Analysis Notes

A place to jot down malware analyses I have tried and things I thought would be useful for analysis. This site uses Google Analytics.

4n6 Week 35 – 2023 - MALWARE

This entry was automatically generated and posted to display the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Andrew Malec

Identifying UPX packed ELF, decompressing, fixing, and analysing Linux malware. We'll take a look at analysing a piece of Linux malware. This sample is an ELF file, containing a UPX packed binary, capable of port scanning, SSH bruteforcing, deploying XMRig, and self replicating. Download the...

Any.Run

XWorm: Technical Analysis of a New Malware Version. August 24, 2023. 6 min read. In this article, we will take a look at t...

ASEC

Web servers are vulnerable to attacks because they are publicly accessible to a wide range of users for the purpose of delivering web services. This accessibility makes them a prime target for threat actors. AhnLab Security Emergency response Center (ASEC) is monitoring attacks targeting vulnerable web servers that have not been patched or are poorly managed. In this post, we have compiled APT attack cases where the web servers of Korean corporations were continuously targeted over the years. We...

AhnLab Security Emergency response Center (ASEC) has recently discovered cases of proxyjacking targeting poorly managed MS-SQL servers. Publicly accessible MS-SQL servers with simple passwords are one of the main attack vectors used when targeting Windows systems. Typically, threat actors target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks. If successful, they install malware on the infected system. The threat actors have been installing Love...

Omar Santos at Cisco

August 24, 2023. Akira Ransomware Targeting VPNs without Multi-Factor Authentication. By Omar Santos. Cisco is aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations, and we have observed instances where threat actors appear to be targeting organizations that do not configure multi-factor authentication for their VPN users. This highlights the importance of enabling...

Dany at Digitella

Hello everyone! I did a challenge on Cyberdefenders.org that involved examining malware. In this blog, I will show you how I did so with the oledump and olevba tools. Oledump is a tool that lets you see OLE files to view the streams of data in the file, whereas Olevba scans the macro source code and the obfuscated strings to find suspicious keywords, IOCs, and auto-executable macros. To do this task, I spun up a VM with Remnux, which is a Linux version that is used to analyze malware. Macros are ...

Doug Burks at Security Onion

Thanks to Brad Duncan for sharing this pcap! //www.malware-traffic-analysis.net/2023/07/11/index.html We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can install Security Onion 2.4 in a VM and import the pcap as shown here: //docs.securityonion.net/en/2.4/first-time-users.html The screenshots at the bottom of this post show some of the interesting NIDS alerts, metadata logs, and session transcripts. About Security Onion: Security Onion is a versati...

Hex Rays

Posted on: 22 Aug 2023 By: Alex Petrov Categories: IDA Pro Programming Tags: IDA Pro plugin This is a guest entry written by Holger Unterbrink from Cisco Talos. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, likely because these languages present challenges to investigators using reverse engi...

Posted on: 25 Aug 2023 By: Igor Skochinsky Categories: Decompilation IDA Pro Tags: hexrays idapro idatips shortcuts UI When working with a binary in IDA, most of the time you probably use one of the main views: disassembly (IDA View) or decompilation (Pseudocode). If you need to switch between the two, you can use the Tab key – usually it jumps to the same location in the other view. If you want to consult disassembly and pseudocode at the same time, copying pseudocode to disassembly is one ...

Nick Chalard at InQuest

Gaurav Yadav at K7 Labs

Posted by Gaurav Yadav, August 21, 2023 / August 24, 2023. Cryptocurrency Stealer Trojan. Crypto Stealing: Clip Bankers on the go. By Gaurav Yadav, August 21, 2023. Go code related malwares are getting pretty common day by day because of multiple reasons like easy to code, a single codebase which can be used to generate samples for multiple OSes, difficult to reverse engineer, etc. We came across a campaign recently where attackers used Go based clip bankers to steal crypto on the go using a Telegram bot ....

Muhammad Hasan Ali at muha2xmad

18 minute read. بسم الله الرحمن الرحيم FreePalestine. Introduction: We will start analyzing Ave Maria known as WARZONE RAT. Ave Maria is a Remote Access Trojan (R...

Siddharth Sharma at Palo Alto Networks

6 min. read. By Siddharth Sharma, August 24, 2023 at 6:00 AM. Category: Malware. Tags: Adept Libra, Advanced WildFire, Agent Serpens, API, API attacks, D-Bus, HackTool, Lazagne, Linux, Pidgin, Prying Libra, TeamTnT. This post is also available in: 日本語 (Japanese). Executive Summary: Attackers have increased targeted attacks on Linux systems, and the easy accessibility of hacktool utilities like LaZagne (a popular open-source password recovery tool) has made this increasingly co...

PhishLabs

Original Research from Fortra Reveals Pervasiveness, Types of Look-Alike Domains Targeting Brands. By Jessica Ellis | August 24, 2023. In the ever-evolving landscape of cybercrime, look-alike domains remain a constant component in the vast majority of threats. Look-alike domains, or URLs that resemble those of a legitimate brand, can cause significant damage to brand reputation by way of fraudulent websites, phishing schemes, malware distribution, and more. Origin...

Phylum

Phylum routinely identifies malware and other software supply chain attacks targeting high-value, critical assets: an organization’s software developers. Most recently, we’ve reported on a flurry of sophisticated attacks targeting JavaScript developers, respawning malware on PyPI, and were the first to identify North Korean state actors publishing malicious packages to npm. With our fairly recent addition of Crates.io support, today we are detailing a thwarted software supply chain attack agains...

On the morning of August 24, Phylum's automated risk detection system identified a suspicious package published to npm called “emails-helper." A deeper investigation revealed that this package was part of an intricate attack involving Base64-encoded and encrypted binaries. The scheme fetches encryption keys from a DNS TXT record hosted on a remote server. Additionally, a hex-encoded URL is retrieved from this remote server and then passed to the spawned binaries. The end result is the deployment...

Sansec

22nd August 2023. Web Skimming / Sansec Threat Research. What is Magecart? Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time? About Magecart: Attackers are devising ingenious methods to prolong their skimmi...

Eduardo Ovalle and Francesco Figurelli at Securelist

Research, 25 Aug 2023. Authors: Eduardo Ovalle, Francesco Figurelli. Lockbit is one of the most prevalent ransomware strains. It comes with an affiliate ransomware-as-a-service (RaaS) program offering up to 80% of the ransom demand to participants, and includes a bug bounty p...

Jindrich Karasek and Jaromir Horejsi at Trend Micro

In this entry, we discuss how a threat actor abuses paid Facebook promotions featuring LLMs to spread malicious code, with the goal of installing a malicious browser add-on and stealing victims' credentials. By: Jindrich Karasek, Jaromir Horejsi, August 23, 2023. Large language models (LLMs) are currently a hot topic nowadays, drawing much attention as the emergence of general artificial intelligence seems to near. Early adopters will have a strong compe...

Mallikarjun Piddannavar at ZScaler
