Analysis Notes

A place to note things I tried while analyzing malware and things that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 28 – 2023 - MALWARE

This entry was generated and posted automatically to display the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. Some articles are summarized using Google Bard. 4n6 can be viewed here.

MALWARE

0day in {REA_TEAM}


Any.Run

Malware Analysis News: June 2023 (July 5, 2023, 8 min read). This is the June 2023 edition of ANY.RUN’s monthly malware analysis report, where we share key cybersecurity incidents from the last 30 days. In June, cybercrimina...

Arch Cloud Labs

Debugging with gdb - Fixing a NULL Pointer Dereference in dhcpcd. About the Project: Several tutorials exist on how to leverage the GNU Debugger (GDB) to debug misbehaving applications. However, a majority of these blogs just show commands to run that poke at memory addresses, and don’t show the process of resolving said bug. This blog post will walk through how I recently identified, tried to fix, and ultimately reported a bug in dhcpcd 10.0.1 via gdb. Identifying The Issue: The command line utili...

ASEC

AhnLab Security Emergency response Center (ASEC) has recently discovered that the Crysis ransomware’s threat actor is also using the Venus ransomware in the attacks. Crysis and Venus are both major ransomware types known to target externally exposed remote desktop services. [1] Actual logs from the AhnLab Smart Defense (ASD) infrastructure also show attacks being launched through RDP. Aside from Crysis and Venus, the threat actor also installed a variety of other tools such as Port Scanner and M...

This trend report on the deep web and dark web of May 2023 is sectioned into Ransomware, Forums & Black Markets, and Threat Actor. We would like to state beforehand that some of the content has yet to be confirmed to be true. Ransomware – ALPHV (BlackCat) – Akira – BianLian – RA Group – Royal Forum & Black Market – Drug-related Criminals Apprehended Through Information Collected Following the Shutdown of Monopoly Market – RaidForums’s Database Leaked Threat Actor – Wazawaka on the Wanted List AT...

This report provides statistics on new ransomware samples, attacked systems, and targeted businesses in May 2023, as well as notable ransomware issues in Korea and other countries. Other major issues and statistics for ransomware that are not mentioned in the report can be found by searching for the following keywords or via the Statistics menu at AhnLab Threat Intelligence Platform (ATIP). – Ransomware – Statistics by Type The number of ransomware samples and targeted systems are based on the d...

NetSupport RAT is being used by various threat actors. These are distributed through spam emails and phishing pages disguised as documents such as Invoices, shipment documents, and PO (purchase orders). Distribution via phishing pages has been covered on this Blog in the past. [1] AhnLab Security Emergency response Center(ASEC) discovered NetSupport RAT being distributed via a spear phishing email that has recently been in circulation. This post will cover the action flow from its distribution v...

The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows: Agrius, Andariel, APT28, APT29, APT-C-36 (Blind Eagle), Camaro Dragon, CloudWizard, Earth Longzhi (APT41), GoldenJackal, Kimsuky, Lazarus, Lancefly, OilAlpha, Red Eyes (APT37, ScarCruft), SideCopy, SideWinder, Transparent Tribe (APT36), Volt Typhoon (Bronze Silhouette). ATIP_2023_May_Threat Trend Report on APT Groups_20230609.

Kimsuky Threat Group Using Chrome Remote Desktop AhnLab Security Emergency response Center (ASEC) has recently discovered the Kimsuky threat group using Chrome Remote Desktop. The Kimsuky threat group uses not only their privately developed AppleSeed malware, but also remote control malware such as Meterpreter to gain control over infected systems. [1] Logs of the group using customized VNC or using remote control tools such as RDP Wrapper also continue to be detected. [2] This post will summari...

Following the recent abuse of vulnerabilities in various malware distributions and attacks, it is becoming more crucial to detect said information early on. Zero-day and other various vulnerabilities are typically spread faster through social networks. Based on the information collected through in-house infrastructure, trends on vulnerabilities currently in the spotlight are provided through ATIP services. Additionally, ATIP offers information on said vulnerabilities’ characteristics and counter...

The Kimsuky group’s activities in May 2023 had increased slightly in comparison to their activities in April. Also, new top-level domains (TLDs) have begun to be detected, and there were small changes to the codes. Figure 1. FQDN statistics by attack type in the last 3 months (Unit: each). ATIP_2023_May_Threat Trend Report on Kimsuky Group.

c3rb3ru5d3d53c

YouTube video

Cryptax

Eyes on Android/S.O.V.A botnet sample (cryptax, 4 min read). Summary: sample c1642ac3f729701223043b16ac2c6c5f64adc7080f474c181067b0f1335218f2; poses as a Minecraft app; malicious Android/S.O.V.A botnet client; packed; implemented in Kotlin; uses Retrofit2 for communication with C2; the C2 is down currently. An excellent analysis here. I try to highlight different aspects: how to unpack with Medusa; how the malware sets up on first launch; how to reverse Retrofit2 communications; support for encr...

Gi7w0rm

CloudEyE — From .lnk to Shellcode (Gi7w0rm, 12 min read). Hello and welcome back to another blog post. Today, we will look at the infection chain of a well-known malware loader called CloudEye (GuLoader). In recent years, this shellcode-based downloader has become a challenging piece of code to analyze. In fact, during conversations I had with several acknowledged reverse engineers, many of them pointed out that GuLoader is under active development to this day and that ever...

