Analysis Notes

A place to note things learned from analyzing malware and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 41 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics); it was generated and posted automatically so that the articles worth checking can be skimmed quickly. The 4n6 roundup itself can be found here.

THREAT INTELLIGENCE/HUNTING

A. Boukar

What is DLL Hijacking and How to Prevent it? (A. Boukar, 4 min read) In this article, we will explore DLL Hijacking, and how attackers use it for privilege escalation in Windows. We will also explore how to prevent DLL Hijacking attacks. But before that, and just so we are on the same page, let's start off by clarifying what a DLL is. What is a DLL file? Dynamic Link Libraries (DLL) are files that provide useful functions for Windows executables. Different Windows programs...

Adam Goss

Threat Intelligence with MISP: Part 3 — Creating Events (Adam Goss, 14 min read) Welcome back to this series on using MISP for threat intelligence! MISP (Malware Information Sharing Platform and Threat Sharing) is an open-source threat intelligence platform that allows you to share, collate, analyze, and distribute threat intelligence. It is used across industries and governments worldwide to share and analyze information about the latest threats. This series aims to give you t...

Ali Paşa Turhan at Docguard

Posted by Ali Paşa Turhan on 4 October 2023. CHM, or Microsoft Compiled HTML Help, is a proprietary format for online help files used in Windows applications. Microsoft introduced it as a successor to the earlier HLP (WinHelp) format. CHM files are commonly used to provide software application documentation, help, and user guides. According to @RecordedFuture, Chinese Advanced Persistent Threat (APT) groups have been observed distributing malicious CHM files through spearphishing campa...

Assume-breach

Home Grown Red Team: LNK Phishing Revisited In 2023 (assume-breach, 16 min read) All right so macros are out, ISOs, zips and password protected zips are all getting flagged. What's an APT to do? Well, LNK files are still going strong against certain defenses. I've done a few posts about using LNK files and batch scripts in OneNote, but Microsoft has officially given command execution from OneNote files the boot. In this write-up, we're going to explore a few different wa...

Francis Guibernau and Andrew Costis at AttackIQ

Avertium

Understanding Business Email Compromise (BEC) - A Guide (October 3, 2023) Executive Summary: Business Email Compromise (BEC) attacks are increasing, posing significant threats to organizations globally. In the realm of cybercrime, BEC attacks stand out as a highly sophisticated and rapidly evolving threat. These attacks mainly rely on cleverly crafted emails to trick people within a company into doing things that can harm the company. The primary goals of these attacks are financial gain and access...

Alyssa Snow at Black Hills Information Security

Alyssa Snow: Active Directory Certificate Services (ADCS) [1] is used for public key infrastructure in an Active Directory environment. ADCS is widely used in enterprise Active Directory environments for managing certificates for systems, users, applications, and more. In 2021, SpecterOps published a white paper that described ADCS in-depth along with ADCS misconfigurations and vulnerabilities [2] that can be abused for credential theft, domain escalation, and persistence. This white paper took a dee...

Lawrence Abrams at BleepingComputer

Brad Duncan at Malware Traffic Analysis

2023-10-03 (TUESDAY) - PIKABOT INFECTION WITH COBALT STRIKE. REFERENCES: //twitter.com/Unit42_Intel/status/1709327580380197038 ; //www.linkedin.com/posts/unit42_pikabot-cobaltstrike-timelythreatintel-activity-7115093198233894912-ZhRp . NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-10-03-IOCs-for-Pikabot-infection-with-Cobalt-Strike.txt.zip 2.6 kB (2,582 bytes); 2023-10-03-Pikabot-infection-with-Cobalt-Strike.pcap.z...

CERT Ukraine

CERT-AGID

How the Knight ransomware works – Analysis with the help of Triton (02/10/2023, knight ransomware) The Knight ransomware, distributed in Italy via a fake invoice, is Cyclops 2.0. The group of the same name released the new version under a new name in May of this year. According to what has been advertised, Knight is able to infect Windows, Linux (including the ESXi hypervisor) and MacOS systems. It is also able to exfiltrate files from compromised machines in order to exploit the cla...

Summary of malicious campaigns in the week of 30 September – 6 October 2023 (06/10/2023, summary) This week, CERT-AgID detected and analyzed, in the Italian scenario within its remit, a total of 29 malicious campaigns, 25 of them with Italian targets and 4 generic ones that nonetheless affected Italy, making the 319 related indicators of compromise (IOC) identified available to its accredited bodies. Below we report the details of the...

