Analysis Notes

A place to jot down notes from my attempts at malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 37 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Adam at Hexacorn

Posted on 2023-09-03 by adam. I recently came across a malware sample that included the following, mysterious string: 961c151d2e87f2686a955a9be24d316f1362bf21 [digit].[digit].[digit] There are a few versions of these strings out there (extracted from a few malware samples downloaded in 2023): 961c151d2e87f2686a955a9be24d316f1362bf21 2.1.1 961c151d2e87f2686a955a9be24d316f1362bf21 3.5.0 961c151d2e87f2686a955a9be24d316f1362bf21 3.6.1 961c151d2e87f2686a955a9be24d316f1362bf21 3.9.1 961c151d2e87f2686a95...

ASEC

AhnLab Security Emergency response Center (ASEC) has discovered a phishing campaign that propagates through spam mails and executes a PE file (EXE) without creating the file on the user's PC. The malware attachment with the .hta extension ultimately executes malware strains such as AgentTesla, Remcos, and LimeRAT. This blog post will explain the distribution process flow from the spam mail to the final binary, as well as the techniques employed. Figure 1 shows the main text of the spam mail distrib...

The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year and also uses the same commands used in the “2.3. Persistence”[2] stage in the attack process of the RedEyes group’s M2R...

AhnLab Security Emergency response Center (ASEC) has recently identified circumstances of multiple phishing script files disguised as PDF document viewer screens being distributed as attachments to emails. A portion of the identified file names are as below, and keywords such as purchase order (PO), order, and receipt were used. New order_20230831.html Salbo_PO_20230823.pdf.html WoonggiOrder-230731.pdf.html PO_BG20231608-019.html ○○○ Pharma.pdf.html DH○BILL_LADING_DOCUMENT_RECEIPT.html Purchas...

Yehuda Gelb at Checkmarx Security

A Deep Dive into 70 Layers of Obfuscated Info-Stealer Malware. Yehuda Gelb, published in checkmarx-security, 6 min read. In the arms race of hackers against defenders, we consistently find hackers trying to disguise their true intent. We have analyzed an interesting sample armed with multiple layers of obfuscation; these packages were quite the challenge. However, I guess the attackers have not yet realized that no amount of obfuscation can cope against our abilities. Key F...

CISA

Release Date: September 07, 2023. Alert Code: AR23-250A. Related topics: Incident Detection, Response, and Prevention; Cyber Threats and Advisories; Securing Networks. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CL...

Release Date: September 07, 2023. Alert Code: AR23-250A. Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information car...

Dr Josh Stroschein

YouTube video

Esentire

Sep 01, 2023: Fake Browser Updates Distribute LummaC Stealer, Amadey and PrivateLoader…

BY eSentire Threat Response Unit (TRU), September 1, 2023 | 10 MINS READ. Attacks/Breaches, Threat Intelligence, Threat Response Unit, TRU Positive/Bulletin. Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state atta...

Igor Skochinsky at Hex Rays

Posted on: 08 Sep 2023. By: Igor Skochinsky. Categories: IDA Pro. Tags: idapro, idatips. Firmware binaries often use a raw binary file format without any metadata, so they have to be loaded manually into IDA. You can do it interactively using the binary file loader, but if you have many files to disassemble it can quickly get boring. If you already know some information about the files you’re disassembling, you can speed up at least the first steps. For example, if you have a binary for big endian ARM, ...

Sudeep at K7 Labs

Posted by Sudeep, September 8, 2023. Fake Applications, Remote Access Trojan. RomCom RAT: Not Your Typical Love Story. By Sudeep, September 8, 2023. A Remote Access Trojan (RAT) is a type of malware that, as the name suggests, can remotely access a victim’s system after successful infection. This blog is about one such RAT, RomCom RAT, which can take complete control of a compromised system by spoofing and deploying fake versions of legitimate applications on the victim’s system to gain init...

muha2xmad

20 minute read. On this page: Introduction; Technical summary; Commands; Power options; Enumerate operations; Enumerate Processes and their executable; Enumerate Drives; Enumerate folders; Enumerate screens; Enumerate Cameras; Enumerate Microphones; Clipboard grabber; Show notifications; Execute CS, VB, VBS, PS; Take screenshots; Download File; Run a specific file; Write bat file in temp; Download and execute; Denial of Service DoS; Steal Steam credentials; Get Telegram path; Get Discord path; System info; Persistence Co...

OALABS Research

Researching a generic solution to decrypt these stack strings. Sep 3, 2023 • 27 min read. string decryption, emulation, golang. Contents: Overview; Sample Analysis; Identify The Encrypted Strings; Pattern 1 - DWORD MOV Encrypted; Pattern 2 - DWORD MOV Encrypted Overlap; Pattern 3 - DWORD MOV Plaintext; Anti-Pattern 1 - MOV Low Value IMM; Deobfuscate Strings; Locating The Obfuscated Strings. Overview: Based on our previous work on Garble Go string decryption we have identified another type of obfuscator used for GoLang t...

Phylum

⚠️September 5, 2023: This appears to be an ongoing campaign with additional packages published. The package timeline table has been updated to reflect this. Phylum has been extremely busy in the past few weeks, reporting on multiple malware campaigns, including malicious updates to npm packages, malware masquerading as a GCC binary, and a package containing a complicated command-and-control setup for data exfiltration. We monitor open-source ecosystems and analyze every package's source code and...

Igor Golovin at Securelist

Malware descriptions, 08 Sep 2023, minute read. Table of Contents: Conclusion; IOC. Authors: Igor Golovin. A while ago we discovered a bunch of Telegram mods on Google Play with descriptions in traditional Chinese, simplified Chinese and Uighur. The vendor says these are the fastest apps which use a distributed network of data processing centers around the world. What can possibly be wrong with a Telegram mod duly tested by Google Play and available through the official store? Well, lots of things, as a ...

Fernando Ortega at Zimperium

Nikolaos Pantazopoulos at ZScaler


ACELab

September 04, 2023. Contest for the Greatest Data Recovery Case. Dear PC-3000 users, You are often sending us a great number of incredible stories about your awesome and impressively successful data recovery cases. Someone extracted the data from the NAND Flash Drive that travelled to space, someone did successful data recovery from a RAID that had been almost completely destroyed during a natural disaster, and many, many more. You always inspire us by the great things you do, and we decided tha...