Analysis Notes

A place for notes on trying out malware analysis and on things that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 42 – 2023 - MALWARE

This entry was automatically generated and posted to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Adams Kone

is a remote command and control (C2) tool that allows remote control of one or multiple agents. The agent implanted on the victim's machine is capable of performing various operations. For a detailed analysis of the agent's capabilities, you can refer to the in-depth study conducted by Vlad Pasca here. Analysis and comparison: All samples exhibit identical behavior upon program launch: a set of data is placed on the stack. In the capture below, it is evident that the majority of the program consi...

Alessandra Perotti

Malware Analysis & Investigation Framework. Posted Oct 3, 2023, updated Oct 3, 2023, by al3x perotti. 1 min read. If you started your malware analysis journey fairly recently, you have probably wondered a few times: where do I start from? What do I prioritize? That’s exactly what happened to me: at times, the amount of information collected can be overwhelming and this can make it tricky to focus on a single aspect of the findings. And that’s why I came up with the idea of this Malware Analy...

Amit Tambe at F-Secure

Amit Tambe, 09.10.23, 11 min. read. Tags: android, Android malware, Spyware. Introduction: The Android threat landscape is fraught with diverse types of malware, each bringing its own ingenuity to the field. Although each piece of Android malware has its own malicious agenda, the typical objective in most cases is to steal user data, especially personal data that can be used for nefarious purposes or even sold later. Based on the agenda alone, certain malware can be classified as spyware, because t...

ASEC

Recently, there has been a high distribution rate of malware using abnormal certificates. Malware often disguises itself with normal certificates. However, in this case, the malware entered the certificate information randomly, with the Subject Name and Issuer Name fields having unusually long strings. As a result, the certificate information is not visible in Windows operating systems, and a specific tool or infrastructure is required to inspect the structure of these certificates. Of course...

AhnLab Security Emergency response Center (ASEC) spotted the AgentTesla Infostealer being distributed through an email in the form of a malicious BAT file. When the BAT file is executed, it employs the fileless method to run AgentTesla (EXE) without creating the file on the user’s PC. This blog post will provide an explanation of the distribution process, from the spam email to the final binary (AgentTesla), along with related techniques. Figure 1 shows the body of the spam email distributing th...

Through a continuous monitoring process, AhnLab Security Emergency response Center (ASEC) is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which abuses typos in domain addresses. After the blocking rules of the injection technique used by Magniber were distributed, ASEC published a post about the relevant information on August 10th: “V3 Detects and Blocks Magniber Ransomware Injection (Direct Syscall Detection)”. Subsequently, the...

AhnLab Security Emergency response Center (ASEC) has recently discovered a change in the distribution method of the ShellBot malware, which is being installed on poorly managed Linux SSH servers. The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value. hxxp://0x2763da4e/dred hxxp://0x74cc54bd/static/home/dred/dred 1. Past Case of URL Detection Evasion Typically, IP addresses are used in the ...

Table of Contents: Overview; 1. Analysis of Volgmer Backdoor; 1.1. Early Version of Volgmer; 1.1.1. Analysis of Volgmer Dropper; 1.1.2. Analysis of Volgmer Backdoor; 1.2. Later Version of Volgmer; 1.2.1. Analysis of Volgmer Backdoor; 2. Analysis of Scout Downloader; 2.1. Droppers (Volgmer, Scout); 2.2. Analysis of Scout Downloader; 2.2.1. Scout Downloader v1; 2.2.2. Scout Downloader v2; 3. Conclusion. The seemingly state-sponsored Lazarus threat group has records of activity that date ...

Blake Darché, Armen Boursalian, and Javier Castro at Cloudflare

Malicious “RedAlert - Rocket Alerts” Application Targets Israeli Phone Calls, SMS, and User Information. October 14, 2023 1:00AM, Blake Darché, Armen Boursalian, Javier Castro, 6 min read. On October 13, 2023, Cloudflare’s Cloudforce One Threat Operations Team became aware of a website hosting a Google Android Application (APK) impersonating the legitimate RedAlert - Rocket Alerts application (//play.google.com/store/apps/details?id=com.red.alert&hl=en&pli=1). More than 5,000 rockets have b...