Check Point

Yehuda Gelb at Checkmarx Security

The Evolutionary Tale of a Persistent Python Threat (Yehuda Gelb, published in checkmarx-security, 7 min read) In the vast landscape of the open-source ecosystem, shadows occasionally move. While this realm thrives on collaboration and knowledge sharing, it's also a playground for predators, from novice hackers to well-coordinated nation-state actors. Over recent months, one such threat has been emerging, growing, and refining its arsenal. Our team at Checkmarx's Supply Cha...

Guilherme Venere at Cisco’s Talos

Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown. By Guilherme Venere, Thursday, October 5, 2023 07:10. The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicati...

Derrick Masters at Cybereason

Written by Cybereason Security Research Team. Cybereason issues Threat Analysis reports to explore widely used attack techniques, outline how threat actors leverage these techniques, describe how to reproduce an attack, and report how defenders can detect and prevent these attacks. In this Threat Analysis report, Cybereason investigates and explores various techniques for abusing the Windows Shortcut file format. KEY POINTS: Widely popular for initial infection and persistence: The Cybereason Secu...

Cyfirma

Published On: 2023-10-06. Ransomware of the Week: CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geographies, and technologies which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Target Geographies: Argentina, Canada, Germany, Italy, Mexico, Romania, United Kingdom, United States. Target Industries: Construction, E-commerce, E...

Paranoid Ninja at Dark Vortex

A Thousand Sails, One Harbor - C2 Infra on Azure Posted on 29 Sep 2023 by Paranoid Ninja Over the past four years of conducting Red Team workshops, one of the most asked questions has always been the configuration of a Command & Control infrastructure. As much as Fastly helps to secure a CDN, the novelty among Red Team has always been to use azureedge.net as redirectors, as the fronting was disabled by Microsoft last year. This blog is a mini-consolidated post on various ways to set up the C2 In...

Jeremy Fox, Julien Terriac, and Edouard Schweisguth at Datadog Security Labs

October 2, 2023 (open source, kubernetes, container security) Sniffing out attack paths in Kubernetes. Sections: Batteries (of attacks) included; Red and blue team use cases; Red team: Looking for low-hanging fruit; Blue team: Assessing the impact of a compromised container; Blue team: Remediation; Blue team: Metrics and KPIs; Getting started with KubeHound; What's under the hood; Collecting the data; Ingesting the data; Building the graph; What's next. Jeremy Fox, Senior Security Engineer, Adversary Si...

Dheeraj Kumar and Ella Dragun at Securonix

SIEM. By Dheeraj Kumar, Ella Dragun, Securonix Threat Labs. The Monthly Intelligence Insights provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs in September. The report additionally provides a synopsis of the threats; indicators of compromise (IoCs); tactics, techniques, and procedures (TTPs); and related tags. Each threat has a comprehensive threat summary from Threat Labs and search queries from the Threat Research team. For additional information ...

Arda Büyükkaya at EclecticIQ

Arda Büyükkaya – October 5, 2023 (Updated on October 6, 2023). Executive Summary: EclecticIQ analysts identified a cyber espionage campaign where threat actors used a variant of HyperBro loader with a Taiwan Semiconductor Manufacturing (TSMC) lure. This was likely to target the semiconductor industry in Mandarin/Chinese speaking East Asian regions (Taiwan, Hong Kong, Singapore). EclecticIQ analysts identified a cyber espionage campaign where threat actors used a variant of HyperBro loader with a T...

Eclypsium

Matthew at Embee Research

Practical Queries for Identifying Malware Infrastructure - Part 2 (Matthew, Oct 4, 2023, 1 min read) This is a continuously updated list of interesting practical Censys queries. Remote Access Hosting MZ Files: labels: remote-access and services.esponse.body:"This program cannot be run in DOS mode" . Darkgate Hosting Servers: autonomous_system.asn: 210644 and services.esponse.headers: (key: Content-Transfer-Encoding and value.headers: binary) ; services.esponse.headers.content_disposition:*.xll service...

Developing Yara Signatures for Malware - Practical Examples. Practical examples and breakdowns of indicators that can be used to produce effective yara rules. (Matthew, Oct 4, 2023, 4 min read) The purpose of this article is to highlight some practical examples of indicators that can be used for detection using Yara. The rules are not intended to be performance-optimized. Purely examples of indicators ...

