Analysis Memo

A place to note things from trying my hand at malware analysis, and anything that seems useful for analysis.

4n6 Week 25 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that I can skim them and pick which ones to check. 4n6 itself can be found here.

MALWARE

Abdallah Elshinbary

5 minute read. Contents: Writing the deobfuscation script; Step 1: Importing libs and loading the .NET file; Step 2: Finding suspected decryption methods; Step 3: Finding references to suspected methods; Step 4: Patching; Step 5: Saving; Testing and final notes. Welcome back! This is a short blog post about reverse engineering dotnet malware. When working with dotnet malware samples I always come across samples with obfuscated strings, which makes analysis harder. My go-to way to handle this situ...

ASEC

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from May 28th, 2023 to June 3rd, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineer...

AhnLab Security Emergency response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from June 5th, 2023 (Monday) to June 11th, 2023 (Sunday). For the main category, Infostealer ranked top with 44.6%, followed by downloader with 43.9%, backdoor with 9.5%, and ransomware with 2.0%. Top 1 – Amadey This week, Amadey Bot ranked first place with 30.4%. Amadey is a downloader that can receive commands...

As covered before here on the ASEC Blog, the Lazarus threat group exploits the vulnerabilities of INISAFE CrossWeb EX and MagicLine4NX in their attacks. New Malware of Lazarus Threat Actor Group Exploiting INITECH Process (Apr 26, 2022) A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique (Oct 31, 2022) While monitoring the activities of the Lazarus threat group, AhnLab Security Emergency response Center (ASEC) recently discovered that ...

c3rb3ru5d3d53c

YouTube video

Hex Rays

InfoSec Write-ups

John B., published in InfoSec Write-ups, May 14 (5 min read). LetsDefend — Blue Team Training Platform. Introduction: In this LetsDefend Dynamic Malware Analysis walkthrough part 2, we will use Wireshark, Process Hacker, AnyRun, and CyberChef to conduct dynamic malware analysis. What is Process Hacker? Process Hacker is a free and open-source process viewer and system monitoring utility for Windows operating systems. It provides users with advanced features and functionality to manage and ...

John B., published in InfoSec Write-ups, May 12 (7 min read). LetsDefend — Blue Team Training Platform. Introduction: In this LetsDefend Dynamic Malware Analysis walkthrough, we will use tools like Wireshark and Process Monitor (Procmon) to conduct dynamic malware analysis. What is dynamic malware analysis? Dynamic malware analysis is the analysis and understanding of the behavior of malware. It involves executing the malware in a controlled environment, such as a virtual machine or a sand...

Shreya T, published in InfoSec Write-ups, Dec 29, 2022 (11 min read). Malware is the most serious concern to all organizations or individuals, and can cause significant threats to a server, host system, or network infrastructure. Types of malware are Backdoor, Botnet, Downloaders, Information-stealer, Launcher, Rootkits, Scareware, Adware, and the list goes on and on. Now there are three types of plans to understand and investigate malware: Static analysis; Dynamic analysis; Hybrid analy...

Darren Spruell, Chase Sims, and Brett Stone-Gross at InQuest

Posted on 2023-06-15 by Darren Spruell and Chase Sims, InQuest, and Brett Stone-Gross, Zscaler. Key Points: Mystic Stealer is a new information stealer that was first advertised in April 2023. Mystic steals credentials from nearly 40 web browsers and more than 70 browser extensions. The malware also targets cryptocurrency wallets, Steam, and Telegram. The code is heavily obfuscated, making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants. Mystic imple...
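The excerpt above lists hash-based import resolution among Mystic Stealer's obfuscation techniques. The script below is an added example written for this page, not code from the InQuest/Zscaler report or from the malware itself: it shows how an analyst resolves such hashes by precomputing a table over known export names and looking up the values pulled from a sample. The hash function (a ROR13 rolling hash over the ASCII bytes of the name) and the export list are assumptions chosen for illustration; the real algorithm, any seed, and any case normalisation in a given sample have to be recovered from its code before a table like this can be applied to it.

```python
# Added example (not from the original article or from Mystic Stealer):
# resolving hash-based imports by precomputing a hash table over known
# export names. The hash function is the classic ROR13 rolling hash, an
# illustrative assumption; a real sample may use a different algorithm,
# seed, or case handling, which the analyst must recover from the code.

def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Hash an export name the way a ROR13 resolver does: for each byte,
    rotate the running hash right by 13 and add the byte (mod 2^32)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def build_table(exports_by_dll):
    """Map hash -> (dll, export) for every known export name."""
    table = {}
    for dll, names in exports_by_dll.items():
        for n in names:
            table[ror13_hash(n)] = (dll, n)
    return table


def resolve(hashes, table):
    """Resolve each hash observed in the sample. Unknown values are reported
    explicitly, so a wrong algorithm or an incomplete export list is visible
    instead of silently dropped."""
    return [table.get(h, ("?", f"unresolved:{h:#010x}")) for h in hashes]


# Constructed export list: a handful of names a stealer commonly resolves.
# A real table would be built from the export directories of the DLLs.
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW"],
    "advapi32.dll": ["CryptUnprotectData"],
    "wininet.dll": ["InternetOpenA", "HttpSendRequestA"],
}

TABLE = build_table(KNOWN_EXPORTS)

# Constructed stand-in for "hashes carved out of a sample": two computed
# from names above, plus one value deliberately absent from the table to
# exercise the unresolved path.
SAMPLE_HASHES = [
    ror13_hash("GetProcAddress"),
    ror13_hash("CryptUnprotectData"),
    0xDEADBEEF,
]

if __name__ == "__main__":
    for h, (dll, name) in zip(SAMPLE_HASHES, resolve(SAMPLE_HASHES, TABLE)):
        print(f"{h:#010x} -> {dll}!{name}")
```

Keeping the unresolved entries in the output is deliberate: a run with many unknowns usually means the wrong hash algorithm or an incomplete export list, not an exotic API, and that is the first thing to check before trusting any of the resolved names.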

Kyle Cucci at SecurityLiterate

Malvuln

YouTube video

Rintaro Koike at NTT Security Japan

Rintaro Koike, June 12, 2023. This article was written by SOC analyst Rintaro Koike. Introduction: In February 2023 we reported that SteelClover's attacks were intensifying [1], but since the end of May 2023 we have observed somewhat irregular attack operations, and in step with them we have begun observing a new malware since early June 2023. We call the malware that SteelClover has newly started using PowerHarbor. It is modular malware written in PowerShell, and we have observed a module that steals credentials from browsers and other sources. We are researching PowerHarbor, but as of writing we have not been able to find traces of it outside this SteelClover campaign, so whether this malware is SteelClover's own or is being sold...

OALABS Research

Config Extractor for PrivateLoader, Jun 15, 2023 (14 min read). Tags: risepro, stealer, config, triage. Contents: Overview; References; Sample Analysis; Yara Rule; C2; String Decryption; X-Junior IDA Script; Andre Tavares Python Script; XorStr Library; String Extraction; Samples; Decryption Algorithm. Overview: According to FlashPoint, “RisePro” is a newly identified stealer written in C++ that appears to possess similar functionality to the stealer malware “Vidar.” RisePro targets potentially sensitive information on infected mac...

Lee Wei Yeong, Xingjiali Zhang, Yang Ji, Wenjun Hu and Royce Lu at Palo Alto Networks

By Lee Wei Yeong, Xingjiali Zhang, Yang Ji, Wenjun Hu and Royce Lu, June 15, 2023 (9 min read). Category: Malware. Tags: Advanced URL Filtering, Android, ChatGPT, Cortex XDR, DNS security, Meterpreter, next-generation firewall, Scams, WildFire. Executive Summary: Unit 42 researchers have observed a surge of malware written for the Android platform that is attempting to impersonate the popular ChatGPT application. ...

Securelist

Malware reports, 12 Jun 2023. Contents: Introduction; DoubleFinger stage 1; DoubleFinger stage 2; DoubleFinger stage 3; DoubleFinger stage 4; DoubleFinger stage 5; GreetingGhoul & Remcos; Victims & Attribution; Conclusion; Indicators of compromise. Authors: GReAT, Sergey Lozhkin. Introduction: Stealing cryptocurrencies is nothing new. For example, the Mt. Gox exchange was robbed of many bitcoins back in the beginning of the 2010s. Attackers such as those behind the Coinvault ransomware were after your Bi...

SOC, TI and IR posts, 15 Jun 2023. Contents: Results of the research; MaaS terminology and operating pattern. Authors: Kaspersky Security Services, Alexander Zabrovsky. Money is the root of all evil, including cybercrime. Thus, it was inevitable that malware creators would one day begin not only to distribute malicious programs themselves, but also to sell them to less technically proficient attackers, thereby lowering the threshold for entering the cybercriminal community. The Malwa...

Todyl

Detection & Response Team, 2023-06-15 (5 min read). Quick Facts on XWorm 4. What is XWorm? XWorm is feature-rich, commodity malware available on the dark web. A "Swiss Army Knife" malware strain, XWorm can perform clipper, DDoS, and ransomware operations. It can be spread via USB and drop additional malware. What did Todyl find? Todyl recently uncovered an attack leveraging XWorm 4, the latest known version of the malware. A 3rd party EDR was used with Todyl’s MXDR service, so we're uncertain of ...

Trellix

By Ernesto Fernández Provecho · June 13, 2023 In May 2023, the Trellix Advanced Research Center discovered a new Golang stealer, known as Skuld, that compromised systems worldwide, something that security researchers had also noticed. The usage of Golang, also known as Go, in malware development is still rare compared to other programming languages. But it has gained significant popularity in recent years due to simplicity, efficiency, and cross-platform compatibility, which lets malware creator...

VMRay

Lukas Stefanko at WeLiveSecurity

ESET researchers analyzed an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can receive commands to delete files. Lukas Stefanko, 15 Jun 2023, 11:30AM. ESET researchers have identified an updated version of Android GravityRAT spyware being distributed as the messaging apps BingeChat and Chatico. GravityRAT i...