Analysis Notes

A place to jot down things from trying my hand at malware analysis and anything I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 30 – 2023 - MALWARE

This entry was auto-generated and posted to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that I can skim and pick which articles to check. Some articles are summarized using Google Bard. The 4n6 roundup itself can be found here.

MALWARE

Any.Run

July 18, 2023 · 4 min read · Service Updates · Identify Suspicious or Tampered Files Faster with Digital Signatures. Speed is one of the biggest advantages of the ANY.RUN sandbox. You can oft...

July 20, 2023 · 8 min read · Malware Analysis · Analyzing a New .NET variant of LaplasClipper: retrieving the config. Recently, we’ve discovered an interesting LaplasClipper sample here at ...

Martin a Milánek at Avast Threat Labs

Ayedaemon

Some things about process and stack memory. May 1, 2023 · 15 min · ayedaemon. Table of contents: Memory layout of a process; Text segment (Code Segment); Initialized data segment (Data Segment); Uninitialized data segment (BSS Segment); Heap; Stack; More about stack (practical). When an operating system (OS) runs a program, the program is first loaded into main memory. Memory is utilized for both the program’s machine instructions and the program’s data; this includes parameters, dynamic variables, (un)ini...
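As an added example (not from ayedaemon's post, and Linux-only since it reads /proc/self/maps), the C program below resolves a pointer to the mapping that contains it, so the text, data, BSS, heap and stack segments the post describes can be seen in a live process rather than in a diagram. The globals, the heap object and the helper name find_mapping are constructed for this example; it assumes glibc, where a small malloc is served from the brk heap that the kernel labels [heap].

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Globals used only to show where .data and .bss end up (example-only). */
static int initialized_global = 42;   /* .data: has initial bytes in the ELF file */
static int uninitialized_global;      /* .bss: zero-filled by the loader, no file bytes */

/*
 * Find the /proc/self/maps entry that contains addr (Linux only).
 * On success, copies the pathname column into label ("[heap]", "[stack]",
 * the ELF path, or "[anon]" when the column is empty), the four permission
 * characters into perms, and returns 0. Returns -1 if addr is not mapped
 * or /proc/self/maps cannot be read.
 */
int find_mapping(const void *addr, char *label, size_t label_sz, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return -1;

    uintptr_t a = (uintptr_t)addr;
    char line[512];
    int rc = -1;

    while (fgets(line, sizeof line, f) != NULL) {
        unsigned long lo = 0, hi = 0;
        int consumed = 0;
        /* Line format: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s%n", &lo, &hi, perms, &consumed) < 3)
            continue;
        if (a < lo || a >= hi)
            continue;

        /* Whatever follows the inode column is the (optional) pathname. */
        const char *path = line + consumed;
        while (*path == ' ' || *path == '\t')
            path++;
        size_t n = strcspn(path, "\n");
        if (n == 0)
            snprintf(label, label_sz, "[anon]");
        else
            snprintf(label, label_sz, "%.*s", (int)n, path);
        rc = 0;
        break;
    }
    fclose(f);
    return rc;
}

/* Print one address together with the permissions and label of its mapping. */
static void show(const char *what, const void *p)
{
    char label[256], perms[5];
    if (find_mapping(p, label, sizeof label, perms) == 0)
        printf("%-20s %p  %s  %s\n", what, p, perms, label);
    else
        printf("%-20s %p  (not mapped?)\n", what, p);
}

int main(void)
{
    int stack_local = 1;           /* lives in main's stack frame: [stack] */
    int *heap_obj = malloc(64);    /* small glibc allocation from brk: [heap] */

    show("text (function)", (const void *)(uintptr_t)find_mapping); /* r-xp, ELF path */
    show("data (init global)", &initialized_global);                 /* rw-p, ELF path */
    show("bss (uninit global)", &uninitialized_global);              /* rw-p, ELF path or [anon] tail */
    show("heap (malloc)", heap_obj);
    show("stack (local)", &stack_local);

    free(heap_obj);
    return 0;
}
```

Run it a few times: with ASLR every address changes, but the labels and permissions do not, and the ordering text < data < bss < heap < stack that the post lays out is visible directly from the printed addresses. The BSS tail may show up as an anonymous mapping rather than under the executable's path, because the zero-filled part beyond the file's end is backed by anonymous memory.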

Task 7 for Eudyptula challenge. May 1, 2023 · 9 min · ayedaemon. Table of contents: What is Linux??; Big picture of linux development; Next trees; Working with linux-next; Initial setup; Regular tracking; Resources. This is Task 07 of the Eudyptula Challenge. Great work with that misc device driver. Isn't that a nice and simple way to write a character driver? Just when you think this challenge is all about writing kernel code, this task is a throwback to ...

Tom Hudson at Bishop Fox

By: Tom Hudson, Senior Security Analyst. A sluice box is a box lined with riffles or ridges. When you put a sluice box in flowing water that contains little bits of gold, the heavy gold gets stuck in the riffles for you to easily collect, without having to manually sift through tons of dirt and silt. This is what jsluice attempts to do for JavaScript: run megabytes of mostly junk through it and get just the interesting bits spat back out at you. There are four modes in jsluice: urls, secret...

By: Tom Hudson, Senior Security Analyst. JavaScript. Depending on who you are it's a word that can instil fear, joy, or curiosity. Regardless of your opinions on Brendan Eich's polarising creation, it's hard to deny its influence on the web. Once a simple HTML salad garnished with gifs, the modern web is a bubbling cauldron of complexity with JavaScript as its thickening agent. jsluice is an attempt to make it a little easier to find some of the tasty morsels bobbing around in that cauldron...

c3rb3ru5d3d53c

YouTube video

YouTube video

Cleafy

Published: 18/7/23. Final Chapter. Here we go to the final chapter of this series. So far, we have discussed the malspam campaign that started spreading sLoad. Then, we discovered that sLoad is a dropper for Ramnit, now representing one of the most prominent threats to corporate banking and its customers. After that, we also described Ramnit’s capabilities, focusing mainly on its inj...

Arnab Mandal at K7 Labs

Posted by Arnab Mandal, July 20, 2023. Exploits, Ransomware, Vulnerability. CVE-2023-34362: MOVEit Transfer Exploitation Analysis. On May 31st, 2023, Progress released a security advisory about a critical SQL injection vulnerability in the web application of their MOVEit Transfer and Cloud software. This vulnerability could allow an adversary to gain administrative access, exfiltrate data and execute arbitrary code. This vulnerability, CVE-2023-34362, has been exploi...

Kyle Cucci at SecurityLiterate

Jérôme Segura at Malwarebytes Labs

FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT. Posted: July 18, 2023 by Jérôme Segura. A new campaign leveraging compromised WordPress sites emerges with another fake browser update. Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised websites to trick users into running a fake browser update. Instead, victims would end up infecting their computers with the NetSupport RAT, allowing threat actors to gain re...

Yukihiro Okutomi at McAfee Labs

Android SpyNote attacks electric and water public utility users in Japan. McAfee Labs, Jul 21, 2023, 5 min read. Authored by Yukihiro Okutomi. McAfee’s Mobile team observed a smishing campaign against Japanese Android users posing as a power and water infrastructure company in early June 2023. This campaign ran for a short time from June 7. The SMS message alerts about payment problems to lure victims to a phishing website to infect the target devices with remote-controlled SpyNote malware. In the ...

NVISO Labs

Moritz Thomas, Adversary Emulation, Red Team. July 17, 2023 (updated July 18, 2023), 7 minutes. This entry is part 2 in the series Introducing CS2BR - Teaching Badgers new Tricks. Introduction: In the previous post of this series we showed why Brute Ratel C4 (BRC4) isn’t able to execute most BOFs that use the de-facto BOF API standard set by Cobalt Strike (CS): BRC4 implements its own BOF API, which isn’t compatible with the CS BOF API. We also outlined an approach to solve this issue: by injecting a custom co...

Nicholas Dhaeyer, Forensics, Windows, Blue Team. July 20, 2023 (also dated July 18, 2023), 2 minutes. This entry is part 1 in the series The SOC Toolbox. One day, a long time ago, whilst handling my daily tasks, an alert was generated for an unknown executable that was flagged as malicious by Microsoft Cloud App Security. When I downloaded the file through Microsoft Security Center, I immediately noticed that it might be an AutoHotKey script. Namely, by looking at the icon, which is the AutoHotKey logo. As with ma...

OALABS Research

Lobshot, a basic hVNC bot. Jul 16, 2023 · 3 min read. Tags: lobshot, bot, hvnc, triage. Contents: Background; References; Samples; Analysis; DarkVNC Overlap; C2 Request; Config Extractor; Notes. Background: LOBSHOT is the internal name given to an hVNC-based bot by the Elastic Security Labs team. The public name of this malware is currently unknown. The primary capability of the malware is acting as both a stealer and hidden VNC. References: Elastic Security Labs discovers the LOBSHOT malware. Samples: e4ea88887753a936eaf3361dcc0...

Taking a look at this free GO stealer. Jul 20, 2023 · 1 min read. Tags: RootTeam, stealer, triage. Overview: bandit #stealer has been busy... Contents: References; Sample; Delivery; Stage 1 - Setup.zip; Stage 2 - Shellcode; UPX Payload; Analysis. Overview: Identified by @g0njxa, RootTeam is a GO stealer that can be built via a Telegram channel :]//t[.]me/rootteam_bot. It has been confused with Bandit Stealer, another GO stealer with similar functionality. The sample we are triaging came from a @James_inthe_box twitter post with...

Palo Alto Networks

11 min read. By William Gamazo and Nathaniel Quist, July 19, 2023 at 10:00 AM. Category: Cloud. Tags: container security, p2p, Worm. Executive Summary: On July 11, 2023, Unit 42 cloud researchers discovered a new peer-to-peer (P2P) worm we call P2PInfect. Written in ...

10 min read. By Lior Rochberger and Shimi Cohen, July 20, 2023 at 10:15 AM. Category: Ransomware, Threat Advisory/Analysis, Threat Briefs and Assessments. Tags: double extortion, Mallox ransomware, OWASSRF, ProxyLogon, ProxyShell. Executive Summary: Mallox (aka TargetCompany, FARGO and Tohnichi) is a ransomware strain that targets Microso...

Francesco Figurelli and Eduardo Ovalle at Securelist

Research, 19 Jul 2023. Authors: Francesco Figurelli, Eduardo Ovalle. Table of contents: The CVE-2023-23397 vulnerability; The vulnerability fix; The WebDAV protocol; The samples; Sample list; Initial attack IOCs; Threat verification; A note about attacker infrastructure. On March 14, 2023, Microsoft published a blogpost describing an Outlook Client Elevation of Privilege Vulnerability (CVSS: 9.8 CRITICAL). The publication generated a lot of activity among white, grey and black hat researchers, as well as...

SentinelOne

July 17, 2023 by Millie Nym. In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit their research to showcase their talents and bring their insights to a wider audience. In today’s post, Millie Nym (@dr4k0nia) demonstrates a problem-solving approach to reverse engineering a malware sample, highlighting not just the practical steps taken but also the logical reasoning conduct...

Ax Sharma at Sonatype


Jason Reaves, Jonathan McCay and Joshua Platt at Walmart

NemesisProject. Jason Reaves, published in Walmart Global Tech Blog, 8 min read, 4 days ago. By: Jason Reaves, Jonathan McCay and Joshua Platt. NemesisProject has been seen being utilized at least partially by FIN7[1] recently, where it was seen being delivered through Tirion (aka Lizar, DiceLoader). The project itself comes as a backdoor framework with plugin components: BotLoader, Starter, Bot Module, CMD Module, Powershell Module, PrintScreen Module, Stealer Module. It appears to be in active develo...

Zhassulan Zhussupov

Malware development: persistence - part 22. Windows Setup. Simple C++ example. 3 minute read. ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is based on my own research into one of the more interesting malware persistence tricks: via a Windows Setup script. Setup script: C:\WINDOWS\system32\oobe\Setup.exe is an executable file on the Windows operating system. The oobe directory stands for “Out Of Box Experience,” which is part of the process users go through when they are setting up...