Introduction to DotNet Configuration Extraction - RevengeRAT. Introduction to dotnet configuration extraction, leveraging RevengeRat and Python. (Matthew, Oct 5, 2023, 12 min read) This post is an introduction to developing configuration extractors for dotnet malware. The sample used here is RevengeRat; this rat typically employs minimal obfuscation and presents an ideal introduction for config extraction. The sample has config which can be obtained via strings. However, it is far more interesting a...

Various IOC dumps from malware research (Matthew, Oct 8, 2023, 4 min read) Njrat - 2023/10/08: 0a349a9b956f99d57b6e1c2119b65c6389930272672457f2b52ed0b91b92ac83: ['office365microsoft[.]duckdns[.]org', '8095', 'c3b22a97f04044', '@!#&^%$', 'NYAN CAT', '0.7NC', ''] ; 114784f1f94b09a3ee0621eb19120e81f61219dd79fcc176afc3dd40da0782d5: ['tiagoodiaz[.]duckdns[.]org', '1994', '1f0e646916494d', '@!#&^%$', 'NYAN CAT', '0.7NC', ''] ; 1550225ffb22d23d230b9958532b2d2b9540fad37af8dc483b4abd43a704ad3c: ['svchost[.]ydns[.]...

Esentire

SECURITY ADVISORIES, Oct 04, 2023: Zero-Day Vulnerability Impacts Confluence. THE THREAT: Atlassian has unveiled details concerning an actively exploited privilege escalation vulnerability; the company was made aware of the i...

Faan Ross

what is threat hunting part I - different strokes for different folks (Posted on Oct 3, 2023) Preface: Today I want to explore one of several frameworks I like to employ to help me understand exactly what threat hunting is at a high level. I have a few more related frameworks I'd like to explore in the future, so I guess we can go ahead and call this what is threat hunting part i - different strokes for different folks. Let's begin by exploring what I like to think of as the central problem of organiza...

GreyNoise

Daniel Grant, October 2, 2023. TLDR: GreyNoise is exposing a new internally developed tool, Sift, to the public for the first time. Sift curates a report of new/interesting traffic observed by GreyNoise sensors daily after doing much of the analysis and triage work itself. Check it out at //sift.labs.greynoise.io/ Note that it is a new and experimental feature and will probably have some bugs and change without warning. We will soon be integrating direct marker.io feedback capability. For now, pleas...

Gurumoorthi Ramanathan at Trellix

By Gurumoorthi Ramanathan · October 5, 2023 Executive Summary: In early July 2023, the threat actor that Microsoft calls “Storm-0324” was observed sending a phishing message through Microsoft Teams. Storm-0324 is a financially motivated threat actor group previously known for distributing phishing emails to gain initial access to compromised systems via remote code execution. After gaining the initial foothold, Storm-0324 has a history of often handing-off the access to well-known Ransomware gro...

Rosemary Cipriano at Human Security

By Rosemary Cipriano Oct 4, 2023 Ad Fraud HUMAN’s Satori Threat Intelligence and Research team announced today the disruption of the PEACHPIT ad fraud botnet and their research into the larger BADBOX fraud empire. The BADBOX operation, based out of China, sold off-brand mobile and Connected TV (CTV) devices on popular online retailers and resale sites. These Android devices came preloaded with a known malware called Triada. Once the device was turned on or plugged in, those devices called home a...

Huntress

On Thursday, September 28, 2023, software vendor Progress released a security advisory for numerous vulnerabilities affecting the WS_FTP Server Ad Hoc Transfer Module within their WS_FTP software. These vulnerabilities were disclosed as: CVE-2023-40044 (CVSS: 10), CVE-2023-42657 (CVSS 9.9), CVE-2023-40045 (CVSS 8.3), CVE-2023-40046 (CVSS 8.2), CVE-2023-40048 (CVSS 6.8), CVE-2022-27665 (CVSS 6.1), CVE-2023-4004...

Infoblox

Lookalike Domain Attacks are on the Rise. Be on the Lookout for these Four Types. (October 3, 2023) If you think you're seeing double, you probably are. Website domains, that is. Yet, despite the growing threat of lookalike domains, a targeted form of phishing where malicious actors use visually similar website domains to deceive unsuspecting users into clicking links or visiting fake websites, they can be overlooked as a key attack vector for threat actors. As users have learned to scrutinize links...

RDGAs: The New Face of DGAs (October 5, 2023, Author: Darby Wise) Following our publication introducing the concept of DNS threat actors, we will be taking a closer look at a few types of actors we have been researching and how they are using DNS to orchestrate complex campaigns. These threat actors are increasingly leveraging domain generation algorithms to create, register, and then actively use a large set of domains over time; a method that uses what we call a registered domain generation algorit...

