Analysis Notes

A place to jot down notes on malware I have analyzed and on things that seemed useful for analysis.

4n6 Week 29 – 2023 - MALWARE

This entry was automatically generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that I can skim them and pick which articles to check. Some of the articles are summarized using Google Bard. 4n6 itself can be found here.

MALWARE

Abdallah Elshinbary

10 minute read. Howdy! I’m finally back with another malware deep dive report. This time we are digging into GCleaner. GCleaner is a Pay-Per-Install (PPI) loader first discovered in early 2019, it has been...

Any.Run

July 13, 2023. Malware Trends Report: Q2, 2023. Welcome to ANY.RUN’s Q2 2023 malware trends report. We’re continuing to share quarterly breakdowns of the most popular malware types, families, and TTPs. Summary ...

ASEC

Rekoobe is a backdoor known to be used by APT31, a threat group based in China. AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years, and will hereby share its brief analysis. Additionally, the Rekoobe variants will be categorized along with a summary of the ones used to target Korean companies. 1. Overview Rekoobe is a backdoor that targets Linux environments. It was first discovered in 2015, [1] and there is ...

AhnLab Security Emergency Response Center (ASEC) has confirmed the distribution of malware in the form of a batch file (*.bat). This malware is designed to download various scripts based on the anti-malware processes, including AhnLab products, installed in the user’s environment. Based on the function names used by the malware and the downloaded URL parameters, it is suspected to have been distributed by the Kimsuky group. Although the exact distribution path of the malware has not been confirmed...

c3rb3ru5d3d53c

YouTube video

Fatih Yilmaz

13 Jul 2023 What is Unpacking? One of the primary goals of malware developers is to make it difficult to analyze and, for the reasons that arise, to detect. More than one technique is used for this purpose. The subject of this article will be the “packing” technique, which is perhaps the most important of these techniques. First of all, we will look for answers to the questions “What is the ‘packing’ of a piece of software?” and “How can we get the original software by reversing the packing algo...


Igor Skochinsky at Hex Rays

Roei Kriger at InfoSec Write-ups

A Tutorial About Dealing With an Obfuscated Code. 7 min read. Security researchers face numerous challenges in their work, and malware writers consistently attempt to compound these existing challenges with additional obstacles. Therefore, when researchers examine a script, code, or file, it often exhibits lengthy and vague variable names, occasionally encrypted using methods like Base64 or subjec...

Lab52

July 07, 2023. Introduction. Lab52 has detected different maldoc samples of a potential malicious campaign. The initial access is through a Chinese phishing. The maldoc seems to be a campaign against Chinese-speaking users, as the content of the maldoc is written in Chinese. The social engineering technique applied in the maldoc’s content is to pretend to be a Curriculum Vitae of a 28-year-old professional who is specialized in finance, concretely in software development for banking syst...

July 12, 2023. Last month of May we were talking about the new APT29 campaign that we called “Information”. Recently, just a week ago, an unknown actor used similar techniques to APT29. This time APT29 is once again the focus after new techniques were identified in their operations. This post details the new techniques observed, in particular: SVG Dropper; DLL used for infection; C2 behaviour. Infection chain. Stage 0: SVG Dropper. The input vector for this campaign has been the email. The phishing email...

Malware Hell

c3rb3ru5d3d53c, 2023-07-15, 544 words, 3 minutes. Infection Chain: Malspam Email. The infection chain starts with an email purporting to be from Dr. S. Susan (PHD) University of Trento, a university recognized for its significant accomplishments in teaching, resea...

Jérôme Segura at Malwarebytes Labs

Criminals target businesses with malicious extension for Meta's Ads Manager and accidentally leak stolen accounts Posted: July 12, 2023 by Jérôme Segura A group of criminals is actively targeting Facebook business users to gain access to their advertising accounts via malicious Chrome extensions. But we spotted that they made a mistake... Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that re...

OALABS Research

Truely a simple malware leading to ransomware. Jul 13, 2023 • 1 min read. Overview: Truebot (aka Silence) is primarily a downloader associated with the threat actor group TA505. Recently there was a CISA alert, Increased Truebot Activity Infects U.S. and Canada Based Networks, which described ransomware/extortion activity associated with the use of Truebot. References: Increased Truebot Activity Infects U.S. and Canada Based Networks; TrueBot A...

Robert Giczewski

TrueBot Analysis Part IV - Config Extraction. 13 Jul 2023 » malware_analysis, reverse_engineering, config_extraction. In the last post of the TrueBot series, I described some of TrueBot’s capabilities in more detail. In this post we will use this information to write a config extractor and extract the two RC4 keys, the mutex and the C2 IPs/domains. Like in all config extractors, we need to somehow find the relevant things we want to extract. Usually, I use YARA to navigate within the binary but thi...

Sekoia

Puja Srivastava at Sucuri

Tony Lambert

Faster Malware Triage with YARA. Posted Jul 14, 2023, by Tony Lambert. 5 min read. As folks get into malware analysis they naturally develop their own personal style of triage process based on data that is usually important to them. For example, I go through a process to determine what kind of file I have in front of me and what identifying hashes come from that file that I can use in services like VirusTotal and MalwareBazaar to find details about the sample or simila...

Nischay Hegde and Siddartha Malladi at Uptycs


WeLiveSecurity

A story of how an analysis of a supposed game cheat turned into the discovery of a powerful UEFI threat. ESET Research, 12 Jul 2023 - 11:30AM. Towards the end of 2022 an unknown threat actor boasted on an underground forum that they’d created a new and powerful UEFI bootkit called BlackLotus. Its most distinctive feature? It could bypass UEFI Secure Boot – a feature built into all modern co...