Analysis Notes

A place to jot down notes from trying out malware analysis and things that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 47 – 2023 - MALWARE

This entry was automatically generated and posted to show the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Any.Run

November 16, 2023, 4 min read. Upload Additional Files into Active Tasks in ANY.RUN. ANY.RUN cloud virtual machines already come with a selection of pre-installed softwa...

ASEC

In this report, we cover nation-led threat groups presumed to conduct cyber espionage or sabotage under the support of the governments of certain countries, referred to as “Advanced Persistent Threat (APT) groups” for the sake of convenience. Therefore, this report does not contain information on cybercriminal groups aiming to gain financial profits. We organized analyses related to APT groups disclosed by security companies and institutions including AhnLab during the previous month; however, t...

This report provides statistics on the number of new ransomware samples, targeted systems, and targeted businesses in September 2023, as well as notable ransomware issues in Korea and other countries. Key Trends 1) Sharp Decrease in Targeted Businesses Related to CLOP Ransomware and MOVEit 2) NoEscape Ransomware and Its Imitations 3) Ransomware Group Using GDPR as a Bluff (GDPR Gambit) 4) Others. Sep_Threat Trend Report on Ransomware Statistics and Major Issues

The Kimsuky group’s activities in September 2023 showed a notable surge in the RandomQuery type, while the activities of other types were relatively low or non-existent. Sep_Threat Trend Report on Kimsuky Group (Tags: AppleSeed, BabyShark, FlowerPower, Kimsuky, RandomQuery)

This trend report on the deep web and dark web of September 2023 is sectioned into Ransomware, Forums & Black Markets, and Threat Actors. We would like to state beforehand that some of the content has yet to be confirmed to be true. Ransomware: Akira; ALPHV (BlackCat); LockBit; RansomedVC. Forum & Black Market: Data Breach Affecting 7 Million Users; Personal Information of Police Officers Leaked. Threat Actor: Prosecution of Individuals Associated with the Trickbot Cybercrime Group; About ...

AhnLab Security Emergency response Center (ASEC) detected circumstances of a malware strain being distributed through breached legitimate websites using various file names, prompting users to run them. This post will introduce how AhnLab EDR analyzes and detects the method of malware distribution using LNK files as the medium, a method that has been employed often in recent times. Pomerium Project Related Inquiry Data.txt.lnk; Data Regarding Application for Changes Before the 2023 Iris Agreement.t...

The AhnLab Security Emergency response Center’s (ASEC) analysis team is constantly monitoring malware distributed to vulnerable database servers. MySQL server is one of the main database servers that provides the feature of managing large amounts of data in a corporate or user environment. Typically, in Windows environments, MS-SQL is primarily installed for database services, while in Linux environments, database services like MySQL and PostgreSQL are used. However, although not as frequently a...

AhnLab Security Emergency response Center (ASEC) observed the distribution of malicious shortcut (*.lnk) files impersonating a public organization. The threat actor seems to be distributing a malicious script (HTML) file disguised as a security email by attaching it to emails. These usually target individuals in the field of Korean reunification and national security. Notably, these were disguised with topics of honorarium payment to make them seem like legitimate documents. The malware’s operat...

Binary Ninja

Analyzing Obfuscated Code With Binary Ninja -- a Flare-On Journey. Xusheng Li, 2023-11-13. The Flare-On challenge is the Olympics for reverse engineers. This year, while celebrating the 10th sequel of the event, the organizers set “a new standard for difficulty and creativity” (words from last year’s challenge solutions). As a long-time player, I was very excited to complete all challenges in just over a month. In this write-up, I will discuss two challenges (5th and 13th) and share...

Matthew at Embee Research

Identifying Simple Pivot Points in Malware Infrastructure - RisePro Stealer. Identifying simple pivot points in RisePro Stealer infrastructure using Censys. Matthew, Nov 15, 2023 — 5 min read. In a previous post we analysed a Redline stealer sample and obtained a C2 address of 5.42.92[.]51:19057. In this post, we'll demonstrate how to pivot from this c2 address to identify a tot...

Extracting C2 configuration using the Garbageman .NET analysis tool. Matthew, Nov 16, 2023 — 4 min read. In this post, we'll demonstrate the Garbageman analysis tool. Garbageman is a .NET analysis tool that can be used to obtain information from packed or obfuscated .NET malware. Here is a great blog on the internals of Garbageman. The TLDR is that Garbageman intercepts the memory management components of .NET and saves the information for future analysis. Using this, we can easily obtain c2 inform...

Combining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike. Identifying malware infrastructure by combining weak pivot points. Matthew, Nov 19, 2023 — 6 min read. In this post, we'll demonstrate how to use Censys to pivot when there are minimal unique indicators that could be used for a single strong pivot. We'll combine 5 separate "weak" indicators to identify 11 malware servers from a single initial IP found on URLHaus. The final query we will be building c...

Igor Skochinsky at Hex Rays

Posted on: 17 Nov 2023 By: Igor Skochinsky. IDA supports different representations for the instruction operands and data items. However, only the most common of them are listed in the context menu or have hotkeys assigned. Let’s imagine that you’ve discovered an area in a firmware binary which looks like a table of floating-point values: You can confirm that it looks plausible by switching the representation in the Hex View: However, in the disas...

InfoSec Write-ups

Opening HTML Files: A gateway to Malware. JustAnother-Engineer, published in InfoSec Write-ups, 5 min read, Nov 10. Overview: This blog post examines how the ability to run VBScript / JScript from HTML files in a Windows environment is being abused. This post is focused on reverse engineering and understanding the techniques used in these attacks. Users receive a phishing email having a webpage as an attachment; to the normal eye it may appear harmless, but it would have code crafted for mal...

Mandiant

Flare-On 10 Challenge Solutions. Nick Harbour, Nov 11, 2023, 2 min read. Our goal this year was to make the most difficult Flare-On challenge we’ve ever produced to celebrate a full decade of contests. At the time of this writing, there were 219 Flare-On finishers out of 4,767 registered users, which makes it the lowest finishing rate we’ve ever had. Truly, only the elite of the elite can claim to be a Flare-On 10 finisher. These lucky few will receive this pennant (...

OALABS Research

Indirect Syscalls and Layers of Crypto. Nov 12, 2023 • 34 min read. Overview: According to Zscaler, the core Pikabot module includes the ability to execute arbitrary commands and inject payloads that are provided by a command-and-control server. A new updated version of the bot has been observed in the wild. This new version includes significant anti-analysi...

Veronica Chierzi at Trend Micro

A Closer Look at ChatGPT's Role in Automated Malware Creation. This blog entry explores the effectiveness of ChatGPT's safety measures, the potential for AI technologies to be misused by criminal actors, and the limitations of current AI models. By: Veronica Chierzi, November 14, 2023. With contributions from Charles Perine. As the use of ChatGPT and other artificial intelligence (AI) technologies becomes more widespread, it is important to consider the po...