CTF导航

LightSpy APT Targets WeChat Users and Steals Payment Data. APT, 7 days ago, admin. The LightSpy malware, which carried out watering-hole attacks against iOS users in Hong Kong, has recently been found embedded in an Android implant Core and its 14 related plugins, served from 20 active servers and used to attack mobile users. LightSpy is a mobile advanced persistent threat (mAPT) that uses novel and sophisticated techniques to attack mobile users. The malware has been confirmed to be the work of the APT41 group. Recent reports indicate that the malware has been using the WeChat payment system to access payment data, monitor private communications, and carry out various malicious activities. LightSpy APT targets WeChat users: According to multiple reports, the LightSpy malware is a fully featured modular surveillance toolset that has been found using various plugins to exfiltrate and steal private data and payment data. The malware also focuses strongly on victims' private information. Its functions include using backend infrastructure to exfiltrate payment data from WeChat Pay, and obtaining audio-related functionality from WeChat to record victims' VoIP conversations. However, the malware cannot run as a standalone application, because it is itself a plugin; the malware's Core is responsible for executing all the functionality required for the entire attack chain. Core functions include device fingerprint collection, establishing the connection to the control server, and from the serv...

Dr Josh Stroschein

YouTube video

Fortinet

By Cara Lin | October 09, 2023. Affected Platforms: Linux. Impacted Users: Any organization. Impact: Remote attackers gain control of the vulnerable systems. Severity Level: Critical. In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devic...

Ransomware Roundup - Akira. By Shunichi Imano and James Slaughter | October 12, 2023. On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the Akira ransomware. Affected...

Hex Rays

Posted on: 13 Oct 2023. By: Igor Skochinsky. Categories: Decompilation, IDA Pro. Tags: hexrays, idapro, idatips, shortcuts. In order to faithfully represent the behavior of the code and to conform to the rules of the C language, the decompiler may need to add casts in the pseudocode. A few examples: a variable has been detected to be unsigned but participates in a signed comparison; an argument being passed to a function does not match the prototype; a narrow value (less than register size) is being loa...

Kelvin W

GuLoader Malware Analysis: Definitely Still a Noob Edition. Continuation of my beginner-level malware analysis on the popular loader. Kelvin W, 22 min read, 3 days ago. Note: One command in the IOCs section single-handedly turned my normal “10 min read” length blog post into 22 minutes! I had to change the code blocks to Perl just to prevent it from wrapping and making this blog War and Peace length. Introduction: In a continuation of my previous blog post, I’m going to continue some of...

All Your Cred Are Belong to Us: AgentTesla Malware Analysis, Noob Edition. Kelvin W, 8 min read, 2 days ago. EDIT: Before I get started, after some feedback and a free REM lesson from a more experienced malware analyst, I had to modify my original post’s Dynamic Analysis and Conclusion sections. A large chunk of my hypotheses were scrapped. But, that’s partly why I’m posting these… to learn. Thank you, Nick! Introduction: As I said in my first REM writeup, I’m new at reverse engineering ...

Didier Stevens at NVISO Labs

Didier Stevens, Forensics, Blue Team. October 12, 2023 (October 11, 2023), 7 Minutes. In this blog post, we show in detail how a known-plaintext attack on XOR encoding works, and automate it with custom tools to decrypt and extract the configuration of a Cobalt Strike beacon. If you are not interested in the theory, just in the tools, go straight to the conclusion 🙂 . A known-plaintext attack (KPA) is a cryptanalysis method where the analyst has the plaintext and ciphertext version of a message. The go...

OALABS Research

Automated string decryption. Oct 8, 2023 • 3 min read. Tags: advobfuscator, python, obfuscation, strings, tooling. Contents: Overview; References; Decryption; ADV Loop Signature; Emulation Decryption; TODO (Globals, 64-bit). Overview: ADVobfuscator is a C++ string obfuscation library that is commonly used in malware (most famously by Conti ransomware). We are going to attempt to identify and decrypt strings protected with ADV using some simple python scripting and the unicorn emulator. References: ADVobfuscator github, StackStack...

