Analysis Notes

A place to jot down malware analysis attempts and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 44 – 2023 - MALWARE

This entry was auto-generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Any.Run

October 24, 2023 | Unpacking the Use of Steganography in Recent Malware Attacks | 7 min read. Malware delivery techniques are always evolving to bypass security measures. Gone are ...

ASEC

This report provides statistics on the number of new ransomware samples, targeted systems, and targeted businesses in August 2023, as well as notable ransomware issues in Korea and other countries. Key Trends: 1) CLOP ransomware expanded pressure tactics on targeted businesses; 2) Rhysida ransomware connection with Vice Society; 3) Monti ransomware introduced new Linux encryption technique. Aug_Threat Trend Report on Ransomware Statistics and Major Issues ...

This trend report on the deep web and dark web of August 2023 is sectioned into Ransomware, Forums & Black Markets, and Threat Actors. We would like to state beforehand that some of the content has yet to be confirmed to be true. 1) Ransomware (1) ALPHV (BlackCat) (2) LockBit (3) NoEscape (4) MetaEncryptor (5) Rhysida 2) Forum & Black Market (1) The Return of Raccoon Stealer (2) Anonfiles Shut Down (3) Data Breach of Foreign Language Learning Website 3) Threat Actor (1) Genesis Market User Arres...

August 2023 Major Issues on APT Groups: 1) Andariel 2) APT29 3) APT31 4) Bitter 5) Bronze Starlight 6) Callisto 7) Carderbee 8) Charcoal Typhoon (RedHotel) 9) Earth Estries 10) Flax Typhoon 11) GroundPeony 12) Infamous Chisel 13) Kimsuky 14) Lazarus 15) MoustachedBouncher 16) Mysterious Elephant (APT-K-47) 17) Nobelium (Midnight Blizzard) 18) Red Eyes (APT37). Aug_Threat Trend Report on APT Groups ...

The Kimsuky group's activities in August 2023 showed a notable surge in the BabyShark type, while the activities of other types were relatively low. Also, phishing samples were found in the infrastructure known for distributing previous malware (FlowerPower, RandomQuery, and AppleSeed), and BabyShark samples were discovered in the RandomQuery infrastructure. This suggests the likelihood of multiple types of malware utilizing a single infrastructure. Aug_Threat Trend Report on Kimsuky Group ...

Avast Threat Labs

Jarosław Jedynak at CERT Polska

24 October 2023 | Jarosław Jedynak | #dropper, #malware, #analysis, #xworm, #malwarestory. XWorm is a multi-purpose malware family, commonly used as a RAT. This post contains a detailed analysis and a walk-through of the reverse-engineering process. Motivation: After obtaining our new .NET extraction powers we quickly had a chance to give them another try. This time we decided to focus on a malware family called XWorm - a multi-purpose tool that is most commonly used as a RAT (a remote access trojan to co...

Cluster25

By Cluster25 Threat Intel Team October 25, 2023 Cluster25 observed a malicious campaign that employs LinkedIn messages as a vector for executing identity theft attacks. In this campaign, compromised LinkedIn accounts are utilized to send messages to users with the aim of compromising their accounts by illicitly procuring their cookies, session data, and browser credentials. The malware employed in these attacks has been positively identified as a member of the DuckTail family. This malware varia...

Matthew at Embee Research

Cobalt Strike .VBS Loader - Decoding with Advanced CyberChef and Emulation Manually decoding a Cobalt Strike .vbs Loader utilising advanced CyberChef and Shellcode Emulation. Matthew Oct 23, 2023 • 8 min read Demonstrating how to manually decode a complex .vbs script used to load Cobalt Strike shellcode into memory. The referenced script implements heavy text-based obfuscation. We can defeat this obfuscation by utilising CyberChef and Regex. Post obfuscation, we will identify some "malformed" sh...

Understanding and Improving The Ghidra UI for Malware Analysis Improving Malware Analysis Workflows by Modifying the default Ghidra UI. Matthew Oct 25, 2023 • 4 min read The Ghidra User interface can be intimidating and complicated for users who are not familiar with the tool. In this post, I'll go over some changes that I made in order to improve the usability of Ghidra and ensure a better analysis experience. This is an expansion of a post that I previously made on Twitter. How to Enable Dark ...

