Analysis Notes

A place to jot down notes from my own malware analysis attempts and anything that seems useful for analysis. This site uses Google Analytics.

4n6 Week 49 – 2023 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that I can zap through them and pick which articles to check. 4n6 itself can be found here.

MALWARE

Any.Run

November 28, 2023. RisePro Malware Analysis: Exploring C2 Communication of a New Version. RisePro is a malware-as-a-service info-stealer,...

November 29, 2023. 5 malware threats we discovered in the wild in November 2023. ANY.RUN interactive sandbox excels in analyzing malware that evades...

ASEC

While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) has discovered an attack case in which the group is assumed to be exploiting the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware. The Andariel threat group usually targets South Korean companies and institutions, and the group is known to be either in a cooperative relationship with the Lazarus threat group, or a subsidiary group of Lazarus. Their atta...

AhnLab Security Emergency response Center (ASEC) has recently identified that the Kimsuky threat group is distributing a malicious JSE file disguised as an import declaration to research institutes in South Korea. The threat actor ultimately uses a backdoor to steal information and execute commands. The file name of the dropper disguised as an import declaration is as follows. Import Declaration_Official Stamp Affixed.jse The file contains an obfuscated PowerShell script, a Base64-encoded backdo...

AhnLab Security Emergency response Center (ASEC) discovered a case of malware distribution using personal information sales as bait. This attack case employs a social engineering hacking technique. ASEC provides you with recently discovered circumstances of malware distribution using social engineering hacking techniques. [Figure 1. Distribution site used by the threat actor] Figure 1 shows the content of the website used by the threat actor as a distribution site, with multiple files. Most of the...

Ashley Shen and Chetan Raghuprasad at Cisco’s Talos

By Ashley Shen and Chetan Raghuprasad, Thursday, November 30, 2023. Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous...

Matthew at Embee Research

Ghidra Basics - Cross References From Imported Functions. Leveraging Ghidra to establish context and intent behind imported functions. Matthew, Nov 26, 2023. In this blog, we'll use Ghidra to analyse a suspicious imported function identified with PeStudio. This forms a basic and repeatable workflow within Ghidra, where imported functions are cross-referenced to es...

Ghidra Basics - Manual Shellcode Analysis and Locating Function Calls. Manual analysis of Cobalt Strike Shellcode with Ghidra. Identifying function calls and resolving API hashing. Matthew, Nov 29, 2023. In previous posts we decoded some Malicious scripts and obtained Cobalt Strike Shellcode. After obtaining the Shellcode, we used SpeakEasy emulation to determine the...

Cara Lin at Fortinet

GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ. By Cara Lin | November 28, 2023. Affected Platforms: Any OS running Apache ActiveMQ versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3. Impacted Parties: Any organization. Impact: Remote attackers gain control of the vulnerable systems. Severity Level: Critical. This past October, Apache issued a critical advisory addressing CVE-2023-46604, a vulnerability involving the deserialization of unt...

Igor Skochinsky at Hex Rays

Posted on 02 Dec 2023 by Igor Skochinsky. Category: IDA Pro. When analyzing firmware binaries, a proper memory layout is quite important. When loading a raw binary, IDA usually creates a code segment for the whole binary. This is good enough when that code is all you need to analyze, but it is not always the case. For example, the code can refer to external hardware as MMIO (memory-mapped I/O), or use extra memory which is not part of the binary image. How to handle such situations? Crea...

InfoSec Write-ups

Unmasking NjRAT: A Notorious Remote Access Trojan, Part 2. JustAnother-Engineer, published in InfoSec Write-ups, Nov 26. Image credit: Pedro Henrique Andrade (//playgroundai.com/post/clmwrdcjh03ims601z3a9d99d). In the first part of this blog series, we discussed how the malware NjRAT is built, its capabilities and more. In this blog we will continue our discussion by looking into a few of the functions this notorious remote access trojan ...

Malware Analysis of Remcos RAT: Exploitation and Detection Explained. Osama Ellahi, published in InfoSec Write-ups, Nov 23. Executive Summary. SHA256 hash: 2e5c4d023167875977767da513d8889f1fc09fb18fdadfd95c66a6a890b5ca3f. Remcos is a commercially available Remote Access Tool (RAT) marketed for legitimate use in surveillance and penetration testing. However, it has been leveraged in various unauthorized hacking initiatives. When deployed, Remcos establishes a backdoor, allowing ...

Nicole Fishbein at Intezer

Written by Nicole Fishbein - 27 November 2023.

