Analysis Notes

A place for notes from my attempts at malware analysis and anything that seems useful for analysis. This site uses Google Analytics.

4n6 Week 43 – 2023 - MALWARE

This entry was automatically generated and posted to show the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. The 4n6 issue itself can be found here.

MALWARE

Any.Run

Featured posts: Malware Analysis in ANY.RUN: The Ultimate Guide; Raccoon Stealer 2.0 Malware analysis; How to Get Free Malware Samples and Reports ...

ASEC

The Lazarus group is a hacking group that is known to be state-sponsored and is actively conducting hacking activities worldwide for financial gain, data theft, and other purposes. A simplified overview of the Lazarus group’s watering hole attack that abused the INISAFE vulnerability is as follows: a malicious link was inserted within a specific article on a news website. Consequently, companies and institutions that clicked on this article were targeted for hacking. The hackers exploited vulner...

Kimsuky, a threat group known to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy agency in 2014. Other countries have also become targets of their attack since 2017. [1] The group usually launches spear phishing attacks on the national defense, diplomatic, and academic sectors, defense and media industries, as well as national organizations. Their goal is to exfiltrate i...

Infostealers, which steal user account credentials saved in web browsers or email clients, constitute the majority of attacks targeting general or corporate users. Related information was shared through the ASEC Blog in December of last year. [1] While the distribution method for the named malware differs slightly depending on their main features, Infostealer-type malware typically uses malicious sites disguised as pages for downloading legitimate programs as their distribution route. They are a...

Doug Burks at Security Onion

Thanks to Brad Duncan for sharing this pcap: //www.malware-traffic-analysis.net/2023/10/17/index.html
We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following:
install Security Onion 2.4 in a VM: //docs.securityonion.net/en/2.4/first-time-users.html
import the pcap using so-import-pcap: //docs.securityonion.net/en/2.4/so-import-pcap.html#so-import-pcap
optionally enable the new DNS lookups feature: //docs.securityonion.net/en/2.4/soc-cus...

Embee Research

Decoding a Simple Visual Basic (.vbs) Script - DarkGate Loader. Demonstrating basic techniques for decoding a DarkGate .vbs loader. Matthew, Oct 16, 2023, 6 min read. In this post I will demonstrate a process for decoding and demystifying a simple DarkGate loader .vbs script. This script employs minimal obfuscation and is not particularly complex; however, it does deploy some decoy tactics which can be tricky to navigate and may throw off an inexperienced analyst. This post will demonstrate some basi...

Ghidra Tutorial - Using Entropy To Locate a Cobalt Strike Decryption Function. Using Ghidra entropy analysis to identify a decryption function. Matthew, Oct 18, 2023, 6 min read. Using Ghidra to analyse malware can be a difficult and daunting task. This task is often complicated through the use of encryption and the general complexity of using Ghidra for the first time. In this blog, I will demonstrate a simple workflow that you can use to speed up this process. By using the entropy view within Gh...

Decoding a Cobalt Strike .hta Loader Using CyberChef and Emulation. Decoding a .hta script with CyberChef and analysing shellcode with the SpeakEasy emulator. Matthew, Oct 20, 2023, 6 min read. In this post, I will demonstrate a process for decoding a simple .hta loader used to load Cobalt Strike shellcode. We will perform initial analysis using a text editor, and use CyberChef to extract embedded shellcode. From here we will validate the shellcode using an emulator (SpeakEasy) and perform some ba...

James Slaughter at Fortinet

By James Slaughter | October 19, 2023. Affected Platforms: Windows. Impacted Users: Windows users. Impact: The information collected can be used for future attacks. Severity Level: Medium. In 2023, the InfoStealer market is a reasonably crowded affair. The likes of RedLine, Raccoon, and Vidar own a significant market share, with new entrants such as SaphireStealer appearing frequently. The latest entry, ExelaStealer, has now taken the field. Very little backstory is available on ExelaStealer, with the...

Hex Rays

Posted on: 17 Oct 2023. By: Alex Petrov. Categories: IDA Pro, Programming. Tags: IDA Pro, plugin. This is a guest entry written by Sergejs Harlamovs from IKARUS Security Software GmbH. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. IdaClu: Finding clues without knowing what to seek. IdaClu, as the name suggests, is about "clusterization" and "finding the clues". The plugin offers a toolset to ...

Posted on: 20 Oct 2023. By: Igor Skochinsky. Categories: IDA Pro. Tags: idapro, idatips. As covered before, the action "Create struct from selection" can be used to quickly create structures from existing data items. However, the Disassembly view is not the only place where it can be used. For example, let's imagine you've created a structure to represent some context used by the binary being analyzed:
00000000 Context struc ; (sizeof=0x1C)
00000000 version dd ?
00000004 pid dd ?
00000008 tid dd ?
0000000C ...