Ruian Duan and Daiping Liu at Palo Alto Networks

11 min. read. By Ruian Duan and Daiping Liu, October 13, 2023 at 4:00 PM. Category: Malware. Tags: Advanced URL Filtering, Cobalt Strike, Cortex XDR, Decoy Dog malware, DNS security, dns tunneling, DNSTT, FinCounter, next-generation firewall, VPN. Executive Summary: We present a study on why and how domain name system (DNS) tunneling techniques are used in the wild. Motivated by our findings, we present a system to automatically attribute tunneling domains to tools and campa...

Phylum

Over the weekend, Phylum’s automated risk detection alerted us to a series of publications surrounding packages on PyPI, all purporting to be some kind of cloud provider SDK or helper package. While these packages do, in fact, provide the purported functionality, they also surreptitiously ship the credentials off to an obfuscated remote URL. ⚠️ Update October 11, 2023: We've seen 2 additional packages published in this campaign since yesterday: enumerate-iam-aws, which employed the same tacti...

On October 6, 2023, Phylum’s automated risk detection platform alerted us to a suspicious publication on NuGet. After working through several layers of obfuscation we ultimately discovered that this package was delivering SeroXen RAT. Background: The package in question is Pathoschild.Stardew.Mod.Build.Config published by a user called Disti. The package is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig. Notice the lack of dots in the “ModBuildConfig” part — the legi...

Soumen burma at Quick Heal

By Soumen burma, 13 October 2023, 4 min read. Our recent research has highlighted the presence of the MedusaLocker ransomware, which first surfaced in mid-2019. Its primary targets are the Hospital and Healthcare industries. MedusaLocker employs AES and RSA encryption techniques to encrypt victims’ data. Technical Analysis: At the start, it performs a check for the presence of a Mutex. If the Mutex does not exist, it proceeds to create the Mutex using the CreateMutexW() function, as shown...

Giampaolo Dedola, Domenico Caldarella, Alexander Fedotov, and Andrey Gunkin at Securelist

APT reports, 12 Oct 2023. Table of Contents: Toolset; Standard loaders; Tailored loader; Ninja; LoFiSe; DropBox uploader; Pcexter; Other tools; Passive UDP backdoor; CobaltStrike; Post-exploitation; Data collection and exfiltration; ToddyCat’s indicator of compromise. Authors: Giampaolo Dedola, Domenico Caldarella, Alexander Fedotov, Andrey Gunkin. ToddyCat is an advanced APT actor that we described in a previous publication last year. The group started its activities in December 2020 and has been responsible for mu...

Alex Delamotte and Jim Walter at SentinelOne

October 12, 2023 by Alex Delamotte and Jim Walter. In September 2023, automation and manufacturing company Johnson Controls was targeted in a ransomware attack where threat actors used Dark Angels ransomware to lock the company’s VMWare ESXi servers. SentinelOne has analyzed the binary related to this attack and found that it has considerable overlap with RagnarLocker’s ESXi version. In this post, we present technical details of the Dark Angels ransomware, offer a comparative analysis of Dark...

Satyajit Daulaguphu at Tech Zealots

By Satyajit Daulaguphu, October 12, 2023, 4 minute read. Code obfuscation is the process of making software code difficult to understand, analyze, and reverse-engineer. It is a technique used by malware authors and other malicious actors to conceal their code’s true intentions and evade detection by security software. In this article, we will explore the various techniques and methods used in code obfuscation and how to obfuscate code. How Does Code Obfuscation Work? Code obf...

Trend Micro

Almost a year after Void Rabisu shifted its targeting from opportunistic ransomware attacks with an emphasis on cyberespionage, the threat actor is still developing its main malware, the ROMCOM backdoor. By: Feike Hacquebord, Fernando Merces. October 13, 2023. Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine. Among the threat actor’s previous t...

We detail an ongoing campaign abusing messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim’s system, additional payloads were introduced to the environment. By: Trent Bessell, Ryan Maglaque, Aira Marcelo, Jack Walsh, David Walsh. October 12, 2023. From July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.Auto...

Virus Bulletin

Posted on Oct 12, 2023. Android botnets are a formidable threat to the security and privacy of millions of users worldwide. In a new paper, Aditya K Sood and Rohit Bansal discuss an inherent security flaw present in the C&C panel of the Nexus Android botnet, which has been exploited to gather internal details of the C&C design. In addition, they present a model of mobile AppInjects, to uncover how overlay attacks are performed on compromised Android devices to hijack user accounts and steal cr...