Analysis Memo

A place to note things I found while analyzing malware and things that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 50 – 2023 - MALWARE

This entry was generated and posted automatically to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Alessandra Perotti

ExeWho2 - A Tool from the Wild. Posted Dec 4, 2023, updated Dec 4, 2023, by al3x perotti (malware reverse engineer, threat hunter, and security consultant), 3 min read. ExeWho2 appears to be a red teaming command line tool that can be used to deliver and execute obfuscated payloads on compromised systems. It’s written in Rust and it appears to be an evolution of Exe_who. The tool and its source code were found...

Alexander Tasse

Blue Team Labs — “Malicious PowerShell Analysis”. Alexander, 4 min read, 2 days ago. Scenario: Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team - all you have is an encoded PowerShell script. Can...

ASEC

A remote desktop service refers to the feature that allows remote control of other PCs. In Windows, this service is provided by default through Remote Desktop Protocol (RDP). This means that if the target system is a Windows environment, RDP can be used to control this remote target without having to install additional remote control tools. For remote control, the operator is required to have account credentials for the target system and log in using these credentials. As such, if an RDP-enabled...

The AhnLab Security Emergency response Center (ASEC) analysis team previously posted about AsyncRAT being distributed via files with the .chm extension. [1] It was recently discovered that this type of AsyncRAT malware is now being distributed in WSF script format. The WSF file was found to be distributed in a compressed file (.zip) format through URLs contained within emails. [Download URLs] 1. //.com.br/Pay5baea1WP7.zip 2. //.za.com/Order_ed333c91f0fd.zip 3. //***...

Contents: Overview; Initial Access (2.1. Spear Phishing Attack; 2.2. LNK Malware); Remote Control Malware (3.1. XRat (Loader); 3.2. Amadey; 3.3. Latest Attack Cases: 3.3.1. AutoIt Amadey, 3.3.2. RftRAT); Post-infection (4.1. Keylogger; 4.2. Infostealer; 4.3. Other Types); Conclusion. 1. Overview The Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy ...

In this report, we cover nation-led threat groups presumed to conduct cyber espionage or sabotage under the support of the governments of certain countries, referred to as “Advanced Persistent Threat (APT) groups” for the sake of convenience. Therefore, this report does not contain information on cybercriminal groups aiming to gain financial profits. We organized analyses related to APT groups disclosed by security companies and institutions including AhnLab during the previous month; however, t...

This trend report on the deep web and dark web of October 2023 is sectioned into Ransomware, Forums & Black Markets, and Threat Actors. We would like to state beforehand that some of the content has yet to be confirmed to be true. Ransomware: Rebrand of Hive? Hunters International; NoEscape Ransomware Gang; RagnarLocker DLS Shut Down; Trigona Disappears. Forum & Black Market: 23andMe Database Leaked and Being Sold; Breach of Okta’s Support System Detected. Threat Actor: Hacktivist Activitie...

The Kimsuky group’s activities in October 2023 decreased slightly in comparison to their overall activities in September. One phishing domain was discovered, but because it uses the BabyShark infrastructure, it was classified as the BabyShark type. There was also a compound type where FlowerPower and RandomQuery were distributed simultaneously. Finally, more changes to the FlowerPower system via script fragmentation were observed. 2023_Oct_Threat Trend Report on Kimsuky Group Categories:trend Ta...

This report provides statistics on the number of new ransomware samples, targeted systems, and targeted businesses in October 2023, as well as notable ransomware issues in Korea and other countries. Key Trends 1) HelloKitty Ransomware’s Source Code Leaked 2) Ransomware Attacks Against Unpatched WS_FTP Server 3) BlackCat Ransomware Uses ‘Munchkin’ Alpine Linux VM 4) Others 2023_Oct_Threat Trend Report on Ransomware Statistics and Major Issues Categories:trend Tagged as:BlackCat,HelloKitty,Ransomw...

Jonathan Tanner at Barracuda

Dec. 7, 2023 | Jonathan Tanner. While endpoint anti-malware solutions can be a powerful tool for detecting and stopping malware, they are still bound by the rules and limitations that apply to all software that runs on a system. Malware, too, is usually bound by these rules and limitations, but malware authors don't like to play by the rules and the most effective way to overcome these rules (aside from exploiting bugs in the software) is to rewrite the...

Hendrik Eckardt at cyber.wtf

In an Incident Response case earlier this year, we encountered an interesting piece of malware that turned out to be a RAT written in C#. In this post we’ll give an overview about how it was loaded onto the systems and what its general capabilities are. PowerShell stager As is often the case, a PowerShell script was used to deploy the malware. The scripts we encountered in this case were heavily obfuscated with arithmetic expressions and dead code. Eek. An obfuscated mess that goes on like this ...