Arunkumar at K7 Labs

Uncovering the “Serpent”. Categories: Stealer, Trojan. By Arunkumar, November 30, 2023. Information Stealers are a pervasive threat and are capable of providing threat actors with a rich source of sensitive data. Recently, we came across this tweet that the Serpent Stealer is on sale on the dark web. A .NET based malware, this has the ability to not only acquire sensitive information from the most popular online browsers and applications but also has the capab...

Mike Hunhoff, Moritz Raabe, Willi Ballenthin, and Tina Johnson at Mandiant

Improving FLARE’s Malware Analysis Tools at Google Summer of Code 2023. Mike Hunhoff, Moritz Raabe, Willi Ballenthin, Tina Johnson, Nov 30, 2023. This summer marked the FLARE team’s first year participating in Google Summer of Code (GSoC). GSoC is a global online mentoring program focused on introducing new contributors to open source software development. GSoC contributors work with mentors to complete 12+ week projects that support open source organizat...

Microsoft Security

Mohammed Salah

LockBit Unpacked P.1: Fundamentals of Basic Static Analysis. Mohammed Salah, Nov 25. I. Introduction. Why Malware Analysis? Malware analysis is like being a digital detective. It involves studying harmful software — known as malware — to understand the kind of problems it can cause for people and businesses. This includes looking at how it can disrupt systems, steal private information, and sneak into areas it shouldn’t. Doing this helps us protect our computers and keep o...

Mostafa Farghaly

Vidar Stealer Malware Analysis. Overview. Vidar is a forked malware based on Arkei. The malware runs on Windows and can collect a wide range of sensitive data from browsers and digital wallets. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. It was first discovered in the wild in late 2018. SHA256: 5cd0759c1...

Chema Garcia at Palo Alto Networks

By Chema Garcia, December 1, 2023 at 3:00 AM. Category: Malware. Tags: .NET Framework, Advanced URL Filtering, Advanced WildFire, Agent Raccoon, backdoor, CL-STA-0002, CL-STA-0043, Cortex XDR, DNS, DNS security, Mimikatz, Mimilite, Ntospy. Executive Summary. Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that rev...

Patrick Wardle at Objective-See

It's Turtles All The Way Down 🐢: Analyzing the newly discovered "Turtle" ransomware. By Patrick Wardle / November 30, 2023. Want to play along? As “Sharing is Caring” I’ve uploaded the malicious...

Ben Martin at Sucuri

Tommy Dong and Yuanjing Guo at Symantec Enterprise

A look at some deceptive tactics used by malware authors in an effort to evade analysis. With the surging popularity of mobile applications, the landscape of cybersecurity is encountering increasingly intricate and discreet forms of malicious software. One common strategy in the realm of cybersecurity is code obfuscation. This practice involves the deliberate alteration of various elements within the code, such as variables, functions, and class names, rendering them virtually indecipherable. This...

Raymond Chen at The Old New Thing

Raymond Chen, November 29th, 2023. In the Windows Portable Executable (PE) format, the image import descriptor table describes the functions imported from a specific target DLL. struct IMAGE_IMPORT_DESCRIPTOR { DWORD OriginalFirstThunk; DWORD TimeDateStamp; DWORD ForwarderChain; DWORD Name; DWORD FirstThunk; }; The OriginalFirstThunk points to an array of pointer-sized IMAGE_THUNK_DATA structures which describe the functions being imported. The FirstThunk points to an array of pointers, whose i...

Raymond Chen, November 30th, 2023. In the Windows Portable Executable (PE) format, the image import descriptor table describes the functions imported from a specific target DLL. struct IMAGE_IMPORT_DESCRIPTOR { DWORD OriginalFirstThunk; DWORD TimeDateStamp; DWORD ForwarderChain; DWORD Name; DWORD FirstThunk; }; The OriginalFirstThunk points to an array of pointer-sized IMAGE_THUNK_DATA structures which describe the functions being imported. The FirstThunk points to an array of pointers, whose i...

Zhassulan Zhussupov

﷽ Hello, cybersecurity enthusiasts and white hackers! In one of the previous posts (and at conferences in the last couple of months) I talked about the TEA encryption algorithm and how it affected the VirusTotal detection score. Today I decided to look at an improved algorithm - XTEA. XTEA. XTEA (eXtended TEA) is a symmetric block cipher designed to enhance the security of TEA (Tiny Encryption Algorithm). Developed by David Wheeler and Roger Needham, XTEA operates on 64-bit blocks w...

Aazim Bill SE Yaswant and Vishnu Pratapagiri at Zimperium