Analysis Notes

A place to jot down notes from trying out malware analysis and anything that seems useful for analysis. This site uses Google Analytics.

4n6 Week 41 – 2023 - MALWARE

This entry was auto-generated and posted to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 can be found here.

MALWARE

Adam Chester at XPN

Posted on 2023-10-02 Tagged in redteam, okta For a long time, Red Teamers have been preaching the mantra “Don’t make Domain Admin the goal of the assessment” and it appears that customers are listening. Now, you’re much more likely to see objectives focused on services critical to an organization, with many being hosted in the cloud. With this shift in delegating some of the security burden to cloud services, it’s commonplace to find Identity Providers (IDP) like Microsoft Entra ID or Okta being...

Ahmet Göker

DLL | Reverse-Engineering. Ahmet Göker · 9 min read · 6 days ago. Hello, everyone! Welcome back to my blog post. Today, I am going to explain how to analyze an EXE file with exported DLLs. I assume that this blog post will not be too complicated. You only need to have basic knowledge of the following: DLL, call conventions, assembly language, programming language. If you are ready to dive deep into this field, let me demonstrate it in a practical manner. Analyzing the file: It is always important...

Any.Run

October 5, 2023 · 14 min read. Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough. Lena, Cybersecurity analyst and resear...

Arch Cloud Labs

Analyzing & Patching a DLL Reverse Shell. About The Project: On September 18th, the Twitter account Malware Hunter Team tweeted about a DLL, batch script, and PowerShell script being publicly hosted at 103[.]68[.]109[.]31. Given that a DLL was being hosted, I thought it would be an interesting target to reverse engineer. This blog post analyzes that DLL and ultimately patches this simple reverse shell to call back to a local virtual machine. OSINT: Initial triage with VirusTotal reports that s...

Avast Threat Labs

CTF导航

Spyware.Joker Analysis Report. Penetration techniques · 1 week ago · admin. 1. Event overview: On September 20, 2023, a mobile security researcher posted an Android malware alert on the well-known social platform X (formerly Twitter) [1]. The post disclosed that a malicious app named Beauty Wallpaper HD, spread by the Android malware family Joker, had been published on Google Play, the world's largest Android app store; as of September 20, this Joker family sample had 1000+ downloads. The family name derives from the C2 domain it used early on, from which the characteristic string "Joker" was extracted as the family name. Its main malicious behavior is indiscriminately subscribing users to various paid SP services and stealing user privacy for profit. Since Joker is currently one of the most active families on the Google Play store, I analyzed its family member samples in detail to disclose its recent development trends. 2. Threat details: The malicious behavior is carried out mainly through the primary malware Beauty Wallpaper HD and its derivatives, so analyzing it reveals the details of that malicious behavior. Beauty Wallpaper HD sample overview. Item / Description. App name: Beauty Wallpaper HD. Package name: com...

Simon Kenin, Ron Ben Yizhak, and Mark Vaitzman at Deep Instinct

Simon Kenin, Threat Intelligence Researcher; Ron Ben Yizhak, Security Researcher; Mark Vaitzman, Threat Lab Team Leader. Key takeaways: The Deep Instinct Threat Lab has discovered a new operation against Azerbaijanian targets. The operation has at least two different initial access vectors. The operation is not associated with a known threat actor; the operation was instead named because of their novel malware written in the Rust programming language. One of the lures used in the operation is a modified document t...

Jin Lee and Jenna Wang at Fortinet

By Jin Lee and Jenna Wang | October 02, 2023. Affected platforms: All platforms where NPM packages can be installed. Impacted parties: Any individuals or institutions that have these malicious packages installed. Impact: Leak of credentials, sensitive information, source code, etc. Severity level: High. Over the past few months, the FortiGuard Labs team has discovered several malicious packages hidden in NPM (Node Package Manager), the largest software registry for the JavaScript programming languag...

Igor Skochinsky at Hex Rays

Posted on: 06 Oct 2023. By: Igor Skochinsky. Categories: Decompilation, IDA Pro. Tags: hexrays, idapro, idatips, shortcuts. In order to show the user only the most relevant code and hide the unnecessary clutter, the decompiler performs various optimizations before displaying the pseudocode. Some of these optimizations rely on various assumptions which are usually correct in well-behaved programs. However, in some situations they may be incorrect which may lead to wrong output, so you may need to know ho...

OALABS Research

The many variants of this new stealer. Oct 1, 2023 • 6 min read. mystic stealer · stealer · obfuscation · cpp. Overview: According to Zscaler, Mystic is a stealer that has been active since April 2023, sold on underground forums such as XSS. Other than stealing browser credentials and crypto wallets, the stealer's main differentiator is the use of a custom obfuscator that is used to protect strings. This obfuscator produces similar outpu...

Lee Wei Yeong, Xingjiali Zhang, Yang Ji and Wenjun Hu at Palo Alto Networks

13 min. read. By Lee Wei Yeong, Xingjiali Zhang, Yang Ji and Wenjun Hu. October 6, 2023 at 6:00 AM. Category: Malware. Tags: Android, Android APK, Banking Trojan, Cerberus trojan, HiddenAd, Hooking, Sandbox, WildFire. Executive Summary: One of the biggest challenges we face in analyzing Android application package (APK) samples at scale is the diversity of Android platform versions that malware authors use. When trying to utilize static and dynamic analysis techniques in the...

Suraj Yadav

When a 32-bit application running within a 64-bit process needs to call a 64-bit system function or interface, it must switch the processor into 64-bit mode. This is where the Heaven’s Gate technique comes into play. The technique involves executing a special syscall instruction, which triggers a context switch from 32-bit mode to 64-bit mode, effectively changing the CS register’s contents. Context Switch: The Windows kernel handles the transition between modes. It saves the state of the 32-bit e...

Aliakbar Zahravi and Peter Girnus at Trend Micro

This entry delves into threat actors' intricate methods to implant malicious payloads within seemingly legitimate applications and codebases. By: Aliakbar Zahravi, Peter Girnus. October 05, 2023. Introduction: As technology evolves and the world becomes more interconnected, so do the techniques used by threat actors against their victims. Threat actors pose a significant risk to organizations, individuals, and communities by continuously exploiting the in...

Chris Partridge

Published Sep 30, 2023 — 6 mins read You know, if I was a cybercriminal, the last thing I would want to do is invite scrutiny to my operation. Things like … posting a really obvious lure in a den of cybersecurity/IT/etc. professionals and aspirants. But maybe I’d just be a better cybercriminal, because someone did exactly that today over on r/cybersecurity. The Lure While cleaning up the usual spam/marketing/etc. on r/cybersecurity, I noticed an interesting and unexpected post, advertising...

Fernando Tavella at WeLiveSecurity

ESET researchers discovered a cyberespionage campaign against a governmental entity in Guyana. Fernando Tavella, 05 Oct 2023 • 15 min. read. In February 2023, ESET researchers detected a spearphishing campaign targeting a governmental entity in Guyana. While we haven’t been able to link the campaign, which we named Operation Jacana, to any specific APT group, we believe with medium confidence that a China-aligned threat group is behind this incident. In the attack, the operators used a previously...

Padvish Malware Threat Database

Virus.Win32.Expiro. 2023-10-07. General description. Type: virus. Damage level: high. Prevalence: low. Malware names: Virus.Win32.Expiro. What is a virus? Computer viruses such as Expiro are a type of malware that are not capable of replicating on their own. Viruses can infect all accessible executable files on the system, which usually have .exe and .dll extensions. At run time, viruses look for uninfected (host) files, and they need a host file in order to replicate, inserting their own code among the code of the fi...