Lathashree K at K7 Labs

Posted by Lathashree K, October 18, 2023. Categories: Android, Fake Applications, Remote Access Trojan. Rusty Droid: Under the Hood of a Dangerous Android RAT. Threat actors focus on gaining remote access and control of victims' devices. For this they either use fake apps or masquerade as legitimate apps. This blog is about the Rusty Droid RAT, which masquerades as the Chrome browser for Android. The sample under consideration is taken from this tweet. It has the capabilities...

Kelvin W

What a Load of %$&#!: DarkGate Malware Analysis (Noob Edition). Kelvin W, 7 min read, Oct 15. Introduction: Today, I'll be walking readers through my analysis of DarkGate malware, an oldie but goodie that has seen a recent resurgence in the wild due to having a whole host of capabilities. DarkGate is a commodity loader on sale for big $$$ on cybercrime forums. I accidentally classified this as a RAT when I first started gathering malware samples initially, and didn't realize my mistake u...

Born at nullteilerfrei

born, code, malware-analysis, technology, 2023-10-21. This blag post covers scanning the Ghidra virtual memory with YARA. What is YARA: YARA is the industry standard when it comes to signature matching on malware. If you don't know YARA: it's a simple pattern-matching language that has some features tailored for searching in binary data. Logical expressions for matches and the capability to match on parsed structures of some common executable formats are a few examples of such features. rule hell...

OALABS Research

Extending our ADV automated string decryption tool to handle custom cases. Oct 15, 2023, 7 min read. Tags: advobfuscator, python, obfuscation, strings, tooling. Overview: ADVobfuscator is a C++ string obfuscation library that is commonly used in malware (most famously by Conti ransomware). We are going to attempt to identify and decrypt strings protected with ADV using some simple Python scripting and the unicorn emulator. We crea...

OSArmor

A customer contacted us due to some messages received on Facebook Messenger to unlock his Facebook page. The customer is a business owner and runs a Facebook page of his shop. According to the messages received, his page has been locked due to copyright infringement and he has to click on a link received on the messages to unlock the page: The PMs come from “Page Report Notification” and use a “customer support”-like avatar. The malicious/phishing URL found on the messages is: hxxps://facebook.s...

Ayush Anand at Securityinbits

October 17, 2023. CyberChef, CyberChef Recipe, Infostealer, RedLine. Ayush Anand. In this quick blog post, we'll explore the various combinations of CyberChef operations, e.g. Subsection, From Base, Fork, etc., for deobfuscating VBScript used in the RedLine stealer infection chain. VBScript often employs the 'chr' function to obfuscate its code, where 'chr' converts ASCII codes to characters, e.g. Chr(65)...

Quentin Bourgue at Sekoia

Rajesh Nataraj at Sophos

Multiple LockBit knock-off attacks in September targeting obsolete software foiled, exposing tactics and tools. Written by Rajesh Nataraj, October 19, 2023. Tags: Threat Research, Adobe ColdFusion, cryptominers, featured, LockBit, Ransomware, LoLBINs, Sophos X-Ops. Servers are always a point of interest for threat actors as they are one of the most efficient attack vectors to penetrate an organization. Server-related accounts often have the highest privilege levels, making lateral movement to other machines in ...

Nijith Wilson at System Weakness

Nijith Wilson, published in System Weakness, 14 min read, Oct 15. Introduction: In this article, we'll look at how to use Python to build a Discord RAT (Remote Administration Tool). Through Discord commands, this programme lets users remotely handle a device and offers functions like process management, file downloads, system information retrieval, and more. How to Build: Full Code Implementation. The full Python code for the Discord RAT is provided below. Ensure you have the required l...

The Citizen Lab

Apple has just released an update for Apple products, including iPhones, iPads, Mac computers and Apple Watches. We urge all users to update their devices immediately. Key findings: Between May and September 2023, former Egyptian member of parliament Ahmed Eltantawy was targeted with Cytrox's Predator spyware via links sent to him over SMS and WhatsApp messages. The targeting took place after Eltantawy publicly announced his plan to run for president in the 2024 Egyptian elections. In August and September 2023, the targeting fell on the connection of ...

Tejaswini Sandapolla and Karthickkumar Kathiresan at Uptycs

Tags: Threat Research, Threat Detection. Tejaswini Sandapolla, October 20, 2023. Coauthored by Karthickkumar Kathiresan of Uptycs Threat Research Team. The Quasar RAT employed a technique known as DLL side-loading, which involved leveraging trusted Microsoft files, including "ctfmon.exe" and "calc.exe," to achieve its objectives. This technique capitalizes on the inherent trust these files command within the Windows environment. This report sheds light on the intricacies of these DLL side-loa...

Joshua Platt and Jason Reaves at Walmart

IcedID gets Loaded. Jason Reaves, published in Walmart Global Tech Blog, 4 min read. By: Joshua Platt and Jason Reaves. While investigating a recent IcedID campaign leveraging GitLab: hxxps://gitlab.]com/group9652040/my1/-/raw/main/2.exe
We noticed that the imphash for the sample had an overlap with another sample: Ref: //www.virustotal.com/gui/search/imphash%253Ace088b62574105896ea14183bc034940/files
And that new sample was talking to a different domain: Ref: //www.virustotal.com...