named after the well-known npm “colors” library but dropping trojans – our findings from this month comprise a variety of open source threats. The malicious packages named after npm library “colors,” are ironically P...

Ben Martin at Sucuri

Zhassulan Zhussupov

Malware AV/VM evasion - part 17: bypass UAC via fodhelper.exe. Simple C++ example. 4 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! This post appeared as an intermediate result of one of my research projects in which I am going to bypass the antivirus by depriving it of the right to scan, so this is the result of my own research on the first step, one of the interesting UAC bypass trick: via foodhelper.exe with registry modification. registry modification The process of modify...

Shatak Jain and Gurkirat Singh at ZScaler

THE ZSCALER EXPERIENCE THE ZSCALER EXPERIENCE Learn about: Your world, secured. Zero Trust Security Service Edge (SSE) Secure Access Service Edge (SASE) Zero Trust Network Access (ZTNA) Secure Web Gateway (SWG) Cloud Access Security Broker (CASB) Cloud Native Application Protection Platform (CNAPP) PRODUCTS & SOLUTIONS PRODUCTS & SOLUTIONS Secure Your Users Secure Your Workloads Secure Your IoT and OT Secure Internet Access (ZIA) Secure Private Access (ZPA) Data Protection (CASB/DLP) Digital Exp...