Intel471

Oct 03, 2023 Managed file transfer (MFT) software is a product category that emerged to supplement or replace file transfer protocol (FTP), which served its purpose but did not address growing security and compliance requirements. However, the ubiquity of MFT software among enterprises has not gone unnoticed by threat actors, who have repeatedly targeted it for financial gain. The exploitation of MFT software is at the core of one of the most significant cyber extortion events on record. In May ...

Itai Tevet at Intezer

Written by Itai Tevet - 4 October 2023

L M

Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more) (L M, 7 min read) Executive Summary: We investigated a recent LockBit extortion incident that occurred in Q3 2023, which involved an unusual FTP server located in Moscow. The hostname of this server was identified as matching many hostnames found in various posts on the LockBit leak site. Our investigation revealed that this remote endpoint is associated with criminal activities dating back to 2019, ...

Matt Suiche at Magnet Forensics

This is a post authored by Matt Suiche (Director of Detection Engineering). Introduction Once again, compression algorithms are showing us that they are ruling the internet. My initial encounter with compression algorithms was in the year 2007 while reversing the Windows hibernation file to reimplement the now well-known Microsoft LZXpress, which I discovered later was used in most Microsoft products until today. This journey continues today, scrutinizing the vulnerability CVE-2023-4863 located ...

Microsoft Security


Nik Alleyne at ‘Security Nik’

Beginning SiLK - Systems for Internet Level Knowledge - working with network flow data. SiLK is one of the tools used to analyze network flow data and something we teach in the SANS SEC503, Network Monitoring and Threat Detection. In this post, I am walking through some of the tools within the SiLK suite, to show their basic and somewhat common usage. There is no specific order to their usage and at times, you may even see the same tool being used multiple times but in different ways. Get SiLK ver...

Dima at Outflank

Dima | October 5, 2023 For avoiding EDR userland hooks, there are many ways to cook an egg: Direct system calls (syscalls), Indirect syscalls, unhooking, hardware breakpoints, and bringing and loading your own version of a library. These methods each have advantages and disadvantages. When developing a C2 implant it’s nice to work with a combination of multiple of these. For instance, you could use a strong (in)direct syscall library for direct usermode to kernel transition, then use unhooking o...

Ovi Liber

The evolution of North Korean Android spyware: ROKRAT & RambleOn (OVI, Oct 4, 2023) Please note in this article when I mention ROKRAT, I am specifically referring to the Android variant of the malware, and not the malware relating to other operating systems. Introduction: In December 2022, working with Interlab, we discovered a seemingly novel piece of Android spyware that was targeting human rights activists in South Korea. I published a reverse engineering report on the spyware through Interlab's webs...

Sam Rubin at Palo Alto Networks

Marc Lean at Red Canary

Roy Akerman at Rezonate

SANS Internet Storm Center

John Dwyer and Richard Emerson at Security Intelligence

X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related incident response engagements were associated with the use of stolen credentials. I...

Felix Aimé and Maxime A. at Sekoia

Jim Walter at SentinelOne

October 5, 2023 by Jim Walter. The LostTrust ransomware operation is a new multi-extortion threat that emerged in September 2023. Our analysis of LostTrust malware payloads indicates that the family is an evolution of SFile and Mindware, and that all three follow similar operations and tradecraft to MetaEncryptor. Similarities between the LostTrust leaks sites and the earlier MetaEncryptor leaks sites are also apparent, while aspects of SFile encryptor previously observed with MetaEncryptor c...

SOCRadar

Sucuri

Sysdig

Heresh Zaremand at Truesec

Threat actor, Client VPN gateway, valid accounts, Cisco ASA, initial access, Akira ransomware; these are some words frequently seen together lately describing attack campaigns targeting Cisco AnyConnect Client SSL VPNs. These attacks sound very advanced but are in reality quite simple and rely on misconfigurations somewhere in the targeted environments. (Heresh Zaremand, 9 min read) During this past year, the Truesec CSIRT team has handled a notable number of incidents where the threat actor has ...

Yelisey Bohuslavskiy at RedSense

Introducing RedSense Series on Cyber Interconnectivity & Emerging Killchains. Actionable cyber threat intel (#CTI) is, essentially, a cyber-focused counter-espionage. Its primary goal is to understand how the adversary may access information that they should not have access to. As such, it is all about correlations, #TTPs, patterns, and adversarial paradigms; in other words, it's about analysis and connecting the dots. Because #CTI is all about recognizing the adversarial pattern, and because w...