Analysis Notes

A place to note things I have tried while analysing malware, or that I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 36 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

ASEC

Contents: 1. Past attack cases; 1.1. Cases of Innorix Agent abuse; 1.1.1. NukeSped variant – Volgmer; 1.1.2. Andardoor; 1.1.3. 1th Troy Reverse Shell; 1.2. Cases of attacks against Korean corporations; 1.2.1. TigerRat; 1.2.2. Black RAT; 1.2.3. NukeSped variants; 2. Cases of recent attacks; 2.1. Cases of Innorix Agent abuse; 2.1.1. Goat RAT; 2.2. Cases of attacks against Korean corporations; 2.2.1. AndarLoader; 2.2.2. DurianBeacon; 3. Connections to recent attack cases; 4. ...

Australian Cyber Security Centre

Bitdefender

Yehuda Gelb at Checkmarx Security

An Ongoing Open Source Attack Reveals Roots Dating Back To 2021. Yehuda Gelb, published in checkmarx-security, 4 min read. In an ongoing campaign, a threat actor is leveraging npm packages to target developers to steal source code and secrets. The actor behind this campaign is suspected to be related to malicious activity dated as early as 2021 undetected. In this report, we will share new packages and IOCs related to this attack. Intro: Developers in the cryptocurrency sphere ...

CISA

Release Date: August 31, 2023. Alert Code: AR23-243A. Infamous Chisel – A collection of components associated with Sandworm designed to enable remote access and exfiltrate information from Android phones. Executive Summary: Infamous Chisel is a collection of components targeting Android devices. This malware is associated with Sandworm activity. It performs periodic scanning of files and network information for exfiltration. System and application configuration files are exfiltrated from an infected devi...

Edmund Brumaghin at Cisco’s Talos

By Edmund Brumaghin, Thursday, August 31, 2023 08:08. Tags: Threat Spotlight, Infostealer, SecureX. SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022. Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, includi...

Cyber Geeks

Hendrik Eckardt at cyber.wtf

QakBot Takedown Payload Analysis. In a recent international operation, law enforcement agencies from the US and EU have taken down the QakBot botnet (see Press Release by U.S. Department of Justice, or in German, Press Release by Bundeskriminalamt). QakBot is a notorious malware that was primarily distributed via malicious emails. Its main purpose was to gain initial access to a network. Once a foothold had been established and the victim looked like a promising target, the botnet operators will ...

Didier Stevens

Quickpost: PDF/ActiveMime Maldocs YARA Rule

Update: zipdump.py Version 0.0.26

Ali Paşa Turhan at Docguard

Posted by Ali Paşa Turhan on 29 August 2023 | Featured. Attackers can create files with a PDF signature by manipulating the file structure to bypass AVs. An MHT file created in Word and containing macros is embedded in a PDF file. Then, when this file is recognized as a PDF, the embedded Word file in the PDF is opened. When we open the malware, the Word application opens as follows. When we look at the header information of this file, we see a PDF signature. And when we open the file with the hex...

Doug Burks at Security Onion

Today, the FBI and DOJ announced an operation to dismantle Qakbot infrastructure: https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown and https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown. Let's take a look at a recent Qakbot sample. Thanks to Brad Duncan for sharing this pcap: https://www.malware-traffic-analysis.net/2023/05/24/index.html. We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to fo...

Dr Josh Stroschein

YouTube video

YouTube video

Arda Büyükkaya at EclecticIQ

Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang. The Key Group ransomware family first appeared on January 6, 2023. EclecticIQ researchers assess with high confidence that the Key Group ransomware gang is primarily a Russian speaking, financially motivated threat group. Arda Büyükkaya – August 31, 2023. Executive Summary: The Key Group ransomware family was first revealed on January 6, 2023, continuing their operations since then. EclecticIQ researchers assess with h...

