Analysis Memo

A place where I note things from trying my hand at malware analysis and things I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 32 – 2023 - MALWARE

This entry was auto-generated and posted to show the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that I can zap through them and pick which ones to check. 4n6 itself can be found here.

MALWARE

Amged Wageh

Pillars of Analyzing Malicious MS Office Documents — Part 1–3: Unveiling Document Format Structures. Amged Wageh, 9 min read, Aug 3. Microsoft Office suite has been standing tall as a pillar of productivity and convenience for decades. From crafting presentations in PowerPoint to crunching numbers in Excel, and composing memos in Word, millions of users rely on these tools daily. I can’t imagine a standing business without MS Office documents, can you? Yet, beneath this veneer of no...

Amr Ashraf

8 minute read. Sample Info: I decided to look at an Amadey sample as a result of seeing it very active these days, so I picked up a sample from MalwareBazaar, SHA256: 06b1023ac65f1ee535c45bd46e93551822df8f9dcd64389a9e5388dd532c6b29. With a quick look at the sample, it seems to be compiled with the Flat Assembler and only has a .text section. Just by the first look, I realized that an old friend is he...
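The "only has a .text section" observation above is a quick triage signal worth automating. The script below is an added example, not code from Amr Ashraf's Amadey write-up: it walks the DOS header, COFF file header and section table of a PE by hand (no pefile dependency) and flags layouts that often mark hand-assembled or packed builds, such as a single section, a section that is both writable and executable, or a section with virtual size but no raw data. The two PE images it runs on are constructed in-code for the demo and are not the sample from the article.

```python
"""Hand-rolled PE section-table triage.

Added example, not code from the Amadey write-up. Parses the DOS header,
COFF file header and section table directly and flags section layouts that
deserve a second look. The PE images built below are constructed demo input.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_SIZE = 40


def parse_sections(data: bytes) -> list:
    """Return one dict per IMAGE_SECTION_HEADER found in the file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + i * SECTION_HEADER_SIZE)
        name, vsize, vaddr, rawsize, rawptr = fields[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "characteristics": fields[9],
        })
    return sections


def triage(data: bytes) -> dict:
    """Return section names plus findings that often mark FASM-built or packed binaries."""
    sections = parse_sections(data)
    findings = []
    if len(sections) == 1:
        findings.append("single section (%s): typical of FASM-built or packed binaries" % sections[0]["name"])
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append("%s is writable and executable (RWX)" % s["name"])
        if s["virtual_size"] > 0 and s["raw_size"] == 0:
            findings.append("%s has no raw data but %#x virtual bytes (filled at runtime?)"
                            % (s["name"], s["virtual_size"]))
    return {"sections": [s["name"] for s in sections], "findings": findings}


def build_demo_pe(sections) -> bytes:
    """Build a minimal, non-runnable PE32 image with the given (name, characteristics)
    sections. Constructed test input for this example only."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b""
    for i, (name, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return dos_header + b"PE\0\0" + file_header + optional_header + table


# Constructed demo inputs: a single RWX .text section, as a FASM build that
# unpacks or patches itself in place might show, versus a conventional layout.
FASM_LIKE = build_demo_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
CONVENTIONAL = build_demo_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    import sys
    # Pass real PE paths to triage them; with no arguments, run the constructed demo images.
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "FASM_LIKE": FASM_LIKE, "CONVENTIONAL": CONVENTIONAL}
    for label, blob in targets.items():
        print(label, triage(blob))
```

The flags are heuristics, not verdicts: plenty of legitimate tools ship with an RWX section or a single section, so treat a hit as a reason to open the file in a disassembler, as the write-up does, rather than as a detection.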

ASEC

In the past, AhnLab Security Emergency response Center (ASEC) had shared the “SparkRAT Being Distributed Within a Korean VPN Installer” [1] case post and the “Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections” [2] case post which covered the SparkRAT malware being distributed through a Korean VPN service provider’s installer. ASEC has recently identified similar malware strains being distributed while being disguised as setup files for Korean VPN service providers a...

Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. [1] Rootkits are malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and network communications for their concealment. Reptile’s concealment capabilities include not only its own kernel module but also files, directories, file contents, processes, and network traffic. Unlike other rootkit malware that typically only provid...

Cleafy

Published: 31/7/23. Key points: Starting from the end of 2022, an Android spyware called SpyNote was observed carrying out bank fraud thanks to its many features. SpyNote abuses Accessibility services and other Android permissions in order to:
- collect SMS messages and the contacts list;
- record audio and screen;
- log keystrokes;
- bypass 2FA;
- track GPS locations.
The spyware is dist...

d01a

Mohamed Adel, included in Malware Analysis, 2023-07-31, 3884 words, 19 minutes. Introduction: Pikabot is a new malware first seen in...

Esentire

BY eSentire Threat Response Unit (TRU), August 1, 2023, 6 min read. Categories: Attacks/Breaches, Threat Intelligence, TRU Positive/Bulletin.

BY eSentire Threat Response Unit (TRU), August 3, 2023, 6 min read. Categories: Attacks/Breaches, Threat Intelligence, TRU Positive/Bulletin.

BY eSentire Threat Response Unit (TRU), August 3, 2023, 14 min read. Categories: Attacks/Breaches, Threat Intelligence, TRU Positive/Bulletin. In August 2022, the eSentire Threat Response Unit (TRU) team released a blog prov...

Hex Rays

Posted on: 27 Jul 2023. By: Alex Petrov. Categories: IDA Pro, Programming. Tags: IDA Pro, plugin. This is a guest entry written by the Airbus CERT team. Their views and opinions are their own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors. The ComIDA plugin is focused on finding usage of COM objects inside Windows modules. When a COM object is identified, ComIDA will infer its type to improve the decompilation. What’s COM? COM...

Posted on: 04 Aug 2023. By: Igor Skochinsky. Categories: Decompilation, IDA Pro. Tags: hexrays, idapro, idatips, shortcuts. Previously, we’ve run into a function which produces a cryptic error if you try to decompile it. In such situations, you need to go back to disassembly to see what could be wrong. More specifically, check the stack frame layout by double-clicking a stack variable or pressing Ctrl–K. On the first glance it looks normal. However, if you compare with another function which decompiles ...

SangRyol Ryu at McAfee Labs

Invisible Adware: Unveiling Ad Fraud Targeting Android Users. McAfee Labs, Aug 04, 2023, 6 min read. Authored by SangRyol Ryu, McAfee Threat Researcher. We live in a world where advertisements are everywhere, and it’s no surprise that users are becoming tired of them. By contrast, developers are driven by profit and seek to incorporate more advertisements into their apps. However, there exist certain apps that manage to generate profit with...

OALABS Research

Garble GO obfuscation analysis. Jul 31, 2023, 10 min read. Tags: Bandit stealer, garble, go, obfuscation. Overview: This is a new infostealer written in GO that primarily targets browser credentials and crypto wallets. The collected information is uploaded to Telegram with the operator's telegram ID and channel ID hard coded in the binary. Some variants of the stealer use Garb...

Garble GO obfuscation string decryption. Aug 3, 2023, 235 min read. Tags: garble, go, obfuscation, strings. Overview: Garble is an open source obfuscation framework for GO which also includes a string encryption feature. It has been used in multiple GO based malware builds including RootTeam and Bandit Stealer. String Obfuscation/Encryption: The...

Lior Rochberger at Palo Alto Networks

By Lior Rochberger, August 1, 2023 at 6:00 AM, 14 min read. Category: Malware. Tags: Advanced Threat Prevention, Advanced URL Filtering, Cortex XDR, Cortex XSIAM, DNS security, Facebook, incident response, Infostealer, next-generation firewall, NodeStealer, Phishing, WildFire. Executive Summary: Unit 42 researchers have recently discovered a previously unreported phishing campaign that distributed an infostealer equipped to f...

Phylum

🚨August 9, 2023 Update: This appears to be a slow, on-going attack. Since our initial report, two more packages have been identified as part of this campaign: ng-zulutrade-ssr and binarium-crm. We will provide periodic updates as we identify further publications associated with this campaign. 🚨August 16-24, 2023 Update: Additional packages continue to be published by this actor: developer_backup_test531, binarium-client, olymptrade, hh-dep-monitoring, career-service-client, school-task-tester, o...

Phylum

On Aug 3, 2023 Phylum’s automated risk detection platform alerted us to a series of suspicious publications on npm. The attacker eventually published final versions of two packages: a typosquat of a popular cryptocurrency library and a dependency that contained the malicious code buried deep in a large file that most developers would never bother looking at. The malicious code did not change the primary functionality of the cryptographic library. Instead, it makes an HTTP request to a Chinese se...

Kelsey Merriman and Pim Trouerbach at Proofpoint

Out of the Sandbox: WikiLoader Digs Sophisticated Evasion. July 31, 2023, Kelsey Merriman and Pim Trouerbach. Key Takeaways: Proofpoint identified a new malware we call WikiLoader. It has been observed delivered in multiple campaigns conducted by threat actors targeting Italian organizations. The malware uses multiple mechanisms to evade detection. It is named WikiLoader due to the malware making a request to Wikipedia and checking that the response has the string “The Free”...

Securelist

Malware reports, 03 Aug 2023. Authors: GReAT. Introduction: The malware landscape keeps evolving. New families are born, while others disappear. Some families are short-lived, while others remain active for quite a long time. In order to follow this evolution, we rely both on samples that we detect and our monitoring efforts, which cover botnets and underground forums. While doing so, we found new...

Ayush Anand at Securityinbits

AsyncRAT: Config Decryption Techniques and Salt Analysis. August 5, 2023. Tags: .NET, AsyncRAT, Config, CyberChef, CyberChef Recipe, RAT, Remote Access Tool. Ayush Anand. In this article, we dive into the inner workings of AsyncRAT. This Remote Access Trojan (RAT) has seen a ...

Ax Sharma at Sonatype

August 03, 2023, By Ax Sharma, 3 minute read time. This month, we analyzed a malicious PyPI package called ‘VMConnect,’ which has been designed to strongly resemble the legitimate VMware vSphere connector module, ‘vConnector,’ except it hides sinister code within. Assigned sonatype-2023-3387 and discovered by Sonatype’s automated detection systems last week, ‘VMConnect’ contains much the same code as its legitimate counterpart and has been downloaded 225 times, according to pepy.tech. While ...

Junestherry Dela Cruz at TrendMicro

By: Junestherry Dela Cruz, August 07, 2023. In June 2023, Trend Micro observed an upgrade to the evasion techniques used by the Batloader initial access malware, which we’ve covered in previous blog entries. The group behind Batloader (which we named Water Minyades) have begun employing Pyarmo...

Zachary Reichert at Aon

DarkGate Keylogger Analysis: masterofnone. As cybercriminal threat actors evolve their tools to circumvent detection and to advance their attacks, it’s critical to have an experienced and well-equipped incident response firm at the ready to identify, contain and remove them from your environment. In a recent investigation, Aon’s Stroz Friedberg Incident Response Services (“Stroz Friedberg”) encountered a group utilizing techniques s...