Analysis Notes

A place to jot down notes from trying malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 48 – 2023 - MALWARE

This entry was automatically generated and posted to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Alberto Marín at Outpost24

Contents: LummaC2 v4.0 updates; Packer; Layer 1; Layer 2; Control Flow Flattening; Control structure on stack; Relevant blocks; New Anti-Sandbox technique: Using trigonometry to detect human behavior; How to bypass LummaC2 v4.0 Anti-Sandbox technique; Forcing threat-actors to use a crypter for their builds; Conclusion; IOCs; Hashes; C&Cs; References. Unveiling LummaC2 stealer's novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection. Research & Threat Intel, 20 Nov 2023. Written By Alberto Marín Rever...
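The contents list above names a sandbox check built on cursor-movement trigonometry and a section on bypassing it, but the teaser gives no detail. The following is an added illustration of the general idea, written for this digest; it is not LummaC2's code and not Outpost24's, and the number of samples (5), the turn-angle threshold (45 degrees) and the shape of the synthetic trajectory are assumptions chosen for the example.

```python
"""
Illustrative cursor-trajectory "human check" of the kind described in the
Outpost24 LummaC2 v4.0 write-up, plus the synthetic path a sandbox would need
to feed it. Added example code; not taken from the malware or the article.
Assumptions: SAMPLE_COUNT, MAX_TURN_DEGREES and the parabola in
synthetic_human_path are illustrative values, not the real ones.
"""
import math
import time
from typing import Callable, List, Sequence, Tuple

Point = Tuple[float, float]

SAMPLE_COUNT = 5          # assumption: number of cursor positions compared
MAX_TURN_DEGREES = 45.0   # assumption: largest direction change a "human" path may show


def turn_angles(points: Sequence[Point]) -> List[float]:
    """Angle in degrees (0..180) between each pair of consecutive displacement vectors."""
    vectors = [(x1 - x0, y1 - y0) for (x0, y0), (x1, y1) in zip(points, points[1:])]
    angles = []
    for (ax, ay), (bx, by) in zip(vectors, vectors[1:]):
        dot = ax * bx + ay * by
        cross = ax * by - ay * bx
        # atan2(|cross|, dot) avoids the domain problems of acos(dot / (|a||b|)).
        angles.append(math.degrees(math.atan2(abs(cross), dot)))
    return angles


def looks_human(points: Sequence[Point], max_turn: float = MAX_TURN_DEGREES) -> bool:
    """
    The check: every sampled position must differ from the previous one (a parked
    cursor is typical of an idle sandbox), and every change of direction between
    consecutive movement vectors must be gentle (a zig-zag or random jump is not).
    """
    if len(points) < 3:
        return False
    if any(p == q for p, q in zip(points, points[1:])):
        return False
    return all(angle < max_turn for angle in turn_angles(points))


def sample_cursor(read_position: Callable[[], Point],
                  count: int = SAMPLE_COUNT,
                  interval_s: float = 0.0) -> List[Point]:
    """Collect `count` positions from a callable returning the current cursor position."""
    samples = []
    for _ in range(count):
        samples.append(read_position())
        if interval_s:
            time.sleep(interval_s)
    return samples


def synthetic_human_path(count: int = SAMPLE_COUNT,
                         start: Point = (100.0, 100.0)) -> List[Point]:
    """
    What a sandbox would have to supply to pass the check: a gently curving
    trajectory whose consecutive turn angles all stay under the threshold.
    A shallow parabola is used here as an illustrative choice.
    """
    x0, y0 = start
    return [(x0 + 10.0 * i, y0 + 0.5 * i * i) for i in range(count)]


if __name__ == "__main__":
    # Constructed sample trajectories, not captured data.
    smooth = [(0.0, 0.0), (10.0, 2.0), (20.0, 5.0), (30.0, 9.0), (40.0, 14.0)]
    zigzag = [(0.0, 0.0), (10.0, 10.0), (20.0, 0.0), (30.0, 10.0), (40.0, 0.0)]
    parked = [(5.0, 5.0)] * SAMPLE_COUNT
    for name, path in (("smooth", smooth), ("zigzag", zigzag), ("parked", parked),
                       ("synthetic", synthetic_human_path())):
        print(f"{name:9s} human={looks_human(path)} angles={[round(a, 1) for a in turn_angles(path)]}")
```

In practice `read_position` would wrap `GetCursorPos` (via `ctypes`) on Windows; the point for a sandbox operator is that the check only needs a trajectory whose direction changes are small, which is what `synthetic_human_path` produces.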

Any.Run

November 21, 2023, 6 min read. XWorm Malware: Exploring C&C Communication. In this article, our guest author Igal Lytzki (0xToxin on Twitter) will explore and understand the dynamics occurring when a success...

ASEC

AhnLab Security Emergency response Center (ASEC) is monitoring attacks against vulnerable web servers that have unpatched vulnerabilities or are being poorly managed. Because web servers are externally exposed for the purpose of providing web services to all available users, these become major attack targets for threat actors. Major examples of web services that support Windows environments include Internet Information Services (IIS), Apache, Apache Tomcat, and Nginx. While the Apache web servic...

Recently, AhnLab Security Emergency response Center (ASEC) has identified a malicious LNK file being distributed to financial and blockchain corporation personnel through email and other ways. The malicious LNK file is distributed via URLs and AhnLab Smart Defense (ASD) has confirmed the following URLs. Download URLs: hxxps://file.lgclouds001[.]com/read/?[이메일 계정]&zw=블록체인%20기업%20솔루션%20편람%20제작.zip (hxxps://file.lgclouds001[.]com/read/?[email-account]&zw=blockchain%20corporate%20solution%20handbook%2...

The ASEC analysis team identified the circumstances of the Andariel group distributing malware via an attack using a certain asset management program. The Andariel group is known to be in a cooperative relationship with or a subsidiary organization of the Lazarus group. The Andariel group usually launches spear phishing, watering hole, or supply chain attacks for initial penetration. There is also a case where the group exploited a central management solution during the malware installation proc...

CTF导航

Analysis of an APT-C-35 (Donot) attack campaign using the Remcos RAT. APT, 4 days ago. APT-C-35, also known as Donot, is a cyber-espionage group that targets government agencies and other sectors in Pakistan, Sri Lanka and other countries neighbouring India, primarily to steal sensitive information. While tracking this group, we detected through 360 Safeguard a batch of attack activity aimed at Pakistan; after tracking, analysing and assessing it, we preliminarily attributed the attackers to Donot. During this work we also found a link between APT-C-35 (Donot) and APT-C-09 (Patchwork, 摩诃草). 1. Attack activity analysis. 1. Attack flow analysis. In this campaign the attackers mainly used two different methods to "pry open" the victim's door: 1. An .inp document carrying an exploit; when the user opens the document, a Remcos loader is dropped under %UserProfile%\AppData\Local and then started, loading the commercial Remcos RAT and accepting control; 2. A malicious LNK file; when the victim opens the LNK file inside the delivered malicious archive, it fetches from the remote host //webmail[.]mod[.]com[.]pk/uploads/dir...

Matthew at Embee Research

Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples). More interesting and practical queries for identifying malware infrastructure. Matthew, Nov 22, 2023, 9 min read. Practical and real-world examples of queries for identifying malware infrastructure. The primary tooling used is Censys.io. Covered: Redline Stealer; Qakbot; NJRat; Remcos; BianLian Go Trojan; XTreme RAT; SuperShell Botnet. Qakbot Command and Control Servers: Censys Link; Empty Banner Produces Unique Hash; Particular Structure to TLS cert...

Ghidra Basics - Cross References From Strings. Leveraging Ghidra to establish context and intent behind suspicious strings. Matthew, Nov 24, 2023, 4 min read. Taking things one step further after initial analysis tooling like PE-Studio and Detect-it-easy. This is a great technique for wo...

Manually Reversing a decryption function using Ghidra, ChatGPT and CyberChef. Matthew, Nov 24, 2023, 6 min read. This post is a continuation of "Malware Unpacking With Hardware Breakpoints". Here we will be utilising Ghidra to locate the shellcode, analyse the decryption logic and obtain the final decrypted content using CyberChef.

Ghidra Basics - Cross References From Imported Functions. Leveraging G...

Cara Lin at Fortinet

By Cara Lin | November 20, 2023. Affected Platforms: Microsoft Windows. Impacted Users: Microsoft Windows. Impact: Remote attackers gain control of the infected systems. Severity Level: Critical. FortiGuard Labs recently identified the use of a Russian-language Word document equipped with a malicious macro in the ongoing Konni campaign. Despite the document's creation date of September, ongoing activity on the campaign's C2 server is evident in interna...

Hex Rays

Posted on: 21 Nov 2023 By: Alex Petrov Categories: IDA Pro Programming Tags: IDA Pro plugin This is a guest entry written by Baptiste Verstraeten from the Thalium Team. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. The Symless plugin aims to simplify the process of retrieving and defining structures, classes, and virtual tables. Building structures with their fields and managing cross-...

Posted on: 24 Nov 2023 By: Igor Skochinsky Categories: News. Occasionally you may run into the following error message: To ensure that the decompilation speed remains acceptable and does not block IDA, especially when using batch decompilation, by default the decompiler refuses to decompile functions over 64 kilobytes (0x10000 bytes). But here we have a function which is 3x as large: In such a case you can manually increase the size limit to force the decompiler to try to decompile the function anyway....

InfoSec Write-ups

Unmasking NJRat: A Deep Dive into a Notorious Remote Access Trojan, Part 1. JustAnother-Engineer, published in InfoSec Write-ups, 5 min read, 6 days ago. NjRAT is a type of malware that allows a remote actor to gain control of an infected computer system. It is one of the most widely used types of malware on the Internet due to its easy accessibility, free tutorials available on the clear web, and wide range of functionalities to evade detection t...

Osama Ellahi, published in InfoSec Write-ups, 14 min read, Oct 21. NJRAT Malware analysis. Executive Summary: This version {0.7NC} of NJRat was first seen on 17 August 2023 with the name utah-Robert-magazine- speaker. It was delivered by email using phishing. Red Packet Security defines NJRat as a type of remote access trojan (RAT). This malicious software can do a range of things, like recording keystrokes, accessing the victim's camera, stealing saved login information from web brow...

OALABS Research

PikaBot Is Back With a Vengeance - Part 2: Automated String Decryption. Nov 19, 2023, 108 min read. Tags: pikabot, debugging, string decryption, emulation, memulator. Contents: Overview; Sample; String Decryption; Locating Strings; Decryption. Overview: This is a continuation of our work on the new Pikabot core module. Our initial analysis can be found here. Sample: 39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206 (UnpacMe). String Decryption: Strings are inline. The string data is built in a stack string (pushed o...

Mohammad Amr Khan at Pulsedive

This blog examines three different loader types used in recent DarkGate infections. Mohammad Amr Khan, Nov 20, 2023, 8 min read. As DarkGate's popularity continues to increase, we've observed several different methods being used to start DarkGate infections. From the initial phishing vector to the first stage loader, threat actors have changed techniques to try and avoid detection and bypass security controls. Wha...

Suraj Mundalik at Qualys

RussianPanda

17 min read, Nov 20, 2023. MetaStealer - Redline's Doppelgänger. RussianPanda, Case Study. MetaStealer made its debut on Russian hacking forums on March 7, 2022. The stealer is said to incorporate the functionality, code, and panel of Redline Stealer. The developer claims to have improved the stub of the payload. It is priced at $150 per month, mirroring the price of Redline Stealer. Note: Some samples ...

Securelist

APT reports, 22 Nov 2023. Table of Contents: Introduction; Initial infection; HrServ web shell; Code execution; Older variants; Victims; Attribution; Conclusion; Indicators of compromise; File hashes. Author: Mert Degirmenci. Introduction: In the course of our routine investigation, we discovered a DLL file, identified as hrserv.dll, which is a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution. Our analysis of the ...

Anna Lvova at G Data

New "Agent Tesla" Variant: Unusual "ZPAQ" Archive Format Delivers Malware. 11/20/2023, G DATA Blog. A new variant of Agent Tesla uses the uncommon compression format ZPAQ to steal information from approximately 40 web browsers and various email clients. But what exactly is this file compression format? What advantage does it provide to threat actors? And why it i...

Sekoia