Analysis Notes

A place to note things from my own malware analysis attempts and anything I thought would be useful for analysis. This site uses Google Analytics.

4n6 Week 38 – 2023 - MALWARE

This entry was auto-generated and posted to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Any.Run

ChatGPT-powered Malware Analysis: Review Sandbox Results with AI. September 13, 2023. 4 min read. Mal...

ASEC

This report provides statistics on the number of new ransomware samples, targeted systems, and targeted businesses in July 2023, as well as notable ransomware issues in Korea and other countries. Key Trends 1) More businesses affected by CLOP ransomware’s exploitation of MOVEit zero-day vulnerability 2) Big Head ransomware disguised as an emergency Windows update 3) Detection names for ransomware disguised as Sophos file ATIP_2023_Jul_Threat Trend Report on Ransomware Statistics and Major Issues...

July 2023 Major Issues on APT Groups 1) APT28 2) APT29 3) APT31 4) Camouflaged Hunter 5) Charming Kitten 6) Gamaredon 7) Kimsuky 8) Konni 9) Lazarus 10) Mustang Panda 11) Patchwork 12) Red Eyes 13) Space Pirates 14) Turla 15) Unclassified ATIP_2023_Jul_Threat Trend Report on APT Groups...

This trend report on the deep web and dark web of July 2023 is sectioned into Ransomware, Forums & Black Markets, and Threat Actor. We would like to state beforehand that some of the content has yet to be confirmed to be true. 1) Ransomware (1) ALPHV (BlackCat) (2) Cactus (3) CLOP (4) Monti 2) Forum & Black Market (1) The Sale of Genesis Market (2) BreachedForums Database on Sale (3) US Medical Institution’s Database Breached 3) Threat Actor (1) Operation OpSweden Carried Out by Multiple Hacker ...

The Kimsuky group’s activities in July 2023 showed that FlowerPower is gaining traction, and the group is simultaneously diversifying their attack methods. Additionally, there were no particular issues regarding AppleSeed and RandomQuery types as they are now less used. The BabyShark type to be described in detail further on this report will be included in the statistics from July thereon. ATIP_2023_Jul_Threat Trend Report on Kimsuky Group...

BlueShell is a backdoor developed in Go. It is available on GitHub and supports Windows, Linux, and Mac operating systems. Currently, it seems the original GitHub repository has been deleted, but the BlueShell source code can be downloaded from other repositories. Notably, the ReadMe file containing the guidelines is in Chinese, and this suggests that the creator may be a Chinese speaker. Figure 1. BlueShell published on GitHub There aren’t many cases where BlueShell is known to have been used i...

On August 28, AhnLab Security Emergency response Center (ASEC) discovered a downloader being distributed disguised with content regarding the violation of intellectual property rights, targeting unspecified masses in Korea. The distributed malware included code that detects virtual environments to evade sandbox-based security solutions and was a .NET type that downloads the MainBot malware. Judging from the file information collected by AhnLab Smart Defense (ASD) and VirusTotal...

Doug Burks at Security Onion

Thanks to Brad Duncan for sharing this pcap: www.malware-traffic-analysis.net/2023/06/16/index.html. We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following: install Security Onion 2.4 in a VM (docs.securityonion.net/en/2.4/first-time-users.html); import the pcap using so-import-pcap (docs.securityonion.net/en/2.4/so-import-pcap.html#so-import-pcap); optionally enable the new DNS lookups feature (docs.securityonion.net/en/2.4/soc-cus...

Fortinet

By Cara Lin | September 11, 2023 Affected platforms: Windows Impacted parties: Any organization Impact: Remote attackers steal credentials, sensitive information, and cryptocurrency Severity level: Critical In August, FortiGuard Labs obtained a Word document containing a malicious URL designed to entice victims to download a malware loader. This loader employs a binary padding evasion strategy that adds null bytes to increase the file's size to 400 MB. The payloads of this loader include OriginB...
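The padding trick described above (null bytes appended until the file is far too large for size-limited scanners) is easy to check for once you know where the mapped part of a PE ends. The script below is an added example, not code from the Fortinet report: it parses the section table to find the overlay, measures how much of the overlay is null bytes, and strips the trailing nulls so the real loader can be hashed and scanned at its true size. The sample PE is constructed inline and the thresholds (overlay size, null ratio) are assumptions to tune per corpus; the 400 MB figure from the article is only the motivation.

```python
import struct

PE_SIGNATURE = b"PE\0\0"


def pe_overlay(data: bytes) -> tuple:
    """Return (overlay_offset, overlay_size): the bytes past the last
    section that the PE header actually maps, from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt
    end = sect_table + 40 * num_sections  # the headers themselves are mapped content
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    end = min(end, len(data))  # a truncated file has no overlay
    return end, len(data) - end


def null_ratio(blob: bytes) -> float:
    return blob.count(0) / len(blob) if blob else 0.0


def padding_verdict(data: bytes, min_overlay: int = 50_000_000,
                    min_null_ratio: float = 0.95) -> dict:
    """Flag a file whose overlay is large and almost entirely null bytes.
    Both thresholds are assumptions; tune them to your own corpus."""
    off, size = pe_overlay(data)
    ratio = null_ratio(data[off:])
    return {"overlay_offset": off, "overlay_size": size, "null_ratio": ratio,
            "padded": size >= min_overlay and ratio >= min_null_ratio}


def strip_null_padding(data: bytes) -> bytes:
    """Drop trailing null bytes from the overlay only, keeping any real
    appended data (configs, embedded payloads) that sits before them."""
    off, _ = pe_overlay(data)
    return data[:off] + data[off:].rstrip(b"\0")


def build_sample_pe(payload: bytes, pad: int) -> bytes:
    """Constructed minimal PE32 for the demo: one .text section holding
    `payload`, followed by `pad` null bytes of overlay. Not a real sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header size; its fields do not matter here
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    raw_ptr = 0x200  # first 512-byte file-alignment slot after the headers
    raw_size = (len(payload) + 0x1FF) & ~0x1FF
    section = (b".text\0\0\0"
               + struct.pack("<IIII", len(payload), 0x1000, raw_size, raw_ptr)
               + b"\0" * 12 + struct.pack("<I", 0x60000020))
    headers = dos + PE_SIGNATURE + coff + b"\0" * size_opt + section
    headers += b"\0" * (raw_ptr - len(headers))
    body = payload + b"\0" * (raw_size - len(payload))
    return headers + body + b"\0" * pad


if __name__ == "__main__":
    # 4 MiB of padding stands in for the article's 400 MB; the check is the same
    sample = build_sample_pe(b"loader stub", 4 * 1024 * 1024)
    print(padding_verdict(sample, min_overlay=1_000_000))
    print(len(sample), "->", len(strip_null_padding(sample)), "bytes after stripping")
```

Measuring the overlay rather than the whole file matters: a legitimate installer can be large because its sections are large, whereas a padded loader has a small mapped image followed by a huge run of nulls. Stripping only the trailing nulls keeps any appended configuration intact, so the stripped file is still the same sample for triage purposes.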

By James Slaughter and Shunichi Imano | September 12, 2023 Affected Platforms: Windows Impacted Users: Windows users Impact: Potential to deploy additional malware for additional purposes Severity Level: Medium One of the most exciting aspects of malware analysis is coming across a family that is new or rare to the reversing community. Determining the function of the malware, who created it, and the reasons behind it become a mystery to solve. The previously unseen dropper variant we recently fo...

Joshua Kamp and Alberto Segura at Fox-IT

September 11, 2023. Authored by Joshua Kamp (main author) and Alberto Segura. Summary: Hook and ERMAC are Android-based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook was written from scratch [1]. In our research, we have analysed two samples of Hook and two samples of E...

Mohitrajai

Malware Analysis Report: Clop Ransomware — 1. Mohitrajai. 3 min read. Executive Summary. SHA256 hash: 3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207. MD5 hash: 8752a7a052ba75239b86b0da1d483dd7. What is CLOP Ransomware? ⮚ CLOP is a CryptoMix ransomware, a file-encrypting malware that encrypts files with the “.clop” extension. ⮚ CLOP ransomware can infect a system in various ways, like spam email attachments, cracked software, or unprotected protoco...

Jan Michael Alcantara at Netskope

Phrozen

Ole Villadsen, Golo Mühr, and Kat Metrick at Security Intelligence

IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote...

Ax Sharma at Sonatype

By Ax Sharma, September 12, 2023. 4 minute read time. Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers. These packages identified by our automated malware detection systems exploit the well-known dependency confusion technique in an attempt to gain access to these organizations’ internal systems. However, our analysis concludes these are proof-of-concept (PoC) packages published by pen testers hopi...
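Dependency confusion works because a package manager will happily resolve an internal package name from the public registry when the name is unscoped, or when its scope is not pinned to the private registry. The following is an added example, not Sonatype's tooling: a pre-install check that reads a project's package.json and .npmrc and reports the dependencies exposed to that resolution path. The package names, scopes and registry URL are hypothetical and the inputs are constructed inline.

```python
import json

PUBLIC_REGISTRY = "https://registry.npmjs.org/"


def parse_npmrc(text: str) -> dict:
    """Extract the default registry and per-scope registry pins from .npmrc text."""
    cfg = {"registry": None, "scopes": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "registry":
            cfg["registry"] = value
        elif key.startswith("@") and key.endswith(":registry"):
            cfg["scopes"][key[: -len(":registry")]] = value
    return cfg


def confusion_risks(package_json: str, npmrc: str,
                    internal_names: set, internal_scopes: set) -> list:
    """Return (package, reason) pairs for dependencies an attacker could
    satisfy from the public registry. `internal_names` and `internal_scopes`
    are what the private registry serves (here: hypothetical values)."""
    pkg = json.loads(package_json)
    cfg = parse_npmrc(npmrc)
    deps = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(key, {}))
    findings = []
    for name in sorted(deps):
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope is None and name in internal_names:
            # exactly the case in the article: anyone can publish this name publicly
            findings.append((name, "unscoped internal name resolvable from the public registry"))
        elif scope in internal_scopes:
            pinned = cfg["scopes"].get(scope)
            if pinned is None:
                findings.append((name, f"scope {scope} is not pinned to a registry in .npmrc"))
            elif pinned.rstrip("/") == PUBLIC_REGISTRY.rstrip("/"):
                findings.append((name, f"scope {scope} is pinned to the public registry"))
    return findings


# Constructed inputs: a hypothetical service and the names its private registry serves.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "checkout-service",
    "dependencies": {
        "express": "^4.18.2",
        "pos-internal-utils": "^2.1.0",     # unscoped internal name (exposed)
        "@acme/payments-core": "^1.4.0",    # scope pinned below (safe)
        "@acme/feature-flags": "^0.9.0",    # scope pinned below (safe)
    },
    "devDependencies": {"@acme-labs/testkit": "^3.0.0"},  # scope never pinned (exposed)
})
SAMPLE_NPMRC = """
# constructed .npmrc
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""
INTERNAL_NAMES = {"pos-internal-utils", "@acme/payments-core",
                  "@acme/feature-flags", "@acme-labs/testkit"}
INTERNAL_SCOPES = {"@acme", "@acme-labs"}


if __name__ == "__main__":
    for name, reason in confusion_risks(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC,
                                        INTERNAL_NAMES, INTERNAL_SCOPES):
        print(f"{name}: {reason}")
```

The two findings the constructed input produces are the two shapes the article's PoC packages rely on: an unscoped internal name, and a scoped name whose scope falls through to the default public registry. Pinning every internal scope in .npmrc and moving unscoped internal packages under a pinned scope clears both.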

Ben Martin at Sucuri

Raymond Chen at The Old New Thing

Raymond Chen, September 11th, 2023. There was a spike in Explorer crashes that resulted in the instruction pointer out in the middle of nowhere.

0:000> r
eax=00000001 ebx=008bf8aa ecx=77231cf3 edx=00000000 esi=008bf680 edi=008bf8a8
eip=7077c100 esp=008bf664 ebp=008bf678 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
7077c100 ?? ???

Maybe the return address tells us something.

0:000> u poi esp
008bf6d4 test eax,eax
008bf6d6 je 008bf6b9
008bf6d8 xor e...

Hitomi Kimura, Ryan Soliven, Ricardo Valdez III, Nusrath Iqra, and Ryan Maglaque at Trend Micro

In this blog, we investigate how threat actors used information-stealing malware with EV code signing certificates and later delivered ransomware payloads to their victims via the same delivery method. By: Hitomi Kimura, Ryan Soliven, Ricardo Valdez III, Nusrath Iqra, Ryan Maglaque. September 13, 2023. We have been observing malware families RedLine and Vidar since the middle of 2022, when both were used by threat actors to target victims via spear-phishin...

Sudeep Singh at ZScaler