Elastic Security Labs

Getting gooey with GULOADER: deobfuscating the downloader. Elastic Security Labs walks through the updated GULOADER analysis countermeasures. 14 min read, Malware analysis. Overview: Elastic Security Labs continues to monitor active threats such as GULOADER, also known as CloudEyE – an evasive shellcode downloader that has been highly active for years while under constant development. One of these recent changes is the addition of exceptions to its Vectored Exception Handler (VEH) in a fresh campaign, a...

Matthew at Embee Research

Advanced Ghidra Basics - Identifying, Decoding and Fixing Encrypted Strings. Manual identification, decryption and fixing of encrypted strings using Ghidra and x32dbg. Matthew, Dec 5, 2023, 14 min read. In this post, we will investigate a Vidar Malware sample containing suspicious encrypted strings. We will use Ghidra cross references to analyse the strings and identify the location where...

Cara Lin at Fortinet

By Cara Lin | December 07, 2023. Affected Platforms: Microsoft Windows. Impacted Users: Microsoft Windows. Impact: The information collected can be used for future attacks. Severity Level: High. FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file. The PDF downloads a .NET executable file created with PowerGUI and then runs a PowerShell script to fetch...

Monty Security

Stumbling Through an APK File. montysecurity, 5 min read, 3 days ago. In this post, I will showcase my process of learning how to analyze an APK file. Operative word there being “learning”, going into this I did not know the first thing about android malware. By the end of it I had a basic understanding of how to enumerate IOCs and capabilities of an Android app. The Sample: I sourced this sample from the Malware Hunter Team on Twitter/X. Looking at its details in VirusTotal, there is...

OALABS Research

Taking a look at a new version of the Danabot loader. Dec 4, 2023 • 3 min read. Tags: danabot, loader, delphi. Contents: Overview; References; Sample; Analysis Notes. Overview: Initially Danabot was operated as a malware as a service platform that specialized in information theft (banking credentials and other information). Currently (end of 2023) they appear to have pivoted to initial access for the purpose of deploying ransomware. References: From DarkGate to DanaBot; Technical Analysis of DanaBot Obfuscation Techniques ...

PetiKVX

Nov 30, 2023 • petikvx. Share on: //app.any.run/tasks/d6da4173-2f9d-4b2f-8a20-b0a86dddd510. File information (attribute: detail). File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows; MD5: 761E82385AC656CDB40C5B9189AB0CF2; SHA1: F5E22AEDB5435AF95D2E76ABD348661909526437; SHA256: B902F48739FA84BE97815B796681A7B337C7BBCAD14D436AEB6BA93B9FE5AEBD; SSDEEP: 6144:pdr9vlTixqewT/IDI32oQqDVJ2r1lXohOBkWTXd7umpq:HmxIIM2ojJ2r1lYhOBkWTphpq; Creation Time: 2023-11-23 01:59:44 UTC. Analyse informa...

Dec 9, 2023 • petikvx. Share on: //app.any.run/tasks/6dffcbde-ca2b-45c2-9a91-6c01975b69a8/. Introduction: Phobos ransomware is a malicious software that has gained notoriety in the world of cyber threats. This ransomware strain is designed to encrypt a victim’s files and demand a ransom payment in exchange for the decryption key. In this article, we will explore the key characteristics and impact of Phobos ransomware. File information: Analysis date: December 07, 2023 at 18:58:53. OS: Windows 10 Prof...

Phylum

Red team or adversary? Digging into malicious packages targeting a financial institution. Determining the intent behind a package publication is notoriously difficult. Is it a legitimate threat actor or a security researcher? We can rarely make this determination, so Phylum generally errs on the side of caution and annotates packages that exhibit characteristics congruent with malware-like behavior. Today is not such an occasion. Not only were we able to successfully decrypt the malware packages...

Securelist

Malware descriptions, 05 Dec 2023, minute read. Authors: Sergey Puzan. We recently discovered a new variety of malicious loader that targets macOS, presumably linked to the BlueNoroff APT gang and its ongoing campaign known as RustBucket. The threat actor is known to attack financial organizations, particularly companies, whose activity is in any way related to cryptocurrency, as well as individuals who hold crypto assets or take an interest in the subject. Information about the new loader variant fi...

Malware descriptions, 06 Dec 2023, minute read. Table of Contents: Postinstall script; WindowServer; Versions targeting other platforms; Indicators of compromise. Authors: Sergey Puzan. Illegally distributed software historically has served as a way to sneak malware onto victims’ devices. Oftentimes, users are not willing to pay for software tools they need, so they go searching the Web for a “free lunch”. They are an excellent target for cybercriminals who realize that an individual looking for a cracked ap...

Lukas Stefanko at WeLiveSecurity

ESET researchers describe the growth of deceptive loan apps for Android and techniques they use to circumvent Google Play. Lukas Stefanko, 05 Dec 2023, 24 min. read. Since the beginning of 2023, ESET researchers have observed an alarming growth of deceptive Android loan apps, which present themselves as legitimate personal loan services, promising quick and easy access to funds. Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-intere...