Emanuele De Lucia

Posted on August 30, 2023 / September 1, 2023. INTRODUCTION: The “Duck Hunt” operation refers to a specific operation called “Operation Duck Hunt” that disrupted the Qakbot botnet. The Qakbot botnet was a sophisticated network of compromised computers that was used to distribute malware, steal sensitive information, and carry out other malicious activities. The operation to disrupt the Qakbot botnet was carried out by law enforcement agencies. It involved identifying and targeting the infrastructure ...

Igor Skochinsky at Hex Rays

Posted on: 02 Sep 2023. By: Igor Skochinsky. Categories: Decompilation, IDA Pro. Tags: hexrays, idapro, idatips. We’ve covered splitting expressions before, but there may be situations where it can’t be used. For example, consider the following situation: the decompiler decided that the function returns a 64-bit integer and allocated a 64-bit stack variable for it. For example, the code may be manipulating a register pair commonly used for 64-bit variables (eax:edx) which triggers the heuristics for recover...

Jay Vadhaiya at InfoSec Write-ups

Reverse Engineering: Injection Series Part 4 — Blue Team Labs. Reverse engineer the given file and understand the behavior. You can use any disassembler you like to complete this challenge. Jay Vadhaiya, published in InfoSec Write-ups, 6 min read, Aug 15. Welcome to another blog on reverse engineering. In today’s blog we are going to walk through a challenge called “Injection Series Part 4”, hosted on Blue Team Labs. Let’s get started. Scenario: Reverse Engineer the given file and unders...

Yuma Masubuchi at JPCERT/CC

MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file – Yuma Masubuchi (増渕 維摩), August 28, 2023. JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog art...

Preksha Saxena at McAfee Labs

Peeling Back the Layers of RemcosRat Malware. McAfee Labs, Aug 29, 2023, 9 min read. Authored by Preksha Saxena. McAfee Labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email. A phishing email contained a ZIP/RAR attachment. Inside this ZIP was a heavily obfuscated VBS file. Remcos is a sophisticated RAT which provides an attacker with backdoor access to the infected system and collects a variety of sensitive information. Remcos incorporates different obfusca...

MDSec

Leveraging VSCode Extensions for Initial Access. Introduction: On a recent red team engagement, MDSec were tasked with crafting a phishing campaign for initial access. The catch was that the in-scope phishing targets were developers with technical skills above that of the average user. As a result, they were unlikely to fall for typical payloads and pre-texts. Rather than relying on traditional initial access payloads, why not use their own development tools to...

Nsfocus

APT34 uses a SideTwist variant trojan in a new round of phishing activity. 2023-08-30, NSFOCUS. Tags: APT34, OilRig, SideTwist, DoD. Reads: 187. 1. Overview: Recently, the global threat hunting system of NSFOCUS Fuying Lab captured a new APT34 phishing campaign. In this campaign, the APT34 attackers posed as a marketing services company named GGMS to attack enterprise targets, ultimately delivering a SideTwist variant trojan to gain long-term control of victim hosts. 2. Group information: APT34, also known as OilRig or Helix Kitten, is an APT group suspected to originate from Iran. The group has been active since 2014 and mainly conducts cyber espionage and sabotage operations against countries in the Middle East, with primary targets in finance, government, energy, chemicals, telecommunications and other sectors. APT34 has a high level of technical capability, can design different intrusion methods for different types of targets, and has supply chain attack capability. The group's main attack tools were disclosed in a leak in 2019, after which the group began developing new attack tools, including RDAT, SideTwist and Saitama. 3. Lure information: This time, the lure document used by APT34 is named “GGMS Overview.doc”, and the body of the document shows a company ...

OALABS Research

An open source travesty used to drop .NET stealers. Aug 27, 2023, 2 min read. Tags: attack, crypter, downloader, dotnet, open source. Overview: AttackCrypt is an open source "crypter" project that can be used to "protect" binaries and "prevent" detection by AV. In the words of the developer... I don't know how much This will stay FUD but will be updating it always and adding New Injection and new Attacks to it. This crypter has recent...

