Analysis Notes

A place for notes on my attempts at malware analysis and on things that looked useful for analysis.

4n6 Week 46 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be picked out quickly. 4n6 itself can be found here.

MALWARE

Any.Run

November 7, 2023 (Service Updates). Analyze Script Execution in ANY.RUN Using Script Tracer. Script tracer makes it easy to trace and deobfuscate the execution flo...

November 9, 2023 (Cybersecurity Lifehacks). Understanding interactive vs automated malware analysis sandboxes. Both interactive and automated san...

ASEC

The distribution method involving the impersonation of resumes is one of the main methods used by the LockBit ransomware. Information related to this has been shared through the ASEC Blog in February of this year. [1] In contrast to the past, where only the LockBit ransomware was distributed, it has been confirmed that an Infostealer is also being included in recent distributions. [2] (This link is only available in Korean.)
Figure 1. Content of email disguised as a resume
Figure 2. Attachment co...

AhnLab Security Emergency response Center (ASEC) has recently discovered the active distribution of the Phobos ransomware. Phobos is a variant known for sharing technical and operational similarities with the Dharma and CrySis ransomware. These ransomware strains typically target externally exposed Remote Desktop Protocol (RDP) services with weak security settings as attack vectors. Given the frequent occurrence of ransomware distribution that leverages these vulnerable RDPs as initial access poi...

AhnLab Security Emergency response Center (ASEC) observed the distribution of PDF files that contain malicious URLs. The domains linked from the PDF files indicate that similar PDFs are being distributed under the guise of downloading certain games or crack versions of program files. Below is a list of some of the PDF files that are being distributed.
Far-Cry-3-Multiplayer-Crack-Fix.pdf
STDISK-Activator-Free-Download-X64.pdf
Hungry-Shark-World-360-Apk-MOD-Diamond-Coin-Data-Free-Download-FULL.pdf...
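As an added check for the kind of sample described above (example code added to this digest, not ASEC's code): a scanner that pulls the /URI link targets out of a PDF. The sample PDF built by build_sample_pdf() and its example.invalid URLs are constructed for the example. Real samples often pack annotations into FlateDecode streams, so the scanner inflates every stream that decompresses as zlib and scans that output too; other filters (LZW, encrypted files) and literal strings containing unescaped nested parentheses are not handled.

```python
"""Extract /URI targets (Link annotations, URI actions) from a PDF.
Added example for this digest; not ASEC's code. Sample data is constructed."""
import re
import zlib
from typing import Iterator, List

# /URI followed by a literal string (...) or a hex string <...>.
# Literal strings with unescaped nested parentheses are not handled.
_URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)",
    re.DOTALL,
)
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape_literal(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\n-style, \\ddd octal, backslash-EOL."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in _ESCAPES:
            out += _ESCAPES[nxt]
            i += 2
        elif nxt and nxt in b"01234567":            # \ddd: up to three octal digits
            j = i + 1
            while j < len(raw) and j < i + 4 and raw[j:j + 1] in b"01234567":
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        elif nxt in (b"\r", b"\n"):                 # backslash-EOL is a line continuation
            i += 3 if raw[i + 1:i + 3] == b"\r\n" else 2
        else:                                       # unknown escape: the backslash is dropped
            out += nxt
            i += 2
    return bytes(out)


def _blobs(pdf: bytes) -> Iterator[bytes]:
    """Yield the raw file, then every stream body that inflates as zlib (FlateDecode)."""
    yield pdf
    for m in _STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue                                # image data or a non-Flate filter


def extract_uris(pdf: bytes) -> List[str]:
    """Return the distinct URI strings found anywhere in the file, in file order."""
    found: List[str] = []
    for blob in _blobs(pdf):
        for m in _URI_RE.finditer(blob):
            if m.group("lit") is not None:
                raw = _unescape_literal(m.group("lit"))
            else:
                h = re.sub(rb"\s+", b"", m.group("hex"))
                if len(h) % 2:
                    h += b"0"                       # PDF pads an odd trailing hex digit
                raw = bytes.fromhex(h.decode("ascii"))
            uri = raw.decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF: two link annotations, one hex-string URI, and one
    URI action hidden inside a FlateDecode stream. All URLs are placeholders."""
    hidden = zlib.compress(b"<< /S /URI /URI (http://example.invalid/in-flate-stream) >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R 5 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
        b"/A << /S /URI /URI (http://example.invalid/Far-Cry-3-Multiplayer-Crack-Fix) >> >> endobj\n"
        # a backslash before a non-special character is dropped by a PDF reader
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670] "
        b"/A << /S /URI /URI (http://example.invalid/STDISK\\-Activator\\-Free) >> >> endobj\n"
        b"6 0 obj << /S /URI /URI <687474703a2f2f6578616d706c652e696e76616c69642f6865782d656e636f646564> >> endobj\n"
        b"7 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\nstream\n"
        + hidden + b"\nendstream endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for uri in extract_uris(build_sample_pdf()):
        print(uri)
```

The hex-string and FlateDecode cases are the ones a naive `strings | grep http` misses; a sample that only shows URLs after inflation is exactly the one to send to the sandbox first.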

On May 3rd, 2022, AhnLab posted an analysis on the ASEC blog under the title “Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade”.
[+] Analysis of Malware Disguised with Military Parade Content: //asec.ahnlab.com/en/33936/
This report is based on 17 months of tracking and analysis of the Kimsuky group’s hacking activities (C2 operations, management, sending hacking emails, distributing malware, etc.) that share similar patterns with the major characteristics (C...

Yehuda Gelb at Checkmarx Security

Python Obfuscation Traps, by Yehuda Gelb, published in checkmarx-security. In the realm of software development, open-source tools and packages play a pivotal role in simplifying tasks and accelerating development processes. Yet, as the community grows, so does the number of bad actors looking to exploit it. A recent example involves developers being targeted by seemingly legitimate Python obfuscation packages that harbor malicious code. Key Points: Throughout 2023,...

Elastic Security Labs

Introducing the REF5961 intrusion set. The REF5961 intrusion set discloses three new malware families targeting ASEAN members. The threat actor leveraging this intrusion set continues to develop and mature their capabilities. (Security research, Malware analysis.) Preamble: Updated October 11, 2023 to include links to the BLOODALCHEMY backdoor. Elastic Security Labs continues to monitor state-aligned activity, targeting governments and multinational government organizations in Southern and So...

Matthew at Embee Research

Malware Unpacking With Hardware Breakpoints - Cobalt Strike Shellcode Loader. Last updated on Nov 9, 2023. In previous posts here and here, we explored methods for extracting Cobalt Strike shellcode from script-based malware. In this post, we'll explore a more complex situation where Cobalt Strike shellcode is loaded by a compiled executable .exe file. This will requ...

Igor Skochinsky at Hex Rays

Posted on: 11 Nov 2023 by Igor Skochinsky (IDA Pro). Let’s consider this snippet from the decompilation of an x86 Windows binary: The same function is called twice with the same argument, and the last one doesn’t seem to use the result of the GetComputerNameExW call. By switching to disassembly, we can see that eax is initialized before each call with a string address: However, the decompiler does not consider it, because on x86 the stack is the usual way of pass...

Kelvin W

The final entry of my malware analysis for the popular loader, by Kelvin Winborne. Introduction: As promised, I’m back after studying some of the more advanced topics from the Practical Malware Analysis (PMAT) course by TCM Security. After finally at least getting an introduction to disassembling, decompiling, and debugging binaries, I’m revisiting my first malware analysis blog post, GuLoader. This is also the same sample as before. As always, my favorite way to...

Jérôme Segura at Malwarebytes

Posted: November 8, 2023 by Jérôme Segura The majority of malvertising campaigns delivering malicious utilities that we have tracked so far typically deceive victims with pages that are almost the exact replica of the software vendor being impersonated. For example, we have seen fake websites appearing like the real Webex, AnyDesk or KeePass home page. In a new campaign, we observed a threat actor copying a legitimate Windows news portal (WindowsReport.com) to distribute a malicious installer fo...

Maxime Thiebaut at NVISO Labs

Maxime Thiebaut, Tools, Reverse Engineering, November 7, 2023. When working with IDA, a commonly leveraged feature is type information libraries (TIL). These libraries contain high-level type information such as function prototypes, type definitions, standard structures or enums, enabling IDA to convert statements such as movsxd rbx, dword ptr [r12+3Ch] into, for example, the more human-readable counterpart movsxd rbx, [r12+IMAGE_DOS_HEADER.e_lfanew]. On Windows, a simila...

Squiblydoo.blog

Posted by squiblydoo, November 7, 2023. Tags: analysis, backdoor, deepdive, infostealer, Jupyter, malware, malware analysis, Polazert, PowerShell, registry, reverse engineering, Security Analysis, SEO Poisoning, SOC, Solarmarker, VM. The intent of this blogpost is to document the function and characteristics of SolarMarker malware as it was seen in October 2023. For information about SolarMarker as it appeared during September 2022 until September 2023 see The Old ...

Zhassulan Zhussupov

Malware development trick - part 37: Enumerate process modules via VirtualQueryEx. Simple C++ example. 4 minute read. ﷽ Hello, cybersecurity enthusiasts and white hackers! Today, this post is the result of my own research on another popular malware development trick: getting the list of modules of a target process. It’s similar to my previous post about enumerating the list of modules, but in this case I used VirtualQueryEx. Practical example: First of all, we just use one of the methods to find the target process PID. For...
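The walk the post describes, as an added example in Python/ctypes rather than the post's C++ (this is not the author's code): query the target's address space region by region with VirtualQueryEx starting at address 0, keep the committed MEM_IMAGE regions, resolve each to a file with GetMappedFileNameW, and collapse the several sections of one image on their shared AllocationBase. The Windows calls assume a Python of the same bitness as the target and a PID you may open with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ; sample_regions() is constructed data so the collapsing step can be exercised on any platform.

```python
"""List the modules of another process by walking its memory with VirtualQueryEx.
Added example for this digest (Python/ctypes, not the post's C++). Windows-only
API calls are isolated in walk_regions(); sample_regions() is constructed data."""
import ctypes
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000                # region backed by an image section (a mapped PE)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


@dataclass
class Region:
    base: int
    alloc_base: int                  # AllocationBase: identical for every section of one image
    size: int
    state: int
    type: int
    path: Optional[str]              # mapped file name, if one could be resolved


def regions_to_modules(regions: List[Region]) -> List[Tuple[int, str]]:
    """Collapse committed MEM_IMAGE regions into one (image base, path) per module.
    A mapped PE appears as several regions (headers, .text, .data, ...) sharing the
    AllocationBase, so that base is the dedupe key. Heaps, stacks and plain file
    mappings are not MEM_IMAGE and are skipped."""
    modules = {}
    for r in regions:
        if r.state != MEM_COMMIT or r.type != MEM_IMAGE:
            continue
        modules.setdefault(r.alloc_base, r.path or "<unknown>")
    return sorted(modules.items())


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # The x64-only PartitionId WORD lands in the alignment padding before RegionSize.
    _fields_ = [("BaseAddress", ctypes.c_void_p),
                ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32),
                ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32),
                ("Protect", ctypes.c_uint32),
                ("Type", ctypes.c_uint32)]


def walk_regions(pid: int) -> List[Region]:
    """Query every region of `pid` from address 0 upward until VirtualQueryEx fails."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx is a Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    psapi.GetMappedFileNameW.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                         ctypes.c_wchar_p, ctypes.c_uint32]
    psapi.GetMappedFileNameW.restype = ctypes.c_uint32

    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    regions: List[Region] = []
    mbi = MEMORY_BASIC_INFORMATION()
    name = ctypes.create_unicode_buffer(1024)
    addr = 0
    try:
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            path = None
            if mbi.State == MEM_COMMIT and mbi.Type == MEM_IMAGE:
                # Yields a device path such as \Device\HarddiskVolume3\Windows\System32\ntdll.dll
                if psapi.GetMappedFileNameW(handle, base, name, len(name)):
                    path = name.value
            regions.append(Region(base, mbi.AllocationBase or 0, mbi.RegionSize,
                                  mbi.State, mbi.Type, path))
            addr = base + mbi.RegionSize        # next region starts right after this one
    finally:
        k32.CloseHandle(handle)
    return regions


def enum_modules(pid: int) -> List[Tuple[int, str]]:
    return regions_to_modules(walk_regions(pid))


def sample_regions() -> List[Region]:
    """Constructed data: one image mapped as two sections, a private heap, and an
    image whose file name could not be resolved."""
    exe = r"\Device\HarddiskVolume3\Temp\sample.exe"
    return [Region(0x7FF610000000, 0x7FF610000000, 0x1000, MEM_COMMIT, MEM_IMAGE, exe),
            Region(0x7FF610001000, 0x7FF610000000, 0x5000, MEM_COMMIT, MEM_IMAGE, exe),
            Region(0x10000, 0x10000, 0x10000, MEM_COMMIT, MEM_PRIVATE, None),
            Region(0x7FFB20000000, 0x7FFB20000000, 0x1000, MEM_COMMIT, MEM_IMAGE, None)]


if __name__ == "__main__":
    mods = enum_modules(int(sys.argv[1])) if len(sys.argv) > 1 else regions_to_modules(sample_regions())
    for base, path in mods:
        print(f"{base:#018x} {path}")
```

Because the walk looks at the address space rather than the PEB loader lists, it also surfaces images that were unlinked from the PEB or mapped without the loader, which is why this enumeration is popular both with malware and with the people hunting it.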