Remcos Downloader Analysis - Manual Deobfuscation of Visual Basic and Powershell Decoding a Remcos Loader, leveraging regex, python and Cyberchef to identify IOCs. Matthew Oct 27, 2023 • 7 min read In this post, we'll demonstrate a process for decoding a visual basic (.vbs) script, which contains an encoded Powershell Script used to download Remcos malware from a Google Drive. We'll manually analyse and deobfuscate both the vbs and powershell, and develop a decoder to obtain IOCs and decoded val...

Igor Skochinsky at Hex Rays

Posted on 27 Oct 2023 by Igor Skochinsky | Categories: Decompilation, IDA Pro | Tags: hexrays, idapro, idatips. Let's say you found a promising-looking string in the binary, followed the cross reference to the function using it, then decompiled it to see how the string is used, only to see no signs of it in the pseudocode. What's happening? In such a situation it often helps to set up two synchronized disassembly <-> pseudocode views and scroll through them looking for oddities. As a rule of thumb, most p...

MWLab

2023-10-22 #malware #stealer #asyncrat #dcrat #venomrat #reversing #obfuscation #cyberchef. Yesterday, as a part of a challenge in one CTF competition, I had to analyze a modified sample of AsyncRAT. I will try to avoid any spoilers; however, I wanted to decode and decrypt strings from AsyncRAT configuration settings. AsyncRAT is written in C#, and there are various variants and clones in the wild, such as DcRat or VenomRAT. Some samples are almost not obfuscated (except the encryption of the con...

NVISO Labs

Bastien Bossiroy | Red Team | October 26, 2023 | 19 minutes. Introduction: In this blog post, we will go over the most recurring (and critical) findings that we discovered when auditing the Active Directory environment of different companies, explain why these configurations can be dangerous, how they can be abused by attackers and how they can be mitigated or remediated. First, let's start with a small introduction on what Active Directory is. Active Directory (AD) is a service that allo...

Moritz Thomas | Red Team, Reverse Engineering | October 26, 2023 | 23 minutes. This entry is part 3 in the series Introducing CS2BR - Teaching Badgers new Tricks. Introduction: Over the span of the previous two blog posts in the series, I showed why the majority of Cobalt Strike (CS) BOFs are incompatible with Brute Ratel C4 (BRC4) and what you can do about it. I also presented CS2BR itself: it's a tool that makes patching BOFs to be compatible with BRC4 a breeze. However, we also found s...

OALABS Research

A closer look at this Agent Tesla successor | Oct 22, 2023 | 2 min read | Tags: dotnet, origin logger, agenttesla, config. Overview: This is a .NET stealer that is possibly a clone or new version of AgentTesla. It has been sold on public grayware sites such as fudsender[.]com. There is even a YouTube commercial for the stealer! //www.youtube.com/watch?v=o-MDujYrtto Sample: b1114c27beb856eae1f9fba0a880450702b7bda007f0fbacc4d5df561d83ec88 UnpacM...

Siddharth Sharma at Palo Alto Networks

By Siddharth Sharma | October 26, 2023 at 6:00 AM | 4 min. read | Category: Malware | Tags: Advanced WildFire, API, Linux, Sandbox. Executive Summary: In this article, we'll explore the use of pluggable authentication module (PAM) application programming interfaces (APIs) in malicious software. We'll also demonstrate why keeping an eye on PAM APIs in a sandboxed environment could be useful. PAM is a widely used framework for authe...

Zhassulan Zhussupov

8 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research on trying to evade AV engines by encrypting the payload with another algorithm: WAKE. As usual, exploring various crypto algorithms, I decided to check what would happen if we apply this to encrypt/decrypt the payload. WAKE: The WAKE (Word Auto-Key Encryption) algorithm, created by David Wheeler in 1993, is a stream encryption method. It uses an automatic key schedule to encrypt and decrypt ...

ZScaler

JAVIER VICENTE - Sr. Staff Security Researcher | October 25, 2023 - 21 min read | ThreatLabz Research. Introduction: Mystic Stealer is a relatively new downloader and information stealer that emerged in early 2023. The malware harvests data from a large number of web browsers and cryptocurrency wallet applications. Mystic can also be used to steal Steam...

NIRAJ SHIVTARKAR, RAJDEEPSINH DODIA | October 27, 2023 - 9 min read | ThreatLabz Research. Introduction: On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker, which was a sophisticated dou...