Igor Skochinsky at Hex Rays

InfoSec Write-ups

Demystifying PyInstaller | A Journey into Decompiling Python Executables (Serj N, published in InfoSec Write-ups, 4 min read). Introduction: PyInstaller is a popular tool used by developers to package Python applications into standalone executables. It simplifies the distribution of Python programs by bundling all the necessary dependencies and creating an executable file that can run independently on different systems. While it streamlines the distribution process, the natur...

Cybertech Maven (published in InfoSec Write-ups, 7 min read, Jun 29). Introduction: Malware, short for malicious software, encompasses many harmful programs designed to exploit vulnerabilities and compromise systems and sensitive information. Understanding the various forms of malware is crucial to establish robust cybersecurity measures and safeguard against any possible threats. This article explores ten common types of malware, shedding light on their characteristics, modes of operat...

OALABS Research

Walking the delivery chain from VBS to PS to DOTNET (Jul 2, 2023, 6 min read; tags: delivery, triage, powershell, vbs, dotnet). Contents: Overview; Samples; Analysis; Stage 1 - VBS Script; Stage 2 - PS Script; Stage 3; PS Script 1 - Kill Windows Defender; PS Script 2 - Bypass AMSI; AMSI Bypass; .NET Injector. Overview: We are going to analyze a multi-stage delivery chain that ends up delivering AsyncRAT. This delivery chain has multiple stages that are responsible for preparing the target host for the delivery of the malware suc...

Is this new stealer a fork of something we have seen before (Jul 6, 2023, 3 min read; tags: status recorder, stealer, config, triage). Contents: Overview; Panel Hunt; Samples; Prior Research; Analysis; Panel Analysis; Logo Overlap; Coincidence; Malware Identification; C2 Traffic; PDB Path; Hunting; Yara Rule. Overview: The name of this stealer is currently unknown but the C2 hosts a panel that is titled Status Recorder. We first became aware of this from a tweet by @Jane_0sint: UnkStealer🤷‍♀️ There is TitanStealer activity on...

Paolo

Malware configuration extraction from memory (Paolo, 6 min read). Every infrastructure for delivering content has its costs, so system engineers and their managers are constantly searching for cost-saving approaches to keep their infrastructures up and running within budget. The same concept also applies to malware developers and threat actors in general: basically, they spend time and resources building up a Malware Delivery Network exploiting tru...

Lucija Valentić at ReversingLabs

“Write once, infect everywhere” might be the new cybercrime motto, with newly discovered campaigns showing malicious npm packages powering phishing kits and supply chain attacks. Blog author: Lucija Valentić, Software Threat Researcher, ReversingLabs. Executive Summary: ReversingLabs researchers recently discovered more than a dozen malicious packages published to the npm open source repository that appear to target application end users while also supporting email phishing campaigns ...

RussianPanda

RussianPanda (tags: stealer, whitesnake, malware analysis, .NET). Case Study: WhiteSnake Stealer first appeared on hacking forums at the beginning of February 2022. The stealer collects data from various browsers such as Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, and CentBrowser. Besides browsing data, it also collects data from Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!, CoreFTP, WinSCP, AzireVPN,...

Ieriz Nicolle Gonzalez, Katherine Casona, Sarah Pearl Camiling at Trend Micro

We analyze the technical details of a new ransomware family named Big Head. In this entry, we discuss the Big Head ransomware’s similarities and distinct markers that add more technical details to initial reports on the ransomware. By: Ieriz Nicolle Gonzalez, Katherine Casona, Sarah Pearl Camiling, July 07, 2023. Reports of a new ransomware family and its variant named Big Head emerged in May, with at least two variants of this family being documented. U...

White Knight Labs

Kleiton Kurti, July 6, 2023. Developing Winsock Communication in Malware: Winsock is an API (Application Programming Interface) that provides a standardized interface for network programming in the Windows operating system. It enables applications to establish network connections and send and receive data over various protocols such as TCP/IP, UDP, and more. The flexibility and wide adoption of Winsock make it an attractive choice for malware authors seeking to establish covert com...

Kyle Avery, July 6, 2023. Mockingjay Memory Allocation Primitive: A new post from Security Joes brought attention to a process injection technique previously underutilized in offensive security. The RWX injection primitive, now dubbed “Mockingjay,” offers attackers an advantage to evade unbacked executable memory detection. The core idea behind this technique, reusing RWX regions from legitimate modules, is a valuable alternative to existing memory allocation and protection primitiv...

Avigayil Mechtinger at Wiz

July 5, 2023. How to get rid of AWS access keys – Part 2: Reducing Privileges (June 29, 2023).

Zhassulan Zhussupov

Malware development trick - part 34: Find PID via WTSEnumerateProcesses. Simple C++ example. ﷽ Hello, cybersecurity enthusiasts and white hackers! Today, I just want to focus my research on another malware development trick: enumerate processes and find a PID via WTSEnumerateProcesses. It is a common technique that can also be used by malware for AV evasion. WTSEnumerateProcessesA Win API: The WTSEnumerateProcessesA function is a Windows API function that retrieves information about the ac...

Niraj Shivtarkar and Preet Kamal at ZScaler