Brad Duncan at Palo Alto Networks

By Brad Duncan, September 1, 2023 at 6:00 AM. 11 min read. Category: Tutorial. Tags: Advanced Threat Prevention, Cloud-Delivered Security Services, Cortex XDR, next-generation firewall, pcap, RedLine infostealer, WildFire, Wireshark, Wireshark Tutorial. This post is also available in: 日本語 (Japanese). Executive Summary: Earlier this month, our quiz Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer introduced a packet capture (pcap) from July 2023 with a RedLine Ste...

Phylum

Phylum’s expertise lies in its ability to detect software supply chain attacks. Every day, our automated platform alerts us to new campaigns targeting the developer community. Just last week, we shed light on the publication of malicious email validation packages. We've also actively intervened in a typosquatting campaign targeting Rust developers, thereby stopping the campaign before it had a chance to get off the ground. Fast forward to August 28, 2023, our state-of-the-art supply chai...

On the afternoon of September 1, 2023 Phylum's automated risk detection platform flagged two new publications of the hardhat-gas-report package (https://app.phylum.io/package/npm/hardhat-gas-report/1.1.17). It turns out these updates included a stealthy clipboard monitor with a persistence mechanism attempting to exfiltrate Ethereum private keys to a remote server. This attack is particularly interesting, however, because this package was benign and untouched for 8 months before receiving the malicious update. Join us as ...

Digvijay Mane at Quick Heal

By Digvijay Mane, 30 August 2023, 7 min read. In the age of instant finance at our fingertips, loan apps have reshaped how we access funds. But beneath the convenience lies a concerning trend – malicious apps that are being linked to tragic outcomes. In this blog, we will shed light on the alarming rise of these ‘death-traps,’ unravel the mechanics of these apps, and discuss solutions. We’ll also dive into Google Play’s new policies and the Government’s measures in face of this threat. T...

Karlo Zanki at ReversingLabs

ReversingLabs researchers discovered more packages that are part of the previously identified VMConnect campaign, as well as evidence linking the campaign to North Korea's Lazarus Group. Blog author: Karlo Zanki, Reverse Engineer at ReversingLabs. In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repo...

Phil Stokes at SentinelOne

Phil Stokes / August 29, 2023. It wasn’t so long ago that malware authors, much like software developers, were concerned about the size of their code, aiming to keep it as small and compact as possible. Small binaries are less noticeable and can be slipped inside other files or shipped in benign code, attachments and even images. Smaller executables take up less space on disk, are faster to transfer over the wire, and – if they’re written efficiently – can execute their malicious instructions wit...

Ben Martin at Sucuri

VMRay

Jason Reaves and Joshua Platt at Walmart

Gazavat / Expiro DMSniff connection and DGA analysis. Jason Reaves, published in Walmart Global Tech Blog, 8 min read. By: Jason Reaves and Joshua Platt. Gazavat, also known at least partially as Expiro, is a multi-functional backdoor that has code overlaps with the POS malware DMSniff[1]. Functionality includes: loading other executables; load hash cracking plugin; load DMSniff plugin; perform webinjection and webfakes; form grabbing; command execution; download file from infected syste...

Zach Reichert

w3tmo/CrytoxTools (GitHub repository): Tools for analyzing Crytox.

Zhassulan Zhussupov

13 minute read. ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research on trying to evade AV engines via encrypting the payload with another algorithm: Skipjack. As usual, exploring various crypto algorithms, I decided to check what would happen if we apply this to encrypt/decrypt the payload. Skipjack: Skipjack is a symmetric key block cipher encryption algorithm designed primarily for government use, with a focus on strong security while being computationally...

Padvish Malware Threat Database

Trojan.Android.Wroba.Roamingmantis, 2023-08-28. General description. Type: Trojan. Damage level: Medium. Prevalence: Medium. Malware names: Trojan.Android.Wroba.Roamingmantis (Padvish), HEUR:Trojan-Dropper.AndroidOS.Wroba.o (Kaspersky), ANDROID/Drop.Wroba.monhn (Avira). What is a Trojan? Trojans are a type of malware that present themselves as clean, legitimate software and behave very much like useful, practical applications. But once executed, they cause a great deal of damage to the system. Among ...